eMPee584 (Apprentice)
Joined: 01 Nov 2003 Posts: 152 Location: Aachen, Germany
Posted: Mon Nov 24, 2008 1:58 pm Post subject: problem: iptables NAT router (one NIC w switch) strangeness

Hi fellow gent0oianz,
there is a serious problem here. I tried configuring a simple routing setup but it ain't working. My workstation is hooked up to a LAN providing it with quality inet. Inserting a switch obviously does not change anything. Hooking up my laptop to that same switch is not enough, as I do have just one IP and no admin rights to change the lap's config from DHCP, so I RTFM'd and tried to set up dhcpd and iptables with NAT masquerading on a virtual subnet. This is the configuration in /etc/conf.d/net:
```
config_eth0=(
    "137.226.149.42 netmask 255.255.254.0 broadcast 137.226.149.255"
    "192.168.42.1 netmask 255.255.255.0 broadcast 192.168.42.255"
)
routes_eth0="default via 137.226.148.1"
```
and this is my /etc/dhcp/dhcpd.conf:
```
default-lease-time 60000;
max-lease-time 72000;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.42.0 netmask 255.255.255.0 {
    range 192.168.42.2 192.168.42.254;
    option domain-name-servers 134.130.4.1, 137.226.149.1;
    option broadcast-address 192.168.42.255;
    option routers 192.168.42.1, 137.226.148.1;
    option subnet-mask 255.255.255.0;
}
```
My iptables setup is

```
# iptables -vL -t filter
Chain INPUT (policy ACCEPT 348K packets, 375M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 726 packets, 45138 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     192.168.42.0         anywhere
Chain OUTPUT (policy ACCEPT 268K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

```
# iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 354K packets, 375M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 348K packets, 375M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 726 packets, 45138 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 269K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 269K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

```
# iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 13108 packets, 1430K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 8414 packets, 534K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any    eth0    192.168.42.0         anywhere
Chain OUTPUT (policy ACCEPT 8462 packets, 537K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Now the problem is, when I connect the laptop, XP says 'Acquiring network address' constantly while dhcpd is spamming syslog by looping

```
dhcpd: DHCPDISCOVER from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPOFFER on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPREQUEST for 192.168.1.2 (137.226.149.42) from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPACK on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
```
Now I was close to despair when I found a post somewhere that cheap switches sometimes need a little break, so I reset it and magically it worked (once or so..). But even then, I could just ping my workstation's IP on the virtual subnet, not the external one (it seemed the packages got lost after hitting the PREROUTING chain?!)..
Anyways, the strange thing is, when I unplug the LAN cable from the switch, DHCP acquiring and pinging both workstation IPs start to work, but no internet of course!
Please, if someone has grokked this NAT routing stuff more than me, I could really use some support on this one. Regards!

_________________
"You cannot teach people anything. You can only help them discover it within themselves." --Galileo
expand your state of mind by not watching tv =)
- .... .. ... .-- --- .-. .-.. -.. .. ... .-- . .-.. .-.. .-- .. -.-. -.- . -..
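The dhcpd log loop quoted in the post above is the symptom the whole thread turns on, and it is worth being able to spot it (and two related misconfigurations) mechanically rather than by eye. The following is an added example, not part of the original post: a POSIX sh/awk checker that reads ISC dhcpd syslog lines and reports offers that fall outside the configured pool, DHCPREQUESTs whose server identifier is not this host's address on that subnet, and clients that get ACKed more than once, which is what a client stuck re-running DISCOVER/OFFER/REQUEST/ACK looks like. The expected pool prefix and server address are taken from the dhcpd.conf quoted above; the log lines embedded in the script are constructed, modelled on the quoted ones, and the second client (`other-box`, MAC 00:11:22:33:44:55) is made up.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check ISC dhcpd syslog lines
# against the subnet the server is meant to serve. Findings reported:
#   OFFER_OUTSIDE_POOL  an offered address not in the expected subnet
#   WRONG_SERVER_ID     a DHCPREQUEST whose server-id (in parentheses)
#                       is not this host's address on that subnet
#   REPEATED_ACK        a client ACKed more than once in the window, i.e.
#                       one that keeps re-running DISCOVER/OFFER/REQUEST/ACK
# Expected values are taken from the dhcpd.conf quoted in the thread.
EXPECTED_PREFIX="192.168.42."       # the 192.168.42.0/24 pool
EXPECTED_SERVER_ID="192.168.42.1"   # router/server address on that subnet

# Constructed sample modelled on the thread's log: one client loops through
# two full DORA cycles; a second, made-up client behaves normally.
SAMPLE_LOG='dhcpd: DHCPDISCOVER from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPOFFER on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPREQUEST for 192.168.1.2 (137.226.149.42) from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPACK on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPDISCOVER from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPOFFER on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPREQUEST for 192.168.1.2 (137.226.149.42) from 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPACK on 192.168.1.2 to 00:0b:db:07:50:3d (zero08-lap) via eth0
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 (other-box) via eth0
dhcpd: DHCPOFFER on 192.168.42.7 to 00:11:22:33:44:55 (other-box) via eth0
dhcpd: DHCPREQUEST for 192.168.42.7 (192.168.42.1) from 00:11:22:33:44:55 (other-box) via eth0
dhcpd: DHCPACK on 192.168.42.7 to 00:11:22:33:44:55 (other-box) via eth0'

# check_dhcp_log: reads log lines on stdin, prints one finding per line.
# Field positions are located relative to the DHCP* keyword, so a syslog
# prefix ("Nov 24 13:58:01 host dhcpd: ...") in front of it does not matter.
check_dhcp_log() {
    awk -v prefix="$EXPECTED_PREFIX" -v sid="$EXPECTED_SERVER_ID" '
    # at(kw): index of the field equal to kw, 0 if absent
    function at(kw,   i) { for (i = 1; i <= NF; i++) if ($i == kw) return i; return 0 }
    /DHCPOFFER on / {
        k = at("DHCPOFFER"); ip = $(k + 2); mac = $(k + 4)
        if (index(ip, prefix) != 1) print "OFFER_OUTSIDE_POOL " mac " " ip
    }
    /DHCPREQUEST for / {
        k = at("DHCPREQUEST")
        # Renewals log "DHCPREQUEST for IP from MAC" with no server-id;
        # only the initial (SELECTING) request carries "(server-id)".
        if (substr($(k + 3), 1, 1) == "(") {
            s = $(k + 3); gsub(/[()]/, "", s)
            if (s != sid) print "WRONG_SERVER_ID " $(k + 5) " " s
        }
    }
    /DHCPACK on / { k = at("DHCPACK"); acks[$(k + 4)]++ }
    END { for (m in acks) if (acks[m] > 1) print "REPEATED_ACK " m " " acks[m] }'
}

# Standalone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | check_dhcp_log
```

Feed it real lines with `grep dhcpd /var/log/messages | sh thischeck.sh`-style piping into `check_dhcp_log`, and adjust the two EXPECTED_ values to the subnet in question. ISC dhcpd's `server-identifier` option is the knob for pinning which of a multi-address interface's addresses is advertised as the server-id.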

eMPee584 (Apprentice)
Posted: Tue Nov 25, 2008 8:11 pm Post subject: Heeelp!

This is really urgent as I can't go into our company's office for the next couple of days and need to set up DHCP locally..
Therefore I am offering a 10€ bounty (via PayPal) for the lucky guy that helps me resolve this!

cyrillic (Watchman)
Joined: 19 Feb 2003 Posts: 7313 Location: Groton, Massachusetts USA
Posted: Wed Nov 26, 2008 4:17 am

If you install a second NIC in your router, then everything you are trying to do will be easy.

eMPee584 (Apprentice)
Posted: Wed Nov 26, 2008 6:58 am Post subject: well maybe *but*

Thx, but I'd rather spend 10€ for that helpful hint than for another physical NIC. It should be possible this way, so I want to make this work. The source of the problem can only be a tiny piece of misunderconfiguration ...

eMPee584 (Apprentice)
Posted: Thu Nov 27, 2008 1:26 pm Post subject: raise 10!

Raising the bounty to 20€ - come on folks, someone *gotta* know this.

sleepless9 (n00b)
Joined: 27 Aug 2008 Posts: 5
Posted: Fri Nov 28, 2008 12:29 am

Hello,
First of all, I'm troubled by this line in your dhcpd config. Maybe I'm wrong since I haven't used dhcpd for a long time (dnsmasq does the work simpler and better).

```
option routers 192.168.42.1, 137.226.148.1;
```

The 137.226.148.1 is the "real" router that your workstation actually connects to in order to access the internet. Your laptop doesn't have to know about this. It only cares about 192.168.42.1, which will be its gateway (your workstation will be the only router for it). So, I think you should only leave this one in the config:

```
option routers 192.168.42.1;
```

The other will only confuse it and mess things up.
Well, you might also be missing one or two forwarding commands, so better then try this one on the workstation:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -d ! 192.168.42.0/24 -j MASQUERADE
iptables -A FORWARD -s 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.42.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.42.0/24 -j DROP # just a simple precaution
```

Type them in the exact same order...
Hmm... Also use this one to avoid possible MTU problems:

```
iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

Now, having modified the dhcpd configuration and used this script, your XP should get a local IP and have internet.
If it still doesn't work, try giving a static IP to the laptop to avoid dhcpd completely.
If again it does not work, then you should consider using a VLAN rather than just two addresses on one card... If that's the case, find out how to set up a VLAN in the Gentoo wiki (using VLANs is pretty easy, on Gentoo even easier!), try your thing and we are here if you have any problems.
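Pulling the answer's pieces into one script, as an added example that is not the thread's own code: it applies the masquerade rule with the "not destined for the private subnet" exclusion the thread found to matter, spells it in the modern `! -d` form (the `-d !` form is the deprecated intrapositioned negation), and takes a defender's cut on the FORWARD chain: only reply traffic (conntrack ESTABLISHED,RELATED) is allowed back to the private subnet instead of accepting anything addressed to it, so nothing upstream can open connections to the laptop through the router. It leaves rp_filter on, since both subnets sit on eth0 and strict reverse-path checks pass there. One observation on the listings in the first post: the FORWARD and MASQUERADE rules show a source of `192.168.42.0` with no prefix length, and `iptables -L` prints `/24` when a mask was given, so those rules matched the single address 192.168.42.0 rather than the subnet, which fits their zero packet counters. Interface and addresses are those from the thread; `run`, `DRY_RUN`, `all_rules` and the `--apply` flag are this script's own conventions.

```shell
#!/bin/sh
# Added example, not the thread's own script: single-NIC NAT router setup.
# Without --apply it only prints the commands it would run; as root,
# "./nat-router.sh --apply" executes them.
WAN_IF="eth0"               # the single NIC, carries both subnets
LAN_NET="192.168.42.0/24"   # private subnet handed out by dhcpd
LAN_GW="192.168.42.1"       # this host's address on the private subnet

# run CMD...: execute, or print when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    # rp_filter is deliberately left enabled: the route back to LAN_NET is
    # via WAN_IF, the same interface the packets arrive on, so strict
    # reverse-path checks pass and there is no need to weaken them.
}

# NAT: rewrite only traffic that really leaves the private subnet.
# LAN -> LAN_GW must not be masqueraded, otherwise replies would carry the
# wrong source address (the symptom the thread reports).
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" -j MASQUERADE
}

# Filter: default-deny forwarding; LAN may initiate, upstream may only reply.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$LAN_NET" -j ACCEPT
    # Clamp MSS on forwarded SYNs so PMTU black holes behind NAT don't stall TCP.
    run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# all_rules: the complete plan as text (runs in a subshell so DRY_RUN=1
# does not leak into the caller's environment).
all_rules() (
    DRY_RUN=1
    enable_forwarding
    nat_rules
    forward_rules
)

case "${1:-}" in
    --apply) enable_forwarding; nat_rules; forward_rules ;;
    *)       all_rules ;;   # default: print the plan, change nothing
esac
```

The `-s LAN -j ACCEPT` rule is ordered after the conntrack rules on purpose: state checks are cheap and catch the bulk of traffic, and an INVALID packet from the LAN is dropped before it can be forwarded. Because `LAN_GW` is an address on `WAN_IF` rather than its own interface, there is no interface to match on for the private side, which is why the masquerade rule keys on source and destination networks instead.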

eMPee584 (Apprentice)
Posted: Sun Dec 07, 2008 1:04 am Post subject: mmh solved, kinda.

Sorry for not replying sooner, I was swamped by important stuff to do.
Well, most of your recommended settings do not make a difference or were set already. The line

```
iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -d ! 192.168.42.0/24 -j MASQUERADE
```

however makes a difference. It tells iptables to only masquerade packages that are not destined for the host comp, which I think was the problem leading to no web access. The other problem however (DHCP address only obtained by the laptop if the LAN cable is not plugged into the router), well, I circumvent that by shortly unplugging that cable to make the lap acquire its address, then plugging it back in. That was the main problem that confused me, and only once I had acquired another network card and plugged it in did it come to me that maybe once the IP address is acquired it would work, which it did. However, this is still quite dissatisfying; it should work without nasty hacks like this. Anyways, for the bounty, I think you deserve 5€ for the masquerading bit, so just PM me your PayPal address and I'll send you the cash 8)