Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I've searched for and read a bunch of posts, HOWTO's, and other sources, but still can't figure out what I'm doing wrong... so please help!
I'm running a multihomed FC3 box in the following configuration:
Actiontec DSL router (dhcp for IP wan port 10.0.0.254/255.0.0.0 lan port)
--connected to--
FC3 box with 3 NICs:
-eth2 "wan" 10.0.0.1/255.0.0.0 (connects to Actiontec router)
-eth1 "secure" 192.168.0.254/255.255.255.0 (connects to switch, then onto various devices)
-eth0 "unsecure" 10.1.0.254/255.255.0.0 (connects to switch, then onto various devices)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
10.1.0.0 * 255.255.0.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth2
10.0.0.0 * 255.0.0.0 U 0 0 0 eth2
default dslmodem.domain 0.0.0.0 UG 0 0 0 eth2
I CAN access internet from the linux box, and I can ping all hosts on all networks from the linux box. From the separate networks (10., 10.2., 192.168.0.), I can ping the connected NIC (e.g. can ping the eth1 card from the 192.168.0 network), as well as all other eth interfaces.
However, I CANNOT ping to other hosts downstream from the linux box (i.e. from 192.168.0.1 cannot ping 10.0.0.100).
In order to isolate the problem, I have turned off IPTABLES (that way I don't have to learn the firewall at the same time). Turning off IPTABLES should give me full access to the entire network, right? I know I cannot masquerade without IPTABLES, but all I'm trying to do is be able to ping all hosts right now. I have also tried to set static routes for each eth if in the GUI network program, as well as tried adding routes via route add -net, to no avail.
What am I missing? Also, I can't figure out why there's a route for 169.254.0.0 set up, since I'm not using this network address for anything. Please help!
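An added example, not code posted by anyone in this thread: a small Python script that parses a routing table in the format pasted above (the two tables embedded below are constructed copies of the before and after tables in this thread) and reports destination networks that are nested inside one another on different interfaces, which is the overlapping-subnet condition the follow-up post reports fixing. It also flags the 169.254.0.0/16 entry: that is the zeroconf (link-local) route Red Hat's network scripts add unless NOZEROCONF=yes is set in /etc/sysconfig/network, and it is harmless for routing between the real subnets.

```python
"""Audit a Linux `route` / `netstat -rn` style table for overlapping subnets.

Added example; the tables are constructed copies of the thread's own output
(gateway column may hold a resolved hostname such as dslmodem.domain).
"""
import ipaddress
from itertools import combinations

# Before the fix: 10.1.0.0/16 on eth0 sits inside 10.0.0.0/8 on eth2.
ROUTE_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
10.1.0.0 * 255.255.0.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth2
10.0.0.0 * 255.0.0.0 U 0 0 0 eth2
default dslmodem.domain 0.0.0.0 UG 0 0 0 eth2
"""

# After the fix: the former 10.1.0.0/16 network was renumbered to 192.168.1.0/24.
FIXED_ROUTE_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth2
10.0.0.0 * 255.0.0.0 U 0 0 0 eth2
default dslmodem.domain 0.0.0.0 UG 0 0 0 eth2
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA / zeroconf range


def parse_routes(text):
    """Return (network, gateway, iface) tuples; the two header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        # ipaddress accepts a dotted netmask after the slash.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def find_overlaps(routes):
    """Pairs of non-default routes where one destination contains the other
    but they leave via different interfaces.

    The router itself still picks the narrower route (longest-prefix match),
    but any host configured with the wider mask believes the narrower network
    is directly attached, ARPs for those addresses instead of sending replies
    to the router, and traffic crosses in one direction only.
    Returns [(narrow_network, wide_network), ...] as strings.
    """
    overlaps = []
    for (a, _, ia), (b, _, ib) in combinations(routes, 2):
        if a.prefixlen == 0 or b.prefixlen == 0:
            continue  # the default route contains everything by design
        if ia != ib and (a.subnet_of(b) or b.subnet_of(a)):
            wide, narrow = (a, b) if a.prefixlen < b.prefixlen else (b, a)
            overlaps.append((str(narrow), str(wide)))
    return overlaps


def link_local_routes(routes):
    """Routes into 169.254.0.0/16, returned as (network, iface) strings."""
    return [(str(n), iface) for n, _, iface in routes
            if n.subnet_of(LINK_LOCAL)]


if __name__ == "__main__":
    for label, table in (("before", ROUTE_TABLE), ("after", FIXED_ROUTE_TABLE)):
        rs = parse_routes(table)
        print(f"{label}: overlaps={find_overlaps(rs)} "
              f"link-local={link_local_routes(rs)}")
```

To run it against a live box, paste the output of `route` or `netstat -rn` into ROUTE_TABLE; the parser only needs the eight standard columns.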
Good call on the overlapping subnet... didn't realize it, but makes sense that one is a part of another. I've fixed that, now I have the following ifconfig:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth2
10.0.0.0 * 255.0.0.0 U 0 0 0 eth2
default dslmodem.domain 0.0.0.0 UG 0 0 0 eth2
Quote:
What does the routing table on the boxes with the 192.x.x.x IPs look like? Maybe they dont even know that the 10.x.x.x network is there.
The routes on the WinXP box (192.168.0.1) don't have entries for the 10.x network, but the default route is to 192.168.0.254, which is eth1 on the Linux box. Is a static route on all devices on each subnet required? I had envisioned that the Linux box would be a 'router' and pass packets back and forth between the subnets?
Also, if it helps, here's my static config files:
Code:
[root@doraemon network-scripts]# more route-secure
10.0.0.0/8 via 10.0.0.1
192.168.1.0/24 via 192.168.1.254
[root@doraemon network-scripts]# more route-unsecure
10.0.0.0/8 via 10.0.0.1
192.168.0.0/24 via 192.168.0.254
[root@doraemon network-scripts]# more route-wan
192.168.1.0/24 via 192.168.1.254
192.168.0.0/24 via 192.168.0.254
Thanks for any additional insight anyone can provide!!
Quote:
I had envisioned that the Linux box would be a 'router' and pass packets back and forth between the subnets?
OK I didn't know for sure that's what you were trying to do. There should be no problems doing that, but I think you need to tell that box that it should be routing traffic to the other subnets/interfaces. All the routing and firewalling I have setup has been on *BSD, so I'm not sure on the specifics of setting this up on a Linux box. I think there is an IP_forwarding option you can set that will do this, but you may want to wait for someone else to post other details.
Fur - thanks for trying! I think I turned the ip forward on already...
net.ipv4.ip_forward = 1
Not sure if there's anything else I need to do. This is actually pretty frustrating since I'm sure I'm missing something minor that will lead to a big 'DOH!' when this is fixed.
I have iptables turned off for now. This should open up everything, right? Or does it lock down everything? I was thinking that if I can prove it works w/o firewall, then I can at least isolate my problems down to rulesets. But even w/ service iptables stopped, still can't ping across subnets.
It looks like everything is configured properly on the Linux box. I think you need to use a packet sniffer such as Ethereal to diagnose the problem. It will tell you exactly where your pings are failing.
You can get Ethereal at http://www.ethereal.com. They have versions for both Linux and Windows. If you've never used a packet sniffer before, now is a good time to learn. They save you a tremendous amount of time in diagnosing network problems such as yours.
Am I correct in assuming that with iptables off, there should be no filtering of packets? It would be silly of me if I locked all routing by turning the firewall off?
I think with Red Hat, when you execute service iptables stop it will stop the firewall. You could execute iptables -F to flush the firewall to be sure.
Of course, iptables isn't the only firewall available. I helped one guy troubleshoot a network problem that acted like a firewall but he had iptables shut off. It turned out that he was running Shorewall on his machine. Once he stopped it, he solved his problem.
Check out this link:
You may want to double check the default gateway and subnet mask settings on all your workstations to be sure you haven't made a typo there that could cause the problem.
These commands should return the rules of your firewall. If they are totally empty they should show three chains each, INPUT, OUTPUT, FORWARD, POSTROUTING and PREROUTING.
Check also that each of them has the policy ACCEPT.
I receive the result "Firewall is stopped". I think this opens up the whole system?
cowanrl: Thanks for your continued support. I'll check for additional firewalls as soon as I get home... I don't think I installed any, but I could be wrong!! :-)
On my subnets, the machines are configured thusly:
Linux eth0 (192.168.1.254/24)-->nothing attached right now.
Linux eth1 (192.168.0.254/24)-->D-Link Switch-->WinXP (192.168.0.1/24, default route 192.168.0.254/24)
Linux eth2 (10.0.0.1/8)-->Actiontec broadband router (Lan addy static 10.0.0.254/8, static route set for 192.168.0.0/24 via 10.0.0.1/8)-->Win98 (10.0.0.100/8, default route 10.0.0.1/8).
I can ping all devices on each subnet from Linux, and can ping the Linux box from both the WinXP and Win98 machine (can ping all three eth addys), but cannot ping from WinXP to Win98 or vice-versa.
I also tried to run Ethereal as you suggested, but couldn't get it running (it wanted me to install GTK+, which requires Glib, which requires Pango, which requires Glib... circular reference!) After a couple hours, I decided to put installing Ethereal aside for another day, perhaps will do a more complete Fedora install so I have all these packages ready to go.
Also, I'm reconsidering if I'm going about this the right way. What I'd like to do is to create 3 networks, the 10. network will be the DMZ, run a firewall, eventually serve a website via the linux box, etc. The 192.168.0 network will be a secured zone that runs personal information (family PCs, with their associated personal contents), and will have strict firewall rulesets. I don't much care if I can't play network games out of this zone. The 192.168.1 network will be a less secured zone that hosts general devices (networked X-Box, online storage of media files that will be shared among devices, provide WLAN service, host IP cameras, etc.) This zone should be accessible from the Internet upon authentication (thinking of doing free Radius from the Linux box, but that's much further down the road). Ideally, I'd spend $$$ for a router or layer 3 switch, but I'm hoping Linux can do it for me for free. Do you think I'm going down the right path to achieve the setup I'm proposing?
and be sure it returns a 1. This setting, net.ipv4.ip_forward = 1, in sysctl is supposed to place a 1 in the file. If the command returns a zero, then for some reason the setting in your sysctl file isn't working. In that case, execute:
echo 1 > /proc/sys/net/ipv4/ip_forward and see if it starts routing.
Ethereal may have been included with your FC distribution. If you can find a package there, it will install all the prerequisites.
I'm not sure if Ethereal will run on Win9x machines. I've never tried it.
There doesn't seem to be anything wrong with the logic of your network.
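An added example, not from the thread: a Python checklist that turns the checks suggested in the replies above (ip_forward reads 1, the filter chains have policy ACCEPT, nothing is still loaded after `service iptables stop` or `iptables -F`) into functions that take the text of /proc/sys/net/ipv4/ip_forward and of `iptables -L -n`. The two iptables outputs embedded below are constructed samples; run as a script it reads the live values when it can (root on Linux), otherwise it only evaluates the samples.

```python
"""Forwarding checklist for a Linux box that should route between subnets.

Added example; the sample outputs are constructed, not captured from the
poster's machine.  Pure functions take text so they can run offline.
"""
import re
import subprocess

# Constructed `iptables -L -n` after `iptables -F` / `service iptables stop`.
FLUSHED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed output of a firewall reported 'stopped' by name but still
# loaded, e.g. by a wrapper such as Shorewall that programs iptables itself.
LOADED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)")


def ip_forward_enabled(value):
    """/proc/sys/net/ipv4/ip_forward reads "1\\n" when the kernel forwards.
    net.ipv4.ip_forward = 1 in /etc/sysctl.conf only sets it at boot (or on
    `sysctl -p`); `echo 1 > /proc/sys/net/ipv4/ip_forward` sets it now."""
    return value.strip() == "1"


def chain_policies(iptables_output):
    """Map chain name -> default policy from `iptables -L -n` output."""
    policies = {}
    for line in iptables_output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def rule_count(iptables_output):
    """Number of rule lines (not chain headers, column headers or blanks).
    A flushed firewall has zero."""
    return sum(1 for line in iptables_output.splitlines()
               if line.strip()
               and not line.startswith("Chain ")
               and not line.startswith("target "))


def forwarding_problems(ip_forward_value, filter_output):
    """List the findings from this checklist that would stop pings from
    crossing the box even with the firewall 'off'; empty means none found."""
    problems = []
    if not ip_forward_enabled(ip_forward_value):
        problems.append("ip_forward is 0: kernel discards packets not addressed to itself")
    policy = chain_policies(filter_output).get("FORWARD", "ACCEPT")
    if policy != "ACCEPT":
        problems.append(f"FORWARD policy is {policy}: forwarded packets are dropped by default")
    n = rule_count(filter_output)
    if n:
        problems.append(f"{n} rule(s) still loaded: the firewall was not actually flushed")
    return problems


def live_check():
    """Evaluate the real box; None when /proc or iptables is not available."""
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            fwd = f.read()
        out = subprocess.run(["iptables", "-L", "-n"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return forwarding_problems(fwd, out)


if __name__ == "__main__":
    print("flushed sample:", forwarding_problems("1\n", FLUSHED))
    print("loaded sample: ", forwarding_problems("0\n", LOADED))
    print("this box:      ", live_check())
```

Note that the filter table is only one place a packet can be dropped; the same chain_policies() call works on `iptables -t nat -L -n` output if PREROUTING/POSTROUTING need checking too.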
I've already checked the ip forwarding setting (see previous posts). I did see an Ethereal for Windows machines... is this something I can run on Windows to diagnose problems on the linux box, or do I have to run it on Linux since that box is where the packets appear to be disappearing?
I know Ethereal will run on Windows XP so you could install it there. Start capturing packets on it, then ping the XP machine from Win98 machine. You could then see if you are receiving/sending ICMP packets from the XP machine. If you receive the packets, you know the Linux machine is forwarding them. If you don't receive them, that's when you need to be running Ethereal on the Linux machine to see if the packets are moving in and out of it.
You can also look at your arp cache on any machine to see if it is sending packets. On your XP machine, you can view the arp cache from the command line with:
arp -a
You can clear the entire arp cache with:
arp -d *
Then ping the XP machine from the 98 machine and look at the arp cache on the XP machine again. If it received and replied to the ping, you should see an entry in the arp cache for its default gateway. You need to be sure that nothing else is going on on your network so you don't get entries in the arp cache from other network activity.
You can also do the same thing on the Linux machine. I don't have a Linux machine here at work so I'm not sure about the syntax for it. You'll need to do a man arp or arp --help to see how to use it.
By looking at the arp cache for the interface on the Linux machine that the XP machine is connected to, you could see if it transmitted packets on that interface. Always be sure to clear the arp cache before you do any testing.
An arp cache can also help you troubleshoot network problems. I think it's a little more cumbersome than using a packet sniffer though. On a busy network, it's sometimes hard to keep the arp cache empty so you can test.