LinuxQuestions.org
Old 03-08-2009, 10:35 AM   #1
mk6032
routing/iptables problem


192.168.1.1 is default gateway and wireless router
192.168.1.254 is a wireless bridge
192.168.1.2 is a linux box configured as a router
192.168.0.1 is the linux box's other nic
192.168.0.21 is a DHCP host on the linux box's 0.x network

From 0.21, I can ping 1.1:

Code:
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=3ms TTL=63
Reply from 192.168.1.1: bytes=32 time=2ms TTL=63

Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms
Control-C
^C
C:\>
The problem is that from 1.1, I can't ping 0.21:

Code:
# ping 192.168.0.21
PING 192.168.0.21 (192.168.0.21): 56 data bytes
#
--- 192.168.0.21 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
This is the output of iptables --list on the linux box:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
The routing table on the linux box:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
The routing table on the default gateway (1.1):
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.90.0.1       *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     192.168.1.2     255.255.255.0   UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         h1.0.90.75.dyna 0.0.0.0         UG    0      0        0 ppp0
#
The output of iptables -t nat -L -v on the linux box:
Code:
Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination 
 175K   14M MASQUERADE  all  --  any    any     192.168.0.0/24       anywhere   

Chain OUTPUT (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination
the output of cat /proc/sys/net/ipv4/ip_forward is
1

Last edited by mk6032; 03-08-2009 at 11:23 AM. Reason: added ip_forward output
 
Old 03-08-2009, 11:30 AM   #2
rossonieri#1
hi mk,

this routing table on 1.1 is correct :
Code:
192.168.0.0     192.168.1.2     255.255.255.0   UG    0      0        0 br0
but unfortunately it has been blocked/overridden by this iptables rule:
Code:
Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination 
 175K   14M MASQUERADE  all  --  any    any     192.168.0.0/24       anywhere
Your computers behind NAT can access the outer world via this NAT/PAT mechanism: 1.1 sees their traffic as originating from 1.2, not from 0.21, and 1.2 acts as a request broker between the 0.0/24 subnet and the internet (including the 1.0/24 subnet).

So, to overcome this: you don't need to put in a MASQ rule, since your 1.1 router already has that 0.0/24 route.

HTH.
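As an added illustration (not code from the thread or from either poster) of what the quoted POSTROUTING rule actually rewrites, the following model replays two ICMP exchanges through the Linux router 192.168.1.2 with connection tracking. It assumes the router's interfaces are eth0 = 192.168.1.2 and eth1 = 192.168.0.1, as described in the first post, and it models the Netfilter rule that the nat table is consulted only for the first packet of a connection; later packets, replies included, reuse the binding recorded in the conntrack entry. Ports, ICMP ids and timeouts are left out.

```python
"""Model of a POSTROUTING MASQUERADE rule under connection tracking.

Added example, not code from the thread.  It models the Linux router from the
thread (eth0 = 192.168.1.2 on the 192.168.1.0/24 side, eth1 = 192.168.0.1 on
the 192.168.0.0/24 side) carrying the rule
    MASQUERADE  all  --  any  any  192.168.0.0/24  anywhere
Netfilter consults the nat table only for the first packet of a connection;
every later packet, replies included, reuses the binding stored in the
conntrack entry.  Ports, timeouts and ICMP ids are left out of the model.
"""
import ipaddress
from dataclasses import dataclass

IFACES = {
    "eth0": ipaddress.ip_interface("192.168.1.2/24"),
    "eth1": ipaddress.ip_interface("192.168.0.1/24"),
}
MASQ_SOURCE = ipaddress.ip_network("192.168.0.0/24")   # the rule's source match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def egress_iface(dst):
    """Pick the outgoing interface: a connected subnet, else the default route (eth0)."""
    addr = ipaddress.ip_address(dst)
    for name, iface in IFACES.items():
        if addr in iface.network:
            return name
    return "eth0"


class Router:
    def __init__(self, masquerade=True):
        self.masquerade = masquerade
        # conntrack entries: (original src, original dst, translated src)
        self.entries = []

    def forward(self, pkt):
        """Return the packet as it leaves the router."""
        for osrc, odst, tsrc in self.entries:
            if (pkt.src, pkt.dst) == (osrc, odst):      # original direction
                return Packet(tsrc, pkt.dst)
            if (pkt.src, pkt.dst) == (odst, tsrc):      # reply direction: undo the binding
                return Packet(pkt.src, osrc)
        # First packet of a new connection: the only time POSTROUTING nat is evaluated.
        tsrc = pkt.src
        if self.masquerade and ipaddress.ip_address(pkt.src) in MASQ_SOURCE:
            tsrc = str(IFACES[egress_iface(pkt.dst)].ip)
        self.entries.append((pkt.src, pkt.dst, tsrc))
        return Packet(tsrc, pkt.dst)


def outbound_flow(masquerade=True):
    """Echo request from 192.168.0.21 to 192.168.1.1 and the reply coming back.

    Returns (source address seen by 1.1, destination of the reply after the router)."""
    router = Router(masquerade)
    request = router.forward(Packet("192.168.0.21", "192.168.1.1"))
    reply = router.forward(Packet(request.dst, request.src))   # 1.1 answers whom it saw
    return request.src, reply.dst


def inbound_flow(masquerade=True):
    """Echo request originated by 192.168.1.1 toward 192.168.0.21, and the reply.

    Returns (source address seen by 0.21, destination of the reply after the router)."""
    router = Router(masquerade)
    request = router.forward(Packet("192.168.1.1", "192.168.0.21"))
    reply = router.forward(Packet(request.dst, request.src))
    return request.src, reply.dst


if __name__ == "__main__":
    print("0.21 -> 1.1 with MASQUERADE   :", outbound_flow(True))
    print("0.21 -> 1.1 without MASQUERADE:", outbound_flow(False))
    print("1.1 -> 0.21 with MASQUERADE   :", inbound_flow(True))
    print("1.1 -> 0.21 without MASQUERADE:", inbound_flow(False))
```

`outbound_flow` shows the behaviour described in the post: a connection that 0.21 originates reaches 1.1 with source 192.168.1.2, and the reply is mapped back to 0.21. `inbound_flow` returns the same pair with or without the rule: the first packet of a connection that 1.1 originates has source 192.168.1.1, which the rule's source match does not cover, so the conntrack entry carries no binding and the reply from 0.21 passes through unmodified. When a MASQUERADE rule is suspected, comparing the two directions this way tells you which flows it can affect at all.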
 
Old 03-08-2009, 11:42 AM   #3
mk6032
Original Poster
Quote (Originally Posted by rossonieri#1):
so - to overcome this : you dont need to put MASQ rule - since your 1.1 router already have that 0.0/24 route.

HTH.
Hello, thanks for taking a look at this. So you're saying get rid of the MASQ rule? OK... I'm flushing rules:

Code:
matt@ltsp:~$ sudo iptables --flush
matt@ltsp:~$ sudo iptables -t nat --flush
matt@ltsp:~$ sudo iptables -t mangle --flush
matt@ltsp:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 919K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 919K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
Check ping from 1.1 again:
Code:
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes

#
--- 192.168.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
 
Old 03-08-2009, 03:11 PM   #4
rossonieri#1
hi mk,

Quote:
Check ping from 1.1 again: failed.
Have you restarted iptables and ip_forward also? Flushing the chain alone sometimes doesn't work.

Keep me updated.

HTH.
 
Old 03-08-2009, 03:26 PM   #5
mk6032
Original Poster
Just out of curiosity, I added a static route on the wireless bridge (1.254) and tried to ping and it worked, but not from 1.1! WTF?!

Code:
# ifconfig br0
br0        Link encap:Ethernet  HWaddr 00:12:17:E2:8A:D5  
           inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:52329 errors:0 dropped:0 overruns:0 frame:0
           TX packets:16763 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:6607650 (6.3 MiB)  TX bytes:4977548 (4.7 MiB)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.90.8.1       gateway.mattkey 255.255.255.255 UGH   1      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         gateway.mattkey 0.0.0.0         UG    0      0        0 br0
# route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.2
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=1.416 ms
64 bytes from 192.168.0.1: seq=1 ttl=64 time=1.109 ms
64 bytes from 192.168.0.1: seq=2 ttl=64 time=1.152 ms
64 bytes from 192.168.0.1: seq=3 ttl=64 time=1.119 ms
64 bytes from 192.168.0.1: seq=4 ttl=64 time=1.119 ms
# 
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.109/1.183/1.416 ms
On 1.1 ...

Code:
# ifconfig br0
br0        Link encap:Ethernet  HWaddr 00:0F:66:0C:83:4F  
           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:15527 errors:0 dropped:0 overruns:0 frame:0
           TX packets:15043 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:1509174 (1.4 MiB)  TX bytes:3292206 (3.1 MiB)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
75.90.8.1       *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     192.168.1.2     255.255.255.0   UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         h1.8.90.75.dyna 0.0.0.0         UG    0      0        0 ppp0
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
# 
--- 192.168.0.1 ping statistics ---
25 packets transmitted, 0 packets received, 100% packet loss

#
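To check what the routing tables posted in this thread actually say about the path in each direction, here is an added example (not code from the thread or from either poster): a parser for the "Kernel IP routing table" format, a longest-prefix lookup, and a hop-by-hop trace across the four hosts. The tables are the ones posted above, transcribed the way `route -n` prints them ('*' and 'default' become 0.0.0.0, 'link-local' becomes 169.254.0.0, and the ppp peer hostnames are replaced by the 75.90.x.1 host route that appears on the same table). The table for the DHCP host 192.168.0.21 is an assumption: an ordinary client whose default gateway is 192.168.0.1. The `bridge_with_static_route` helper reproduces the `route add` done on 1.254 in this post.

```python
"""Longest-prefix route lookup over 'Kernel IP routing table' output and a
hop-by-hop path trace across the hosts in this thread.

Added example, not code from the thread.  Tables are the ones posted above in
numeric form; the table for host-0.21 is an assumption (default gateway
192.168.0.1).  Host names are labels chosen here, not names from the thread.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway metric iface")

TABLES = {
    "linux-1.2": """
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
""",
    "router-1.1": """
75.90.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.0.0     192.168.1.2     255.255.255.0   UG    0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         75.90.0.1       0.0.0.0         UG    0      0        0 ppp0
""",
    "bridge-1.254": """
75.90.8.1       192.168.1.1     255.255.255.255 UGH   1      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0
""",
    # Assumed table for the DHCP client on the 0.x side (not shown in the thread).
    "host-0.21": """
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
""",
}

# Which addresses belong to which host, taken from the first post.
ADDRESSES = {
    "linux-1.2": {"192.168.1.2", "192.168.0.1"},
    "router-1.1": {"192.168.1.1"},
    "bridge-1.254": {"192.168.1.254"},
    "host-0.21": {"192.168.0.21"},
}
IP_OWNER = {ip: host for host, ips in ADDRESSES.items() for ip in ips}

# The route added on 1.254 in this post, in the same table format.
STATIC_ROUTE = "192.168.0.0     192.168.1.2     255.255.255.0   UG    0      0        0 br0\n"


def parse_route_table(text):
    """Parse `route -n` style lines into Route records; header lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = fields[:8]
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def lookup(routes, dst):
    """Longest prefix match, lowest metric breaking ties.  Returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr not in r.network:
            continue
        if best is None or r.network.prefixlen > best.network.prefixlen or (
                r.network.prefixlen == best.network.prefixlen and r.metric < best.metric):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best.gateway, best.iface


def trace(src_host, dst, tables=TABLES, max_hops=8):
    """Follow each host's forwarding decision; returns the list of hosts visited."""
    path = [src_host]
    here = src_host
    for _ in range(max_hops):
        if dst in ADDRESSES[here]:
            return path                                  # delivered locally
        gateway, _iface = lookup(parse_route_table(tables[here]), dst)
        next_ip = str(gateway) if gateway else dst       # connected route: deliver directly
        here = IP_OWNER.get(next_ip)
        if here is None:
            path.append(f"unknown:{next_ip}")            # leaves the hosts we know about
            return path
        path.append(here)
    raise RuntimeError(f"hop limit reached tracing {src_host} -> {dst}")


def bridge_with_static_route():
    """Tables after `route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.2` on 1.254."""
    tables = dict(TABLES)
    tables["bridge-1.254"] = TABLES["bridge-1.254"] + STATIC_ROUTE
    return tables


if __name__ == "__main__":
    print(trace("router-1.1", "192.168.0.21"))
    print(trace("host-0.21", "192.168.1.1"))
    print(trace("bridge-1.254", "192.168.0.1"))
    print(trace("bridge-1.254", "192.168.0.1", bridge_with_static_route()))
```

Run as written, the trace finds a forward path 1.1 -> 1.2 -> 0.21 and a return path 0.21 -> 1.2 -> 1.1, so the routing tables on their own do not explain the failed ping from 1.1. For 1.254, the default route already hairpins through 1.1 and then 1.2 before the static route is added; the static route only shortens that to a direct hop via 1.2. A two-direction check like this is a cheap first step before looking at packet filtering on each device, and the parser accepts any table in the same format, so other hosts' tables can be dropped in as further entries.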
 
Old 03-08-2009, 03:45 PM   #6
mk6032
Original Poster
Quote (Originally Posted by rossonieri#1):
hi mk,



Have you restarted iptables and ip_forward also? Flushing the chain alone sometimes doesn't work.

Keep me updated.

HTH.
I deleted the masq rule from boot time options, then rebooted. Checked ip_forward and it's still 1.

Code:
matt@ltsp:~$ iptables -L -v & iptables -L -v -t nat
[1] 21956
Chain INPUT (policy ACCEPT 33654 packets, 2758K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 37406 packets, 8329K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 32617 packets, 3561K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 4577 packets, 335K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 9762 packets, 631K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7608 packets, 473K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[1]+  Done                    sudo iptables -L -v
matt@ltsp:~$ cat /proc/sys/net/ipv4/ip_forward 
1
matt@ltsp:~$

Last edited by mk6032; 03-08-2009 at 03:50 PM. Reason: added detail of console
 
Old 04-19-2009, 06:44 PM   #7
mk6032
Original Poster
solved

Whoops, I replied to the wrong thread. I can't find the delete thread button.

Last edited by mk6032; 04-19-2009 at 06:49 PM.
 
  


Tags
iptables, masquerade, route

