I am using a CentOS box as a router. The WAN side has a public IP and the LAN side is also using public IPs. I configured a DHCP server on the LAN side and it is working perfectly; PCs on the LAN side are able to access the internet.
Problem: Considering the fact that the LAN IPs are public IPs, it is presumed that the IPs inside the LAN could be pinged from the internet but, alas, they couldn't.
No firewall has been configured!
Question: What config should be done on the box so that IPs inside the LAN can be pinged from the internet?
Last edited by jdelacruz68; 03-04-2010 at 08:10 AM.
Reason: spelling and grammar
This sounds a bit fishy. When you say 'Public IP', do you mean IPs granted to you by your ISP or some other authority? If not, then you shouldn't be doing what you are doing. If you are using local IPs (192.168.x.x/16, 10.x.x.x/24, or 172.16.x.x/20), then you should not be able to do what you want. Is your problem limited to just ICMP traffic, or all traffic? What actually does happen if you try to ping one of your LAN IPs from outside the router? You and/or your ISP may need to set up DNS to permit the WAN side to find your 'LAN' hosts.
--- rod.
We had just applied for a public IP range for our LAN side and we were granted one by our ISP; that's why we have public IPs on both WAN and LAN.
So, as I said, Linux is used as the router, and on the LAN side the DHCP server is working fine using the public IPs, and all the stations on the LAN side were able to access the internet smoothly.
Since we are using public IPs on the LAN, I presumed that they could be pinged from the internet, but they cannot. No firewall has been set on the box, so what configuration should be done on the box so that a server with a public IP on the LAN can be accessed from the internet?
So, then the first thing to do is see if any traffic at all destined for the Public IPs reaches the WAN side of your router. Set up tcpdump on the WAN interface, and see what happens when you ping or otherwise try to access the Public IPs from the WAN. If it isn't getting at least to the router, you will have to get the ISP involved.
Post here, the output of
Code:
iptables -L
on your router (root privileges required).
You say no firewall, but there must be some routing going on if traffic is passing from the LAN to the WAN side. It might be as simple as removing some rules.
With those rules, it is hard to imagine that any traffic is passing through your router. Is the router actually separating the two networks, with two NICs, one attached to each network? And just to confirm - your LAN traffic is presently traversing the router and accessing WAN hosts (LAN hosts initiating connections)? If so, then you must have another parallel router, or you're inaccurate about something.
At any rate, to capture traffic on an interface you simply run, as root:
Code:
/usr/sbin/tcpdump -i eth0
Substitute eth1, eth2, etc. as appropriate for your setup. While you are monitoring the interface, get a host on the WAN to try to access one of your Public IP LAN hosts. You either will or will not see the traffic. If not, then you probably need some help from your ISP. If you do, then you will need to set up some iptables rules. Post your findings here.
Perhaps you should consider the use of a canned router package, if you are not acquainted with the nuances of assembling a router for production use. The benefits are that you get a system that should work right out of the box, and if it is a mature system, you will be leveraging the experience and expertise of many skilled developers. One such package that I have had success with in the past is Coyote Linux. There are numerous others, and a Google search should turn up more. This Wikipedia page is also a good starting point.
Hmmm. Sorry, I misread the rules originally posted. I feel shame.
Those rules should pass all traffic between the LAN & WAN. This is probably not good, if it propagates non-public IPs onto the public net. Also, it will propagate traffic onto the LAN which needn't be there.
This explains why the LAN hosts are able to get access to the WAN. It does not explain why the LAN Public IP hosts are not reachable from outside the LAN. My present hypothesis is that the original poster's adventures with tcpdump should verify that the traffic is not reaching the router from the WAN.
For the sake of interest, would the OP please repeat the iptables dump with greater verbosity:
Well, I think the masquerading is the cause of not being able to ping the public IPs inside the LAN.
Is there a config aside from masquerade in order to access the public IPs inside the LAN?
Do you see evidence that masquerading is occurring? How do you think this is a cause of problems? As I read the existing rules, masquerading should not be required, although if there are rules in the nat table, perhaps they are broken. Can you post them? Is the problem you cite restricted to ICMP, or to all traffic in general? What is the result of your tcpdump test?
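As an added example, not code from the thread or its participants, here is a small POSIX sh audit that parses `iptables -S` style dumps offline for the two rule problems discussed above: a blanket MASQUERADE that would also rewrite the public LAN hosts' addresses (the OP's suspicion) and a FORWARD table that would propagate RFC 1918 sources onto the public net (the concern raised in the replies). It assumes eth0 is the WAN interface and uses constructed sample dumps rather than the OP's actual rules.

```shell
#!/bin/sh
# Offline audit of 'iptables -S' dumps for two points raised in this thread:
# a MASQUERADE rule that also rewrites the publicly routed LAN hosts, and a
# FORWARD table that lets RFC 1918 sources leak onto the WAN. Assumed: eth0 is
# the WAN side; the sample dumps are constructed, not the OP's actual rules.
WAN_IF=eth0
# Constructed 'iptables -t nat -S' / 'iptables -S' output for a router that
# passes everything and masquerades everything leaving eth0.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# True when $1 (an address or prefix) lies in an RFC 1918 range.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}
# Print the -s match of one rule; prints nothing when the rule has none.
rule_source() { printf '%s\n' "$1" | sed -n 's/.* -s \([0-9./]*\).*/\1/p'; }

# One line per MASQUERADE rule in nat dump $1: "masq-all" (no -s match, so the
# public LAN hosts are hidden behind the WAN address as well), "masq-private"
# (limited to RFC 1918 sources) or "masq-public".
classify_masquerade() {
    printf '%s\n' "$1" | grep -e '-j MASQUERADE' | while IFS= read -r rule; do
        src=$(rule_source "$rule")
        if [ -z "$src" ]; then echo masq-all
        elif is_rfc1918 "$src"; then echo masq-private
        else echo masq-public; fi
    done
}

# "leaks" when FORWARD policy is ACCEPT and no rule drops RFC 1918 sources
# leaving $WAN_IF; "filtered" otherwise.
private_egress() {
    policy=$(printf '%s\n' "$1" | sed -n 's/^-P FORWARD //p')
    [ "$policy" = ACCEPT ] || { echo filtered; return 0; }
    hits=$(printf '%s\n' "$1" | grep -E -e "^-A FORWARD .*-o $WAN_IF .*-j (DROP|REJECT)" |
        while IFS= read -r rule; do
            src=$(rule_source "$rule"); [ -n "$src" ] && is_rfc1918 "$src" && echo x
        done | wc -l)
    [ "$((hits))" -gt 0 ] && echo filtered || echo leaks
}

classify_masquerade "$SAMPLE_NAT"   # masq-all
private_egress "$SAMPLE_FILTER"     # leaks
```

Run it against real output with `iptables -t nat -S` and `iptables -S` substituted for the sample strings; a `masq-all` finding means the MASQUERADE rule needs an `-s` match limited to the private range, and `leaks` means a FORWARD drop for RFC 1918 sources leaving the WAN interface is missing.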