LinuxQuestions.org
Old 05-27-2006, 01:20 AM   #1
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Rep: Reputation: 17
Network Problem


I have searched for days for a solution and have come up empty-handed. I am having a difficult time with a network issue. I have a Slackware machine that acts as a DHCP, DNS, router. It connects to a switch that shares the internet connection just fine. I have 2 computers on the wired network and a wireless access point (D-Link DI-524). My home network works fine and all LAN machines in my house connect and ping anywhere on the internet. My neighbor and I share the connection and she bought a separate computer with a wireless NIC and a wired NIC. I installed Slackware and configured the wireless and wired NICs. The wireless card connects and sees the world. However, the wired NIC cannot ping the wireless NIC. I am using the following firewall script on both machines.

Code:
#!/bin/bash

################################################################################
# Default options
# These options configure the below script. It would be a good idea to move
# them to a conf file in /etc and then source it from this script.
################################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
# location of iptables command
ipt=/usr/sbin/iptables
#
# Interfaces
# Be sure to be accurate when defining these interfaces.
# ext is your external card, likely ppp0 for DSL or eth1 for cable
lo=lo
ext=eth1
int=eth0
#
# Spoofing protection. List all networks and IP addresses that should NOT exist
# in the real world.
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 255.255.255.255"
#
# List all ports to open ON your firewall
#
tcp_ports="22"
udp_ports=""
#
# These logging options will be used for all logged packets
#
logops="--log-level 3 -m limit --limit 1/second --limit-burst 3"
################################################################################

################################################################################
# Set policies and delete, flush and zero chains
################################################################################
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
################################################################################

################################################################################
# BAD_IP
# Check and log all spoofed IP's from external hosts.
# !! Only call from external interface !!
################################################################################
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
################################################################################

################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################

################################################################################
# OUT_NETWORK
# These packets are leaving our network!
# 1. Allow all packets to leave our current network because we trust our users
################################################################################
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP
################################################################################

################################################################################
# EXT_FIREWALL
# Packets entering firewall machine
# 1. Allow established and related connections
# 2. Allow new connections on specified ports
# 3. Log and Drop everything else
################################################################################
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
################################################################################

################################################################################
# INT_FIREWALL
# Connections from internal LAN
# 1. Allow all connections from the internal machines because they are trusted
################################################################################
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
################################################################################

################################################################################
# Main Rules
# 1. Allow all loopback traffic. This is safe.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance. It's safe.
################################################################################
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# (OUTPUT matches on the outgoing interface, so these would need -o, not -i)
# $ipt -A OUTPUT -o lo -j ACCEPT
# $ipt -A OUTPUT -o $int -j ACCEPT
# $ipt -A OUTPUT -o $ext -j ACCEPT
################################################################################

################################################################################
# Masquerading
# Turn on Masquerading and port forwarding
################################################################################
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
################################################################################

eth1 is the wireless NIC and eth0 is the wired NIC. When I try to ping from eth0 to anywhere on the other subnet or wireless interface I get destination host unreachable.

ifconfig results
Code:
eth0      Link encap:Ethernet  HWaddr 00:04:75:AE:43:D8
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:6
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:360 (360.0 b)
          Interrupt:11 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:0C:CE:93:39:71
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:638 errors:388 dropped:0 overruns:0 frame:388
          TX packets:91 errors:0 dropped:0 overruns:0 carrier:0
          collisions:2 txqueuelen:1000
          RX bytes:173442 (169.3 Kb)  TX bytes:5829 (5.6 Kb)
          Interrupt:10 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

route results
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

Maybe I am going about this the wrong way. If so what would be a better way to share the connection to her house? BTW the wired NIC (eth0) will run to a switch for her home network.

Outline of network
[Internet]------[slackware router]------[switch]------[D-Link DI-524]******[slackware router]-----[switch]

My slackware router:
eth0: public IP address
eth1:192.168.1.1(static Address)

D-Link DI-524
:192.168.1.2(static Address)

Her slackware Router
eth0(192.168.2.1(static Address)(wired)
eth1(192.168.1.3(statically assigned)(wireless)

Previous attempt:
She bought a "wireless bridge" and it connected into a wired NIC on her computer. The server did everything it was supposed to the way I have it configured now. However, that junk "bridge" was very iffy and she just got a wireless card instead. Now after a reinstall and setting it up the same way it will not work. I can't ping across interfaces on her server. HELP ME!!!! thanks

I can provide any information if needed to help solve this problem.
 
Old 05-27-2006, 03:08 PM   #2
hussar
Member
 
Registered: Oct 2003
Location: Heidelberg, Germany
Distribution: Slackware 11.0; Kubuntu 6.06; OpenBSD 4.0; OS X 10.4.10
Posts: 345

Rep: Reputation: 30
Have you tried putting all the NICs on the same subnet? According to what you have provided, you are using two subnets, 192.168.2 and 192.168.1.

Is bridging configured into the kernel you are running? It is under NETWORKING -> NETWORKING SUPPORT -> NETWORKING OPTIONS when using menuconfig. I don't know if bridging support is configured into the stock slack kernel, but I am sure someone else here will be able to tell us.
 
Old 05-28-2006, 12:47 PM   #3
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
I did try putting both NICs in the same subnet.
 
Old 05-29-2006, 05:49 PM   #4
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
I wonder if it has anything to do with the wireless NIC. It works fine with two wired NICs.
 
Old 05-29-2006, 07:32 PM   #5
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
Quote:
Originally Posted by barn63
Outline of network
[Internet]------[slackware router]------[switch]------[D-Link DI-524]******[slackware router]-----[switch]

My slackware router:
eth0: public IP address
eth1:192.168.1.1(static Address)

D-Link DI-524
:192.168.1.2(static Address)

Her slackware Router
eth0(192.168.2.1(static Address)(wired)
eth1(192.168.1.3(statically assigned)(wireless)

I can provide any information if needed to help solve this problem.
I'm confused about the topology. Here's what I think you're saying:
Code:
                                                         ||
       192.168.1.x               192.168.1.z             ||     [ computer3 ]-----------------
      [ computer1 ]-----        [your laptop]**          ||      192.168.2.a                 |
                       |                      **         ||                                  |
       192.168.1.y     -------------------     **        ||       [ computer4 ]------------- |
      [ computer2 ]--------------------  |      **       ||        192.168.2.b             | |
                                      |  |       **      ||                                | |
   \|/                                |  |        *      ||                                | |
   - ----------[  Your router  ]----[switch]----[WAP]***********[neighbor's router]------[switch]
   /|\         |               |                  |      ||     |                 |
              eth0            eth1                |      ||    eth1              eth0
   WWW      public ip     192.168.1.1        192.168.1.2 || 192.168.1.3      192.168.2.1
                                                         ||

Where x, y, and z are greater than 3, and a and b are greater than 1.
Your side of the picture works for the most part. Computer1, computer2, and your laptop can ping each other, 192.168.1.1, 192.168.1.2, 192.168.1.3, and are NAT'd such that they can all ping internet host addresses. Those three cannot ping your neighbor's subnet (computers 3 and 4). Your neighbor's router can ping everyone (hosts on your subnet, her subnet, and the internet). Computer3 and computer4 can (successfully) ping only each other and also 192.168.2.1. Tell me if this is right and how you changed it.
 
Old 05-29-2006, 10:49 PM   #6
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
Everything seems the way you mentioned it. Just to add eth1 on her router can ping everything on my network but not eth0 or anything past it. I can't seem to get anything to pass through from eth0 to eth1 or eth1 to eth0 on her router. But when I set it up with two wired NICs it worked fine.
 
Old 05-30-2006, 12:01 AM   #7
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 79
Quote:
Originally Posted by barn63
Everything seems the way you mentioned it. Just to add eth1 on her router can ping everything on my network but not eth0 or anything past it. I can't seem to get anything to pass through from eth0 to eth1 or eth1 to eth0 on her router. But when I set it up with two wired NICs it worked fine.
When you say that it worked with two wired NICs, does that mean you eliminated the WAP from the equation? I think the problem might not lie in the wireless NIC itself, but in your wireless access point. The WAP was not designed to be used this way, so it might be doing some weird routing that we're unaware of. Google tells me your WAP also has ethernet ports. Did you try going through those?



P.S.
Maybe this is a silly question, but how do you `ping' from a specific interface (without changing the kernel routing table)? I always thought the routing table tells `ping' (and other networking utilities) what path to use.
 
Old 05-30-2006, 09:21 AM   #8
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
Well, here is the thing. I can connect to the world with the wireless NIC. But when I use the command "ping -I eth0 192.168.1.X" I get destination host unreachable. On my main server that connects directly to the world I can ping between the interfaces. So I am not sure if it's something wrong with how I am using iptables or what. So I can ping between interfaces on my server but on hers I cannot.
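On the P.S. in post #7 (how does `ping' pick an interface) and the "ping -I eth0 192.168.1.X" command in post #8: the following is an added example, not posted by anyone in this thread. It is a POSIX sh model of the kernel's route selection, fed with the route table from post #1, plus the extra rule that applies to a socket bound to a device (on Linux, `ping -I <dev>` binds the socket to that device with SO_BINDTODEVICE). The function names and the sample destinations 192.168.1.5, 192.168.2.9 and 8.8.8.8 are constructed for the example; it needs no root and no iptables.

```shell
#!/bin/sh
# Added example (not part of the thread): longest-prefix-match lookup over the
# routing table barn63 posted, to show which interface the kernel picks for a
# destination and what changes when the socket is bound with "ping -I <dev>".

# Copy of the posted "route" output (loopback row left out), one route per
# line as "network netmask gateway device"; "*" means directly connected.
ROUTES='192.168.2.0 255.255.255.0 * eth0
192.168.1.0 255.255.255.0 * eth1
0.0.0.0 0.0.0.0 192.168.1.1 eth1'

# Dotted quad -> 32-bit integer. Runs as a subshell so the IFS change and
# the positional parameters do not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# route_lookup DST [DEV]: print "device gateway" of the most specific route
# matching DST, or "none". With DEV given, only routes on that device count,
# which is the lookup the kernel does for a socket bound to DEV.
route_lookup() {
    dst=$(ip2int "$1")
    want=${2:-}
    best_mask=-1
    best=none
    while read -r net mask gw rdev; do
        [ -z "$want" ] || [ "$rdev" = "$want" ] || continue
        n=$(ip2int "$net")
        m=$(ip2int "$mask")
        # a longer mask is a more specific route; the default route has mask 0
        if [ $(( dst & m )) -eq "$n" ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$rdev $gw"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
}

# ping_I_outcome DEV DST: what "ping -I DEV DST" does on Linux. The socket is
# bound to DEV, so routes on other devices are ignored. If nothing is left,
# the kernel assumes DST is directly on DEV's link and ARPs for it there;
# when no host answers, ping reports "Destination Host Unreachable".
ping_I_outcome() {
    r=$(route_lookup "$2" "$1")
    if [ "$r" = none ]; then
        echo "arp-on-link $1"
    else
        echo "routed $r"
    fi
}

# Walk through the cases from the thread.
for dst in 192.168.1.5 192.168.2.9 8.8.8.8; do
    echo "unbound      -> $dst: $(route_lookup "$dst")"
done
for dev in eth0 eth1; do
    echo "ping -I $dev 192.168.1.5: $(ping_I_outcome "$dev" 192.168.1.5)"
done
```

Without `-I`, the routing table alone decides: 192.168.1.0/24 and the default route both leave via eth1, so a plain `ping 192.168.1.X` on her router only ever exercises eth1, no matter what eth0 is doing. With `-I eth0`, only routes on eth0 are considered; none cover 192.168.1.0/24, the kernel falls back to treating the target as on-link and ARPs for it on eth0, and "destination host unreachable" is that ARP timing out, not a netfilter drop (none of the LOG rules in the script would fire for it). Separately, the ifconfig output in post #1 shows eth0 as UP but not RUNNING with a non-zero carrier count, which is what ifconfig reports when the NIC has no link.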
 
Old 05-31-2006, 12:08 AM   #9
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
Being that her computer is behind my other firewall, is there any way to just forward traffic between interfaces and not have a firewall? I am just trying to make things simple.
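For the question in post #9 (a router that only forwards between two NICs), here is an added example, not from anyone in this thread and not from any Slackware rc.firewall: a small POSIX sh script that prints the smallest iptables rule set that still keeps the FORWARD chain stateful. The ext/int interface names, the `IPT` variable and the function names are my assumptions; nothing is applied unless `apply_forward_rules` is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): the smallest rule set for a Linux box
# that only has to route between two NICs, e.g. the second router in the
# thread. Interface names are assumptions passed in by the caller:
#   ext = NIC toward the upstream router (eth1, the wireless NIC above)
#   int = NIC toward the local switch   (eth0, the wired NIC above)
# Rules are printed, not applied, unless apply_forward_rules is called as root.
ipt=${IPT:-/usr/sbin/iptables}

forward_rules() {
    ext=$1
    int=$2
    # Start from a known state, then allow only what a router behind another
    # firewall needs: LAN -> upstream freely, upstream -> LAN only for replies.
    cat <<EOF
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state INVALID -j DROP
$ipt -A FORWARD -i $int -o $ext -j ACCEPT
$ipt -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
EOF
}

# Self-check before applying: number of rules that would let a packet arriving
# on ext reach the LAN without an existing connection. It must print 0.
unsolicited_inbound_rules() {
    forward_rules "$1" "$2" | grep -c -- "-A FORWARD -i $1 -o $2 -j ACCEPT" || true
}

# Turn on forwarding and load the rules. Root only; stops at the first
# iptables error so a half-applied rule set is noticed.
apply_forward_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    forward_rules "$1" "$2" | sh -e
}

# Dry run for the layout in the thread: print what would be applied.
forward_rules eth1 eth0
```

Dropping the INVALID and ESTABLISHED,RELATED lines and setting `-P FORWARD ACCEPT` is the literal "no firewall" version; the stateful form costs two lines and keeps hosts on the 192.168.1.0/24 side (the first router's LAN, the WAP and any wireless client) from opening connections into the 192.168.2.0/24 LAN. The MASQUERADE line is what makes replies come back to her router rather than needing a 192.168.2.0/24 route on the first router.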
 
Old 05-31-2006, 10:11 PM   #10
barn63
Member
 
Registered: Jan 2006
Location: Macomb, IL
Distribution: Slackware 13.1
Posts: 152

Original Poster
Rep: Reputation: 17
Well, I deleted and re-downloaded the rc.firewall script and it works. I don't know what was different but it works.
 