Routing...........

Dasha · 05-10-2005, 12:09 AM

Hi,

Need some help.........

I have a Core 3 machine set up with 2 nics. I want to set it up as a router between 2 networks. I've set up a squid on that machine for internet and also have Firestarter set up for ipforwarding.

I have networks 192.168.8.0 and 192.168.1.0. I can get it to work one way by setting the gateways appropriately.....ie. can ping 192.168.1.0 from 192.168.8.0 but can't ping 168.8. from 168.1. network.

Any ideas would be most helpful.

Thanx.

michaelsanford · 05-10-2005, 01:11 AM

I'm not sure what rules Firestarter uses for forwarding, type the parts in bold into the terminal and post the results here, mine are included as a reference. Also I assume that your networks are getting IP addresses from this FC3 machine; if they aren't forget the last part about dhcpd.

This will tell us what rules the firewall is using to marshall traffic between your interfaces:

Code:

root@gateway:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 34740 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 78 packets, 5107 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1300 79005 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1156 packets, 70442 bytes)
 pkts bytes target     prot opt in     out     source               destination

This will tell us if ip_forwarding is enabled properly:

Code:

root@gateway:~# cat /proc/sys/net/ipv4/ip_forward
1

This will tell us how your dhcp server is handing out addresses.

Code:

root@gateway:~# cat /etc/dhcpd.conf
subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option domain-name-servers 206.47.244.12, 206.47.244.42;
        option ip-forwarding on;
        range 192.168.1.100 192.168.1.254;
}

Dasha · 05-10-2005, 02:48 AM

Hi, thanx for your reply..........here is the output. No DHCP, all my machines are static.
Note I have VPN and VNC forwarded to other machines.
Cheers.

[root@ ~]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 106 packets, 4353 bytes)
pkts bytes target prot opt in out source
destination
0 0 DNAT tcp -- eth0 any anywhere
anywhere tcp dpt:1723 to:192.168.2.6:1723
0 0 DNAT udp -- eth0 any anywhere
anywhere udp dpt:1723 to:192.168.2.6:1723
0 0 DNAT tcp -- eth0 any anywhere
anywhere tcp dpt:5904 to:192.168.2.3:5900
0 0 DNAT udp -- eth0 any anywhere
anywhere udp dpt:5904 to:192.168.2.3:5900

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
42 1860 MASQUERADE all -- any eth0 anywhere
anywhere

Chain OUTPUT (policy ACCEPT 14 packets, 892 bytes)
pkts bytes target prot opt in out source
destination
[root@ ~]# cat /proc/sys/net/ipv4/ip_forward
1

michaelsanford · 05-10-2005, 01:03 PM

Yeah, see, it's MASQUERADEing traffic out from one NIC which means you'd need to forward ports to go between the two networks (or more specifically to go from the eth0-attached network to the other one).

Maybe this thread will help you. You can forward two networks with NETMAP (though, as my post says, I've never tried it so it might not work er as expected).
http://www.linuxquestions.org/questi...95#post1634995

PS I don't know how that will affect your VPN forwards though...