ukhan (n00b)
Joined: 29 Sep 2003 Posts: 25 Location: Virginia
Posted: Sat Jan 05, 2008 7:56 pm Post subject: [solved] Linux Router - IP Forwarding Fails
Hello,
I am trying to set up my Gentoo (Linux Kernel 2.6.23-hardened-r4) machine as a router. I think I covered all the bases, but I cannot get machines in the private network to connect to the internet. The router has two network interfaces:
eth0 - connected to the cable modem
eth1 - connected to the private (192.168.1.0) network
Following is the router network configuration:
Code:
cobalt ~ # ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:DA:0C:EA:D7
inet addr:68.106.115.199 Bcast:68.106.127.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1115 errors:550 dropped:0 overruns:0 frame:595
TX packets:141 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:68600 (66.9 Kb) TX bytes:13698 (13.3 Kb)
Interrupt:18 Base address:0x6f80
eth1 Link encap:Ethernet HWaddr 00:50:DA:1D:45:7D
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107 errors:0 dropped:0 overruns:1 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10280 (10.0 Kb) TX bytes:360 (360.0 b)
Interrupt:19 Base address:0x8f00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
cobalt ~ # netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
68.106.112.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 68.106.112.1 0.0.0.0 UG 0 0 0 eth0
From the private network I can ping 68.106.115.199 (IP address received from the ISP). Following is the network configuration for a machine on the private network:
Code:
[root@sceptre ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:18:8B:B9:C1:E1
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::218:8bff:feb9:c1e1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:536 (536.0 b) TX bytes:1232 (1.2 KiB)
[root@sceptre ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
I made sure IP Forwarding was enabled:
Code:
cobalt tmp # cat /proc/sys/net/ipv4/ip_forward
1
cobalt ~ # sysctl -a | grep forward
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
I built the kernel with Advanced Router and netfilter support. The kernel configuration is listed at the bottom.
Code:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
CONFIG_NF_CT_PROTO_GRE=m
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CT_PROTO_UDPLITE is not set
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_PPTP=m
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
#
# IP: Netfilter Configuration
#
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_AH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_STEALTH=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
# CONFIG_IP_NF_TARGET_SAME is not set
CONFIG_NF_NAT_SNMP_BASIC=y
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
I cannot figure out what I am doing wrong. Any help is greatly appreciated.
Last edited by ukhan on Mon Jan 07, 2008 3:54 pm; edited 1 time in total
cyrillic (Watchman)
Joined: 19 Feb 2003 Posts: 7301 Location: Groton, Massachusetts USA
Posted: Sat Jan 05, 2008 9:28 pm
You didn't mention anything about your iptables rules.
This is pretty much the minimum you need for your machine to function as a router.
Code:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Hu (Watchman)
Joined: 06 Mar 2007 Posts: 6345
Posted: Sat Jan 05, 2008 10:01 pm
If routing still fails after you apply the change from cyrillic, please post the output of iptables-save -c so that we can see how netfilter is configured on your router.
ukhan (n00b)
Joined: 29 Sep 2003 Posts: 25 Location: Virginia
Posted: Mon Jan 07, 2008 3:58 pm Post subject: [solved] Linux Router - IP Forwarding Fails
I didn't have any iptables rules in place. I thought enabling IP forwarding would be sufficient. Once I applied the iptables rule cyrillic mentioned:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
everything started working. Many thanks to cyrillic
Hu (Watchman)
Joined: 06 Mar 2007 Posts: 6345
Posted: Tue Jan 08, 2008 3:43 am
Be aware that if you do not add any other rules, your internal systems may be vulnerable to outside attacks. Some ISPs incorrectly forward private range traffic, which would allow systems outside your network to request a connection to a system inside the network. Since you do not have any rules to deny such a connection, your router will allow it and a connection will be created between an external machine and an internal one. I suggest adding rules to your PREROUTING chain in the nat table to disallow such traffic.
This concern may not apply if all your internal machines are individually protected. You do not say what types of machines are inside the LAN. If you have any Windows machines on the LAN, I strongly suggest applying rules to protect them from Internet traffic.
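As an added example that is not from this thread, the shell function below emits an iptables-restore ruleset for the router discussed here: cyrillic's MASQUERADE rule, the WAN-side drop of private-range sources that Hu recommends in the nat PREROUTING chain, and a default-deny FORWARD chain that only admits LAN-initiated connections and their replies. The interface names eth0/eth1 and the 192.168.1.0/24 network come from the thread; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-interface NAT router.
# WAN=eth0 and LAN=eth1 (192.168.1.0/24) match the thread; override via env vars.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset on stdout. Apply it as root with:
#   router_ruleset | iptables-restore
router_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hu's point: drop new connections arriving from the Internet side that claim
# an RFC 1918 source address (a misconfigured ISP may forward such traffic).
-A PREROUTING -i $WAN -s 10.0.0.0/8 -j DROP
-A PREROUTING -i $WAN -s 172.16.0.0/12 -j DROP
-A PREROUTING -i $WAN -s 192.168.0.0/16 -j DROP
# cyrillic's rule: rewrite LAN source addresses to the WAN address on the way out.
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Default-deny forwarding: only LAN-initiated flows and their replies pass
# (the thread's kernel has CONFIG_NETFILTER_XT_MATCH_STATE=y, so -m state works).
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count how many rules the ruleset appends to a chain, e.g. rule_count FORWARD.
rule_count() {
    router_ruleset | grep -c -- "^-A $1 "
}

# Run directly with --print to inspect the ruleset before applying it.
if [ "${1:-}" = "--print" ]; then
    router_ruleset
fi
```

The INPUT chain is left at ACCEPT here; tighten it separately once the forwarding path is verified.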
Simba7 (Guru)
Joined: 22 Jan 2007 Posts: 592 Location: Billings, MT, USA
Posted: Tue Jan 08, 2008 3:49 am
I followed this: http://www.gentoo.org/doc/en/home-router-howto.xml
I just adapted it for my Public Wireless (eth2), my Private Wireless (ath0), and my Internal Wired Network (eth1) with my internet being on ports eth3-eth10.
..now if I could get it to forward my darn packets..