07-09-2015, 05:04 PM
|
#1
|
Member
Registered: May 2015
Posts: 31
Rep:
|
LAN clients have no Internet access!!
I’ve been trying to solve this problem for a long time now, but I have not been successful.
After a minimal install of CentOS 6.6 on my server, I’ve configured it as a DHCP server. Eth0 is set up as DHCP, and eth1 is set up as a static IP. Eth0 receives an IP address from my Internet router, eth1 is directly wired to a LAN switch. I have Internet on the server, but not on my LAN.
I have configured eth1 to be a trusted device as well as a MASQUERADE device. I can successfully ping all Windows clients, and Windows clients can ping the server. I also changed net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. I’ve set SELinux to disabled and still no luck.
My Windows clients are wired to my LAN switch and all Windows clients get an IP address, but they do not have Internet access.
Here is my dhcpd.conf:
#
ddns-update-style interim;
subnet 172.16.1.0 netmask 255.255.255.0 {
option routers 172.16.1.1;
option subnet-mask 255.255.255.0;
option domain-name "cseproject.net";
option domain-name-servers 192.168.1.254,8.8.8.8,8.8.4.4;
option time-offset -25200; # Pacific Daylight Time
range 172.16.1.120 172.16.1.144;
default-lease-time 21600;
max-lease-time 43200;
}
What should I do?
|
|
|
07-09-2015, 08:18 PM
|
#2
|
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
|
Do you actually forward traffic from eth1 to eth0? You mention MASQUERADE, but still...
Do the Windows clients have the correct routing table?
Anything in the log file on the server (/var/log/messages, usually)?
The router's log?
If you don't see anything obvious, do some network tracing. Wireshark is rather easy to operate, both on Windows and Linux. You also have the lighter-weight tcpdump on Linux. It's fun and instructive, too. Check DHCP traffic on eth1. If it looks ok, check packets that the clients want to send to the internet, on both eth0 and eth1. Perhaps your CentOS server is correctly configured, but your router doesn't like the client packets for some reason.
|
|
|
07-10-2015, 06:05 PM
|
#3
|
Member
Registered: May 2015
Posts: 31
Original Poster
Rep:
|
I'm only using two network interface cards. The first network interface card (NIC), eth0, will be connected to the external network with the dynamic IP addressing method (DHCP). The external DHCP server will assign the IP address for eth0. Network interface card eth1 will be connected with the static IP addressing method. The IP address 172.16.1.1 will be assigned to eth1 with a 255.255.255.0 subnet mask. The static IP address will be the gateway for the subnet.
The Linux kernel has an IP forwarding feature built in. The IP forwarding feature has an Internet routing algorithm that determines which route a packet should be sent.
The firewall will be configured to allow IP forwarding, and the network interface card eth1 will be trusted and masqueraded.
The router will provide DHCP service to the internal networks (eth1), even though the router is a DHCP client itself (eth0). All the servers will use static IP addresses, but all other workstations will be DHCP clients that configure network settings by DHCP server.
|
|
|
07-10-2015, 06:44 PM
|
#4
|
Member
Registered: Sep 2006
Location: Quetta, Pakistan
Distribution: RHEL, Ubuntu, Fedora
Posts: 368
Rep:
|
Try to check the domain name of your ISP or the first Google DNS name server on your DHCP server.
Last edited by shahz; 07-10-2015 at 06:54 PM.
|
|
|
07-10-2015, 07:42 PM
|
#5
|
Moderator
Registered: Aug 2002
Posts: 26,130
|
Even though the kernel is configured to forward packets, and since you did not post your complete rule set, I would guess the firewall is not.
Quote:
Firewall will be configured to allow IP forwarding
|
Does that mean it isn't yet?
|
|
|
07-10-2015, 11:59 PM
|
#6
|
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
|
Quote:
Originally Posted by berndbausch
Do you actually forward traffic from eth1 to eth0? You mention MASQUERADE, but still...
Do the Windows clients have the correct routing table?
Anything in the log file on the server (/var/log/messages, usually)?
The router's log?
If you don't see anything obvious, do some network tracing. Wireshark is rather easy to operate, both on Windows and Linux. You also have the lighter-weight tcpdump on Linux. It's fun and instructive, too. Check DHCP traffic on eth1. If it looks ok, check packets that the clients want to send to the internet, on both eth0 and eth1. Perhaps your CentOS server is correctly configured, but your router doesn't like the client packets for some reason.
|
One more: You can add logging rules to your netfilter ruleset. I.e. rules with a "-j LOG". Log those packets you are supposed to forward.
|
|
|
07-12-2015, 10:55 AM
|
#7
|
Member
Registered: May 2015
Posts: 31
Original Poster
Rep:
|
Hi michaelk,
Here's my /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
Also I ran a cat /var/log/messages as berndbausch suggested and I received this:
Jan 19 15:08:29 hadrian dhcpd: to which interface eth0 is attached. **
Jan 19 15:08:29 hadrian dhcpd:
Jan 19 15:08:29 hadrian dhcpd: Sending on Socket/fallback/fallback-net
Jan 19 15:08:30 hadrian abrtd: Init complete, entering main loop
Jan 19 15:09:58 hadrian dhcpd: DHCPREQUEST for 172.16.1.171 from f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:09:58 hadrian dhcpd: DHCPACK on 172.16.1.171 to f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:10:02 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:10:02 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via eth1
Jan 19 15:13:13 hadrian dhcpd: DHCPREQUEST for 172.16.1.171 from f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:13:13 hadrian dhcpd: DHCPACK on 172.16.1.171 to f0:de:f1:7e:90:18 (edgarWorkstatio) via eth1
Jan 19 15:13:17 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:13:17 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via eth1
Jan 19 15:14:44 hadrian dhcpd: DHCPINFORM from 172.16.1.171 via eth1
Jan 19 15:14:44 hadrian dhcpd: DHCPACK to 172.16.1.171 (f0:de:f1:7e:90:18) via e
I'm still working on this issue. Also, Windows clients cannot ping my Internet router. They can ping eth0 and eth1, but not the ISP router.
|
|
|
07-12-2015, 07:23 PM
|
#8
|
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
|
Quote:
-A FORWARD -i eth0 -o eth1 -j ACCEPT
|
You are forwarding from eth0 to eth1, but if I understand you right, your Windows clients are connected to eth1 and the router to eth0. Shouldn't the forward be the other way around? Or both ways?
Also you talk about Masquerading but I don't see any such rules.
|
|
|
07-12-2015, 10:07 PM
|
#9
|
Member
Registered: May 2015
Posts: 31
Original Poster
Rep:
|
Yes, that's correct. Windows clients are connected to eth1, and my Internet router is wired to eth0.
You mention that the forwarding should be the other way around. I'll test forwarding from eth1 to eth0.
I re-applied the Masquerading settings and Windows clients continue to fail to access the Internet.
Here's my updated iptables with forwarding from eth1 to eth0:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
|
|
|
07-12-2015, 10:50 PM
|
#10
|
LQ Addict
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316
|
Quote:
Originally Posted by ep7network0819
Yes, that's correct. Windows clients are connected to eth1, and my Internet router is wired to eth0.
You mention that the forwarding should be the other way around. I'll test forwarding from eth1 to eth0.
I re-applied the Masquerading settings and Windows clients continue to fail to access the Internet.
Here's my updated iptables with forwarding from eth1 to eth0:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
|
Admittedly I am just an apprentice wizard as far as iptables is concerned, so don't base your work only on what I am saying. However:
- If your router is connected to eth0, it doesn't seem correct that you are masquerading packets going out on eth1. eth0 seems more logical to me.
- On second thought (or look), your FORWARD rules don't look like they would work. Back to the drawing board I suppose, and find a good tutorial about setting up forwarding.
E.g. here on LinuxQuestions: http://www.linuxquestions.org/questi...routing-56453/
My other suggestion, tracing the packets from your Windows client on eth0 and eth1, stands. I assume that your routing rules are wrong and nothing is forwarded in this server.
|
|
|
07-12-2015, 10:56 PM
|
#11
|
Moderator
Registered: Aug 2002
Posts: 26,130
|
The postrouting masquerade rule should be on your external interface.
|
|
|
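The two things the replies in this thread ask about (MASQUERADE on the external interface, and a FORWARD rule that lets new LAN traffic out), turned into a check over iptables-save text. This is an added shell example, not part of any post; `check_ruleset`, the `POSTED`/`FIXED` samples (shortened from the ruleset in post #9) and the interface-only rule matching are assumptions made for illustration.

```shell
#!/bin/sh
# check_ruleset WAN LAN: hypothetical helper; reads iptables-save text on stdin
# and prints one finding per line (no output means both checks passed).
check_ruleset() {
  awk -v wan="$1" -v lan="$2" '
    function opt(flag,   i) {   # value that follows a flag on this rule, or ""
      for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
      return ""
    }
    BEGIN { policy = "ACCEPT" }   # built-in chains default to ACCEPT
    /^\*/ { table = substr($1, 2); next }
    table == "filter" && $1 == ":FORWARD" { policy = $2; next }
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" {
      if (opt("-o") == wan) masq_ok = 1
      if (opt("-o") == lan) print "nat: MASQUERADE is on LAN interface " lan
    }
    # The first FORWARD rule matching a new LAN->WAN packet decides its fate.
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && verdict == "" {
      if (opt("-m") != "" || opt("-p") != "") next   # assumption: skip state/protocol rules
      iif = opt("-i"); oif = opt("-o")
      if ((iif == "" || iif == lan) && (oif == "" || oif == wan)) verdict = opt("-j")
    }
    END {
      if (!masq_ok) print "nat: no MASQUERADE rule on WAN interface " wan
      if (verdict == "") verdict = policy
      if (verdict != "ACCEPT") print "filter: new " lan "->" wan " traffic gets " verdict
    }'
}

# Constructed sample: nat table and FORWARD chain from post #9, shortened.
POSTED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed sample: same ruleset with MASQUERADE moved to the external interface.
FIXED=$(printf '%s\n' "$POSTED" | sed 's/-o eth1 -j MASQUERADE/-o eth0 -j MASQUERADE/')

printf '%s\n' "$POSTED" | check_ruleset eth0 eth1
printf '%s\n' "$FIXED"  | check_ruleset eth0 eth1
```

On the shortened post #9 ruleset it reports only the two nat findings, because `-A FORWARD -i eth1 -j ACCEPT` already accepts new LAN traffic before the final REJECT.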