-   Linux - Networking (
-   -   Slackware router: lan eth1 works, lan eth2 doesnt! Iptables config issue (

slugman 06-20-2011 01:33 AM

Slackware router: lan eth1 works, lan eth2 doesnt! Iptables config issue
Hey whats up fellow LQ readers!

This weekend I finally gathered the courage to create my very own router, from scratch. I installed Slack 13.37_x86 on my roomates Dell P4. After doing my research from posts here on LQ, and a couple others on the web, I was able to get my router mostly working!

My problem is: my router has 2 lan facing ethernet interfaces, however I can only get 1 lan interface to work at a time. The interface can assign dhcp leases no problem, but I can't connect to anything through this interface. Upon further inspection, I realized I cannot ping anything behind this interface either--including the gateway!

I am using dhcpd to serve dhcp, and iptables to enable nat. I pretty much based my dhcpd.conf file from alien-bob's guide on a pxe-server setup.

My dhcpd server is working just fine (verified on my other slack boxes, and my roomates Win7 box). After performing some troubleshooting, I noticed that my lan interface works depending on the order of my lan facing interfaces in my iptables script. The following is a copy of my script:

(I know, its a bit weird but for whatever reason udev wanted to make the integrated nic eth1, and my gigabit nics eth0 and eth2.)


# iptables script
# This script will enable iptables settings for our router
# Notes:
# WAN interface: eth1
# Lan interface: eth0, eth2
# Last Modified: 061811

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Enable IP Masquerading

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables --append FORWARD --in-interface eth2 -j ACCEPT

My big problem is the last line of my script! Systems connected to eth0 will work, but eth2 doesn't. If I switch the order of the interfaces in my script, eth2 will work but eth0 won't. This verifies that this is a) an iptables configuration issue, and b) my hardware is working correctly.

Whichever --in-interface is listed 2nd is the one which bites the dust. Like I mentioned above, this interface can assign dhcp lease information no problem, but I can't ping anything through the interface, not even the gateway! (My dhcpd.conf file lists both of my lan interfaces as a gateway,, and The latter takes precedence in dhcpd.conf).

I would be most grateful for any advice anyone is willing to offer. If there are any network admin's, iptables gurus, or *nix junkies who happen chance upon this thread, your advice will be most greatly appreciated!

These problems aside, this is a bad ass solution for a router. I know my current iptables script pretty much leaves my box wide open--I intend to fix this once I get a better grip on iptables configuration. My router also serves as my tftp/bootp server. I'm sure there's some readers out here who would like to get started on this project on their own. I intend to share my experiences in the form of a guide in a thread--as soon as I can figure this out!

slugman 06-20-2011 02:38 PM

you know, I was just thinking.. I believe the solution to my problem is to bridge eth0 & eth2. I just realized this when I was discussing my router with one of my colleagues here at my lab. I'll give this a go once I'm home and report my results.

slugman 06-21-2011 01:37 AM

hooray, physdev here we come
hey chums thanks for all the help--I finally figured it out! I admit it took some reading, but I was finally able to break it down.

So, turns out a bridge is exactly what I needed. (I should have mentioned, my goals was to render both lan facing ethernet interfaces a 'ethernet-switch'.) However, my iptables script didn't quite work right away. After reading up the man pages, I discovered that bridge's require you to use the physdev module. I'm by no means a iptables expert yet--blatantly obvious by the wide gaping whole port scanners and bot spammers alike will no doubt be barging through (i'm refering to my iptables config of course). Networking is not my strong suite by a longshot, but I'm hoping some weekend tinkering and a few bowls of kind will help fix that.

So, first I create bridge interface:


brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth2

Make sure both eth0 and eth2 are set to (via ifconfig), then enable br0 as gateway via ifconfig:


ifconfig br0 up; ifconfig br0
.. and finally, the money maker (the big enchilada folks):


iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -A FORWARD -m physdev --physdev-in eth2 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 -j ACCEPT

I'll put up a guide sometime during the week when I have some free time. Now I'm off to download the interwebs :) --happy slacking!

All times are GMT -5. The time now is 06:46 PM.