LinuxQuestions.org
Old 12-18-2011, 03:36 PM   #1
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Rep: Reputation: 33
new to route command


Hi, I'm trying to route a connection but it doesn't work. I don't really understand what goes wrong.

I've got a switch on 192.168.2.0. All my computers are on that network.

However there is one server that has 192.168.2.7 on eth0 and 192.168.1.1 on eth1. Through eth1 it connects with a crossover to 192.168.1.2 (that computer isn't connected to 192.168.2.0)

On one of my computers on 192.168.2.0 I entered the command:

Code:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.7
I thought that would do the trick to connect straight away to my crossed over computer but it doesn't work yet. I think I need to put something in the routing table of 192.168.2.7 as well but what?
 
Old 12-18-2011, 03:39 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
You need to configure the intermediary machine to forward packets.

Test with:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

and set permanently in /etc/sysctl.conf:

Code:
net.ipv4.ip_forward = 1
 
Old 12-18-2011, 03:51 PM   #3
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Original Poster
Rep: Reputation: 33
No that doesn't work. I tried to ssh directly and mount a drive on the computer behind the intermediate computer but that doesn't work.

Last edited by bucovaina78; 12-18-2011 at 03:54 PM.
 
Old 12-18-2011, 04:40 PM   #4
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Original Poster
Rep: Reputation: 33
I've done some more google-ing. I'm suspecting I need to configure iptables for NAT. But I've got no experience whatsoever with iptables. So I found this:

Code:
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state \
   --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
eth0 is my 192.168.2.0 network where all my computers are attached, eth1 is the crossover connection. Is this right then?
 
Old 12-18-2011, 04:44 PM   #5
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Quote:
Originally Posted by bucovaina78
No that doesn't work. I tried to ssh directly and mount a drive on the computer behind the intermediate computer but that doesn't work.
Two very critical core components need to be satisfied on the intermediary (gateway/router) system (192.168.2.7/eth0 192.168.1.1/eth1).

First, as acid_kewpie already indicated, IP-forwarding (routing) should be enabled.
Second, forwarding should be permitted via netfilter rules using iptables.
Code:
[root@192.168.2.7 ~]# iptables -I FORWARD -j ACCEPT
Without knowing what the routing system is we may guess and provide examples similar to our experiences, but they may not work exactly as demonstrated. Additionally, does the 192.168.1.2 system have a default route gateway of 192.168.1.1?
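
As an added example that is not part of the thread: the forwarding permission scoped to the two subnets the thread describes, for comparison with the blanket rule above. The `IPT` dry-run variable and the `forward_rules` function are names made up here; it assumes the routed (no NAT) setup and that only hosts on 192.168.2.0/24 open connections.

```shell
#!/bin/sh
# Added example: scoped forwarding rules for the routed (no NAT) setup.
# Interface names and subnets come from the thread; IPT is a hypothetical
# dry-run switch introduced for this example.

LAN_IF=eth0;  LAN_NET=192.168.2.0/24    # switch side of the intermediary (192.168.2.7)
FAR_IF=eth1;  FAR_NET=192.168.1.0/24    # crossover side (192.168.1.1)
IPT=${IPT:-echo iptables}               # default prints the commands;
                                        # set IPT=iptables as root to apply them

forward_rules() {
    # Replies to connections that were already allowed, in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN towards the crossover subnet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$FAR_IF" -s "$LAN_NET" -d "$FAR_NET" \
         -m conntrack --ctstate NEW -j ACCEPT
    # Anything else that would be forwarded is dropped by policy.
    $IPT -P FORWARD DROP
}

# A blanket "-I FORWARD -j ACCEPT" inserted earlier still matches first;
# remove it with: iptables -D FORWARD -j ACCEPT
forward_rules
```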
 
Old 12-18-2011, 04:50 PM   #6
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Quote:
Originally Posted by bucovaina78
I've done some more google-ing. I'm suspecting I need to configure iptables for NAT. But I've got no experience whatsoever with iptables. So I found this:

eth0 is my 192.168.2.0 network where all my computers are attached, eth1 is the cross over connection. is this right then?
It depends. Do you want to actually route (each network knows about the other) or have 192.168.2.7 handle the address translation (192.168.1.2 does not know or care about 192.168.2.x -- similar to what most home router/firewall/access-points/modems do to connect systems to the Internet)?

With routing the intermediary system simply passes the packets, but with NATing/MASQUERADEing the intermediary system will actually take the packet and change the ip from 192.168.2.x to 192.168.1.1. Then 192.168.1.2 will reply to 192.168.1.1, upon receiving it 192.168.1.1/192.168.2.7 will identify that the packet is actually destined for 192.168.2.x, change the ip to that of 192.168.2.7 and kick it out on the wire to the intended IP on 192.168.2.x network.
 
Old 12-19-2011, 01:27 AM   #7
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Original Poster
Rep: Reputation: 33
I want all the hosts at 192.168.2.0 to know about the host(s) at 192.168.1.0 (I want to mount a CIFS)

I added the
Code:
iptables -I FORWARD -j ACCEPT
and it doesn't work so far. I checked again the ip_forward variable in /proc/sys/net/ipv4 and it's still on 1. My routing table mentions 192.168.1.0 and 192.168.2.0 with the right devices.

Code:
root@intermediate:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere                      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@intermediate:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.7     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
root@intermediate:~# cat /proc/sys/net/ipv4/ip_forward 
1
root@intermediate:~#
 
Old 12-19-2011, 02:31 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Right, but the missing link is whether the 1 subnet then knows about the machines on 2. Either those machines need to know how to get back to that other network by having a route on them, OR you use NAT or masquerade on the router device so that all traffic from the 2 subnet appears to come from that router instead, which the 1 machines already know about.

Try to avoid using NAT if you can; you can possibly get away with adding a route onto the default gateway device of the 1 machines, although this could result in unsuccessful attempts at asymmetric routing.
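
The return-path point made in the reply above, as an added example that is not part of the thread: a longest-prefix lookup over `route -n` text, run against constructed routing tables for the 192.168.1.2 host and for a LAN client. The tables, the client address 192.168.2.50, the client's default gateway and the `route_lookup` function are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: which route would a host pick?
# Longest-prefix match over `route -n` text (metrics and ties are ignored).

route_lookup() {   # $1 = `route -n` output, $2 = destination IPv4 address
    printf '%s\n' "$1" | awk -v dst="$2" '
        function ip2int(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { best = -1 }
        # Data rows start with a dotted quad; the two header lines do not.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            mask = ip2int($3)
            size = 4294967296 - mask      # number of addresses the route covers
            if (int(ip2int(dst) / size) == int(ip2int($1) / size) && mask > best) {
                best = mask; gw = $2; dev = $8
            }
        }
        END {
            if (best < 0)             print "unreachable"
            else if (gw == "0.0.0.0") print "direct dev " dev
            else                      print "via " gw " dev " dev
        }'
}

# Constructed tables (not captured from the poster's machines).
FAR_NO_RETURN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

FAR_WITH_RETURN="$FAR_NO_RETURN
192.168.2.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth0"

LAN_CLIENT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.2.7     255.255.255.0   UG    0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0'

echo "client -> 192.168.1.2:            $(route_lookup "$LAN_CLIENT" 192.168.1.2)"
echo "far host reply, no return route:  $(route_lookup "$FAR_NO_RETURN" 192.168.2.50)"
echo "far host reply, with route added: $(route_lookup "$FAR_WITH_RETURN" 192.168.2.50)"
```

With only its connected route, the 192.168.1.2 host has nowhere to send replies for 192.168.2.x, so forwarded packets arrive but the connection never completes.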
 
Old 12-19-2011, 04:15 AM   #9
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Original Poster
Rep: Reputation: 33
Yes!! It's working now!! Thanks a lot acid_kewpie & rayfordj
 
Old 12-19-2011, 04:48 AM   #10
bucovaina78
Member
 
Registered: Oct 2004
Location: Belgium / Antwerp
Distribution: Debian
Posts: 287

Original Poster
Rep: Reputation: 33
Just to be complete:

I tried to mount the drive on 192.168.1.2 (remote computer) and I got an error connection refused (-111). So I added a line in /etc/hosts.allow:

Code:
192.168.2.0/24
Now the problem is solved.

Thanks to you all!
 
  

