LinuxQuestions.org
Old 01-11-2010, 04:29 AM   #1
naquad
Member
 
Registered: Feb 2007
Posts: 34

Rep: Reputation: 15
External nic unreachable from local network


Hi.

I've got a router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)

my firewall:
Code:
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*raw
:PREROUTING ACCEPT [1038480:666298388]
:OUTPUT ACCEPT [52176:5482685]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*mangle
:PREROUTING ACCEPT [14108:12047521]
:INPUT ACCEPT [96646:92066698]
:FORWARD ACCEPT [1111826:653133089]
:OUTPUT ACCEPT [3326:235073]
:POSTROUTING ACCEPT [1181462:660486512]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*nat
:PREROUTING ACCEPT [160:13709]
:POSTROUTING ACCEPT [28:1911]
:OUTPUT ACCEPT [20:1430]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE 
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*filter
:INPUT ACCEPT [4442:6226870]
:FORWARD ACCEPT [9621:5816943]
:OUTPUT ACCEPT [3326:235073]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
internal network has access to internet and works pretty fine, but
external interface ip is unreachable, i.e. clients can't reach x.y.z.a.
according to tcpdump packets are transmitted to router, but there's no response.

somehow iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1 helps, but imho there should be some other solution.

any ideas?

kernel is 2.6.31.6, architecture is x86_64.

P.S. i've also tried iptables -A POSTROUTING ! -d x.y.z.a -s 192.168.1.0/24 -j MASQUERADE that didn't help either.
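
Added example, not part of naquad's post: a small Python parser for the iptables-save format shown above that lists every chain policy or rule able to drop a packet and every nat rule that rewrites one. SAMPLE is a condensed copy of the posted dump (the empty raw and mangle tables are left out), and the function names are this example's own.

```python
# Added example: audit an iptables-save dump for anything that can block
# traffic (non-ACCEPT policies, DROP/REJECT rules) or rewrite it (nat rules).
import shlex

SAMPLE = """\
*nat
:PREROUTING ACCEPT [160:13709]
:POSTROUTING ACCEPT [28:1911]
:OUTPUT ACCEPT [20:1430]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [4442:6226870]
:FORWARD ACCEPT [9621:5816943]
:OUTPUT ACCEPT [3326:235073]
COMMIT
"""

def parse(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, target, argv)]}}."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # "*nat" opens a table
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and current is not None:
            chain, policy = line[1:].split()[:2]      # ":INPUT ACCEPT [pkts:bytes]"
            current["policies"][chain] = policy
        elif line.startswith("-A") and current is not None:
            argv = shlex.split(line)
            target = argv[argv.index("-j") + 1] if "-j" in argv else None
            current["rules"].append((argv[1], target, argv))
    return tables

def audit(dump):
    """Split findings into entries that can block traffic and entries that rewrite it."""
    blocking, rewriting = [], []
    for table, data in parse(dump).items():
        for chain, policy in data["policies"].items():
            if policy not in ("ACCEPT", "-"):         # "-" marks a user-defined chain
                blocking.append(f"{table}/{chain} policy {policy}")
        for chain, target, argv in data["rules"]:
            if target in ("DROP", "REJECT"):
                blocking.append(f"{table}/{chain}: {' '.join(argv)}")
            elif table == "nat":
                rewriting.append(f"{table}/{chain}: {' '.join(argv)}")
    return blocking, rewriting
```

For the posted ruleset `audit(SAMPLE)` returns an empty blocking list and only the MASQUERADE rule under rewriting, so nothing in these tables drops packets addressed to x.y.z.a.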
 
Old 01-11-2010, 11:13 AM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by naquad View Post
Hi.

I've got a router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)
...
internal network has access to internet and works pretty fine, but
external interface ip is unreachable, i.e. clients can't reach x.y.z.a.
according to tcpdump packets are transmitted to router, but there's no response.
"external interface ip is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your router may respond with nothing, and that is good. Try to ping its interface, but check if ICMP is enabled.

Last edited by nimnull22; 01-11-2010 at 02:13 PM.
 
Old 01-11-2010, 02:05 PM   #3
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find do not specify a source parameter in the nat POSTROUTING line, so try instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helped. Perhaps the address gets translated before the postrouting occurs? If this is correct I am sure there is someone here that can provide insight.
Regards
 
Old 01-13-2010, 05:56 AM   #4
naquad
Member
 
Registered: Feb 2007
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
"external interface ip is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your router may respond with nothing, and that is good. Try to ping its interface, but check if ICMP is enabled.
yes, i'm talking about my router external nic.
i'm doing ping, pings are enabled, but it doesn't work.

Quote:
Originally Posted by jeff_k View Post
I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find do not specify a source parameter in the nat POSTROUTING line, so try instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helped. Perhaps the address gets translated before the postrouting occurs? If this is correct I am sure there is someone here that can provide insight.
Regards
i tried to do this too. didn't help
 
Old 01-13-2010, 10:13 AM   #5
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Are you trying to ping it from outside or from LAN?
If from LAN, pings really may not return, and from LAN you should ping the LAN interface of your router.
I also suggest turning the firewall OFF for the test period.
 
Old 01-14-2010, 04:01 AM   #6
naquad
Member
 
Registered: Feb 2007
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
Are you trying to ping it from outside or from LAN?
If from LAN, pings really may not return, and from LAN you should ping the LAN interface of your router.
I also suggest turning the firewall OFF for the test period.
i'm trying to ping it from lan. ping doesn't return. disabling firewall doesn't help. i did a dirty hack:

Code:
iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1
and that helps, but imho that's wrong
 
Old 01-14-2010, 10:19 AM   #7
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
What exactly do you want to achieve?
Do you want someone from outside to be able to connect to your LAN?
 
Old 01-15-2010, 04:57 AM   #8
naquad
Member
 
Registered: Feb 2007
Posts: 34

Original Poster
Rep: Reputation: 15
no, i want someone from inside (lan) to be able to connect to router's external interface
 
Old 01-15-2010, 08:46 AM   #9
beadyallen
Member
 
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
Have you got ip forwarding enabled on the server?
Code:
# the redirect runs in the calling shell, not under sudo, so write the file through sudo tee
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
 
Old 01-15-2010, 10:39 AM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by naquad View Post
no, i want someone from inside (lan) to be able to connect to router's external interface
Wait a second, but why? What for?
If you want to manage your router you have to connect to its LAN interface, which is GW for your network.

Last edited by nimnull22; 01-15-2010 at 10:43 AM.
 
Old 01-22-2010, 03:28 PM   #11
naquad
Member
 
Registered: Feb 2007
Posts: 34

Original Poster
Rep: Reputation: 15
iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1
 
  



Tags
iptables, nat

