[SOLVED] External nic unreachable from local network

naquad · 01-11-2010, 04:29 AM

Hi.

I've got router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)

my firewall:

Code:

# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*raw
:PREROUTING ACCEPT [1038480:666298388]
:OUTPUT ACCEPT [52176:5482685]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*mangle
:PREROUTING ACCEPT [14108:12047521]
:INPUT ACCEPT [96646:92066698]
:FORWARD ACCEPT [1111826:653133089]
:OUTPUT ACCEPT [3326:235073]
:POSTROUTING ACCEPT [1181462:660486512]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*nat
:PREROUTING ACCEPT [160:13709]
:POSTROUTING ACCEPT [28:1911]
:OUTPUT ACCEPT [20:1430]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE 
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*filter
:INPUT ACCEPT [4442:6226870]
:FORWARD ACCEPT [9621:5816943]
:OUTPUT ACCEPT [3326:235073]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010

internal network has access to internet and works pretty fine, but
external interface ip is unreachable, i.e. clients can't reach x.y.z.a.
according to tcpdump packets are transmitted to router, but there's no response.

somehow iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1 helps, but imho there should be some other solution.

any ideas?

kernel is 2.6.31.6, architecture is x86_64.

P.S. i've also tried iptables -A POSTROUTING ! -d x.y.z.a -s 192.168.1.0/24 -j MASQUERADE that didn't help either.

nimnull22 · 01-11-2010, 11:13 AM

Quote:

Originally Posted by naquad

Hi.

I've got router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)
...
internal network has access to internet and works pretty fine, but
external interface ip is unreachable, i.e. clients can't reach x.y.z.a.
according to tcpdump packets are transmitted to router, but there's no response.

"external interface ip is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your route may respond nothing, and it is good. Try to ping it interface, but check if ICMP is enabled.

jeff_k · 01-11-2010, 02:05 PM

I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find does not specify a source parameter in the nat POSTROUTING line, so try instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helped. Perhaps the address gets translated before the postrouting occurs? If this is correct I am sure there is someone here that can provide insight.
Regards

naquad · 01-13-2010, 05:56 AM

Quote:

Originally Posted by nimnull22

"external interface ip is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your route may respond nothing, and it is good. Try to ping it interface, but check if ICMP is enabled.

yes, i'm talking about my router external nic.
i'm doing ping, pings are enabled, but it doesn't work.

Quote:

Originally Posted by jeff_k

I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find does not specify a source parameter in the nat POSTROUTING line, so try instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helped. Perhaps the address gets translated before the postrouting occurs? If this is correct I am sure there is someone here that can provide insight.
Regards

i tried to do this too. didn't help

nimnull22 · 01-13-2010, 10:13 AM

Are you trying to ping it from outside or from LAN?
If from LAN pings really may not return, and from LAN you should ping LAN interface of you router.
I also suggest to turn firewall OFF for test period.

naquad · 01-14-2010, 04:01 AM

Quote:

Originally Posted by nimnull22

Are you trying to ping it from outside or from LAN?
If from LAN pings really may not return, and from LAN you should ping LAN interface of you router.
I also suggest to turn firewall OFF for test period.

i'm trying to ping it from lan. ping doesn't return. disabling firewall doesn't help. i did a dirty hack:

Code:

iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1

and that helps, but imho thats wrong

nimnull22 · 01-14-2010, 10:19 AM

What do you want exactly to achieve?
Do you want someone from outside be able to connect to your LAN?

naquad · 01-15-2010, 04:57 AM

no, i want someone from inside (lan) to be able to connect to routers external interface

beadyallen · 01-15-2010, 08:46 AM

Have you got ip forwarding enabled on the server?

Code:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

nimnull22 · 01-15-2010, 10:39 AM

Quote:

Originally Posted by naquad

no, i want someone from inside (lan) to be able to connect to routers external interface

Wait a second, but why? What for?
If you want to manage your router you have to connect to it LAN interface, which is GW for your network.

naquad · 01-22-2010, 03:28 PM

iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1