LinuxQuestions.org

Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
How to route traffic on a network - cannot get machine to transfer across interfaces (http://www.linuxquestions.org/questions/linux-networking-3/how-to-route-traffic-on-a-network-cannot-get-machine-to-transfer-across-interfaces-487088/)

captainpotato 09-26-2006 08:06 AM

How to route traffic on a network - cannot get machine to transfer across interfaces
 
I'm having some fun and games trying to set up a new machine on my
home network, so I'm after some help, please. My broadband ISP has
failed (Aussies - Veridas :P ), so whilst my churn goes through, I'm
running an old box with dialup to connect to the outside world.

I'm trying to get my other machines routing through it so that they
can all access the modem (I'm sitting on the floor typing this, as the
machine itself is in a very uncomfortable location, plus so that more
than one person can be online at the same time, speed be damned...).

My setup:

- A few machines on the subnet 192.168.0.0, networked wirelessly;
- A wireless router at 192.168.0.1;
- The old box connected to the wireless router by a CAT5 cable (on the
same subnet, eth0);
- The old box is connected to the outside world by a dialup modem.

What works at the moment:

- Each machine can ping the other (including the old box, using eth0);
- The old box can dial out and connect up correctly on the modem
(ppp0).

However, I cannot connect from one of the other boxes, via the old
box, to the outside world:

- ie - main machines -- wireless router -- old box -- modem -- ISP

The issue is the old box (running a 2.4.26 kernel using Damn Small
Linux 3.0) not routing the requests from eth0 to ppp0.

I've played around with the shell (route and a quick go with
iptables), but have failed dismally to get anything working. It's been
a (long) while since I did this, and I have no idea how to get it
working.

What am I doing wrong, and how do I get it working? All advice
gratefully accepted :)

TigerOC 09-26-2006 11:32 AM

You need to implement ip-masquerading and then enable forwarding which is covered here.

captainpotato 09-26-2006 09:15 PM

Thanks, TigerOC - I'll give that a shot tonight and report back about how it went.

captainpotato 09-27-2006 06:02 AM

Quote:

Originally Posted by TigerOC
You need to implement ip-masquerading and then enable forwarding which is covered here.

No luck, I'm afraid. The nat table script that is listed on the webpage fails, as iptables claims that it doesn't understand the option 'state', as listed in it.

ie - the lines such as this one fail:

/sbin/iptables -t filter -A FORWARD -i ${WAN} -o ${LAN} state --state RELATED,ESTABLISHED -j ACCEPT

Any ideas?

michaelk 09-27-2006 07:14 AM

Should be iptables ... -m state --state RELATED,ESTABLISHED -j ACCEPT

captainpotato 09-27-2006 08:02 AM

Quote:

Originally Posted by michaelk
Should be iptables ... -m state --state RELATED,ESTABLISHED -j ACCEPT

Thanks for that - I'd found that whilst googling, and it removed the error message, but it's nice to know that this is correct :)

However, I'm still not (quite?) there yet. From my desktop box, I can now ping the IP address that my ISP has assigned my modem, but no further. In other words, I'm a step closer to my aim as I can ping the next IP address in the line.

This is the set of rules that I'm using:

Code:

LOOPBACK=lo
LAN=eth0
WAN=ppp0

#Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Set up the firewall rules
/sbin/iptables -t filter -A INPUT -i ${LOOPBACK} -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ${LAN} -j ACCEPT
/sbin/iptables -t filter -A INPUT -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up the ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t filter -A FORWARD -i ${LAN} -o ${WAN} -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i ${WAN} -o ${LAN} -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up ip masquerading
# Allow the boxes 192.168.0.2 and 192.168.0.227 on the Internet
/sbin/iptables -t nat -A POSTROUTING -o 192.168.0.2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o 192.168.0.227 -j MASQUERADE


Anything obviously wrong here?

captainpotato 09-27-2006 08:15 AM

Some more information - my routing table:

Code:

Destination      Gateway          Genmask          Flags  Metric  Ref  Use  Iface
203.220.236.xxx  0.0.0.0          255.255.255.255  UH     0       0    0    ppp0
192.168.0.0      0.0.0.0          255.255.255.0    U      0       0    0    eth0
0.0.0.0          203.221.53.***   0.0.0.0          UG     0       0    0    ppp0
0.0.0.0          192.168.0.1      0.0.0.0          UG     0       0    0    eth0

192.168.0.1 is my wireless router; 203.221.53.*** is my dialup IP address for tonight. No idea what the 203.220.236.xxx address is.

fotoguy 09-27-2006 08:38 AM

Quote:

Originally Posted by captainpotato
/sbin/iptables -t nat -A POSTROUTING -o 192.168.0.2 -j MASQUERADE
Anything obviously wrong here?


The output device -o needs to be the device, not the IP address, try:

Code:

/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
Or to use a source IP address:

Code:

/sbin/iptables -t nat -A POSTROUTING -o $WAN -s 192.168.0.2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o $WAN -s 192.168.0.227 -j MASQUERADE


michaelk 09-27-2006 08:41 AM

Not really an iptables guru but I would use:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

and limit the two internal IP addresses via a forward rule.

fotoguy 09-27-2006 09:40 AM

Quote:

Originally Posted by michaelk
and limit the two internal IP addresses via a forward rule.

Yeah, that would be the better way, should have seen that myself.
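
Putting fotoguy's and michaelk's replies together, as an added example that is not code from the thread: the masquerading rule is keyed on the outgoing interface (`-o $WAN`) rather than an address, and the two permitted hosts are restricted in the FORWARD chain with `-s`, so a host that is not listed is dropped by the FORWARD policy before it ever reaches NAT. Interface names, host addresses and the `-m state` match are the ones from the thread; the `IPT` variable, the `is_iface_name` check and the dry-run default are this example's own. With `IPT` unset the commands are only echoed, so the rule set can be read before it is applied as root with `IPT=/sbin/iptables`.

```shell
#!/bin/sh
# Added example, not from the thread: a masquerading rule set with NAT keyed
# on the outgoing interface and the permitted LAN hosts limited in FORWARD.
# Dry run by default: IPT=echo prints each rule instead of loading it.
IPT=${IPT:-echo}
LAN=${LAN:-eth0}
WAN=${WAN:-ppp0}
# LAN hosts allowed to start connections out (addresses from the thread).
ALLOWED_HOSTS=${ALLOWED_HOSTS:-"192.168.0.2 192.168.0.227"}

# iptables -i/-o take an interface name; a dotted-quad address there never
# matches anything, which is the mistake discussed above. Returns 0 (true)
# when $1 looks like an interface name.
is_iface_name() {
    case "$1" in
        *.*.*.*) return 1 ;;                  # dotted quad: an address, not a device
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;    # empty or contains odd characters
        *) return 0 ;;
    esac
}

# Flush the filter and nat chains this rule set uses.
flush_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -t filter -F "$chain"
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPT -t nat -F "$chain"
    done
}

apply_rules() {
    is_iface_name "$LAN" || { echo "LAN='$LAN' is not an interface name" >&2; return 1; }
    is_iface_name "$WAN" || { echo "WAN='$WAN' is not an interface name" >&2; return 1; }

    flush_rules

    # Default policies: nothing is accepted into or through the box unless a
    # rule below says so.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -t filter -P FORWARD DROP

    # Traffic addressed to the router box itself.
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT -i "$LAN" -j ACCEPT
    $IPT -t filter -A INPUT -i "$WAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Forwarding: only the listed LAN hosts may open connections towards the
    # WAN (michaelk's suggestion); replies are matched by connection state.
    for host in $ALLOWED_HOSTS; do
        $IPT -t filter -A FORWARD -i "$LAN" -o "$WAN" -s "$host" -j ACCEPT
    done
    $IPT -t filter -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Rewrite the source of everything leaving on the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Turn forwarding on only after the FORWARD filter is in place.
    if [ "$IPT" = echo ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of -A rules the current settings produce (always a dry run), a quick
# sanity check before loading the set for real.
count_rules() {
    ( IPT=echo; apply_rules ) | grep -c -- '-A '
}

# Running the file directly prints the dry run; IPT=/sbin/iptables applies it.
apply_rules
```

Ordering matters here: the FORWARD policy is DROP before `ip_forward` is switched on, so there is no window in which the box forwards unfiltered.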

captainpotato 09-27-2006 07:16 PM

michaelk, fotoguy - thanks for your assistance. I'll give it a shot (again) tonight.

So the error you both pointed out would therefore explain why I could ping the external IP address, but couldn't go any further? Or does POSTROUTING only deal with where the incoming information is directed?

fotoguy 09-27-2006 11:08 PM

Quote:

Originally Posted by captainpotato
So the error you both pointed out would therefore explain why I could ping the external IP address, but couldn't go any further?


I'm no guru myself as well, but I think it's because the rule wasn't in the correct format for the rule to work, so the rule could not be used to match any packets of data. So instead of changing the internal IP address to the external IP address, it was left as the internal IP address and sent out to the default gateway of the external IP address network.

A default networking standard: if a packet of data has an address that is not the same as the network it is currently on, push it out the default gateway and let the next network process the packet.

So by pinging your external IP address and having both internal and external networks, there would be information in the routing tables about both networks, so the packet would know how to return back to the original host.

But if you pinged the gateway of the external IP address, it would receive a ping from your internal IP address, and since it's not on the same network it will check its routing table for entries for that IP address to see where to send it; since none will exist (unless it has been added to the routing table), it will be pushed out to its default gateway.

Hope this helps

captainpotato 09-28-2006 07:02 AM

Thanks again for your help, but I'm still no closer. I can still ping internally, but nothing from outside. I'm not getting any errors on the iptables setup, but I still cannot get the traffic to flow as I want it to.

I'm beginning to wonder whether it's something else that is causing the issue, but I've no idea what else to check.

I'd be pulling out my hair by now, were it long enough to grab :P

michaelk 09-28-2006 08:35 AM

You need to change the gateway to ppp0

captainpotato 09-30-2006 09:02 PM

Quote:

Originally Posted by michaelk
You need to change the gateway to ppp0

On which box? The following is the route table from the box with the modem:

Code:

Destination      Gateway          Genmask          Flags  Metric  Ref  Use  Iface
203.220.236.xxx  0.0.0.0          255.255.255.255  UH     0       0    0    ppp0
192.168.0.0      0.0.0.0          255.255.255.0    U      0       0    0    eth0
0.0.0.0          203.221.52.xxx   0.0.0.0          UG     0       0    0    ppp0
0.0.0.0          192.168.0.1      0.0.0.0          UG     0       0    0    eth0

I'm assuming the gateway is set correctly here because I'm able to be online using it.

The wireless router only lets me set the gateway to the 'Internet port', which is the specific ethernet port on it to which one normally connects the broadband modem. If I plug the modem box into it, I don't seem to be able to get the two to talk, so I've got it plugged into one of the LAN ports on the router.
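
michaelk's reply says the gateway should be ppp0, and the route table above shows why the question arises: the modem box carries two default routes, 0.0.0.0 via 192.168.0.1 on eth0 and 0.0.0.0 via the dialup peer on ppp0. The following is an added example, not code from the thread: a POSIX shell check that parses `route -n` output and reports when more than one default route exists or when the single default route is not on the expected interface. The sample listing is constructed from the table posted above, with the masked octets kept as posted, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check a `route -n` listing for more
# than one default route. Sample listing constructed from the table posted
# above (masked octets kept exactly as posted).
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.220.236.xxx 0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.221.52.xxx  0.0.0.0         UG    0      0        0 ppp0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

# Print "gateway iface metric" for every default route (destination 0.0.0.0
# with an all-zero netmask) in the listing read from stdin.
default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $8, $5 }'
}

# Number of default routes in the listing passed as $1.
count_default_routes() {
    printf '%s\n' "$1" | default_routes | wc -l | tr -d ' '
}

# Interfaces carrying a default route, space-separated, in table order.
default_route_ifaces() {
    printf '%s\n' "$1" | default_routes | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# Returns 0 when the listing in $1 has exactly one default route and it is on
# interface $2; otherwise prints the default routes found on stderr and
# returns 1. On a box forwarding for the LAN, $2 is the dialup interface.
check_default_route() {
    table=$1
    want_iface=$2
    n=$(count_default_routes "$table")
    if [ "$n" -ne 1 ]; then
        echo "expected 1 default route, found $n:" >&2
        printf '%s\n' "$table" | default_routes >&2
        return 1
    fi
    iface=$(default_route_ifaces "$table")
    if [ "$iface" != "$want_iface" ]; then
        echo "default route is via $iface, expected $want_iface" >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample. On a live box use the real table:
#   check_default_route "$(route -n)" ppp0
check_default_route "$SAMPLE_ROUTES" ppp0 ||
    echo "duplicate default route: the eth0 one (via 192.168.0.1) is the candidate to remove"
```

The check only reports; which route to delete is a decision for the person at the console, and on the table posted above the eth0 default route via the wireless router is the one that does not belong on a box whose own way out is ppp0.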


All times are GMT -5.