Dear Linux Experts,

I am building a Linux Router based on RedHat 9.
the router has 2 Ethernet Interface with different IP.

Network layout looks like this

---------------
- Windows XP -
--------------
202.0.0.2/255.255.255.0 ; Default Gateway 202.0.0.1
|
|
eth1 : 202.0.0.1/255.255.255.0
----------------
- Linux Router -
----------------
eth0 : 192.168.1.12/255.255.255.0
|
|
192.168.1.1 : Windows 2000 Server ( have Apache web server )
192.168.1.10 : Other Router for main gateway
-----------
Internal LAN

from Windows XP, I can ping 192.168.1.12 successfully,
but cannot ping to 192.168.1.1 or 192.168.1.10.
other test is using web. Since the Router also have Webmin installed,
I can access
http://202.0.0.1:10000
and
http://192.168.1.12:10000
from my Windows XP computer browser.
but connecting to apache WebServer on 192.168.1.1 ( Windows 2000 Server ) is not possible at all.

Conclusion :
From Windows XP (202.0.0.1) I can ONLY connect to 192.168.0.12 on network 192.168.1.xx .

Where did I do wrong on the routing table ?
Any suggestions would be appreciated.
Thank you in advance.

------------------------------------------
Notes
Routing table list look like this :

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
202.0.0.1 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
192.168.1.255 192.168.1.12 255.255.255.255 UGH 0 0 0 eth0
192.168.1.12 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
202.0.0.255 202.0.0.1 255.255.255.255 UGH 0 0 0 eth1
192.168.1.0 192.168.1.12 255.255.255.0 UG 0 0 0 eth0
202.0.0.0 202.0.0.1 255.255.255.0 UG 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.10 0.0.0.0 UG 0 0 0 eth0


IPtables firewall is disabled by using command line :
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

just wondering, do you have the kernel ip forwarding enabled? you can do a

$ cat /proc/sys/net/ipv4/ip_forward

and if it tells 1, it is ok, if it tells 0, then do a

# echo 1 > /proc/sys/net/ipv4/ip_forward

and then try.

hope this works.

A key to routing is to consider where the far end machines will look to send replies...
They may have different default gateways set and be passing the replies into another router.

The answer is to set up a static route in each of 192.168.1.1 & 192.168.1.10 that points to network 202.0.0.0 netmask 255.255.255.0 via 192.168.1.12, or, to host 202.0.0.2 via 192.168.1.12

Hi,

After adding instructions in the /etc/rc.d/rc.local


route add -net 202.0.0.1 gateway 127.0.0.1 netmask 255.255.255.255
route add -net 202.0.0.255 gateway 202.0.0.1 netmask 255.255.255.255
route add -net 202.0.0.0 gateway 202.0.0.1 netmask 255.255.255.0

route add -net 192.168.1.255 gateway 192.168.1.12 netmask 255.255.255.255
route add -net 192.168.1.12 gateway 127.0.0.1 netmask 255.255.255.255
route add -net 192.168.1.0 gateway 192.168.1.12 netmask 255.255.255.0


and setting the default gateway of eth0 to 192.168.1.10 via webmin.
Webmin->Network->Routing and Gateway
I set the default gateway of eth0 to 192.168.1.10

It works.

for shahriar :
I checked the /proc/sys/net/ipv4/ip_forward
it reports 1

for peter_robb
There are nothing to change for the other router gateway ( on 192.168.1.10 ).

Thank you for the replies.
---

Except you have one problem. You have redudent entries because you specified -net, you also have to specify a netmask, but in fact it's a /32 netmask (i.e. a single IP) so what you're really doing is adding host routes, not network routes. If you would have simply used -host, you wouldn't need the netmask.

route add -net 202.0.0.1 gateway 127.0.0.1 netmask 255.255.255.255
route add -net 202.0.0.255 gateway 202.0.0.1 netmask 255.255.255.255
route add -net 202.0.0.0 gateway 202.0.0.1 netmask 255.255.255.0

route add -net 192.168.1.255 gateway 192.168.1.12 netmask 255.255.255.255
route add -net 192.168.1.12 gateway 127.0.0.1 netmask 255.255.255.255
route add -net 192.168.1.0 gateway 192.168.1.12 netmask 255.255.255.0


This isn't a very elegant way of doing it as chort mentioned...
and it is working by accident...

