04-11-2005, 12:33 AM  #1
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Dual Xeon Slackware Linux Router
I am having serious problems and I hope you guys can help me out. I am helping a friend setup his Dual Xeon as a router. We have decided to set it up as follows:
Internet In --> Dual Xeon (eth0) --> Out (eth1) to Switch --> Switch to other machines.
We have set it up so that eth0 is the internet interface, and eth1 is 192.168.0.1 on 192.168.0.0/24.
I've worked on it all day and I have made progress, but there are still little problems. One is that other servers on the network are unable to perform DNS queries. Even if I manually set the DNS server information on the server, the queries time out:
(Dual Xeon Router)
root@silverstar:/home/darvocet# host google.com
google.com has address 216.239.57.99
google.com has address 216.239.39.99
google.com has address 216.239.37.99
root@silverstar:/home/darvocet# ping google.com
PING google.com (216.239.39.99) 56(84) bytes of data.
64 bytes from 216.239.39.99: icmp_seq=1 ttl=245 time=62.2 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 62.256/62.256/62.256/0.000 ms
root@silverstar:/home/darvocet# ping 209.163.146.254
PING 209.163.146.254 (209.163.146.254) 56(84) bytes of data.
64 bytes from 209.163.146.254: icmp_seq=1 ttl=64 time=0.454 ms
--- 209.163.146.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.454/0.454/0.454/0.000 ms
(Misc Machine on network)
darvocet@redwood:~$ host google.com
;; connection timed out; no servers could be reached
darvocet@redwood:~$ ping 209.163.146.254
connect: Network is unreachable
darvocet@redwood:~$ cat /etc/resolv.conf
nameserver 209.163.146.254
darvocet@redwood:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.106 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.085 ms
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.085/0.095/0.106/0.014 ms
---
Ok so obviously the machine (redwood) at 192.168.1.24 cannot communicate with the DNS server at 209.163.146.254, however it CAN communicate with the Xeon Router at 192.168.0.1.
Also the Router (Xeon) can communicate via DNS, Ping, and SSH to various internet servers.
Route (on Xeon):
root@silverstar:/home/darvocet# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
localnet * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default gw1.waldenweb.c 0.0.0.0 UG 1 0 0 eth0
IfConfig (on Xeon):
eth0 Link encap:Ethernet HWaddr 00:0E:0C:3E:10:ED
inet addr:209.163.146.xxx Bcast:209.163.146.255 Mask:255.255.255.0
inet6 addr: fe80::20e:cff:fe3e:10ed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50488 errors:0 dropped:0 overruns:0 frame:0
TX packets:7216 errors:1 dropped:0 overruns:0 carrier:1
collisions:69 txqueuelen:1000
RX bytes:4662351 (4.4 Mb) TX bytes:793765 (775.1 Kb)
Base address:0xec00 Memory:defa0000-defc0000
eth1 Link encap:Ethernet HWaddr 00:12:17:53:4F:32
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::212:17ff:fe53:4f32/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1347 errors:0 dropped:0 overruns:0 frame:0
TX packets:2065 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:178891 (174.6 Kb) TX bytes:195907 (191.3 Kb)
Interrupt:20 Memory:deff4000-0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:70 errors:0 dropped:0 overruns:0 frame:0
TX packets:70 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6322 (6.1 Kb) TX bytes:6322 (6.1 Kb)
--
Using quicktables script for firewall and NAT iptables config. As pasted below:
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2005.04.10.13
#
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 209.163.146.xxx  # *** external static IP
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p tcp --dport 53 -j ACCEPT
$iptables -A INPUT -p tcp --dport 6660 -j ACCEPT
$iptables -A INPUT -p tcp --dport 6667 -j ACCEPT
$iptables -A INPUT -p tcp --dport 6668 -j ACCEPT
$iptables -A INPUT -p tcp --dport 6669 -j ACCEPT
$iptables -A INPUT -p tcp --dport 7000 -j ACCEPT
$iptables -A INPUT -p udp --dport 53 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth0 -p tcp --dport 113 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 209.163.146.xxx --dport 113 -j DNAT --to-destination 192.168.0.5:113  # *** -d is the external static IP
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
----------------------------------
Does anyone have any idea what I could be missing? I've spent all day working on this, and I get pings to the gateway working on other machines, but then DNS stops working or something similar. It is driving me crazy!!! Any help is very much appreciated.
Sorry for the question that I'm sure you've answered a thousand times, however I did search and was unable to find anything very useful.
Thanks,
Darvocet
04-11-2005, 12:38 AM  #2
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
It's nothing to do with DNS. Your routes are not routing. I don't have a solution yet. Lemme look at it for a bit. I typically set the LAN with eth0, since it loads that first.. but it shouldn't matter. Lemme check out your settings.
Last edited by Thoreau; 04-11-2005 at 12:40 AM.
04-11-2005, 12:40 AM  #3
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
Could you do a route -n on the server and post it, if you would. Need to see where you're hosed.
04-11-2005, 12:42 AM  #4
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Quote:
Originally posted by Thoreau
Could you do a route -n on the server and post it, if you would. Need to see where you're hosed.
root@silverstar:/home/darvocet# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
209.163.146.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 209.163.146.1 0.0.0.0 UG 1 0 0 eth0
Thank you for helping
04-11-2005, 01:07 AM  #5
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
OK, so eth0 is the route out to the internet. It isn't, as configured.
0.0.0.0 209.163.146.1 0.0.0.0 UG 1 0 0 eth0
route add -net XXX.XXX.XXX.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth0
The gateway should be the route out, not your server ip. The packet stops there, which is your server.
Gateway would be the first hop out(through your isp) for eth0.
04-11-2005, 01:23 AM  #6
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Quote:
Originally posted by Thoreau
OK, so eth0 is the route out to the internet. It isn't, as configured.
0.0.0.0 209.163.146.1 0.0.0.0 UG 1 0 0 eth0
route add -net XXX.XXX.XXX.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX dev eth0
The gateway should be the route out, not your server ip. The packet stops there, which is your server.
Gateway would be the first hop out(through your isp) for eth0.
Ok, so if I understand you correctly this is what you wanted from my route:
root@silverstar:/home/darvocet# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
209.163.146.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 209.163.146.1 0.0.0.0 UG 1 0 0 eth0
Now, on the network computer still unable to access the internet:
darvocet@redwood:~$ host google.com
darvocet@redwood:~$ ping 209.163.146.254
connect: Network is unreachable
Ifconfig (lan machine)
eth0 Link encap:Ethernet HWaddr 00:40:CA:6F:1A:21
inet addr:192.168.0.23 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2321767 errors:0 dropped:0 overruns:0 frame:0
TX packets:2275204 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:224550476 (214.1 Mb) TX bytes:456231711 (435.0 Mb)
Interrupt:10 Base address:0x3000
....
Internet still seems to work fine from the Xeon Router. Now with that route added it appears pretty much the same is happening. The Xeon is able to communicate to the entire LAN, and the internet. The LAN machines are able to communicate with the LAN but not the internet.
hehe what is it that I am still missing? I know it's something stupid.
04-11-2005, 01:30 AM  #7
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Also, not sure if this could cause any of the problems I'm experiencing, but this is the routing table for the LAN machine I am using to test.
root@redwood:/home/darvocet# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
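As an added example (not from the thread), a small Python route lookup that parses the two `route -n` tables posted above (copied here as constructed strings) and performs the kernel's longest-prefix match, so the "connect: Network is unreachable" that redwood reports can be reproduced offline: a table with no 0.0.0.0 default entry has no route that matches 209.163.146.254.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the two `route -n` tables posted in this thread:
# the Xeon router (silverstar) and the LAN test machine (redwood).
ROUTER_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
209.163.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         209.163.146.1   0.0.0.0         UG    1      0        0 eth0
"""

LAN_HOST_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for an on-link route (no 'G' flag)
    metric: int
    iface: str

def parse_route_n(text: str) -> List[Route]:
    """Parse the classic net-tools `route -n` layout into Route records."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        dest, gw, mask, flags, metric, _ref, _use, iface = cols[:8]
        network = ipaddress.IPv4Network(f"{dest}/{mask}")  # 0.0.0.0/0.0.0.0 is the default route
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, int(metric), iface))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lower metric wins a tie. None is what the
    kernel reports as 'connect: Network is unreachable'."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

def explain(table_text: str, dst: str) -> str:
    """One-line verdict for a destination against a posted table."""
    route = lookup(parse_route_n(table_text), dst)
    if route is None:
        return f"{dst}: Network is unreachable (no matching route and no default)"
    via = f"via {route.gateway}" if route.gateway else "on-link"
    return f"{dst}: {via} dev {route.iface}"

def has_default_route(table_text: str) -> bool:
    return any(r.network.prefixlen == 0 for r in parse_route_n(table_text))
```

Running `explain(LAN_HOST_TABLE, "209.163.146.254")` returns the unreachable verdict, while the same destination against `ROUTER_TABLE` resolves on-link via eth0 and an internet address resolves via the 209.163.146.1 default.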
04-11-2005, 01:43 AM  #8
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
0.0.0.0 -----------------> 209.163.146.1 <------------ 0.0.0.0 UG 1 0 0 eth0
Nothing has changed.. unless I'm going blind. The gateway is still 209.163.146.1. The packets will stop there. The gateway should be the next hop up.
tracert google.com to find the IP.
04-11-2005, 01:49 AM  #9
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
traceroute to google.com (216.239.57.99), 30 hops max, 38 byte packets
1 gw1.waldenweb.com (209.163.146.1) 1.364 ms 0.955 ms 0.986 ms
2 tagg-02-at-4-0-0-17.hsto.twtelecom.net (207.235.32.109) 16.977 ms 12.215 ms 14.103 ms
3 dist-02-so-3-2-1-0.hsto.twtelecom.net (168.215.55.197) 16.726 ms 22.225 ms 25.837 ms
Hmm, so you're saying I should put the route with the gateway as 207.235.32.109? The gateway for the static IP is 209.163.146.1.
04-11-2005, 02:04 AM  #10
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
Not exactly. If you have a static IP, your ISP(your IP) has a gateway address. You would want to use that as the eth0 gateway, rather than the static IP. The gateway isn't the same as your eth0's given IP.
The gateway address allows your internal routes out to the internet.
04-11-2005, 02:14 AM  #11
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Quote:
Originally posted by Thoreau
Not exactly. If you have a static IP, your ISP(your IP) has a gateway address. You would want to use that as the eth0 gateway, rather than the static IP. The gateway isn't the same as your eth0's given IP.
The gateway address allows your internal routes out to the internet.
Well, that's how I believe I have it... For argument's sake let's say...
My Static IP is: 209.163.146.150
My Gateway IP is: 209.163.146.1
My Subnet is: 255.255.255.0
DNS Server: 209.163.146.254
So the route I have setup to route all traffic 'through' eth0 to 209.163.146.1 should be correct. 'I believe'.
so in route I have:
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
209.163.146.0 209.163.146.1 255.255.255.0 UG 0 0 0 eth0
209.163.146.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 209.163.146.1 0.0.0.0 UG 1 0 0 eth0
..
I'm not sure where the other gateway came from, maybe a boot-up script, but even if I remove that I still don't get any different result on the other machines.
Again, I appreciate your continued help :P
04-11-2005, 02:25 AM  #12
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
OK, I got confused. I thought that was your IP, but I realized you never posted your IP. So, .1 is your gateway from your ISP. You have no router above you, and .1 is the gateway from your ISP. Works for me.
Now let's try this again. The gateway is fine(if accurate). You have a DNS server on 254. You aren't caching DNS on .150. You are not a DNS server at .150. You are not a DHCP server on .150. You are just internet routing without DNS or DHCPD.
I'm going to assume that DNS(.254) is hard coded into each client, as well as .150 as the gateway out. Can you verify the IP setup for the client?
04-11-2005, 02:38 AM  #13
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Quote:
Originally posted by Thoreau
OK, I got confused. I thought that was your IP, but I realized you never posted your IP. So, .1 is your gateway from your ISP. You have no router above you, and .1 is the gateway from your ISP. Works for me.
Now let's try this again. The gateway is fine(if accurate). You have a DNS server on 254. You aren't caching DNS on .150. You are not a DNS server at .150. You are not a DHCP server on .150. You are just internet routing without DNS or DHCPD.
I'm going to assume that DNS(.254) is hard coded into each client, as well as .150 as the gateway out. Can you verify the IP setup for the client?
Ok yea no problem, sorry for the confusion.
I am a DNS Server on .150 and am running a DHCP server with the config:
root@silverstar:/home/darvocet# cat /etc/dhcpd.conf
# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
default-lease-time 86400;
max-lease-time 86400;
ddns-update-style none;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.0;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1, 209.163.146.254, 151.164.1.8, 151.164.11.201;
option domain-name "wesbox.com";
option netbios-node-type 1;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.2 192.168.0.25;
}
For the other machines I AM using the hardcoded method to get it working. The DHCP assigns the IP and the GW (gw as .150); DNS is hardcoded in as .254. DHCP runs with "dhcpd eth1" and starts without any obvious errors. Logs appear fine. DNS is configured and running correctly as well. As for the caching part, I've never totally gotten that working exactly as I'd like it, so for the time being the servers all have .254 in their settings. DNS localhost and LAN 0.168.192.in-addr.arpa are correctly loaded.
Sorry if it just got more complicated
04-11-2005, 03:48 AM  #14
Senior Member
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167
OK, well. I'm out of ideas. We're back to the routing or lack thereof again. For what you are doing, I'm going to take a cheap shot and give you a way to get it working at go. For what you are doing, on a SMP machine, give this a shot.
http://optusnet.dl.sourceforge.net/s...pcop-1.4.5.iso
This is heresy in a slackware forum, but something is not stirring the routes and services properly for this setup. All the services/routes that you need, and are lacking here, are setup by default with IPCOP from go. That's the quick fix, or we can contemplate this setup all night.
If you are set on slackware though, please ignore this option. Perhaps another forum user will come up with a solution and post it later. Sorry for the cheap shot, but I don't see anything obvious besides the lack of DNS namecaching and confused routes. Which IPCOP does well as I've tested it. Also, clarkconnect is good- but costs money for automagical updates.
04-11-2005, 12:22 PM  #15
Member
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66
Original Poster
Well, many thanks, I will give that a shot. I do prefer Slack; I've used it more than the other distros, though I am not averse to using another distro. Anyone who may have an idea why this doesn't work, I would be very grateful for the help.
Darv