LinuxQuestions.org
Old 03-15-2006, 05:15 AM   #1
dmdb
LQ Newbie
 
Registered: Mar 2006
Posts: 2

Rep: Reputation: 0
cannot route through the box!


Hello,

I'm new here and I hope I do it right.


I'm trying to make my box route the traffic from the internet to my local net. Make the box act like a connection-sharing router.

It's got 2 NICs:

wlan0: 192.168.1.X - the internet access with default gateway: 192.168.1.1

eth0: 10.0.0.X - the local network access connected to the switch with access to my internal network.


I've enabled IP forwarding by editing the sysctl.conf file, but when I restart the network service I get the "Disabling the IP Forwarding" message. Does that mean that forwarding is disabled?

What route command should I use?
What iptables tables should I use?


I've been struggling with this problem for 2 weeks now, I hope some of you could lead me to the root of the problem...

Thanks in advance.

Fil.

Last edited by dmdb; 03-15-2006 at 05:18 AM.
 
Old 03-15-2006, 02:31 PM   #2
morgolis
LQ Newbie
 
Registered: Mar 2005
Posts: 11

Rep: Reputation: 0
Well first off, if you have IPtables running, remove it from the equation. Flush the IPTables out if there is a question about it. Next, check your IP Routes. Next try to ping the gateway of 192.168.1.1 from one of your 10.0.0.X machines to see if it's even routing past. If you can't ping 192.168.1.1 but you can ping 192.168.1.x (WLAN interface) then your gateway needs the IPRoute as it doesn't know the 10.0.0.X network exists and needs to know how to route traffic back.

So from my understanding your networking looks something like this:

192.168.1.1 (Gateway machine) ----- 192.168.1.x (WLAN Interface on different machine)---- 10.0.0.X (Same machine as WLAN interface)

Is this correct? Please tell us what you can ping from the 10.0.0.X network.
 
Old 03-15-2006, 05:07 PM   #3
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Rep: Reputation: 33
I have a similar setup at home that works flawlessly. Assuming network connectivity between your 10.0.0.x subnet is working:

Create an IPTables Firewall similar to below, and call it whatever you want. Make it executable:

Code:
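#!/bin/bash

IPTABLES=/sbin/iptables
EXTIF=wlan0   # external interface (towards 192.168.1.1)
INTIF=eth0    # internal interface (10.0.0.x network)

# Enable IPv4 forwarding in the running kernel
echo "1" > /proc/sys/net/ipv4/ip_forward

# Reset policies and flush existing rules; FORWARD defaults to DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Let replies to existing connections in, and all traffic from the internal network out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Log whatever reaches this point, before the DROP policy applies
$IPTABLES -A FORWARD -j LOG

# Rewrite the source address of packets leaving via the external interface
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE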
Run the script.

Next, make sure that your default route is 192.168.1.1
Code:
route del default ; route add default gw 192.168.1.1
And add the line 'nameserver 192.168.1.1' to your /etc/resolv.conf if it isn't there already.

On all the computers that you want to use to access the internet through this linux box, you will also need to add a DNS entry (192.168.1.1 might work, however I prefer to hardcode my ISP's DNS server IP in). You should be able to access the internet from any 10.0.0.x machine.

Hope this helps.

EDIT: I forgot to add...all your 10.0.0.0 machines wishing to access the net will also have to have the 10.0.0.x IP of your eth0 device, set as their gateway.

Last edited by camh; 03-15-2006 at 05:16 PM.
 
Old 03-15-2006, 05:23 PM   #4
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

I assume your network is set up like this:
10.0.0.1-253 / 255.255.255.0 Clients
10.0.0.254 / 255.255.255.0 Eth0 of your Linux box
192.168.1.2 / 255.255.255.0 Wlan0 of your Linux box
192.168.1.1 / 255.255.255.0 WLan adapter of the modem/router

then your routing table must look like:
Code:
# route -n
Destination     Gateway      Genmask         Indic Metric Ref    Use Iface
10.0.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.1.1   0.0.0.0         UG    0      0        0 wlan0
to configure the default gateway, if it hasn't been already done, the command line is "route add default gw 192.168.1.1"
this command won't be kept after restarting the network (or the machine), you have to write that in some config file (depends on your distro...)

Then you want to be able to forward packets from wlan0 to eth0 and vice versa... that's what you tried to do by editing sysctl.conf. As far as I'm concerned, I'm doing it manually (well, in my iptables script) by doing "echo 1 > /proc/sys/net/ipv4/ip_forward".

So to check if forwarding is enabled, you can always do a "cat /proc/sys/net/ipv4/ip_forward". Whatever the method used to enable forwarding, the answer should be 1.
If the file doesn't exist, then you're missing some module, I'd guess.

Once this is done/checked, you've got 2 solutions, depending on whether you can reconfigure the modem/router or not. If you can, then the easiest (but insecure) way to achieve what you want is, as morgolis said, to add the route info for the 10.0.0.0 network in your modem/router. Unfortunately, I won't be able to help unless you tell us what kind of machine it is...

If you can't do that, then you'll need to NAT the 10.0.0.x machines. It means that all packets coming from 10.0.0.x will have their source IP address changed to the one of your Linux wlan adapter. This way the router/modem won't even know that there are some machines in the 10.0.0.0 network.
To make things simple, this is done by using the following iptables command:
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

to do that, you need to have at least the CONFIG_IP_NF_TARGET_MASQUERADE module enabled in your kernel.

Note that NATing is not firewalling, if you want to add some security, you'll still need to filter which packets are allowed and which are not.
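
The checks that the replies above walk through (forwarding switch, persisted sysctl setting, default route, MASQUERADE rule, FORWARD policy), as an added example that is not part of any post in this thread. The function names and the sample rule dump are constructed for illustration; the functions only read text, so they can be run on saved `route -n` and `iptables-save` output.

```sh
#!/bin/sh
# Added example: read-only checks for the forwarding/NAT setup discussed in this thread.
# Every function parses text it is given, so it also works on saved command output.

# 0 if the kernel switch file (default: the live /proc entry) contains 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# 0 if the last uncommented net.ipv4.ip_forward line in a sysctl.conf-style file sets 1.
sysctl_persists() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { v=$2; gsub(/[ \t]/, "", v) }
             END { exit (v != "1") }' "$1"
}

# stdin: `route -n` output. 0 if a default route via gateway $1 leaves through iface $2.
has_default_route() {
    awk -v gw="$1" -v ifc="$2" '$1 == "0.0.0.0" && $2 == gw && $4 ~ /G/ && $NF == ifc { ok=1 }
             END { exit !ok }'
}

# stdin: `iptables-save` output. 0 if the nat table masquerades traffic leaving iface $1.
has_masquerade() {
    awk -v ifc="$1" '/^\*/ { tbl=$1 }
        tbl == "*nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            for (i = 1; i < NF; i++) if ($i == "-o" && $(i+1) == ifc) ok=1 }
        END { exit !ok }'
}

# stdin: `iptables-save` output. Prints the filter table's FORWARD policy (ACCEPT or DROP).
forward_policy() {
    awk '/^\*/ { tbl=$1 } tbl == "*filter" && $1 == ":FORWARD" { print $2 }'
}

# Constructed sample: the kind of dump iptables-save gives for the rule set in post #3.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -j LOG
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | has_masquerade wlan0 && echo "nat: MASQUERADE on wlan0 present"
echo "FORWARD policy: $(printf '%s\n' "$SAMPLE_RULES" | forward_policy)"
```

On the router itself, pipe `route -n` and (as root) `iptables-save` into the matching functions; a FORWARD policy of ACCEPT combined with a MASQUERADE rule means the box does NAT without filtering.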
 
  



All times are GMT -5. The time now is 08:17 AM.
