[SOLVED] CentOS 6.4 Router

networkexperiment · 07-23-2013, 08:57 PM

Hello Everyone,

I've been searching the web for 3 days now but am unable to find a solution. I have setup a home lab environment with 3 subnets and am using CentOS to route between 2 of them.

The internet gateway (AT&T router) is 172.31.251.225/29

CentOS eth2 is 172.31.251.227/29, eth0 is 172.31.251.233/29,

Linksys WRT54G WAN 172.31.251.234/29, LAN/WIFI 172.31.251.241/28

Destination Printer 172.31.251.254/28
=======================================================================
Connectivity so far:

Laptop with IP 172.31.251.226/29 is able to ping the Printer 172.31.251.254/28.

CentOS can ping 172.31.251.225/29, 172.31.251.254/28, google (74.125.224.194)

Linksys Diagnostic page is able to ping 172.31.251.233/29, 172.31.251.227/29
========================================================================
PROBLEM:
Packets can only travel one way. Linksys is unable to get to the AT&T router (172.31.251.225) or the internet. It can get to the interface facing the router but not past it. Attached is the output from "route", "iptables -L" and "sysctl.conf" on CentOS 6.4
========================================================================
Appreciate any help possible.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.251.232  *               255.255.255.248 U     0      0        0 eth0
172.31.251.224  *               255.255.255.248 U     0      0        0 eth2
172.31.251.240  172.31.251.234  255.255.255.240 UG    0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1004   0        0 eth2
default         homeportal      0.0.0.0         UG    0      0        0 eth2
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  172.31.251.224/27    anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere   
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1 

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456

Ser Olmy · 07-24-2013, 02:46 PM

It took me some time to get my head around your setup, I actually had to make a drawing. You sure are conserving those RFC 1918 addresses.

Since the laptop in the first subnet/segment can reach the printer in the third subnet, the routing on the CentOS server and the WRT54G is obviously working (the latter needs only a default gateway entry). By the way, what did you use as the default gateway on the laptop? I would assume 172.31.251.227, the CentOS PC?

The reason you can't reach the AT&T router or the Internet from the Linksys router (or from the subnet with the printer) is probably that the AT&T router lacks the necessary routing table entries. If it lacks return routes for the two subnets behind the CentOS PC, it will send reply packets to the only gateway it knows: the upstream (Internet) router.

You will need to add two entries, one for 172.31.251.232/29 and one for 172.31.251.240/28, both with 172.31.251.227 as the next-hop address. If for some reason you can't access or modify the routing table, you'll need to configure NAT on the CentOS PC.

networkexperiment · 07-25-2013, 01:45 PM

Hello Ser Olmy:

Thanks for the insight into routing. I saw the issue but could not recognize the problem. thank you. You were right the packets do not have a return route to the linksys router because they were searching for the 172.31.251.232/29 subnet from the ~224/29 subnet. There was no route. AT&T wont allow routing in the internal network. The way I solved that problem was to use just the MASQUERADE call in iptables. Here is the final script that I am running to get the router to work:

I am looking to break into Network Administration and that's why am trying to unnecessarily complicate the situation (by conserving IP addresses) to serve as a learning platform. :-)

Code:

#!/bin/bash
#
#
#
# IPtables router configuration script
#
# Flush all current rules from iptables
#
 iptables -v -F
 iptables -v -t nat -F
 iptables -v --delete-chain
 iptables -v -t nat --delete-chain
#
# Allow ssh connections on tcp port 22
#
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Default policies for INPUT, FORWARD & OUTPUT chains
#
 iptables -P INPUT DROP 
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT 
#
# Accept packets belonging to established and related connections
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept packets from trusted IP addresses
#
 iptables -A INPUT -s 172.31.251.224/27 -j ACCEPT

# Set forwarding for local lan segments
#
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
 iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
#
#
#
# Save Settings
 /sbin/service iptables save
#
# List Rules
#
 iptables -L -v
#
# Add a static route to 172.31.251.240/28
 route add -net 172.31.251.240/28 gw 172.31.251.234
#
# end script
#