stegerpl (Tux's lil' helper)
Joined: 25 Jun 2005 Posts: 114 Location: 48°19'30"N 14°20'18"E
Posted: Sat Jul 26, 2008 9:24 am Post subject: IP-Forwarding - network not passing through [SOLVED]
Hi,
I have the following configuration:
PC-1 (video recorder) with two interfaces with static IP addresses, eth1 is connected to PC-2, /etc/conf.d/net looks like:
Code:
dns_servers_eth1=( "195.96.0.4" "195.70.224.45" "213.90.38.3" )
dns_servers_eth0=( "195.96.0.4" "195.70.224.45" "213.90.38.3" )
config_eth0=( "192.168.130.4/24" )
config_eth1=( "192.168.140.5/24" )
routes_eth1=( "192.168.140.0 via 192.168.140.5" )
routes_eth1=( "default via 192.168.140.5" )
PC-2 (main computer) which is connected to my DSL-Modem and should act as router for PC-1:
/etc/conf.d/net looks like this:
Code:
config_eth0=( "dhcp" )
mtu_eth0="1420"
dns_servers_eth0=( "192.168.130.1" )
config_eth1=( "192.168.140.1/24" )
routes_eth0=( "default via 192.168.130.1" )
routes_eth1=( "192.168.140.0 via 192.168.140.1" )
I set up iptables by this script:
Code:
#### Set variables
EXT_IF="eth0" # interface towards the Internet
INT_IF="eth1" # interface towards the internal LAN
IPRANGE="192.168.140.1/24" # IP range of the internal network (iptables normalises this to 192.168.140.0/24)
#### Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#### Flush existing rules
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
#### Set policies
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
# Input (packets addressed to the router itself)
/sbin/iptables -A INPUT -p ALL -i lo -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i $INT_IF -j ACCEPT
/sbin/iptables -A INPUT -p ALL -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# --dport requires a protocol match (-p tcp), so the disabled SSH rule is written with it:
# /sbin/iptables -A INPUT -p tcp -i $EXT_IF --dport 22 -j ACCEPT
# Output (packets originating from the router)
# The OUTPUT policy is ACCEPT, so no separate rule is needed
# Forward (packets from the LAN to the Internet or vice versa)
/sbin/iptables -A FORWARD -p ALL -i $INT_IF -j ACCEPT
/sbin/iptables -A FORWARD -p ALL -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Postrouting (masquerade LAN traffic leaving towards the Internet)
/sbin/iptables -t nat -A POSTROUTING -o $EXT_IF -s $IPRANGE -j MASQUERADE
and this leads to the following output:
Code:
linux # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and
Code:
linux # iptables-save -c
# Generated by iptables-save v1.4.0 on Sat Jul 26 16:04:40 2008
*nat
:PREROUTING ACCEPT [4587:1236290]
:POSTROUTING ACCEPT [3090830:217371510]
:OUTPUT ACCEPT [3099756:218663088]
[0:0] -A POSTROUTING -s 192.168.140.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jul 26 16:04:40 2008
# Generated by iptables-save v1.4.0 on Sat Jul 26 16:04:40 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4789:363080]
[0:0] -A INPUT -i lo -j ACCEPT
[1098:123442] -A INPUT -i eth1 -j ACCEPT
[4125:684439] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -j ACCEPT
[0:0] -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jul 26 16:04:40 2008
# Generated by iptables-save v1.4.0 on Sat Jul 26 16:04:40 2008
*mangle
:PREROUTING ACCEPT [50521:26834175]
:INPUT ACCEPT [50521:26834175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [47744:3677682]
:POSTROUTING ACCEPT [47886:3697628]
COMMIT
# Completed on Sat Jul 26 16:04:40 2008
I can ping only interface eth1 of PC-2 from PC-1.
I cannot pass through to the internet and I cannot even reach the IP address assigned to my main interface by my ISP, nor the DSL-Modem with 192.168.130.1 or eth0 of PC-2 - all giving "Destination Host Unreachable".
I also tried to set the dns_servers_eth0 and eth1 to 192.168.130.1 on PC-1 (as on PC-2)
It seems that something is blocking - however /var/log/messages does not show anything during my pings.
Any suggestions - please help!
Thanks, Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 2008.0 - kernel 2.6.28 - kde 3.5.9
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0
Last edited by stegerpl on Sat Jul 26, 2008 1:47 pm; edited 1 time in total
Hu (Veteran)
Joined: 06 Mar 2007 Posts: 2592
Posted: Sat Jul 26, 2008 11:32 am
You will not receive any diagnostics in /var/log/messages because you do not have any LOG rules in your iptables setup. I do not see any iptables rules that would direct the kernel to return an ICMP host unreachable error, so I think your current problem is not with iptables. Please post the output of ip addr ; ip route from both PC-1 and PC-2.
Your routes definition for PC-2 eth1 looks a bit odd. Are you trying to add a route for only one IP address? The kernel should be able to automatically set up the proper route for eth1 traffic based on the netmask for the IP address on eth1.
stegerpl
Posted: Sat Jul 26, 2008 12:06 pm
@ Hu
could you please tell me which command or package you are thinking of, because
#ip => command not found
routes_eth1=( "192.168.140.0 via 192.168.140.5" ) ==> I thought this would connect all interfaces within 192.168.140.xxx by routing via 192.168.149.5 - in fact I have two interfaces in PC-2 (eth0 with 100 and eth1 with 1000 MBit/s).
routes_eth1=( "default via 192.168.140.5" ) ==> should direct all accesses via 192.168.140.5, just in case eth0 will be used for another static connection in future
I missed the netmasks, because I had some trouble in the past (I really did not understand these things)
Think4UrS11 (Administrator)
Joined: 25 Jun 2003 Posts: 6119 Location: Murphy is my neighbor
Posted: Sat Jul 26, 2008 1:29 pm Post subject: Re: IP-Forwarding - network not passing through
stegerpl wrote:
PC-1:
Code:
routes_eth1=( "192.168.140.0 via 192.168.140.5" )
routes_eth1=( "default via 192.168.140.5" )

the routes_eth0 for 192.168.140.0/24 shouldn't be needed, it is normally automagically generated; the default route should be
Code:
routes_eth1=( "default via 192.168.140.1" )
same with PC-2; the dedicated route for eth1 isn't needed
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
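The mistake diagnosed above (a default route pointing at the host's own address, plus a repeated routes_eth1 assignment that silently discards the first one) can be caught before the interface is brought up. The following Python linter is an added example, not part of the thread or of Gentoo's baselayout; it assumes a simplified one-value-per-array form of the config_ethN/routes_ethN lines shown in this thread, and the sample config is a constructed copy of PC-1's lines.

```python
import ipaddress
import re

# Assumed simplified baselayout-1 /etc/conf.d/net syntax: one quoted value per array,
# e.g. config_eth1=( "192.168.140.5/24" ) or routes_eth1=( "default via 192.168.140.1" ).
_ASSIGN = re.compile(r'^\s*(config|routes)_(\w+)=\(\s*"([^"]*)"\s*\)\s*$')
_ROUTE = re.compile(r'^(\S+)\s+via\s+(\S+)$')

def parse_net(text):
    """Collect static addresses, dhcp interfaces and routes; last assignment wins, as in bash."""
    addrs, dhcp, routes, dupes = {}, set(), {}, []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        kind, iface, value = m.groups()
        var = f"{kind}_{iface}"
        if var in routes or (kind == "config" and (iface in addrs or iface in dhcp)):
            dupes.append(var)  # bash: a repeated array assignment replaces the earlier one
        if kind == "routes":
            routes[var] = value
        elif value == "dhcp":
            dhcp.add(iface)
        else:
            addrs[iface] = ipaddress.ip_interface(value)
    return addrs, dhcp, routes, dupes

def check_routes(text):
    """Return a list of findings; an empty list means the routes look sane."""
    addrs, dhcp, routes, dupes = parse_net(text)
    local = {a.ip for a in addrs.values()}
    findings = [f"{v} assigned twice; only the last value takes effect" for v in dupes]
    for var, spec in routes.items():
        iface = var.split("_", 1)[1]
        m = _ROUTE.match(spec)
        if not m:
            findings.append(f"{var}: unrecognised route '{spec}'")
            continue
        gw = ipaddress.ip_address(m.group(2))
        if gw in local:
            findings.append(f"{var}: gateway {gw} is this host's own address, not the router's")
        elif iface not in dhcp and (iface not in addrs or gw not in addrs[iface].network):
            findings.append(f"{var}: gateway {gw} is not on a subnet configured on {iface}")
    return findings
# Constructed copy of PC-1's address and route lines from the first post.
PC1_BROKEN = """config_eth0=( "192.168.130.4/24" )
config_eth1=( "192.168.140.5/24" )
routes_eth1=( "192.168.140.0 via 192.168.140.5" )
routes_eth1=( "default via 192.168.140.5" )
"""
```

Running check_routes(PC1_BROKEN) reports both problems; with the single corrected line routes_eth1=( "default via 192.168.140.1" ) it reports nothing.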
stegerpl
Posted: Sat Jul 26, 2008 1:47 pm
@ Think4UrS11
BINGO - that resolved it! Things are so easy if you just know it.
A typical example that double isn't better!
Thanks a lot for your help!
Peter
Think4UrS11
Posted: Sat Jul 26, 2008 1:52 pm
stegerpl wrote:
#ip => command not found

Code:
me@box ~ $ equery b /sbin/ip
[ Searching for file(s) /sbin/ip in *... ]
sys-apps/iproute2-2.6.22.20070710 (/sbin/ip)
stegerpl
Posted: Sat Jul 26, 2008 2:12 pm
OK I found it...
Code:
* sys-apps/iproute2
Latest version available: 2.6.25.20080417
Latest version installed: [ Not Installed ]
Size of files: 350 kB
Homepage: http://linux-net.osdl.org/index.php/Iproute2
Description: kernel routing and traffic control utilities
License: GPL-2
Up to now I am using ifconfig, but I will have a look at it...