LinuxQuestions.org
Linux - Networking
Old 03-14-2008, 11:36 AM   #1
void4ever
iptables routing issue


Good morning,

I need a little assistance tracking down a problem with an iptables script I've written. It's extremely basic, but it doesn't seem to be working. I should note that I am very new to iptables, so I must have something wrong somewhere.

Background:
I'm setting up this box as a QoS machine for our network. I will be putting it between a PIX 501 and the rest of the network. The PIX does our firewalling as well as routing public IPs to our various servers.

I need the QoS box to pass all traffic unmodified to the PIX so that the IP routing remains unaffected, so no MASQ setups.

pix 172.16.1.1
eth0 LAN : 172.16.1.200
eth1 WAN : 172.16.1.201

I have eth1 connected to the PIX while the rest of the network runs into eth0.

My script:

#!/bin/sh
# enable IPv4 forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# default policies: accept everything in all built-in chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush existing rules in the filter, mangle and nat tables (policies are kept)
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -F
# allow forwarding LAN -> WAN and WAN -> LAN (already permitted by the ACCEPT policy above)
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth1 -o eth0 -j ACCEPT

Part of this I wrote myself and part of it I took from other examples I found around the net, which could be my issue.

My current routes, which I've been staring at for hours; I'm not sure I have them right either.

ip route
172.16.1.1 dev eth1 scope link
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.200
127.0.0.0/8 dev lo scope link
default via 172.16.1.1 dev eth1

With this setup I'm able to ping both eth0 and eth1 from the LAN side; however, I cannot ping the PIX. The Linux box itself can ping the PIX and machines on the LAN.

It seems to me that if I can ping 172.16.1.201 from the LAN side, then part of my routing is working; it's just once it tries to go past eth1 that it stops.

I ran a tcpdump while trying to ping the PIX, and all I would see were ARP requests, but no replies.

Any ideas would be much appreciated.

Void4ever
 
Old 03-14-2008, 11:47 AM   #2
acid_kewpie
You have both NICs on the same subnet? That's illegal; it doesn't make any sense at all. Do you actually want this box to be a transparent bridge? If so, iptables isn't what you're after, but ebtables, to do packet filtering on a pair of bridged interfaces.
 
Old 03-14-2008, 11:47 AM   #3
acid_kewpie
http://ebtables.sourceforge.net/examples/example5.html
 
Old 03-14-2008, 04:25 PM   #4
void4ever
I've set up bridging before and it was working perfectly for routing; however, it broke my QoS script (prometheus), so I was attempting to do it with iptables. But as you can see, my knowledge of subnetting isn't quite up to par.

I had never seen ebtables before, but based on the link you provided I think I might be able to write up a very basic QoS script instead of using a prepackaged one. Unless you know of any QoS scripts based off ebtables, because that would make life much easier.

Thank you for the suggestions. I think I'll poke around the net some more for info on ebtables and possibly a QoS script based on that. If you have any more suggestions I would love to hear them.

Thanks again.

Void4ever
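Added example, not code from the thread, from LinuxQuestions or from the prometheus script: a POSIX shell script that puts acid_kewpie's diagnosis in #2 and the bridge suggestion in #2/#3 into practice, and addresses the concern in #4 that bridging breaks an iptables-based QoS script. The topology_check function applies the "same subnet" test to two CIDR addresses: when the two interface subnets overlap, LAN hosts treat the PIX as on-link and ARP for it directly, and a router does not forward ARP, which is exactly the "ARP requests, no replies" the OP saw in tcpdump; only a bridge forwards those frames. The build_bridge function then constructs the bridge and turns on bridge-nf-call-iptables so bridged IPv4 frames still traverse the iptables chains (mangle marks, -m state), which is what an iptables-driven shaper needs. Assumed, not from the posts: the bridge name br0, the function and variable names, the DRY_RUN switch, and the use of current iproute2 bridge commands rather than brctl. Interface names and addresses are the OP's.

```shell
#!/bin/sh
# Added example, not code from the thread or from the prometheus script.
# Turns the two-NIC box into a transparent bridge (acid_kewpie's suggestion) and
# keeps iptables in the path so an iptables-based QoS classifier still works.
# Assumed, not from the posts: the bridge name br0, the variable and function
# names, and the DRY_RUN switch. Interface and address values are the OP's.
set -eu

LAN_IF=${LAN_IF:-eth0}                    # faces the rest of the network
WAN_IF=${WAN_IF:-eth1}                    # faces the PIX
BRIDGE=${BRIDGE:-br0}                     # assumed name
MGMT_ADDR=${MGMT_ADDR:-172.16.1.200/16}   # the old eth0 address, moved onto the bridge
GATEWAY=${GATEWAY:-172.16.1.1}            # the PIX
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = execute them

# Print or execute a privileged command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer; /0 is special-cased because a 32-bit
# shift is undefined in shell arithmetic.
prefix2mask() {
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Decide how the box can sit between two addresses given in CIDR form:
#   route  - the subnets are distinct, so plain IPv4 forwarding works
#   bridge - the subnets overlap, so hosts ARP for each other directly; a router
#            never forwards that ARP, the far side never answers (the OP's tcpdump),
#            and the box has to forward frames instead, i.e. act as a bridge.
topology_check() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
  mask=$(prefix2mask "$len")
  if [ $(( $(ip2int "$a_ip") & $mask )) -eq $(( $(ip2int "$b_ip") & $mask )) ]; then
    echo bridge
  else
    echo route
  fi
}

# Build the bridge with current iproute2 commands (older systems use brctl).
build_bridge() {
  run ip link add name "$BRIDGE" type bridge
  # Bridge ports carry no IP address of their own.
  run ip addr flush dev "$LAN_IF"
  run ip addr flush dev "$WAN_IF"
  run ip link set "$LAN_IF" master "$BRIDGE"
  run ip link set "$WAN_IF" master "$BRIDGE"
  run ip link set "$LAN_IF" up
  run ip link set "$WAN_IF" up
  run ip link set "$BRIDGE" up
  # One address on the bridge itself, for management; forwarding does not need it.
  run ip addr add "$MGMT_ADDR" dev "$BRIDGE"
  run ip route add default via "$GATEWAY" dev "$BRIDGE"
  # Make bridged IPv4 frames traverse the iptables chains (br_netfilter is a
  # separate module since kernel 3.18, built into the bridge module before that),
  # so mangle rules and -m state matches used by an iptables-driven shaper still
  # see the traffic. Filtering purely at layer 2 is ebtables' job instead.
  run modprobe br_netfilter
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

case "${1:-}" in
  diagnose) topology_check "$2" "$3" ;;    # e.g. diagnose 172.16.1.200/16 172.16.1.201/32
  plan)     build_bridge ;;                # print what apply would run
  apply)    DRY_RUN=0; build_bridge ;;     # run as root on the QoS box
  *)        : ;;                           # no verb: define functions only
esac
```

Run `sh bridge-qos.sh diagnose 172.16.1.200/16 172.16.1.201/32` to get `bridge` for the OP's layout (the PIX-side address falls inside the LAN /16 however narrow its own prefix is), `sh bridge-qos.sh plan` to print the commands, and `sh bridge-qos.sh apply` as root to execute them. Because the physical NICs lose their addresses, do this from the console or through the bridge's management address, not over a session bound to eth0 or eth1.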
 
  

