This is for a lab class and for the life of me I can't figure it out; I've been working at it a few hours a day for the past week to no avail.
Redhat 9.0
eth0: 172.31.46.1/16
eth1: 192.168.46.1/24
DHCP is running on eth1
Shorewall firewall, all other firewalls turned off
The idea of this lab is to build a mini internet, the multiple groups being different class B addresses (172.31.46.1, 172.31.48.1, etc) and for the linux box to provide routing for the 192 class C addresses. There is a Cisco PIX firewall with an IP of 172.31.34.2 which provides a gateway to the internet.
So ideally, in the group with external address 172.31.46.1, one of their clients, say 192.168.46.2, can ping and otherwise connect to a client with IP 192.168.48.2 in the 172.31.48.1 group.
Problem is I can't get ip_forward to work. The clients can ping both of the server's NICs but not any further. If I turn on IP masquerading in Shorewall the clients can ping the PIX, but unfortunately that will not work for the intergroup routing.
I have "1" set in the /proc/sys/net/ipv4/ip_forward.
In /etc/sysctl.conf I have "net.ipv4.ip_forward=1".
Anything else I can attempt to get routing working?
I'm not familiar with Shorewall; is that a complete distribution or just a firewall you install on top of something else?
Give us a bit more info. Presumably:
you are using an iptables-based Linux distro
the router has two IP addresses, one in each subnet, bound to the corresponding network card
> the multiple groups
Presumably you mean multiple groups of people. I take it the 172.31 machines are all on the same ethernet segment/switch and in the same subnet. I assume the PIX is just another host in that subnet.
The biggest problem I can see is the routing table in a 172.31 client.
If you try to configure it as normal with an IP, netmask and gateway then you have a problem. To access the internet you need the default gateway set to the IP address of the PIX. To access the other subnet you need the 172.31 client's default gateway set to the IP of the Linux router box.
You could set the 172.31 clients' default gateway to the Linux box, then try to set the routing table in the Linux box to bounce internet traffic to the PIX,
or you could make routing table entries on all the clients (static IP?).
Shorewall uses either ipchains or iptables as a back end, I forget which. It just adds easier configuration basically.
Yes, multiple groups of people. We are all on the same network 172.31.0.0 with the PIX as the gateway to the T1 connections; all the group connections and the PIX are plugged into the same switch. The 172.31.46.1 card on the Linux router is plugged into that switch, the 192.168.46.1 card is plugged into a hub that the clients are on.
The way I have it set up now is that the clients have 192.168.46.1 as the default gateway, the router has its default gateway set to the PIX. In the Gnome network config I set the gateway of the 192 card to the 172 card and the gateway of the 172 card to the PIX, still nothing.
The routes on the Linux box (from memory):
destination    gateway        netmask          adapter
127.0.0.0      0.0.0.0        255.0.0.0        lo
192.168.46.0   0.0.0.0        255.255.255.0    eth1
172.31.0.0     0.0.0.0        255.255.0.0      eth0
default        172.31.34.2    255.255.0.0      eth0
The clients are running Win2000, and DHCP is a requirement unfortunately. What I don't understand is why I am able to ping the PIX from a client when I enable IP masquerading and nothing else. Turn it off and the clients can't ping past the external NIC on the Linux box.
Am I right in understanding there are 3 ways to route: NAT, IP masquerading, and ip_forward? It's like I have ip_forwarding enabled and all, but it just isn't working for some reason.
To answer your last question, I don't think you should consider those 3 methods of forwarding connections. Why? Because masquerading is actually just a special form of NAT.
I can't help you with Shorewall... but this script below will completely open up your firewall. Make sure that ext=eth? is your external (172.31.46.1) NIC. Set all of your 192.168.46.0/24 client machines to have 192.168.46.1 as their default gateway. Good luck.
Hello,
What you need is a NAT.
You can enable NAT as follows
$ vi /etc/sysctl.conf
change "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". This will enable forwarding.
To make the change take effect without restarting, echo it:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Then set up the NAT using iptables or using squid:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.46.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.46.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.46.0/24 -j DROP
If you would like to try out squid please let me know. I will help you.
Originally posted by zaphodiv
> What you need is a NAT.
That depends on the aim of the exercise. If he needs the 172.31 machines to be able to open connections to the 192.168 machines then he needs to do proper routing.
As JordanH implies, I suspect shorewall has some firewall rules in place that are causing a problem.
Exactly, if I enable NAT the lab will not work. All the 192.168 machines need to be able to connect to all the other ones no matter which 172.31 server/address they are behind. I have already enabled masquerading out of curiosity and the clients could get to the PIX and beyond, but a lot of good that does if the other groups' clients cannot get past the Linux router due to the nature of NAT.
So, NAT/masquerading must remain off and I must do "proper" routing. (well put)
I have Shorewall set to accept all from both NICs, but I will try what is above to be sure.
Routes on router1 (56); router 2 is just the opposite:
destination     netmask          gateway
172.31.0.0      255.255.0.0      172.31.46.1
192.168.46.0    255.255.255.0    192.168.46.1
192.168.56.0    255.255.255.0    192.168.46.1
192.168.56.0    255.255.255.0    192.168.56.1
default                          172.31.46.1
Now, the 172 card in the router can ping both cards in the other router and the other host. The host can ping all cards in both routers. The problem is when I ping one host from the other I get a message something like "reply from 192.168.46.1 : TTL destination time out". If I ping an IP of a host that is not there (such as 192.168.46.25) I get the same error message. Any ideas?
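To make the routing-table discussion above concrete, here is an added example (not from the thread or any poster) that does a longest-prefix route lookup over a constructed model of the two-router lab. Router2's addresses 172.31.56.1/192.168.56.1, the PIX's table and the two clients are assumptions; it traces a ping from 192.168.46.2 to 192.168.56.2 under three router1 tables: no route to 192.168.56.0/24 (the packet follows the default route to the PIX, which has no such entry), a route pointing at router1's own address, and a route via router2's 172.31 address.

```python
import ipaddress
# Constructed topology from the thread: router2 is assumed to be 172.31.56.1/192.168.56.1
# and the PIX 172.31.34.2 knows nothing about any 192.168.x network. None = on-link route.
NET = {
    "client46": {"addrs": {"192.168.46.2"},
                 "routes": [("192.168.46.0/24", None), ("0.0.0.0/0", "192.168.46.1")]},
    "client56": {"addrs": {"192.168.56.2"},
                 "routes": [("192.168.56.0/24", None), ("0.0.0.0/0", "192.168.56.1")]},
    "router2": {"addrs": {"172.31.56.1", "192.168.56.1"},
                "routes": [("172.31.0.0/16", None), ("192.168.56.0/24", None),
                           ("192.168.46.0/24", "172.31.46.1"),  # return route for replies
                           ("0.0.0.0/0", "172.31.34.2")]},
    "pix": {"addrs": {"172.31.34.2"}, "routes": [("172.31.0.0/16", None)]},
}
def lookup(routes, dst):
    """Longest-prefix match over [(prefix, gateway)]; returns (network, gateway) or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best
def owner(network, ip):  # name of the node holding address ip, or None
    return next((n for n, d in network.items() if ip in d["addrs"]), None)
def trace(network, start, dst, ttl=6):
    """Forward hop by hop, return (path, outcome). A gateway that is one of the current
    node's own addresses re-enters the same table (simplified self-pointing route)."""
    path, node = [start], start
    for _ in range(ttl):
        hit = lookup(network[node]["routes"], dst)
        if hit is None:
            return path, "no route"                 # e.g. the PIX has no 192.168.x entry
        nxt = owner(network, dst if hit[1] is None else hit[1])
        if nxt is None:
            return path, "no such host"
        if hit[1] is None:                          # on-link: hand straight to the host
            return path + [nxt], "delivered"
        path.append(nxt)
        node = nxt
    return path, "ttl exceeded"
def scenarios():
    """client46 -> 192.168.56.2 under three router1 tables: {name: (path, outcome)}."""
    base = [("172.31.0.0/16", None), ("192.168.46.0/24", None), ("0.0.0.0/0", "172.31.34.2")]
    variants = {"missing route": base,
                "as posted (self-pointing)": base + [("192.168.56.0/24", "192.168.46.1")],
                "fixed (via router2 eth0)": base + [("192.168.56.0/24", "172.31.56.1")]}
    r1 = {"172.31.46.1", "192.168.46.1"}
    return {name: trace(dict(NET, router1={"addrs": r1, "routes": routes}),
                        "client46", "192.168.56.2") for name, routes in variants.items()}
```

Only the "fixed" table delivers the packet, and only because router2 also carries a return route for 192.168.46.0/24; without NAT, every router in the lab needs an explicit route for every other group's 192.168 subnet via that group's 172.31 address.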