LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-04-2010, 08:08 AM   #1
jdelacruz68
linux router


I am using a CentOS box as a router. The WAN side has a public IP and the LAN side is also using a public IP. I configured a DHCP server on the LAN side and it is working perfectly; PCs on the LAN side are able to access the internet.

Problem: Considering the fact that the LAN IPs are public IPs, it is presumed that from the internet one should be able to ping IPs inside the LAN, but, alas, one couldn't.

No firewall has been configured!

Question: What configuration should be done on the box so that IPs inside the LAN can be pinged from the internet?

 
Old 03-04-2010, 09:19 AM   #2
theNbomr
This sounds a bit fishy. When you say 'Public IP', do you mean IPs granted to you by your ISP or some other authority? If not, then you shouldn't be doing what you are doing. If you are using local IPs (192.168.x.x/16, 10.x.x.x/24, or 172.16.x.x/20), then you should not be able to do what you want. Is your problem limited to just ICMP traffic, or all traffic? What actually does happen if you try to ping one of your LAN IPs from outside the router? You and/or your ISP may need to set up DNS to permit the WAN side to find your 'LAN' hosts.

--- rod.
 
Old 03-04-2010, 05:18 PM   #3
jdelacruz68
We had just applied for a public IP for our LAN side and we were granted it by our ISP; that's why we have public IPs on both WAN and LAN.

So, as I said, Linux is used as a router, and on the LAN side the DHCP server is working fine using the public IP, and all the stations on the LAN side are able to access the internet smoothly.

Since we are using public IPs on the LAN, I presumed that they could be pinged from the internet, but they cannot. No firewall has been set on the box, so what configuration should be done on the box so that a server with a public IP on the LAN can be accessed from the internet?
 
Old 03-04-2010, 06:16 PM   #4
theNbomr
So, then the first thing to do is see if any traffic at all destined for the Public IPs reaches the WAN side of your router. Set up tcpdump on the WAN interface, and see what happens when you ping or otherwise try to access the Public IPs from the WAN. If it isn't getting at least to the router, you will have to get the ISP involved.
Post here the output of
Code:
iptables -L
on your router (root privileges required).
You say no firewall, but there must be some routing going on if traffic is passing from the LAN to the WAN side. It might be as simple as removing some rules.

--- rod.
 
Old 03-05-2010, 12:40 AM   #5
jdelacruz68
Here is my firewall:

[root@batman ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[sysops@batman ~]$ exit

I don't know how to set up tcpdump as you mention; please give the procedure as well.

Thanks.

John
 
Old 03-05-2010, 10:44 AM   #6
theNbomr
With those rules, it is hard to imagine that any traffic is passing through your router. Is the router actually separating the two networks, with two NICs, one attached to each network? And just to confirm - your LAN traffic is presently traversing the router and accessing WAN hosts (LAN hosts initiating connections)? If so, then you must have another parallel router, or you're inaccurate about something.
At any rate, to capture traffic on an interface you simply run, as root:
Code:
/usr/sbin/tcpdump -i eth0
Substitute eth1, eth2, etc. as appropriate for your setup. While you are monitoring the interface, get a host on the WAN to try to access one of your Public IP LAN hosts. You either will or will not see the traffic. If not, then you probably need some help from your ISP. If you do, then you will need to set up some iptables rules. Post your findings here.

Perhaps you should consider the use of a canned router package, if you are not acquainted with the nuances of assembling a router for production use. The benefits are that you get a system that should work right out of the box, and if it is a mature system, you will be leveraging the experience and expertise of many skilled developers. One such package that I have had success with in the past is Coyote Linux. There are numerous others, and a Google search should turn up more. This Wikipedia page is also a good starting point.

--- rod.

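The capture step rod describes, as an added example that is not part of the thread: a Python script that takes two `tcpdump -n icmp` captures, one from the WAN NIC and one from the LAN NIC, taken while a host on the internet pings an address in the LAN block, and reports the first point on the request/reply path where the traffic disappears. The block 198.51.100.0/24, the pinging host 203.0.113.7 and the capture lines are constructed for the example; the interface names eth0/eth1 are assumed.

```python
"""Locate where inbound pings to a public LAN block stop, from two tcpdump captures.

On the router, run  tcpdump -n -i eth0 icmp  (WAN side) and  tcpdump -n -i eth1 icmp
(LAN side) while a host on the internet pings an address inside the LAN block, then
feed both outputs to diagnose().  Added example; not the thread's own code.
"""
import ipaddress
import re

# Assumed for this example: the public block routed to the LAN side of the router.
LAN_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# One line of `tcpdump -n icmp` output, e.g.
# 10:12:01.100000 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 4321, seq 1, length 64
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+seq\s+(?P<seq>\d+)"
)


def parse_icmp(capture):
    """Return (kind, src, dst, (id, seq)) for every echo request/reply line in the capture."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["kind"],
                           ipaddress.ip_address(m["src"]),
                           ipaddress.ip_address(m["dst"]),
                           (int(m["id"]), int(m["seq"]))))
    return events


def inbound_requests(events):
    """(id, seq) of echo requests addressed to a host in the LAN block."""
    return {key for kind, _src, dst, key in events if kind == "request" and dst in LAN_PREFIX}


def outbound_replies(events):
    """(id, seq) of echo replies sent by a host in the LAN block."""
    return {key for kind, src, _dst, key in events if kind == "reply" and src in LAN_PREFIX}


def diagnose(wan_capture, lan_capture):
    """Follow request then reply across both NICs and name the first hop where they vanish."""
    wan, lan = parse_icmp(wan_capture), parse_icmp(lan_capture)
    req_wan = inbound_requests(wan)
    if not req_wan:
        # Nothing for the block ever reaches the router: the ISP is not routing it to the WAN IP.
        return "no-inbound"
    req_lan = inbound_requests(lan) & req_wan
    if not req_lan:
        # Seen on WAN, never sent out the LAN NIC: ip_forward, routing table or FORWARD chain.
        return "not-forwarded"
    rep_lan = outbound_replies(lan) & req_lan
    if not rep_lan:
        # Delivered to the LAN, no answer: host firewall, or the host's default gateway is wrong.
        return "host-silent"
    rep_wan = outbound_replies(wan) & rep_lan
    if not rep_wan:
        # Host answered but the reply never left the WAN NIC: FORWARD or NAT rules on the return path.
        return "reply-not-forwarded"
    return "ok"


# Constructed sample captures (not real traffic) for the healthy case.
WAN_OK = """\
10:12:01.100000 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 4321, seq 1, length 64
10:12:01.102000 IP 198.51.100.10 > 203.0.113.7: ICMP echo reply, id 4321, seq 1, length 64
"""
LAN_OK = """\
10:12:01.100500 IP 203.0.113.7 > 198.51.100.10: ICMP echo request, id 4321, seq 1, length 64
10:12:01.101500 IP 198.51.100.10 > 203.0.113.7: ICMP echo reply, id 4321, seq 1, length 64
"""
# The same WAN capture with only the request, for the case where nothing comes back.
WAN_REQ_ONLY = WAN_OK.splitlines()[0] + "\n"

if __name__ == "__main__":
    print(diagnose(WAN_OK, LAN_OK))      # ok
    print(diagnose(WAN_REQ_ONLY, ""))    # not-forwarded
    print(diagnose("", ""))              # no-inbound
```

Requests and replies are paired on the ICMP id/seq so a stray reply from an unrelated ping is not counted as an answer. A result of "no-inbound" is the case rod says needs the ISP; the other three are on the router or the LAN host.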
 
Old 03-05-2010, 02:49 PM   #7
jefro
Moderator
 
Quote:
Question: What configuration should be done on the box so that IPs inside the LAN can be pinged from the internet?

Then you'd have to allow ICMP packets between the subnets/NICs.


I agree that you may be better off with a dedicated package. Look also at untangle.
 
Old 03-05-2010, 05:13 PM   #8
theNbomr
Hmmm. Sorry, I misread the rules originally posted. I feel shame.
Those rules should pass all traffic between the LAN & WAN. This is probably not good, if it propagates non-public IPs onto the public net. Also, it will propagate traffic onto the LAN which needn't be there.
This explains why the LAN hosts are able to get access to the WAN. It does not explain why the LAN Public IP hosts are not reachable from outside the LAN. My present hypothesis is that the original poster's adventures with tcpdump should verify that the traffic is not reaching the router from the WAN.
For the sake of interest, would the OP please repeat the iptables dump with greater verbosity:
Code:
iptables -t filter -L -v
iptables -t mangle -L -v
iptables -t nat -L -v
If the traffic from the WAN is appearing at the router NIC, then we will want this anyway.

--- rod.
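An added example, not from the thread, of what to look for in the verbose listings rod asks for: a parser for `iptables -t <table> -L -v` output that reports each chain's policy, any MASQUERADE/SNAT rule in the nat table, any DROP/REJECT rule in FORWARD that would catch ICMP, and whether FORWARD accepts everything unconditionally, as in the listing posted earlier. The sample listings are constructed: the filter table mirrors the OP's posted rules in verbose form, and the MASQUERADE rule on eth0 in the nat table is an assumption, included to show how such a rule is reported.

```python
"""Audit `iptables -t <table> -L -v` listings from a router with public addresses on both sides.

Added example; not the thread's own code.  Feed audit() the text of each table's listing.
"""
import re

CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \(policy (?P<policy>\S+)")
# Column order of a verbose listing; anything after 'destination' (state, icmp type, ...) is 'extra'.
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
ANY_IF = ("any", "*")                  # -L -v prints "any"; with -n it prints "*"
ANY_ADDR = ("anywhere", "0.0.0.0/0")   # likewise "anywhere" vs "0.0.0.0/0"


def parse_listing(table, text):
    """Return ({(table, chain): policy}, [rule dicts]) for one table's verbose listing."""
    policies, rules, chain = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m["chain"]
            policies[(table, chain)] = m["policy"]
            continue
        if line.startswith("Chain "):            # user-defined chain: "Chain foo (2 references)"
            chain = line.split()[1]
            continue
        fields = line.split(None, len(COLUMNS))
        if len(fields) < len(COLUMNS):
            continue  # a rule with no -j target leaves a blank column; whitespace splitting cannot recover it
        rule = dict(zip(COLUMNS, fields))
        rule["extra"] = fields[len(COLUMNS)] if len(fields) > len(COLUMNS) else ""
        rule["table"], rule["chain"] = table, chain
        rules.append(rule)
    return policies, rules


def audit(listings):
    """listings: {table_name: listing_text}. Returns the findings a router admin should act on."""
    policies, rules = {}, []
    for table, text in listings.items():
        p, r = parse_listing(table, text)
        policies.update(p)
        rules.extend(r)
    findings = {"policies": policies, "source_nat": [], "forward_blocks": [], "forward_accepts_all": False}
    for r in rules:
        # Source NAT rewrites the address of LAN hosts leaving this interface.  With a routed
        # public block on the LAN it is not needed, and it hides which LAN host originated a flow.
        if r["table"] == "nat" and r["target"] in ("MASQUERADE", "SNAT"):
            findings["source_nat"].append((r["chain"], r["out"], r["source"]))
        if r["table"] == "filter" and r["chain"] == "FORWARD":
            if r["target"] in ("DROP", "REJECT") and r["prot"] in ("all", "icmp"):
                findings["forward_blocks"].append(
                    (r["prot"], r["in"], r["out"], r["source"], r["destination"]))
            if (r["target"] == "ACCEPT" and r["prot"] == "all"
                    and r["in"] in ANY_IF and r["out"] in ANY_IF
                    and r["source"] in ANY_ADDR and r["destination"] in ANY_ADDR and not r["extra"]):
                findings["forward_accepts_all"] = True   # no restriction at all between WAN and LAN
    return findings


# Constructed listings.  The filter table mirrors the OP's posted rules in verbose form;
# the MASQUERADE rule in the nat table is an assumption, included to show how it is reported.
FILTER = """\
Chain INPUT (policy ACCEPT 812 packets, 61K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4520 3100K ACCEPT     all  --  any    any     anywhere             anywhere
 3980 2870K ACCEPT     all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 640 packets, 48K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
NAT = """\
Chain PREROUTING (policy ACCEPT 150 packets, 9800 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 22 packets, 1700 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4100 2900K MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 22 packets, 1700 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for key, value in audit({"filter": FILTER, "nat": NAT}).items():
        print(key, value)
```

The packet counters in the verbose form are the useful part for this thread: a FORWARD rule with a rising `pkts` column while pings are being sent from the WAN proves the request reached the router, which is what the tcpdump test is meant to establish.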
 
Old 03-06-2010, 01:41 AM   #9
jdelacruz68
Well, I think the masquerading is the cause of not being able to ping the public IPs inside the LAN.

Is there a config aside from masquerade in order to access the public IPs inside the LAN?

john
 
Old 03-06-2010, 09:05 AM   #10
theNbomr
Quote:
Well, I think the masquerading is the cause of not being able to ping the public IPs inside the LAN.

Is there a config aside from masquerade in order to access the public IPs inside the LAN?
Do you see evidence that masquerading is occurring? How do you think this is a cause of problems? As I read the existing rules, masquerading should not be required, although if there are rules in the nat table, perhaps they are broken. Can you post them? Is the problem you cite restricted to ICMP, or to all traffic in general? What is the result of your tcpdump test?

--- rod.
 
  

