Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
03-08-2009, 10:35 AM, #1, mk6032 (LQ Newbie; Chattanooga, TN; rhel, ubuntu, opensuse)
routing/iptables problem
192.168.1.1 is default gateway and wireless router
192.168.1.254 is a wireless bridge
192.168.1.2 is a linux box configured as a router
192.168.0.1 is the linux box's other nic
192.168.0.21 is a DHCP host on the linux box's 0.x network
From 0.21, I can ping 1.1:
Code:
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=3ms TTL=63
Reply from 192.168.1.1: bytes=32 time=2ms TTL=63
Ping statistics for 192.168.1.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms
Control-C
^C
C:\>
The problem is that from 1.1 I can't ping 0.21:
Code:
# ping 192.168.0.21
PING 192.168.0.21 (192.168.0.21): 56 data bytes
#
--- 192.168.0.21 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
This is the output of iptables --list on the linux box:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
The routing table on the linux box:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
link-local * 255.255.0.0 U 1000 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
The routing table on the default gateway (1.1):
Code:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
75.90.0.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.0.0 192.168.1.2 255.255.255.0 UG 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default h1.0.90.75.dyna 0.0.0.0 UG 0 0 0 ppp0
#
the output of iptables -t nat -L -v on the linux box:
Code:
Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
pkts bytes target prot opt in out source destination
175K 14M MASQUERADE all -- any any 192.168.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT 918K packets, 48M bytes)
pkts bytes target prot opt in out source destination
the output of cat /proc/sys/net/ipv4/ip_forward is
1
03-08-2009, 11:30 AM, #2, rossonieri#1 (Member)
hi mk,
this routing table on 1.1 is correct:
Code:
192.168.0.0 192.168.1.2 255.255.255.0 UG 0 0 0 br0
but unfortunately it has been blocked/overridden by this iptables rule:
Code:
Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
pkts bytes target prot opt in out source destination
175K 14M MASQUERADE all -- any any 192.168.0.0/24 anywhere
your computers behind the NAT can access the outside world via this NAT/PAT mechanism: 1.1 sees their traffic as originating from 1.2, not from 0.21, and 1.2 acts as a request broker between the 0.0/24 subnet and the internet (including the 1.0/24 subnet).
so, to overcome this, you don't need the MASQ rule, since your 1.1 router already has that 0.0/24 route.
HTH.
03-08-2009, 11:42 AM, #3, mk6032 (Original Poster)
Quote:
Originally Posted by
rossonieri#1
so - to overcome this : you dont need to put MASQ rule - since your 1.1 router already have that 0.0/24 route.
HTH.
Hello, thanks for taking a look at this. So you're saying get rid of the MASQ rule? OK... I'm flushing rules:
Code:
matt@ltsp:~$ sudo iptables --flush
matt@ltsp:~$ sudo iptables -t nat --flush
matt@ltsp:~$ sudo iptables -t mangle --flush
matt@ltsp:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 919K packets, 49M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 919K packets, 49M bytes)
pkts bytes target prot opt in out source destination
Check ping from 1.1 again:
Code:
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
#
--- 192.168.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
03-08-2009, 03:11 PM, #4, rossonieri#1 (Member)
hi mk,
Quote:
Check ping from 1.1 again: failed.
have you restarted iptables and ip_forward as well? flushing the chains alone sometimes doesn't work.
keep me updated.
HTH.
03-08-2009, 03:26 PM, #5, mk6032 (Original Poster)
Just out of curiosity, I added a static route on the wireless bridge (1.254) and tried to ping and it worked, but not from 1.1! WTF?!
Code:
# ifconfig br0
br0 Link encap:Ethernet HWaddr 00:12:17:E2:8A:D5
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:52329 errors:0 dropped:0 overruns:0 frame:0
TX packets:16763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6607650 (6.3 MiB) TX bytes:4977548 (4.7 MiB)
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
75.90.8.1 gateway.mattkey 255.255.255.255 UGH 1 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default gateway.mattkey 0.0.0.0 UG 0 0 0 br0
# route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.2
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=1.416 ms
64 bytes from 192.168.0.1: seq=1 ttl=64 time=1.109 ms
64 bytes from 192.168.0.1: seq=2 ttl=64 time=1.152 ms
64 bytes from 192.168.0.1: seq=3 ttl=64 time=1.119 ms
64 bytes from 192.168.0.1: seq=4 ttl=64 time=1.119 ms
#
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.109/1.183/1.416 ms
on 1.1 ...
Code:
# ifconfig br0
br0 Link encap:Ethernet HWaddr 00:0F:66:0C:83:4F
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15527 errors:0 dropped:0 overruns:0 frame:0
TX packets:15043 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1509174 (1.4 MiB) TX bytes:3292206 (3.1 MiB)
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
75.90.8.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.0.0 192.168.1.2 255.255.255.0 UG 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default h1.8.90.75.dyna 0.0.0.0 UG 0 0 0 ppp0
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
#
--- 192.168.0.1 ping statistics ---
25 packets transmitted, 0 packets received, 100% packet loss
#
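As an added example (not code from this thread or from any of its posters), the Python model below replays the routing tables and the MASQUERADE rule shown in posts #1, #2 and #5 through a small conntrack, so the hops, the source address each end sees and the TTLs of every ping can be checked offline. Host and interface names, the 128/64 initial TTLs of the Windows and Linux boxes, and the ppp peer 75.90.0.1 are taken from the posted output; the delivery model has no link layer or ARP and is an assumption. Run against the visible configuration it reproduces the TTL=63 of the Windows ping and the ttl=64 seen from the bridge, delivers a ping from 1.1 to 0.21 together with its reply, and shows that the MASQUERADE rule only touches flows whose first packet comes from 192.168.0.0/24: a ping initiated from 1.1 is forwarded unchanged in both directions, so whatever drops that ping on the real 1.1 is not something these tables explain.

```python
"""Added example, not code from this thread: a model of the routing and NAT
decisions the posted tables describe. Interface names, the Windows/Linux
initial TTLs (128/64) and the ppp peer 75.90.0.1 come from the posts; no
link layer or ARP is modelled (assumption)."""
from __future__ import annotations
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field, make_dataclass

Addr, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
Route = namedtuple("Route", "dest gateway iface")       # gateway None: directly attached
Packet = make_dataclass("Packet", ["src", "dst", "ttl", "flow"])  # flow ~ ICMP echo id

@dataclass
class Host:
    name: str
    addrs: dict                   # iface -> address
    routes: list
    forwards: bool = False        # /proc/sys/net/ipv4/ip_forward
    masq_src: Net | None = None   # -t nat -A POSTROUTING -s <net> -j MASQUERADE
    init_ttl: int = 64
    conntrack: list = field(default_factory=list)   # (flow, orig_src, orig_dst, nat_src)

    def owns(self, ip):
        return ip in self.addrs.values()

    def lookup(self, dst):                # longest-prefix match, like the kernel FIB
        hits = [r for r in self.routes if Addr(dst) in r.dest]
        return max(hits, key=lambda r: r.dest.prefixlen) if hits else None

    def prerouting(self, p):              # nat PREROUTING: un-NAT replies of a known flow
        for flow, osrc, odst, nsrc in self.conntrack:
            if flow == p.flow and (p.src, p.dst) == (odst, nsrc):
                p.dst = osrc

    def postrouting(self, p, out_iface):  # nat POSTROUTING: only a flow's first packet
        for flow, osrc, odst, nsrc in self.conntrack:   # consults the MASQUERADE rule
            if flow == p.flow and (p.src, p.dst) == (osrc, odst):
                p.src = nsrc              # repeat the earlier translation
                return
            if flow == p.flow and (p.src, p.dst) == (odst, osrc):
                return                    # reply packet, left untouched
        nsrc = p.src
        if self.masq_src is not None and Addr(p.src) in self.masq_src:
            nsrc = self.addrs[out_iface]  # MASQUERADE rewrites to the egress address
        self.conntrack.append((p.flow, p.src, p.dst, nsrc))
        p.src = nsrc

def transmit(hosts, p, origin):
    """Carry p from origin hop by hop; returns (receiving Host or None, path)."""
    by_ip = {ip: h for h in hosts.values() for ip in h.addrs.values()}
    cur, path, r = origin, [origin.name], origin.lookup(p.dst)
    while r is not None:
        if cur is not origin:             # a forwarding hop: TTL, then POSTROUTING
            p.ttl -= 1
            if p.ttl == 0:
                return None, path + ["ttl exceeded"]
            cur.postrouting(p, r.iface)
        nexthop = r.gateway or p.dst
        cur = by_ip.get(nexthop)
        if cur is None:
            return None, path + ["no host at " + nexthop]
        path.append(cur.name)
        cur.prerouting(p)
        if cur.owns(p.dst):
            return cur, path
        if not cur.forwards:
            return None, path + ["ip_forward=0"]
        r = cur.lookup(p.dst)
    return None, path + ["no route to " + p.dst]

def ping(hosts, origin, dst, flow):
    """One echo request and its reply, sourced from the egress interface's address."""
    r = origin.lookup(dst)                # every host in lab() has a default route
    req = Packet(origin.addrs[r.iface], dst, origin.init_ttl, flow)
    target, path = transmit(hosts, req, origin)
    out = {"delivered": target is not None, "reply": False, "path": path,
           "seen_from": req.src if target else None, "req_ttl": req.ttl}
    if target is not None:
        rep = Packet(req.dst, req.src, target.init_ttl, flow)
        back, rpath = transmit(hosts, rep, target)
        out.update(reply=back is origin, reply_path=rpath, reply_from=rep.src, reply_ttl=rep.ttl)
    return out

def lab(masquerade=True, gw_has_route=True, bridge_has_route=False):
    """The boxes from the thread; the knobs reproduce its experiments."""
    to_0 = [Route(Net("192.168.0.0/24"), "192.168.1.2", "br0")]
    lan = [Route(Net("192.168.1.0/24"), None, "br0")]
    dflt = [Route(Net("0.0.0.0/0"), "192.168.1.1", "br0")]
    gw = Host("gw", {"br0": "192.168.1.1"}, lan + (to_0 if gw_has_route else [])
              + [Route(Net("0.0.0.0/0"), "75.90.0.1", "ppp0")], forwards=True)
    ltsp = Host("ltsp", {"eth0": "192.168.1.2", "eth1": "192.168.0.1"},
                [Route(Net("192.168.1.0/24"), None, "eth0"),
                 Route(Net("192.168.0.0/24"), None, "eth1"),
                 Route(Net("0.0.0.0/0"), "192.168.1.1", "eth0")],
                forwards=True, masq_src=Net("192.168.0.0/24") if masquerade else None)
    bridge = Host("bridge", {"br0": "192.168.1.254"}, lan + (to_0 if bridge_has_route else []) + dflt)
    pc = Host("pc", {"eth0": "192.168.0.21"}, [Route(Net("192.168.0.0/24"), None, "eth0"),
              Route(Net("0.0.0.0/0"), "192.168.0.1", "eth0")], init_ttl=128)
    return {h.name: h for h in (gw, ltsp, bridge, pc)}
```

`ping(lab(), lab()["pc"], "192.168.1.1", 1)` returns the 0.21 to 1.1 case; swap the origin and destination, or build `lab(masquerade=False)` or `lab(gw_has_route=False)`, to replay the other experiments in the thread. The `flow` argument stands in for the ICMP echo identifier that real conntrack uses to keep the two ping directions apart.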
03-08-2009, 03:45 PM, #6, mk6032 (Original Poster)
Quote:
Originally Posted by
rossonieri#1
hi mk,
have you restart the iptables and ip_forward also? flushing the chain alone sometimes doesnt work.
keep me update.
HTH.
I deleted the masq rule from boot time options, then rebooted. Checked ip_forward and it's still 1.
Code:
matt@ltsp:~$ iptables -L -v & iptables -L -v -t nat
[1] 21956
Chain INPUT (policy ACCEPT 33654 packets, 2758K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 37406 packets, 8329K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 32617 packets, 3561K bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 4577 packets, 335K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9762 packets, 631K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7608 packets, 473K bytes)
pkts bytes target prot opt in out source destination
[1]+ Done sudo iptables -L -v
matt@ltsp:~$ cat /proc/sys/net/ipv4/ip_forward
1
matt@ltsp:~$
04-19-2009, 06:44 PM, #7, mk6032 (Original Poster)
solved
whoops, i replied to the wrong thread. i can't find the delete thread button