LinuxQuestions.org


mk6032 03-08-2009 10:35 AM

routing/iptables problem
 
192.168.1.1 is default gateway and wireless router
192.168.1.254 is a wireless bridge
192.168.1.2 is a linux box configured as a router
192.168.0.1 is the linux box's other nic
192.168.0.21 is a DHCP host on the linux box's 0.x network

From 0.21, I can ping 1.1:

Code:

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=3ms TTL=63
Reply from 192.168.1.1: bytes=32 time=2ms TTL=63

Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms
Control-C
^C
C:\>

The problem is that from 1.1, I can't ping 0.21:

Code:

# ping 192.168.0.21
PING 192.168.0.21 (192.168.0.21): 56 data bytes
#
--- 192.168.0.21 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

This is the output of iptables --list on the linux box:

Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere

The routing table on the linux box:
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.1.0    *              255.255.255.0  U    0      0        0 eth0
192.168.0.0    *              255.255.255.0  U    0      0        0 eth1
link-local      *              255.255.0.0    U    1000  0        0 eth0
default        192.168.1.1    0.0.0.0        UG    100    0        0 eth0

The routing table on the default gateway (1.1):
Code:

# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
75.90.0.1      *              255.255.255.255 UH    0      0        0 ppp0
192.168.1.0    *              255.255.255.0  U    0      0        0 br0
192.168.0.0    192.168.1.2    255.255.255.0  UG    0      0        0 br0
127.0.0.0      *              255.0.0.0      U    0      0        0 lo
default        h1.0.90.75.dyna 0.0.0.0        UG    0      0        0 ppp0
#

The output of iptables -t nat -L -v on the linux box:
Code:

Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target    prot opt in    out    source              destination
 175K  14M MASQUERADE  all  --  any    any    192.168.0.0/24      anywhere 

Chain OUTPUT (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target    prot opt in    out    source              destination

The output of cat /proc/sys/net/ipv4/ip_forward is:
1

rossonieri#1 03-08-2009 11:30 AM

hi mk,

This routing table on 1.1 is correct:
Code:

192.168.0.0    192.168.1.2    255.255.255.0  UG    0      0        0 br0
but unfortunately it has been blocked/overridden by this iptables rule:
Code:

Chain POSTROUTING (policy ACCEPT 918K packets, 48M bytes)
 pkts bytes target    prot opt in    out    source              destination
 175K  14M MASQUERADE  all  --  any    any    192.168.0.0/24      anywhere

Your computer behind NAT can access the outside world via this NAT/PAT mechanism: 1.1 sees its traffic as originating from 1.2, not from 0.21, and 1.2 acts as a request broker between the 0.0/24 subnet and the internet (including the 1.0/24 subnet).

So, to overcome this: you don't need the MASQ rule, since your 1.1 router already has that 0.0/24 route.

HTH.
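To make rossonieri#1's route-versus-NAT point concrete, here is an added Python model (example code, not from the thread or either poster) of the two routing tables and the MASQUERADE rule posted above. The interface addresses come from the first post; the 1.1 default-route peer is assumed to be the ppp0 host 75.90.0.1 that appears in its table.

```python
import ipaddress

# Routing tables copied from the thread: (prefix, gateway or None if on-link, iface).
# "1.1" is the wireless router / default gateway, "1.2" is the Linux box.
ROUTES = {
    "1.1": [("192.168.1.0/24", None, "br0"),
            ("192.168.0.0/24", "192.168.1.2", "br0"),
            ("0.0.0.0/0", "75.90.0.1", "ppp0")],   # ppp0 peer, assumed from the host route
    "1.2": [("192.168.1.0/24", None, "eth0"),
            ("192.168.0.0/24", None, "eth1"),
            ("0.0.0.0/0", "192.168.1.1", "eth0")],
}
# The Linux box's interface addresses, from the first post.
IFACE_ADDR = {"eth0": "192.168.1.2", "eth1": "192.168.0.1"}
LAN_0 = ipaddress.ip_network("192.168.0.0/24")


def lookup(router, dst):
    """Longest-prefix match over one router's table; returns (gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def egress_source(src, out_iface, masquerade):
    """Source address the Linux box writes on a new flow it forwards from the 0.x LAN.
    The posted rule (MASQUERADE, source 192.168.0.0/24, out any) substitutes the
    outgoing interface's own address; without it the packet leaves unchanged."""
    if masquerade and ipaddress.ip_address(src) in LAN_0:
        return IFACE_ADDR[out_iface]
    return src


def host_to_gateway(src, dst, masquerade):
    """(source, iface) of a new flow from a 0.x host as the next hop sees it."""
    _, iface = lookup("1.2", dst)
    return egress_source(src, iface, masquerade), iface


def gateway_to_host(dst):
    """Hop-by-hop forwarding decisions from 1.1 toward a 0.x host (routing only)."""
    gw, iface = lookup("1.1", dst)
    hops = [("1.1", gw, iface)]
    if gw == "192.168.1.2":          # handed to the Linux box, which has 0.x on-link
        hops.append(("1.2",) + lookup("1.2", dst))
    return hops
```

With the rule in place, 1.1 sees a new flow from 0.21 as coming from 192.168.1.2; the 1.1 to 0.21 direction is decided purely by the two routing tables.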

mk6032 03-08-2009 11:42 AM

Quote:

Originally Posted by rossonieri#1 (Post 3468739)
So, to overcome this: you don't need the MASQ rule, since your 1.1 router already has that 0.0/24 route.

HTH.

Hello, thanks for taking a look at this. So you're saying get rid of the MASQ rule? OK... I'm flushing rules:

Code:

matt@ltsp:~$ sudo iptables --flush
matt@ltsp:~$ sudo iptables -t nat --flush
matt@ltsp:~$ sudo iptables -t mangle --flush
matt@ltsp:~$ sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 269K packets, 23M bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain POSTROUTING (policy ACCEPT 919K packets, 49M bytes)
 pkts bytes target    prot opt in    out    source              destination

Chain OUTPUT (policy ACCEPT 919K packets, 49M bytes)
 pkts bytes target    prot opt in    out    source              destination

Check ping from 1.1 again:
Code:

# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes

#
--- 192.168.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss


rossonieri#1 03-08-2009 03:11 PM

hi mk,

Quote:

Check ping from 1.1 again: failed.
Have you restarted iptables and ip_forward as well? Flushing the chain alone sometimes doesn't work.

Keep me updated.

HTH.

mk6032 03-08-2009 03:26 PM

Just out of curiosity, I added a static route on the wireless bridge (1.254) and tried to ping and it worked, but not from 1.1! WTF?!

Code:

# ifconfig br0
br0        Link encap:Ethernet  HWaddr 00:12:17:E2:8A:D5 
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:52329 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6607650 (6.3 MiB)  TX bytes:4977548 (4.7 MiB)

# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
75.90.8.1      gateway.mattkey 255.255.255.255 UGH  1      0        0 br0
192.168.1.0    *              255.255.255.0  U    0      0        0 br0
127.0.0.0      *              255.0.0.0      U    0      0        0 lo
default        gateway.mattkey 0.0.0.0        UG    0      0        0 br0
# route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.2
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=1.416 ms
64 bytes from 192.168.0.1: seq=1 ttl=64 time=1.109 ms
64 bytes from 192.168.0.1: seq=2 ttl=64 time=1.152 ms
64 bytes from 192.168.0.1: seq=3 ttl=64 time=1.119 ms
64 bytes from 192.168.0.1: seq=4 ttl=64 time=1.119 ms
#
--- 192.168.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.109/1.183/1.416 ms

on 1.1 ...

Code:

# ifconfig br0
br0        Link encap:Ethernet  HWaddr 00:0F:66:0C:83:4F 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15527 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15043 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1509174 (1.4 MiB)  TX bytes:3292206 (3.1 MiB)

# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
75.90.8.1      *              255.255.255.255 UH    0      0        0 ppp0
192.168.1.0    *              255.255.255.0  U    0      0        0 br0
192.168.0.0    192.168.1.2    255.255.255.0  UG    0      0        0 br0
127.0.0.0      *              255.0.0.0      U    0      0        0 lo
default        h1.8.90.75.dyna 0.0.0.0        UG    0      0        0 ppp0
# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
#
--- 192.168.0.1 ping statistics ---
25 packets transmitted, 0 packets received, 100% packet loss

#


mk6032 03-08-2009 03:45 PM

Quote:

Originally Posted by rossonieri#1 (Post 3468900)
hi mk,

Have you restarted iptables and ip_forward as well? Flushing the chain alone sometimes doesn't work.

Keep me updated.

HTH.

I deleted the masq rule from boot time options, then rebooted. Checked ip_forward and it's still 1.

Code:

matt@ltsp:~$ iptables -L -v & iptables -L -v -t nat
[1] 21956
Chain INPUT (policy ACCEPT 33654 packets, 2758K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 37406 packets, 8329K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 32617 packets, 3561K bytes)
 pkts bytes target    prot opt in    out    source              destination       
Chain PREROUTING (policy ACCEPT 4577 packets, 335K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain POSTROUTING (policy ACCEPT 9762 packets, 631K bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 7608 packets, 473K bytes)
 pkts bytes target    prot opt in    out    source              destination       
[1]+  Done                    sudo iptables -L -v
matt@ltsp:~$ cat /proc/sys/net/ipv4/ip_forward
1
matt@ltsp:~$


mk6032 04-19-2009 06:44 PM

Solved

Whoops, I replied to the wrong thread. I can't find the delete thread button.

