LinuxQuestions.org

Linux - Networking: External nic unreachable from local network (https://www.linuxquestions.org/questions/linux-networking-3/external-nic-unreachable-from-local-network-781423/)

naquad 01-11-2010 04:29 AM

External nic unreachable from local network
 
Hi.

I've got a router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)

My firewall:
Code:

# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*raw
:PREROUTING ACCEPT [1038480:666298388]
:OUTPUT ACCEPT [52176:5482685]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*mangle
:PREROUTING ACCEPT [14108:12047521]
:INPUT ACCEPT [96646:92066698]
:FORWARD ACCEPT [1111826:653133089]
:OUTPUT ACCEPT [3326:235073]
:POSTROUTING ACCEPT [1181462:660486512]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*nat
:PREROUTING ACCEPT [160:13709]
:POSTROUTING ACCEPT [28:1911]
:OUTPUT ACCEPT [20:1430]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 11 12:22:25 2010
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*filter
:INPUT ACCEPT [4442:6226870]
:FORWARD ACCEPT [9621:5816943]
:OUTPUT ACCEPT [3326:235073]
COMMIT
# Completed on Mon Jan 11 12:22:25 2010

The internal network has access to the internet and works pretty fine, but
the external interface IP is unreachable, i.e. clients can't reach x.y.z.a.
According to tcpdump, packets are transmitted to the router, but there's no response.

Somehow iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1 helps, but IMHO there should be some other solution.

Any ideas?

Kernel is 2.6.31.6, architecture is x86_64.

P.S. I've also tried iptables -A POSTROUTING ! -d x.y.z.a -s 192.168.1.0/24 -j MASQUERADE; that didn't help either.
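Added example, not from any poster in this thread: a small parser for the iptables-save format quoted in the first post, with checks for the three things the thread turns on (the source-scoped MASQUERADE rule, the DNAT hairpin workaround, and the ACCEPT default policies in the filter table). The DUMP string is a constructed copy of the poster's nat and filter tables with the packet counters zeroed; the parser assumes the standard "*table", ":CHAIN POLICY [n:n]", "-A CHAIN ..." and "COMMIT" layout.

```python
# Constructed input: the poster's nat and filter tables, counters zeroed.
DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def parse(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [token lists]}}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # comments and table terminators carry no rules
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":CHAIN POLICY [pkts:bytes]"
            current["policies"][chain] = policy
        elif line.startswith("-A "):
            current["rules"].append(line.split())  # ["-A", chain, opts..., "-j", target]
    return tables


def audit(tables):
    """Flag the rule properties discussed in the thread; returns a list of strings."""
    findings = []
    nat_rules = tables.get("nat", {}).get("rules", [])
    policies = tables.get("filter", {}).get("policies", {})
    for r in nat_rules:
        if "MASQUERADE" in r and "-s" not in r:
            findings.append("MASQUERADE not restricted to the LAN source range")
        if r[1] == "PREROUTING" and "DNAT" in r:
            findings.append("DNAT hairpin rule in nat PREROUTING: " + " ".join(r))
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"filter {chain} policy is ACCEPT, no default deny")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(DUMP)):
        print(finding)
```

Running it against the poster's ruleset reports only the open INPUT and FORWARD policies; feeding it the dump with the DNAT workaround added, or with the -s match dropped as jeff_k suggested, surfaces those changes as well.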

nimnull22 01-11-2010 11:13 AM

Quote:

Originally Posted by naquad (Post 3822209)
Hi.

I've got router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)
...
The internal network has access to the internet and works pretty fine, but
the external interface IP is unreachable, i.e. clients can't reach x.y.z.a.
According to tcpdump, packets are transmitted to the router, but there's no response.

"external interface IP is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your router may respond with nothing, and that is fine. Try to ping its interface, but check whether ICMP is enabled.

jeff_k 01-11-2010 02:05 PM

I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find do not specify a source parameter in the nat POSTROUTING line, so instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
try just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helps. Perhaps the address gets translated before the postrouting occurs? If this is correct, I am sure there is someone here who can provide insight.
Regards

naquad 01-13-2010 05:56 AM

Quote:

Originally Posted by nimnull22 (Post 3822640)
"external interface IP is unreachable, i.e. clients can't reach x.y.z.a" - are you talking about your router interface?

Your router may respond with nothing, and that is fine. Try to ping its interface, but check whether ICMP is enabled.

Yes, I'm talking about my router's external NIC.
I'm doing ping; pings are enabled, but it doesn't work.

Quote:

Originally Posted by jeff_k (Post 3822840)
I'm afraid I am beyond my understanding with this suggestion, but the example iptables scripts that I can find do not specify a source parameter in the nat POSTROUTING line, so instead of (in the *nat section):
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
try just:
-A POSTROUTING -o ppp0 -j MASQUERADE
and see if that helps. Perhaps the address gets translated before the postrouting occurs? If this is correct, I am sure there is someone here who can provide insight.
Regards

I tried to do this too. Didn't help :(

nimnull22 01-13-2010 10:13 AM

Are you trying to ping it from outside or from the LAN?
If from the LAN, pings really may not return, and from the LAN you should ping the LAN interface of your router.
I also suggest turning the firewall OFF for the test period.

naquad 01-14-2010 04:01 AM

Quote:

Originally Posted by nimnull22 (Post 3825247)
Are you trying to ping it from outside or from the LAN?
If from the LAN, pings really may not return, and from the LAN you should ping the LAN interface of your router.
I also suggest turning the firewall OFF for the test period.

I'm trying to ping it from the LAN. Ping doesn't return. Disabling the firewall doesn't help. I did a dirty hack:

Code:

iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1
and that helps, but IMHO that's wrong.

nimnull22 01-14-2010 10:19 AM

What exactly do you want to achieve?
Do you want someone from outside to be able to connect to your LAN?

naquad 01-15-2010 04:57 AM

No, I want someone from inside (the LAN) to be able to connect to the router's external interface.

beadyallen 01-15-2010 08:46 AM

Have you got IP forwarding enabled on the server?
Code:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward   # the redirect itself must run as root, so use tee rather than "sudo echo ... >"

nimnull22 01-15-2010 10:39 AM

Quote:

Originally Posted by naquad (Post 3827332)
No, I want someone from inside (the LAN) to be able to connect to the router's external interface.

Wait a second, but why? What for?
If you want to manage your router, you have to connect to its LAN interface, which is the GW for your network.

naquad 01-22-2010 03:28 PM

iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1
