IP Forwarding not working in CentOS 5

tomwerner · 05-13-2008, 05:22 PM

I have been trying (and failing) to get a simple IP forward setup in my home network. Here is the network layout:

+----------------+
| Netgear Router
|
| External IP:
| 78.xx.xx.xx
|
| Internal IP:
| 192.168.0.1
+----------------+

|
v
+----------------+
| CentOS Server
| (DHCP, DNS)
|
| eth0 (RED)
| 192.168.0.20
| eth1 (GREEN)
| 192.168.1.1
+----------------+

|
v

LAN PCs - 192.168.1.2-192.168.1.10

The router is a standard ADSL modem with DHCP and Wireless, however everything apart from ADSL will be disabled so that the server can take it over, the main reason is so that I can have the option of doing more complex firewall configuration than the router. I also want to be able to do transparent proxying.

To try and config it I have:

Enabled IP Forwarding

/etc/sysconfig/network

Code:

FORWARD_IPV4=YES

Configured the Network Interfaces

cat /proc/sys/net/ipv4/ip_forward
reports 1

eth0

Code:

GATEWAY=192.168.0.1
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:0e:0c:76:53:0a
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.0.20
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

eth1

Code:

GATEWAY=192.168.0.1
TYPE=Ethernet
DEVICE=eth1
HWADDR=00:1c:c0:2a:5e:b7
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.1
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes

Configured routes

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

Firewall configuration

I have tried no firewall and configuring the firewall using FireHOL, both have no affect.

I don't think I need to iptables to get things working as all I am trying to get is packets to hop from one interface to another, the router is handling the NAT, surely I don't need to NAT twice do I?

Any suggestions on bad assumptions or poor config is appreciated.

Many thanks in advance,

Tom

Brian1 · 05-13-2008, 05:57 PM

Don't set a gateway in the ifcfg-eth1 file. Ip_fowarding handles the routing for you. Also to make sure all lan machines 192.168.1.2-10 set the gateway on them to 192.168.1.1

Brian

tomwerner · 05-13-2008, 06:48 PM

Brian, thanks for the quick reply, unfortunately, no change.

This is the output of ipconfig /all from a Windows machine sitting on the DHCP served LAN:

Code:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethern

Physical Address. . . . . . . . . : 00-1E-37-21-53-A1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : 14 May 2008 00:37:29
Lease Expires . . . . . . . . . . : 14 May 2008 06:37:29

I have updated the sections as suggested above. I also tried changing the DNS servers on the DHCP, wondering whether everything went through the gateway and then on. My main test which shows that there is something definetely weird happening is the fact that at present there are some machines connected to the 192.168.0.1 network, I however cannot ping any of those with an error of 'Destination Host Unreachable', but I can ping 192.168.0.1??!!?! I have also tried different firewall settings, I have now left it as Disabled.

datopdog · 05-14-2008, 01:58 AM

You need NAT on your centos box because your netgear router does not have a route back to the 192.168.1.0/24 range.

tomwerner · 05-15-2008, 05:05 AM

To setup masquerading I tried:

Code:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Taking the assumption that the output interface is the target network's interface (eth1). I also tried eth0 in case my assumption was incorrect, still no joy.

I tried doing a ping while logged into the server to the other machines on the 192.168.0.1/24 network and I am still getting the same error. I can ping 192.168.1.1, however, I don't know whether this is working because the config is correct or becuase it is being pumped through localhost without saying so.

Code:

PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
From 192.168.0.20 icmp_seq=2 Destination Host Unreachable
From 192.168.0.20 icmp_seq=3 Destination Host Unreachable

I am starting to think that there is something wrong with the router as this is simple stuff that I have managed to get working before.

tomwerner · 05-15-2008, 05:14 AM

I forgot to add, in the final setup I don't need any kind of access for machines connected to the 192.168.0.1/24 network apart from the server, in essence, I am cascading the two routers, with the netgear being my wan termination point and my linux box doing the more complex firewall rules, serving the private network.

datopdog · 05-15-2008, 05:29 AM

From what i can see the linux machine which is directly connected to the netgear cannot even ping it, is your cable working ?

tomwerner · 05-15-2008, 05:53 AM

I gave the server a reboot and I can now ping everything on the 192.168.0.1 network, I will attempt to hook up something onto the 1.1 network tonight and see whether things have improved :-). Many thanks datapdog and Brian so far, hopefully I can put this sorry saga to bed...

tomwerner · 05-17-2008, 03:17 AM

Many thanks for your help, I think adding the extra route fixed the problem.

Cheers,

Tom

lsteacke · 05-19-2008, 11:47 AM

What extra route did you add? Just curious, I've been following the thread.