LinuxQuestions.org
Old 08-14-2012, 06:35 AM   #1
borgy95
Member
 
Registered: Mar 2012
Location: England
Distribution: Debian, Kali, CentOS 7
Posts: 64

Rep: Reputation: Disabled
IP forwarding across two subnets


Hi, I've been having some trouble getting my rules correct and was hoping someone could chip in.

so here is the setup:

Tunis: (win7)
eth0: 192.168.5.9 FROM
(Firewall off)

Alexandria: (CENTOS6)
eth1: 192.168.5.1 VIA
eth0: 10.14.137.91

ebcdemo-AD1 (WIN2k8R2)
eth0: 10.14.136.1 VIA

mascara: (Win7)
eth0: 10.14.137.129 TO

I have admin/root access to all machines.

Current State:
tracert/ping - Tunis > Alexandria : SUCCESS
tracert/ping - Tunis > Ebcdemo-AD1 VIA Alexandria : FAIL
tracert/ping - Mascara > Alexandria VIA Ebcdemo-AD1 : SUCCESS
tracert/ping - Mascara > Tunis VIA Ebcdemo-AD1 - Alexandria : FAIL
tracert - Mascara > Tunis : FAIL - gets to 10.14.136.1 (Ebcdemo-AD1) and gets lost

So with that information I hope that sets a good foundation to figure this out.
There seems to be two issues. One is forwarding across alexandria (centos) and the other forwarding from 10.14.136.1 to 10.14.137.91 to then send across the subnet gap to 192.168.5.1.

I understand there is some Windows involved and technically out of this website's remit, but please forgive me! Maybe we can at least get the traffic moving from Tunis via Alexandria to ebcdemo-AD1.

Below I have pasted the current iptables rules I have... (P.S. I am aware they are very, very open, but my network does not need to be secure as it's a lab.)

Code:
[roo@alexandria Mozilla]# iptables -L
Chain INPUT (policy ACCEPT)  
target    prot opt source            destination
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  anywhere          anywhere

Chain FORWARD (policy ACCEPT) 
target prot opt source               destination
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  192.168.5.9       anywhere
ACCEPT    all  --  192.168.5.0/26    anywhere
ACCEPT    all  --  10.14.136.0/24    anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source               destination
EDIT: I figured it may be worth mentioning the IP route setup in case there is an error there:

Code:
 [roo@alexandria Mozilla]#ip route
192.168.5.0/26 dev eth1 proto kernel scope link src 192.168.5.1
10.14.136.0/24 dev eth0 proto kernel scope link src 10.14.137.91
169.254.0.0/16 dev eth1 scope link metric 1002 #i believe this entry is from a past ipclash 
169.254.0.0/16 dev eth0 scope link metric 1003 #that i have since sorted?


So to sum up:

How can I get traffic (let's say a ping) moving from Tunis to Mascara and vice versa?

Last edited by borgy95; 08-14-2012 at 06:55 AM.
 
Old 08-14-2012, 07:01 AM   #2
roger_heslop
Member
 
Registered: Oct 2009
Location: Leander, TX
Distribution: Fedora 20
Posts: 97

Rep: Reputation: 35
To forward across Alexandria, you'll need to tell it to route:

First, modify your /etc/sysctl.conf file, and change
Code:
net.ipv4.ip_forward = 0
to
Code:
net.ipv4.ip_forward = 1
Run sysctl -p to get the changes to take effect immediately.


Second, I normally add the following to my firewall:
Code:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
You may not need this step, as I'm not seeing any REJECT statements. That might take care of the Linux side, which is what I'm most familiar with. That's just vanilla routing; you'd need to do more for masquerading and/or port-forwarding, but if you're interested in more details, I happened to write a blog post about this the other day, here:

Hopefully that helps some, hopefully someone else may be able to fill in the other bits.
 
Old 08-14-2012, 07:57 AM   #3
borgy95
Member
 
Registered: Mar 2012
Location: England
Distribution: Debian, Kali, CentOS 7
Posts: 64

Original Poster
Rep: Reputation: Disabled
In addition to the above I have now tried flushing the iptables and adding the following rules -

Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
but still no joy!

What am I missing? Any help would be greatly appreciated. Even if it were just so I can simply get 192.168.5.9 to ping 10.14.136.1 via Alexandria, which is meant to act as the router for all traffic crossing from 192.168.5.0/26 to 10.14.136.0/24.
 
Old 08-14-2012, 08:33 AM   #4
roger_heslop
Member
 
Registered: Oct 2009
Location: Leander, TX
Distribution: Fedora 20
Posts: 97

Rep: Reputation: 35
Be sure that you restart the iptables service if you edit /etc/sysconfig/iptables directly. If you are typing the commands in, then ensure that you type
Code:
service iptables save
service iptables restart
You'll need routes on both hosts unless you're masquerading, which it appears you are, in which case make sure you have a route for the host on your stub network.

Also, if you're troubleshooting, you can use tcpdump to see what's happening on the linux box, as far as packets go, this way you can trace where the problem occurs. For example:

Code:
tcpdump -i eth0
will display all traffic occurring on eth0. Download Wireshark for your Windows clients to get complete visibility.

Last edited by roger_heslop; 08-14-2012 at 08:37 AM. Reason: additional material
 
Old 08-14-2012, 10:09 PM   #5
KinnowGrower
Member
 
Registered: May 2008
Location: Toronto
Distribution: Centos && Debian
Posts: 347

Rep: Reputation: 34
Quote:
Originally Posted by borgy95
In addition to the above I have now tried flushing the iptables and adding the following rules -

Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
but still no joy!

What am I missing? Any help would be greatly appreciated. Even if it were just so I can simply get 192.168.5.9 to ping 10.14.136.1 via Alexandria, which is meant to act as the router for all traffic crossing from 192.168.5.0/26 to 10.14.136.0/24.
The 2nd and 3rd iptables rules have different incoming and outgoing interfaces, e.g. the 2nd rule has -i eth1 but the 3rd rule has -i eth0. Make sure that is correct.
 
1 members found this post helpful.
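A shell version of the router setup from replies #2 and #3, plus a check for the interface direction point raised in this reply; this is an added example, not code from the thread or from any poster. It assumes eth1 (192.168.5.0/26) is the stub side where new connections originate and eth0 (10.14.136.0/24) is the side they are forwarded to; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the rule set for a
# two-NIC Linux router and checks a pasted rule set for the interface
# direction mix-up. Assumed roles: LAN_IF is the stub side where new
# connections originate (eth1, 192.168.5.0/26 on Alexandria); WAN_IF is
# the side they are forwarded to (eth0, 10.14.136.0/24).
# Print (do not run) the commands for LAN_IF=$1 -> WAN_IF=$2 forwarding:
# enable routing, accept new connections LAN->WAN, allow replies back,
# and masquerade on the interface the new connections leave through.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $1 -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Argument of iptables option $1 ("-i" or "-o") in rule line $2, or empty.
opt_arg() {
    printf '%s\n' "$2" | sed -n "s/.* $1 \([^ ]*\).*/\1/p"
}

# Read iptables commands on stdin; return 0 only if, for LAN_IF=$1 and
# WAN_IF=$2, new connections are accepted LAN->WAN, the RELATED,ESTABLISHED
# rule is its exact mirror, and MASQUERADE sits on -o WAN_IF.
rules_consistent() {
    new_in= new_out= ret_in= ret_out= nat_out=
    while IFS= read -r line; do
        case "$line" in
            *FORWARD*RELATED,ESTABLISHED*)
                ret_in=$(opt_arg -i "$line"); ret_out=$(opt_arg -o "$line") ;;
            *FORWARD*ACCEPT*)
                new_in=$(opt_arg -i "$line"); new_out=$(opt_arg -o "$line") ;;
            *POSTROUTING*MASQUERADE*)
                nat_out=$(opt_arg -o "$line") ;;
        esac
    done
    [ "$new_in" = "$1" ] && [ "$new_out" = "$2" ] &&
    [ "$ret_in" = "$2" ] && [ "$ret_out" = "$1" ] && [ "$nat_out" = "$2" ]
}

# Constructed sample: the rules from reply #3, checked with eth1 as the stub
# side. They accept new connections eth0->eth1 and NAT toward eth1, so the
# check fails; the generated set for the same interfaces passes.
POSTED='iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT'
check_posted() { printf '%s\n' "$POSTED" | rules_consistent eth1 eth0; }
check_generated() { router_rules eth1 eth0 | rules_consistent eth1 eth0; }
```

To apply the generated set on the router, review the output of `router_rules eth1 eth0` and then run it as root (the MASQUERADE line is only needed when the far side has no route back to the stub subnet).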
Old 08-15-2012, 03:17 AM   #6
borgy95
Member
 
Registered: Mar 2012
Location: England
Distribution: Debian, Kali, CentOS 7
Posts: 64

Original Poster
Rep: Reputation: Disabled
Thanks for the help guys...

Managed to get there in the end.

It was a combination of the underlying static routes not being correct and KinnowGrower's suggestion.