A static route is for a remote network, accessed via a local gateway/router, eg
route add -net 202.0.0.0 netmask 255.255.255.0 gw 192.168.1.12

The two machines in the 192.168.1.0 network need this to find 202.0.0.0 machines.

And if you have MASQUERADE or SNAT running on eth0 on the Linux router, it is doing all the hard work by translating all the 202.0.0.0 ip numbers into 192.168.1.12, which everyone can find.

& a couple of points to clarify route rules...
- using 127.0.0.1 as a gw would only work if you have bound another transport (eg ssh tunnel) to the lo interface..
- try not to set up overlapping -net definitions. The first one will win, when usually the tightest netmask (eg 255.255.255.255) wins..
- don't place broadcast numbers into a route definition

Dear Peter_Robb and Chort,

After reading the replies several times I still could not understand the explanation ( sorry ). I am a newbie in Linux, especially in IP Networking.
I got the idea of those IP settings from my Microsoft ISA Server routing table.
I already surfed the Internet to look for this specific issue.
I already got and read some materials from :
1) http://linux-ip.net/html/ ( about Linux Advanced IP networking ).
2) http://www.tldp.org -> The Linux System Administrators' Guide and The Linux Network Administrator's Guide, Second Edition
3) www.google.com -> searching for the same specific material.

I felt my solution is strange even though it works.

If you know any site that provide the concept of routing and setting the IP tables especially for the same issue, I would be appreciated.

Thank you.
---

That explains a lot...

Look, when you add the "-net" flag to route, that means "this is a network of IPs", i.e. more than one IP. When you specify a netmask of "255.255.255.255" that means "this IP address matches exactly with no wildcards at all", i.e. "this is a single IP address". So using -net combine with netmask 255.255.255.255 is contradictory. You're saying it's a network of one IP (which is not a network).

Dear chort,

Is these routing table have some side effect on the network
or
is it simply ( accidentally ) works but not the right thing ?

I just wonder what is the right routing table entries based on my network condition.

Thank you.

A couple of routes need to be added to the machines in the 192.168.1.x network,
and a suggestion about using 202.x.x.x on the M$ XP machine...

Apart from the normal interface entries, all the machines in the 192.168.1.x network need to be able to find the M$ XP machine..
Unfortunately, coz it's using an "Internet" number, you should only reference it by it's number, rather than it's network, to avoid blocking valid Internet numbers in 202.0.0.x that don't exist in your net.

So, add.. route add -host 202.0.0.2 gw 192.168.1.12 to all machines in the 192.168.1.x network (except the Linux router 192.168.1.12)

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
202.0.0.2 192.168.1.12 255.255.255.255 UGH 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.10 0.0.0.0 UG 0 0 0 eth0

If it's possible, change the M$ XP network back to a Class A,B or C network
Using Internet routable numbers inside a local net leads to trouble, eg if a real www site just happens to have the same number, etc..

Dear Peter_Robb,

I am sorry that this reply tooks several days from your last posting.
I have some task assignment and it has just been done.
I hope you still follow this thread.

By the time of writing this reply I am beginning to investigate the routing table. Further reply (from me) would be posted shortly.

Thank you.

Hi,

I did clean install the Linux router and I tried to re-do the same thing on the routing table. It DID NOT WORK.

Do I have to use NAT-IP Masquerading on to build the router ?
Is there anyone who can explain to me what is NAT, SNAT, DNAT & IP Masquerading ?
Brief explanation would be appreciated.
Any URLs to some guide/tutorial/howto on that topic will also help ( I am a patient learner ).


For Peter_Robb :

the Linux machine that I tried to build is intended to replace my Internet Gateway ( using M$ ISA Server and Exchange Server 2000 ).
The current machine has functions as
1. E-Mail Server ( I successfully build MailScanner, PostFix, ClamAV, SpamAssassin and SASL on Linux as replacement of Exchange Server ).
2. Internet Firewall ( I use NetFilter to replace ISA firewall ).
3. Internet Sharing ( I use the routing table -> This thread is used to solve this function. Correct me if I am wrong ).

The Linux box configuration above is intended to simulate that purpose. Once I finished building, integrating and testing all the functions, the Windows box will be decomissioned.

Network 202.0.0.x will represent the local intranet network.
Network 192.168.1.x will represent the Internet.

Since 192.168.1.x would be the Internet Networks, it is impossible to add such route from each node in the Internet.

Thank you.