LinuxQuestions.org
11-21-2003, 03:30 PM   #1   brian89gp (LQ Newbie)
router, ip_forward problem


This is for a lab class and for the life of me I can't figure it out; I have been working at it a few hours a day for the past week to no avail.

Redhat 9.0
eth0: 172.31.46.1/16
eth1: 192.168.46.1/24
DHCP is running on eth1
Shorewall firewall, all other firewalls turned off


The idea of this lab is to build a mini internet, the multiple groups being different class B addresses (172.31.46.1, 172.31.48.1, etc) and for the linux box to provide routing for the 192 class C addresses. There is a Cisco PIX firewall with an IP of 172.31.34.2 which provides a gateway to the internet.

So ideally, in the group with external address 172.31.46.1, one of their clients, say 192.168.46.2, can ping and otherwise connect to a client in the 172.31.48.1 group with IP 192.168.48.2.

Problem is I can't get ip_forward to work. The clients can ping both of the server's NIC cards but not any further. If I turn on IP masquerading in Shorewall the clients can ping the PIX server; unfortunately that will not work for the intergroup routing.

I have "1" set in /proc/sys/net/ipv4/ip_forward.
In /etc/sysctl.conf I have "net.ipv4.ip_forward=1".



Anything else I can attempt to get routing working?
 
11-21-2003, 05:48 PM   #2   zaphodiv (Member)
I'm not familiar with shorewall; is that a complete distribution or just a firewall you install on top of something else?

Give us a bit more info. Presumably:
you are using an iptables based linux distro
the router has two ip addresses, one in each subnet bound to the corresponding network card

>the multiple groups
Presumably you mean multiple groups of people. I take it the 172.31 machines are all on the same ethernet segment/switch and in the same subnet. I assume the PIX is just another host in that subnet.

The biggest problem I can see is the routing table in a 172.31 client. If you try to configure it as normal with an ip, netmask and gateway then you have a problem. To access the internet you need the default gateway set to the ip address of the PIX. To access the other subnet you need the 172.31 client default gateway set to the ip of the linux router box.

You could set the 172.31 clients' default gateway to the linux box then try to set the routing table in the linux box to bounce internet traffic to the PIX.

or you could make routing table entries on all the clients (static ip?)
 
11-21-2003, 10:18 PM   #3   brian89gp (LQ Newbie, Original Poster)
Shorewall uses either IPchains or IPtables as a back end, I forget which. It just adds easier configuration basically.

Yes, multiple groups of people. We are all on the same network 172.31.0.0 with the PIX as the gateway to the T1 connections; all the group connections and the PIX are plugged into the same switch. The 172.31.46.1 card on the linux router is plugged into that switch, the 192.168.46.1 card is plugged into a hub that the clients are on.

The way I have it set up now is that the clients have 192.168.46.1 as the default gateway, the router has its default gateway set to the PIX. In the Gnome network config I set the gateway of the 192 card to the 172 card and the gateway of the 172 card to the PIX, still nothing.

The routes on the linux box (from memory):

Destination     Gateway        Subnet           Adapter
127.0.0.0       0.0.0.0        255.0.0.0        lo
192.168.46.0    0.0.0.0        255.255.255.0    eth1
172.31.0.0      0.0.0.0        255.255.0.0      eth0
default         172.31.34.2    255.255.0.0      eth0

The clients are running Win2000, and DHCP is a requirement unfortunately. What I don't understand is why I am able to ping the PIX with a client when I enable IP masquerading and nothing else. Turn it off and the clients can't ping past the external NIC on the linux box.

Am I right in understanding there are 3 ways to route: NAT, IP masquerading, and ip_forward? It's like I have ip_forwarding enabled and all but it just isn't working for some reason.
 
11-21-2003, 10:41 PM   #4   JordanH (Member)
To answer your last question, I don't think you should consider those 3 methods of forwarding connections. Why? Because masquerading is actually just a special form of NAT.

I can't help you with shorewall... but this script below will completely open up your firewall. Make sure that ext=eth? is your external (172.31.46.1) NIC. Set all of your 192.168.46.0/24 client machines to have 192.168.46.1 as their default gateway. Good luck.

#!/bin/bash
# Turn on forwarding in the running kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
ext=eth0                 # external (172.31.46.1) NIC
ipt=/sbin/iptables       # iptables binary used by the rules below

# Set policies: accept everything in all three built-in chains
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
    $ipt -t $table -F   # flush all rules
    $ipt -t $table -X   # delete user-defined chains
    $ipt -t $table -Z   # zero packet/byte counters
done

# Masquerade everything that leaves through the external NIC
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
 
11-21-2003, 11:31 PM   #5   brian89gp (LQ Newbie, Original Poster)
Quote (originally posted by JordanH):
> $ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE

That will turn on NAT/masquerading? Or did I read it wrong. I must leave both off for the lab to work.

Unfortunately I can't try anything till next week as the school is closed for the weekend.
 
11-22-2003, 03:09 AM   #6   shammi456 (LQ Newbie)

Hello,
What you need is NAT.
You can enable NAT as follows.

Edit /etc/sysctl.conf (it is a file, so open it in an editor rather than cd'ing to it):

vi /etc/sysctl.conf

and change "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1". This will enable forwarding at boot.

To make the change take effect without restarting, echo it into /proc:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then set up the NAT using iptables or using squid:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.46.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.46.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.46.0/24 -j DROP

If you would like to try out squid, please let me know. I will help you.

-Thank You.
-Sam
B.Sc,B.Tech,R.H.C.E
 
11-22-2003, 06:16 AM   #7   zaphodiv (Member)
>What you need is a NAT.

That depends on the aim of the exercise. If he needs the 172.31 machines to be able to open connections to the 192.168 machines then he needs to do proper routing.

As JordanH implies, I suspect shorewall has some firewall rules in place that are causing a problem.
 
11-22-2003, 12:01 PM   #8   brian89gp (LQ Newbie, Original Poster)
Quote (originally posted by zaphodiv):
> >What you need is a NAT.
>
> That depends on the aim of the exercise. If he needs the 172.31 machines to be able to open connections to the 192.168 machines then he needs to do proper routing.
>
> As JordanH implies, I suspect shorewall has some firewall rules in place that are causing a problem.

Exactly, if I enable NAT the lab will not work. All the 192.168 machines need to be able to connect to all the other ones no matter which 172.31 server/address they are behind. I have already enabled Masquerading out of curiosity and the clients could get to the PIX and beyond, but a lot of good that does if the other groups' clients cannot get past the linux router due to the nature of NAT.

So, NAT/Masquerading must remain off and I must do "proper" routing. (well put)

I have Shorewall set to accept all from both NICs, but I will try what is above to be sure.
 
12-04-2003, 09:12 PM   #9   brian89gp (LQ Newbie, Original Poster)
Some updates

host                 router1                    router2                host
192.168.56.2 ----- 192.168.56.1         192.168.46.1 ----- 192.168.46.2
                   172.31.56.1 -------- 172.31.46.1

Routes on router1 (56); router2 is just the opposite:

Destination     Netmask           Gateway
172.31.0.0      255.255.0.0       172.31.46.1
192.168.46.0    255.255.255.0     192.168.46.1
192.168.56.0    255.255.255.0     192.168.46.1
192.168.56.0    255.255.255.0     192.168.56.1
default                           172.31.46.1


Now, the 172 card in the router can ping both cards in the other router and the other host. The host can ping all cards in both routers. The problem is when I ping one host from the other I get a message something like "reply from 192.168.46.1: TTL destination time out". If I ping an IP of a host that is not there (such as 192.168.46.25) I get the same error message. Any ideas?
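As an added example (not written by anyone in this thread), here is a small longest-prefix-match forwarding simulator for the two-router lab drawn above: the addresses are the thread's, but the per-node route tables and the "pix" stand-in node are constructed assumptions. It traces a ping hop by hop with a TTL, showing a table on which host-to-host pings work, and a pair of routers whose default routes point at each other, which is one way a "TTL expired in transit" reply comes back from a router's address rather than from the target.

```python
import ipaddress

# Added example. Addresses are the thread's; route tables and the "pix" node are constructed.
def lab(router1_default, router2_default):
    return {  # node -> (own addresses, [(prefix, gateway or None when directly connected)])
        "host56":  ({"192.168.56.2"}, [("0.0.0.0/0", "192.168.56.1")]),
        "router1": ({"192.168.56.1", "172.31.56.1"},
                    [("192.168.56.0/24", None), ("172.31.0.0/16", None),
                     ("192.168.46.0/24", "172.31.46.1"), ("0.0.0.0/0", router1_default)]),
        "router2": ({"192.168.46.1", "172.31.46.1"},
                    [("192.168.46.0/24", None), ("172.31.0.0/16", None),
                     ("192.168.56.0/24", "172.31.56.1"), ("0.0.0.0/0", router2_default)]),
        "host46":  ({"192.168.46.2"}, [("0.0.0.0/0", "192.168.46.1")]),
        "pix":     ({"172.31.34.2"}, []),  # stand-in for the lab's internet gateway
    }

def lookup(routes, dst):  # longest-prefix match: the most specific matching prefix wins
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def owner(net, ip):  # which node holds this address on one of its interfaces
    return next((n for n, (addrs, _) in net.items() if str(ip) in addrs), None)

def trace(net, src, dst, ttl=64):  # follow one packet hop by hop -> (outcome, path)
    dst, node, path = ipaddress.ip_address(dst), src, [src]
    while str(dst) not in net[node][0]:
        hit = lookup(net[node][1], dst)
        if hit is None:
            return f"no route at {node}", path
        gw = dst if hit[1] is None else ipaddress.ip_address(hit[1])
        nxt = owner(net, gw)
        if nxt is None:  # nobody answers ARP for the next hop: the ping just times out
            return f"{node}: next hop {gw} unreachable", path
        ttl -= 1
        if ttl == 0:  # the node that zeroes the TTL is the one whose address appears in the reply
            return f"ttl expired at {node}", path
        node = nxt
        path.append(node)
    return "delivered", path

if __name__ == "__main__":
    good = lab("172.31.34.2", "172.31.34.2")  # both routers default to the PIX
    print(trace(good, "host56", "192.168.46.2"))  # delivered: host56 > router1 > router2 > host46
    loop = lab("172.31.46.1", "172.31.56.1")  # each router's default route is the other router
    print(trace(loop, "host56", "10.0.0.1"))  # bounces between the routers until TTL hits zero
```

With the working table, a ping to a 192.168.46.x address that has no host ends at router2 with an unanswered next hop (a plain timeout), while the mutual-default configuration reports the TTL expiring on a router for any destination neither router has a specific route for.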
 
  

