linux_on_the_brain (Tux's lil' helper)
Joined: 24 Feb 2004   Posts: 136
Posted: Tue Dec 28, 2004 8:49 am   Post subject: iptables, routing, multiple subnets, need help

Ok, so here is the situation.
I added a gigabit ethernet card to my server and attached it to a gigabit switch. I have DHCP set up and working, finally. Here is what I don't have working: I can't get to the internet via the new subnet, nor can I ping between subnets. My firewall is based on the example given in the masquerade HOWTO I found on tldp.org. I've been reading posts on the forums for about three days and I have not been able to figure out what I need to do. If somebody could help me out, I would appreciate it.

br0mGreV (Apprentice)
Joined: 28 Jul 2004   Posts: 265   Location: Paris, France
Posted: Tue Dec 28, 2004 9:18 am

Have you set your routes correctly?
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
_________________
Nothing is eternal, not even problems...

Anarcho (Advocate)
Joined: 06 Jun 2004   Posts: 2970   Location: Germany
Posted: Tue Dec 28, 2004 10:44 am

Did you enable IP forwarding?
Check this via
Code:
cat /proc/sys/net/ipv4/ip_forward
(or similar, I am currently at a Windows PC)
If it says 0 then you have to enable it via
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
_________________
...it's only Rock'n'Roll, but I like it!

linux_on_the_brain (Tux's lil' helper)
Joined: 24 Feb 2004   Posts: 136
Posted: Tue Dec 28, 2004 4:51 pm

IP forwarding is enabled.
These are the results of route from the server:
Code:
Kernel IP routing table
Destination       Gateway           Genmask         Flags Metric Ref    Use Iface
192.168.2.0       *                 255.255.255.0   U     0      0        0 eth2
192.168.0.0       *                 255.255.255.0   U     0      0        0 eth1
user-0c8hqg0.ca   *                 255.255.255.0   U     0      0        0 eth0
loopback          localhost         255.0.0.0       UG    0      0        0 lo
default           user-0c8hqg1.ca   0.0.0.0         UG    0      0        0 eth0
and from one of the workstations on subnet 192.168.0:
Code:
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

plut0 (Apprentice)
Joined: 21 Dec 2004   Posts: 272
Posted: Tue Dec 28, 2004 5:08 pm

Did you add a MASQUERADE or SNAT rule to your firewall for NAT?

linux_on_the_brain (Tux's lil' helper)
Joined: 24 Feb 2004   Posts: 136
Posted: Tue Dec 28, 2004 6:01 pm

plut0, that's part of the problem. I'm not sure what I need to change or add to my firewall rules.
Currently I have this, which worked for my network prior to adding the second subnet:
Code:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

plut0 (Apprentice)
Joined: 21 Dec 2004   Posts: 272
Posted: Wed Dec 29, 2004 12:15 am

Remove the SNAT line for now and try this:
Code:
iptables -t nat -I POSTROUTING -j MASQUERADE
That should pick up all ethernet devices, not just eth0 as your rule states. Without Network Address Translation your packets would be sent out with the wrong source and thus never returned.

linux_on_the_brain (Tux's lil' helper)
Joined: 24 Feb 2004   Posts: 136
Posted: Wed Dec 29, 2004 12:44 am

I've made some progress: I can now get to the internet from the second subnet. Now I need to work on getting communication between the 2 subnets.

digitall2000 (Apprentice)
Joined: 21 Dec 2004   Posts: 267
Posted: Wed Dec 29, 2004 4:53 am

Well, as far as I understand this on the subnet thing: if you have one NIC card with one address you cannot talk to the other subnet through the switch; it is on a different network. If you have a fancy switch it may do the routing necessary to get to the other subnet. Maybe an alias (virtual) address on the NIC card may work.

linux_on_the_brain (Tux's lil' helper)
Joined: 24 Feb 2004   Posts: 136
Posted: Wed Dec 29, 2004 4:16 pm

I can now ssh and ping between the subnets. I think I have achieved my goal for now.

br0mGreV (Apprentice)
Joined: 28 Jul 2004   Posts: 265   Location: Paris, France
Posted: Wed Dec 29, 2004 4:32 pm

Nice job lol,
but for those who search the forum and want to get this type of information, could you sum up the important rules from iptables you have written?
_________________
Nothing is eternal, not even problems...
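The thread ends without the summary br0mGreV asked for. What follows is an added example written for this page, not code from any poster or from the masquerade HOWTO the original poster used: it ties together Anarcho's ip_forward check, plut0's point that traffic leaving the box needs NAT, and the forwarding between the two LAN subnets that the poster got working. The interface names and subnets (eth0 uplink, 192.168.0.0/24 on eth1, 192.168.2.0/24 on eth2) come from the route table posted above; the DROP policy, the rule order, the IPT dry-run variable and the function names are this example's own assumptions. Unlike a bare `-j MASQUERADE`, NAT here is limited to packets leaving on the uplink, so traffic between the two LANs keeps its real source address and the FORWARD chain decides which crossings are allowed.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: a minimal
# ruleset for a Linux router with two LAN subnets and one internet uplink.
# Interface names and subnets follow the poster's route table; everything
# else (rule order, DROP policy, dry-run switch) is this example's choice.

EXTIF=eth0
LAN1IF=eth1; LAN1=192.168.0.0/24
LAN2IF=eth2; LAN2=192.168.2.0/24

# By default the iptables commands are only printed, so the ruleset can be
# reviewed (or tested) without root or a netfilter kernel. Run with
# IPT=iptables as root to apply it for real.
IPT=${IPT:-"echo iptables"}

# Report the forwarding sysctl: prints 0 or 1, or "unknown" where /proc
# is not available (e.g. a non-Linux test host).
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Emit the rules. NAT is restricted to packets leaving on the uplink, so
# LAN-to-LAN traffic keeps its real source address; the FORWARD chain then
# states explicitly which crossings of the router are allowed.
emit_rules() {
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # NAT only for traffic that actually goes out to the internet
    $IPT -t nat -A POSTROUTING -s "$LAN1" -o "$EXTIF" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$LAN2" -o "$EXTIF" -j MASQUERADE

    # replies to connections the router already let through
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # each LAN to the internet; the -i/-s pair rejects packets that arrive
    # on one LAN interface claiming the other LAN's address range
    $IPT -A FORWARD -i "$LAN1IF" -s "$LAN1" -o "$EXTIF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN2IF" -s "$LAN2" -o "$EXTIF" -j ACCEPT

    # LAN <-> LAN, which is what lets the two subnets ping and ssh each other
    $IPT -A FORWARD -i "$LAN1IF" -s "$LAN1" -o "$LAN2IF" -d "$LAN2" -j ACCEPT
    $IPT -A FORWARD -i "$LAN2IF" -s "$LAN2" -o "$LAN1IF" -d "$LAN1" -j ACCEPT
    # anything else crossing the router falls to the DROP policy
}

# Self-check: number of MASQUERADE rules that are not tied to the uplink
# interface, i.e. would also rewrite LAN-to-LAN traffic. Should be 0.
unscoped_masquerade_count() {
    emit_rules | grep MASQUERADE | grep -vc -- "-o $EXTIF" || true
}

echo "ip_forward = $(ip_forward_state)"
emit_rules
```

Run it once as-is to read the generated commands, then as root with `IPT=iptables` to apply them. If `ip_forward` prints 0, forwarding must still be switched on as Anarcho described before any of the FORWARD rules matter.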