LinuxQuestions.org
Old 03-07-2006, 09:56 PM   #1
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

help please :) Problem routing through Linux box


Hey guys, my question/problem is probably more of a problem with understanding IP/routing than it is with Linux itself, but maybe someone will have some pointers for me. I've got Red Hat 9 installed on a PC and what I'm trying to do is have it set up on my home network between my DSL router and the network PCs. My original config or topology/layout is all PCs feeding to a hub which connects to my Netgear DSL router. All IPs on my network are statically assigned using the typical 192.168.0.* and the DSL router is set at 192.168.0.1, which is the current gateway on all PCs.

I've installed 2 NIC cards in the Linux box which come up fine (eth0/1). I was told that both NICs in the Linux box need to be configured on different networks. So, I set up eth1 (network side) as 192.168.0.2 255.255.255.0 and then configured eth0 (internet/DSL router side) as 172.16.0.2 255.255.0.0 and changed the IP on my router to 172.16.0.1.

I then went into the "network" tabs for both NIC cards through the GNOME GUI and tried adding each other's IP to the NIC cards etc. and can't get any traffic to pass through the 2 NICs and out to the net/router. A friend told me that I need to assign routes in the routing table using "route add -net etc." and I'm lost here big time, with no idea as to which routes need to be added with the destination/gateway/netmask etc.

I don't need the Linux box to do NAT, as my router is doing it. All I'm trying to achieve here, and maybe it's completely pointless, is to have a Linux firewall set up behind my Netgear DSL router. Once I get traffic flowing through the Linux box, I would like to just use the GUI firewall settings (med/high) as I'm not ready to start making my own rules in the iptables area at this time. Maybe what I'm trying to achieve here is more of a gateway? I'm not sure, but I would like to make it work and play around with it. When I'm on the Linux box I can ping both the router and the other way to a PC on the net, just no flow between the 2 NICs from A to B.

Sorry to be so long here. Help on the "route" entries for my network IPs would be appreciated.

thanks, Jr
 
Old 03-08-2006, 12:31 AM   #2
pljvaldez
Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Squeeze (x86)
Posts: 6,092

You are actually creating a router/firewall, if my understanding is correct, simply because you have to pass all the packets from one connection to the other.

I use fwbuilder for both router and firewall scripts. It's a pretty easy gui that should help you create the rules you need (i.e. pass everything from eth1 --> eth0 and everything from eth0 --> eth1, basic firewalling).
 
Old 03-08-2006, 02:43 AM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

You have got the basics correct by having 2 subnets. Next you need to enable forwarding of requests, and really you should have a basic iptables firewall implemented. You will find the details of how to do this here. Having got forwarding implemented, you need to configure the gateways for the boxes. On the Linux box the gateway will be the router address (172.16.0.1) and for boxes behind the Linux box the gateway will be the ethernet card that serves them (192.168.0.2), effectively performing NAT for the network. I run the same configuration and have used MonMotha's firewall script to do the work. I have a writeup on it which is Debian specific on my site which you may find useful. It contains links to MonMotha's pages.
 
Old 03-08-2006, 07:37 AM   #4
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

If I am understanding your configuration correctly, one thing that everyone who has posted seems to have forgotten is that you must establish a default route. The default route is the route "out". Since you have more than one interface, the PC, now the "router", needs to know what to do with all the traffic that comes in. So, there are actually a couple of things to do:

1) Check that you have both interfaces listed in your routing tables
2) Make sure that you have a default route. The default route is the one that will show destination=0.0.0.0/0. In routing language that means destination everywhere/anywhere.
3) Since you are already behind another router, your gateway will have to be the next hop (i.e., the inside interface of the next router)
4) Decide which interface is going to be the "world" and which is going to be the "private" and source NAT (this is where the firewall comes in) behind the "world".
5) In your firewall, leave the input, forwarding, and output chains at the default (which is "accept") You can play with these as your comfort level goes up.

Good luck and have fun! Repost if you have anymore questions.
 
Old 03-08-2006, 02:07 PM   #5
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

Original Poster
Thanks for your help guys, I appreciate it. I will give it another go.

jr
 
Old 03-08-2006, 05:20 PM   #6
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,275

Quote:
Originally Posted by ScooterB
If I am understanding your configuration correctly, one thing that everyone who has posted seems to have forgotten is that you must establish a default route. The default route is the route "out". Since you have more than one interface, the PC, now the "router", needs to know what to do with all the traffic that comes in. So, there are actually a couple of things to do:

1) Check that you have both interfaces listed in your routing tables
2) Make sure that you have a default route. The default route is the one that will show destination=0.0.0.0/0. In routing language that means destination everywhere/anywhere.
3) Since you are already behind another router, your gateway will have to be the next hop (i.e., the inside interface of the next router)
4) Decide which interface is going to be the "world" and which is going to be the "private" and source NAT (this is where the firewall comes in) behind the "world".
5) In your firewall, leave the input, forwarding, and output chains at the default (which is "accept") You can play with these as your comfort level goes up.

Good luck and have fun! Repost if you have anymore questions.

Also, if you do not want to NAT on the PC (now the internal router), you will need to put a route in the routing table of the main router (the one that connects to the internet), otherwise it won't know how to get back to the 172.16.0.0 network; by default it will send any packets that do not have the 192.168.0.0 network back out its default gateway (out to the internet).
 
Old 03-08-2006, 10:48 PM   #7
navaburo
LQ Newbie
 
Registered: Mar 2006
Posts: 16

Dedicated Router/Firewall Distro suggested

I would suggest using a dedicated machine and distro to do routing for better speed, uptime, latencies, security, etc. I use Coyote Linux from a boot floppy on a 200 MHz Pentium machine. It can run headless (that is, with no monitor or keyboard), and can be accessed via an HTTP interface much like Linksys routers. Definitely worth a try.
 
Old 03-09-2006, 08:09 AM   #8
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

You are correct fotoguy. Thanks for pointing that out! It is sometimes easy to forget all of the steps when you are trying to tell someone else how to do something, whereas you would probably just do it without thinking! Hope he reads the post again.
 
Old 03-09-2006, 10:39 AM   #9
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

Original Poster
"I've installed 2 nic cards in the linux box which come up fine (eth0\1). I was told that both nics in the linux box need to be configured on different networks. So, i setup eth1 (network side) as 192.168.0.2 255.255.255.0 and then configured eth0 (internet\dsl router side) as 172.16.0.2 255.255.0.0 and changed the ip on my router to 172.16.0.1"

Hi guys, well I played around with things last night for some time. I must be missing something still. I started off by editing the file /etc/sysctl.conf with vi and set ipv4 ip_forward=1 (it was at 0).

Then I added the following lines:
route add -net 192.168.0.2 netmask 255.255.255.255 dev eth1
route add -net 172.16.0.2 netmask 255.255.255.255 dev eth0

After doing this still no IP forwarding was happening from my network side out to the DSL router, so I added the following line:

route add -net default gw 172.16.0.1 dev eth0
and still nothing. At one point, after putting in different lines with the "route" command, I was actually finally able to ping the eth0 172.16.0.2 (Linux interface to the internet, connected to DSL router 172.16.0.1) but not able to ping through it to the router. I'm obviously missing something, and I'm thinking it's incorrect route entries in the routing table, but not positive. Also when I reboot the system, my entries that I manually put in using the "route add etc." are gone. I'm not sure where or what file needs to be edited to save the route table entries.
So, am I getting closer? Maybe a little, lol.
Any ideas?
Thanks in advance, jr
 
Old 03-09-2006, 07:31 PM   #10
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,275

Quote:
Originally Posted by ScooterB
You are correct fotoguy. Thanks for pointing that out! It is sometimes easy to forget all of the steps when you are trying to tell someone else how to do something, whereas you would probably just do it without thinking! Hope he reads the post again.

Yep done that a few times before

Ok jrd426, you need to add an entry to your internet/ADSL router that will tell it where to forward any packets that it receives for the 192.168.0.0 network. Add this entry:

route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.0.2

How this works is, say a machine on your 192.168.0.0 network wants to find www.google.com; it sends the packet out through its default gateway, which you have set up the routes for.

This then brings the packet onto the 172.16.0.0 network. The 172.16.0.0 network says, hey, you are not the same IP address as this network, I will send you out my default gateway. So now the packet will travel out the internet/DSL modem and then makes its way to the Google site.

Now when the packet returns it will come through the DSL router to the 172.16.0.0 network; it checks the IP address and says, ok, you're not a 172.16.0.0 network, I will send you back through the default gateway. Now this is where the command above will tell it what to do if it receives a packet that has a 192.168.0.0 address. It will then send it to the 172.16.0.2 machine, which will then check its NAT table entries to see if this packet originated from this network and then process the packet.

Hope this helps to get a better understanding



If you want the entries to be permanent, place them in the /etc/rc.d/rc.local file and they will be loaded every time you reboot.
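The hop-by-hop path described in this post is easiest to check by running the routing decision yourself. What follows is an added example, not code from the thread: a small POSIX shell longest-prefix-match lookup applied to the routing table the Linux box should end up with, and to the DSL router's table before and after the 192.168.0.0/24 route above is added. The DSL router's table is an assumption (its LAN side is taken as 172.16.0.0/16 to match eth0, and the interface names `lan`/`wan` are made up), 198.51.100.10 stands in for any Internet host, and unlike the kernel the lookup ignores metrics and breaks ties on equal prefix length by first match.

```shell
#!/bin/sh
# Added example: simulate longest-prefix-match route selection for the
# thread's topology. Tables are "prefix/len gateway device" lines;
# "-" as the gateway means the destination is directly connected.

# Routing table of the Linux box once both addresses and one default route
# are configured (the 169.254.0.0/16 zeroconf entry seen in the thread is kept).
LINUX_BOX_ROUTES="
192.168.0.0/24 - eth1
172.16.0.0/16 - eth0
169.254.0.0/16 - eth1
127.0.0.0/8 - lo
0.0.0.0/0 172.16.0.1 eth0
"

# Assumed DSL router tables (interface names lan/wan are made up): as found,
# and after 'route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.0.2'.
DSL_ROUTER_BEFORE="
172.16.0.0/16 - lan
0.0.0.0/0 - wan
"
DSL_ROUTER_AFTER="
192.168.0.0/24 172.16.0.2 lan
172.16.0.0/16 - lan
0.0.0.0/0 - wan
"

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup TABLE DESTINATION -> "dev direct" | "dev via gw" | "unreachable"
# The longest matching prefix wins, exactly as in the kernel's FIB lookup.
route_lookup() {
    dst=$(ip2int "$2")
    best=-1
    answer=unreachable
    while read -r prefix gw dev; do
        [ -z "$prefix" ] && continue
        net=${prefix%/*}
        plen=${prefix#*/}
        if [ "$plen" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
        fi
        netint=$(ip2int "$net")
        if [ $(( dst & mask )) -eq $(( netint & mask )) ] && [ "$plen" -gt "$best" ]; then
            best=$plen
            if [ "$gw" = "-" ]; then
                answer="$dev direct"
            else
                answer="$dev via $gw"
            fi
        fi
    done <<EOF
$1
EOF
    echo "$answer"
}

# Follow one packet from a LAN PC to an Internet host and its reply back.
trace() {
    echo "PC 192.168.0.5 -> 198.51.100.10 on the Linux box: $(route_lookup "$LINUX_BOX_ROUTES" 198.51.100.10)"
    echo "reply -> 192.168.0.5 on the DSL router, no route:   $(route_lookup "$DSL_ROUTER_BEFORE" 192.168.0.5)"
    echo "reply -> 192.168.0.5 on the DSL router, with route: $(route_lookup "$DSL_ROUTER_AFTER" 192.168.0.5)"
    echo "reply -> 192.168.0.5 on the Linux box:              $(route_lookup "$LINUX_BOX_ROUTES" 192.168.0.5)"
}

trace
```

With the route missing, the DSL router's only match for a reply to 192.168.0.5 is its default route, so the reply leaves towards the ISP, which will not route an RFC 1918 destination; with the route present, the reply is handed to 172.16.0.2, which has a connected route for 192.168.0.0/24 on eth1. The return route is only needed because the Linux box is not NATing: if it masquerades on eth0, the DSL router only ever sees 172.16.0.2 and its own connected route suffices.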
 
Old 03-09-2006, 11:15 PM   #11
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

Original Poster
I appreciate the responses guys, but still not having any luck getting a PC 192.168.0.5 out to the internet. My DSL router 172.16.0.1 is currently set up to do NAT, so maybe that's a problem? Seeing that the PCs are now seeing the Linux box/router, maybe the Linux box is not performing NAT? Just guessing at this point. Below is everything I have touched in hopes of getting network traffic to pass through the Linux box; maybe someone can see the problem. I know the routing table is a mess, but I'm not positive on what exactly I need to have in there.
thanks, jr

route
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
172.16.0.2      *               255.255.255.255 UH    0      0   0   eth0
192.168.0.2     *               255.255.255.255 UH    0      0   0   eth1
192.168.0.0     172.16.0.2      255.255.255.0   UG    0      0   0   eth0
192.168.0.0     *               255.255.255.0   U     0      0   0   eth1
172.16.0.0      *               255.255.0.0     U     0      0   0   eth0
169.254.0.0     *               255.255.0.0     U     0      0   0   eth1
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         172.16.0.1      0.0.0.0         UG    0      0   0   eth0

ifconfig
eth0 Link encap:Ethernet HWaddr 00:60:97:37:A7:EB
inet addr:172.16.0.2 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:50:BF:18:73:6E
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

[root@Bob sysconfig]# more network
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=Brutus
GATEWAY=172.16.0.1
GATEWAYDEV=eth0

[root@Bob network-scripts]# more ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.16.0.2
NETMASK=255.255.0.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=172.16.0.0
BROADCAST=172.16.255.255
GATEWAY=172.16.0.1

[root@Bob network-scripts]# more ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.0.2
NETMASK=255.255.255.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
HWADDR=00:50:bf:18:73:6e
GATEWAY=172.16.0.1
 
Old 03-10-2006, 02:30 AM   #12
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Quote:
Originally Posted by jrd426

[root@Bob network-scripts]# more ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.16.0.2
NETMASK=255.255.0.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=172.16.0.0
BROADCAST=172.16.255.255
GATEWAY=172.16.0.1

[root@Bob network-scripts]# more ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.0.2
NETMASK=255.255.255.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
HWADDR=00:50:bf:18:73:6e
GATEWAY=172.16.0.1
The mistake is on the last line for eth1. You must not specify the gateway here as the gateway for the box is already specified by the configuration for eth0. So all you need is the ip and the netmask. For boxes connected to eth1 via a hub etc their gateway will be 192.168.0.2.
The path from a box 192.168.0.3 would be:

192.168.0.3 -> 192.168.0.2 -> 172.16.0.2 -> 172.16.0.1
 
Old 03-10-2006, 08:58 AM   #13
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

Original Poster
Hi TigerOC, well I adjusted the error for the gateway I had, and I'm noticing that from the Linux box, which I'm on typing this, I am able to ping my eth1 interface (192.168.0.2) but not able to ping through it to any of the PCs on the 192.168.0.*. I'm thinking maybe I'm still missing something in the routing table?

thanks, Jr
 
Old 03-10-2006, 10:42 AM   #14
ScooterB
Member
 
Registered: Sep 2003
Location: NW Arkansas
Distribution: Linux Redhat 9.0, Fedora Core 2,Debian 3.0, Win 2K, Win95, Win98, WinXp Pro
Posts: 344

One thing that we might be forgetting is to ask from where you are trying to ping. If you have adjusted the IP addresses & gateways as recommended, then you might not actually be having any problems. Let's set up an example:

Let's assume that you are on a PC that has the address of 192.168.0.3. Your eth0 ifconfig should be as follows:

address 192.168.0.3
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.2

Now let's look at the router eth0:

address 192.168.0.2
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 172.16.0.2

eth1:

address 172.16.0.2
netmask 255.255.255.0
broadcast 172.16.0.255
gateway 172.16.0.1

now the info on your router:

ethX

address 172.16.0.1
netmask 255.255.255.0
broadcast 172.16.0.255
gateway This will be whatever IP address exists on the other side of that router.

So let's make a picture:

PC>>>>|routereth0>>>>>|routereth1>>>>>|outsideroutereth0>>>>>>|outsideroutereth1>>>>|world

Now, each router needs to know where each network exists. Your "inside traffic" (i.e., coming from the PC network) needs to be NATed behind the routereth1 address. NATing is a firewall component. NATing is also done before any routing takes place (mostly, depending on the router). So when you NAT something, it bypasses the INPUT and OUTPUT chains and will be addressed by the FORWARD chain. So you will need to make sure that FORWARDing is defaulted to ACCEPT.

Now, you need to look at the routing tables. There should be statements in the inside router about each interface, and it should have a "default" route. The default route is the action that router takes when a packet of information hits one of the interfaces and it has to decide what to do with it. If, say, you were wanting to go to a website, and its IP address resolved to 69.253.157.235 (don't know if that is really anything or not; just an example), the router would say to itself, "That isn't on either of my networks, what do I need to do with it?". The default route is what tells it what to do. In this case, if the default route is set correctly, it will pass it to the eth0 interface of your "outside router". That router, being connected to the world (and hopefully having its DNS set correctly), will go ahead and pass it on to the outside connection.

Now all of the traffic that comes from your outside router should be NATed behind its outside interface. So when the return traffic hits the outside interface of your outside router, it will accept it as it came from its interface. Then it needs to know what to do with it. Since your original transmission came from an interface that was NATed behind the eth1 of your inside router and has an address on that network, it should pass it on to the inside router's eth1 interface. Then, since the original transmission came from a PC on the network attached to the eth0 interface of itself, it should hand it off to that interface, and it should come back to you. And all of this should happen in milliseconds.

I hope I have explained this better. Investigate all of the interfaces concerned and all of the routing and firewall rules of the devices concerned and, as long as I haven't missed something, if you make it like we've talked about, it should work. Take a look at these items; really study them to make sure that they are correct and then repost with the results. Good luck and remember that this is supposed to be fun!
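The steps listed in post #4 (forwarding on, both interfaces in the table, one default route towards the next hop, a decision about NAT, and a FORWARD chain that passes the traffic), the return route from post #10, and TigerOC's point in post #12 that only the outside interface carries a gateway all fit in one script. The following is an added example and is not code from the thread, from Red Hat, or from any of the posters; it uses the `ip` command from iproute2 and iptables with the state match, keeps the thread's addresses (eth0 outside, eth1 inside, as the original poster set them up), and assumes that the DSL router either holds the 192.168.0.0/24 route from post #10 (DO_NAT=0, the default) or that the box masquerades on eth0 so the router only ever sees 172.16.0.2 (DO_NAT=1). Forwarded packets traverse only the FORWARD chain whether or not they are NATed, so that is where the LAN-to-WAN policy lives; INPUT governs only traffic addressed to the box itself, which is what a LAN PC pinging 192.168.0.2 hits. DRY_RUN=1 prints the commands instead of running them, so the script can be read through without root; it replaces whatever ruleset the GUI firewall tool installed.

```shell
#!/bin/sh
# Added example: turn a two-NIC Red Hat box into a routing firewall behind a
# NAT router, following the addressing used in this thread.
# Assumptions: iproute2 (`ip`), iptables with the state match, and an upstream
# router that NATs 172.16.0.0/16. Set DO_NAT=1 if that router cannot hold a
# static route for the LAN; set DRY_RUN=1 to print commands instead of running
# them; set ROUTER_APPLY=1 to actually apply everything (needs root).

WAN_DEV=eth0; WAN_ADDR=172.16.0.2; WAN_PLEN=16; UPSTREAM_GW=172.16.0.1
LAN_DEV=eth1; LAN_ADDR=192.168.0.2; LAN_PLEN=24; LAN_NET=192.168.0.0/24
DO_NAT=${DO_NAT:-0}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_addresses() {
    # Each NIC gets exactly one address in its own subnet; the connected
    # routes (192.168.0.0/24 dev eth1, 172.16.0.0/16 dev eth0) follow for free.
    run ip addr flush dev "$WAN_DEV"
    run ip addr add "$WAN_ADDR/$WAN_PLEN" dev "$WAN_DEV"
    run ip link set "$WAN_DEV" up
    run ip addr flush dev "$LAN_DEV"
    run ip addr add "$LAN_ADDR/$LAN_PLEN" dev "$LAN_DEV"
    run ip link set "$LAN_DEV" up
}

configure_routes() {
    # One default route, out the WAN side only; the LAN interface carries no
    # gateway. Then turn the box into a router and keep reverse-path checks on
    # so a packet claiming a LAN source cannot enter from the WAN side.
    run ip route replace default via "$UPSTREAM_GW" dev "$WAN_DEV"
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN_DEV.rp_filter=1"
    run sysctl -w "net.ipv4.conf.$LAN_DEV.rp_filter=1"
}

configure_firewall() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Traffic to the box itself: loopback, replies to its own sessions, and
    # ssh plus ping from the LAN side (so a LAN PC can ping 192.168.0.2).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_DEV" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$LAN_DEV" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # Forwarded traffic: new sessions only from LAN to WAN, replies both ways,
    # and an explicit drop of LAN-sourced packets arriving on the WAN side.
    run iptables -A FORWARD -i "$WAN_DEV" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Source NAT on the WAN side is only needed when the DSL router cannot be
    # told how to reach 192.168.0.0/24.
    if [ "$DO_NAT" = 1 ]; then
        run iptables -t nat -A POSTROUTING -o "$WAN_DEV" -s "$LAN_NET" -j MASQUERADE
    fi
}

diagnose_lan() {
    # Checks for "a LAN PC cannot ping 192.168.0.2": is forwarding on, what do
    # the routes look like, does the box see the echo request at all, does it
    # know the PC's MAC, and which INPUT rule is counting the packets.
    run cat /proc/sys/net/ipv4/ip_forward
    run ip route show
    run tcpdump -ni "$LAN_DEV" -c 5 icmp
    run ip neigh show dev "$LAN_DEV"
    run iptables -L INPUT -v -n
}

apply_all() {
    configure_addresses
    configure_routes
    configure_firewall
}

if [ "${ROUTER_APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Run it as `DRY_RUN=1 ROUTER_APPLY=1 sh router.sh` first to read the commands, then as root without DRY_RUN; `diagnose_lan` is the set of commands to run while a LAN PC pings 192.168.0.2, and if tcpdump shows the echo request arriving while the ping still fails, the answer is in the INPUT counters, not in the routing table. Nothing here survives a reboot on its own; the thread's rc.local suggestion applies to the script as a whole.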
 
Old 03-10-2006, 11:20 AM   #15
jrd426
LQ Newbie
 
Registered: Mar 2006
Distribution: rh9.0
Posts: 10

Original Poster
Thanks for the reply ScooterB, I've checked over everything you have said except for the iptables. I just don't understand why a PC on the network side, say 192.168.0.3, cannot ping the eth1 interface 192.168.0.2, which is basically a direct physical connection between the two. From the Linux box again I can ping both its interfaces, eth1 192.168.0.2 (inside network side) and eth0 172.16.0.2 (outside interface heading to router 172.16.0.1).

So at this point I don't even think routing is an issue yet, as I'm just trying to have the internal PCs ping their first interface.

Thanks for your time, jr
 
  

