Gentoo Forums :: Networking & Security
Linux router help
BlueFusion (Guru; joined 08 Mar 2006; 371 posts)
Posted: Fri Mar 09, 2012 1:03 am    Post subject: Linux router help

Hi folks. I have been using a Dell PowerEdge 2650 for storage, processing, and my router for some time now. I read up on jumbo frames recently and wanted to enable them for my home network. I have several devices that are Gigabit/Jumbo Frame capable and some that aren't. For example, my Linksys WRT54G and all wireless devices are not JF compatible. I decided to split the gigabit and the non-gigabit on two separate subnets. They both go through my Netgear smart switch, but I am using a port-based VLAN to separate the subnets. So far the subnets work fine and access through the server (router) to access the internet is fine. I am not able to access devices on the different subnets, however.

Here's the scenario:

On my router, I have:
eth0 = 10.1.2.0/24
eth1 = Modem
eth2 = 10.1.1.0/24

What do I have to do to allow my wireless laptop (10.1.2.10) to access my desktop (10.1.1.5)?

I am attaching my complete iptables settings, too. I don't think it's a firewall issue, but maybe it is. I figured the router would just forward traffic to the appropriate port (subnet) without any static route changes on any of the devices. Currently, when I try to ping a device on the other subnet, all I get is Destination host is unreachable.

Code:
#!/bin/sh

IF_WAN="eth1"
IF_LAN_GIG="eth2"
IF_LAN_FAST="eth0"
LANNET_GIG="10.1.1.0/24" # 10.1.1.1 - 10.1.1.254
LANNET_FAST="10.1.2.0/24" # 10.1.2.1 - 10.1.2.254

# chain policies
# drop everything and open stuff as necessary
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z

# create DUMP, STATEFUL, and SYN-FLOOD chains
iptables -N DUMP
iptables -F DUMP
iptables -N STATEFUL
iptables -F STATEFUL
iptables -N SYN-FLOOD
iptables -F SYN-FLOOD


# limited logs
iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT ICMPDUMP: "
iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT TCPDUMP: "
iptables -A DUMP -p udp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT UDPDUMP: "

# reject with certain options packets in DUMP table
iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A DUMP -j DROP

# Stateful table
iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A STATEFUL -m state --state NEW ! -i ${IF_WAN} -j ACCEPT
iptables -A STATEFUL -j DUMP

# SYN flood protection
iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SYN-FLOOD -j DROP
iptables -A INPUT -i ${IF_WAN} -p tcp --syn -j SYN-FLOOD
iptables -A INPUT -p tcp -i ${IF_WAN} ! --syn -m state --state NEW -j DROP

# watch out for fragments
iptables -A INPUT -i ${IF_WAN} -f -j LOG --log-prefix "IPT FRAGMENTS: "
iptables -A INPUT -i ${IF_WAN} -f -j DROP

# allow loopback in and out
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow LAN out
iptables -A OUTPUT -p ALL -s ${LANNET_GIG} -j ACCEPT
#iptables -A OUTPUT -p ALL -s ${LANNET_FAST} -j ACCEPT

# drop incoming reserved addresses
iptables -A INPUT -i ${IF_WAN} -s 0.0.0.0/8 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 240.0.0.0/4 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 10.0.0.0/8 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 172.16.0.0/12 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 192.168.0.0/16 -j DUMP

# allow certain inbound ICMP types
iptables -A INPUT -i ${IF_WAN} -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i ${IF_WAN} -p icmp --icmp-type echo-request -j ACCEPT

# allow external access to SSH
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --rttl --name SSH -j DUMP
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -j ACCEPT

# allow external access to local services
iptables -A INPUT -i ${IF_WAN} -p tcp --dport rsync -j ACCEPT
iptables -A INPUT -i ${IF_WAN} -p tcp --dport http -j ACCEPT

# masquerade from internal networks
iptables -I FORWARD -i ${IF_LAN_FAST} -d ${LANNET_FAST} -j DROP
iptables -A FORWARD -i ${IF_LAN_FAST} -s ${LANNET_FAST} -j ACCEPT
iptables -A FORWARD -i ${IF_WAN} -d ${LANNET_FAST} -j ACCEPT
iptables -I FORWARD -i ${IF_LAN_GIG} -d ${LANNET_GIG} -j DROP
iptables -A FORWARD -i ${IF_LAN_GIG} -s ${LANNET_GIG} -j ACCEPT
iptables -A FORWARD -i ${IF_WAN} -d ${LANNET_GIG} -j ACCEPT

#iptables -A FORWARD -i ${IF_LAN_FAST} -o ${IF_LAN_GIG} -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ${IF_LAN_GIG} -o ${IF_LAN_FAST} -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${IF_LAN_GIG} -o ${IF_LAN_FAST} -s ${LANNET_GIG} -d ${LANNET_FAST} -j ACCEPT
iptables -A FORWARD -i ${IF_LAN_FAST} -o ${IF_LAN_GIG} -s ${LANNET_FAST} -d ${LANNET_GIG} -j ACCEPT

iptables -t nat -A POSTROUTING -s ${LANNET_FAST} -o ${IF_WAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${LANNET_GIG} -o ${IF_WAN} -j MASQUERADE

# send all else to stateful table
iptables -A INPUT -j STATEFUL
iptables -A FORWARD -j STATEFUL
iptables -A OUTPUT -j STATEFUL


route -n on my router:
Code:
supernova kernels # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xx.xx.xx.1     0.0.0.0         UG    2      0        0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
xx.xx.xx.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo


ifconfig -a:
Code:
eth0      Link encap:Ethernet  HWaddr 00:0d:56:b9:28:8f 
          inet addr:10.1.2.1  Bcast:10.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29209 errors:0 dropped:12 overruns:0 frame:0
          TX packets:47359 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2592710 (2.4 MiB)  TX bytes:11472394 (10.9 MiB)
          Interrupt:28

eth1      Link encap:Ethernet  HWaddr 00:0d:56:b9:28:90 
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:105842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:115216616 (109.8 MiB)  TX bytes:6649036 (6.3 MiB)
          Interrupt:29

eth2      Link encap:Ethernet  HWaddr 00:08:02:28:f1:3b 
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
          RX packets:5235 errors:0 dropped:15 overruns:0 frame:0
          TX packets:5397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:593861 (579.9 KiB)  TX bytes:4567136 (4.3 MiB)
          Interrupt:20

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3642 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3642 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:521158 (508.9 KiB)  TX bytes:521158 (508.9 KiB)

_________________
i7-940 2.93Ghz | ASUS P6T Deluxe (v.1) | 24GB Triple Channel RAM | nVidia GTX660
4x 4TB Seagate NAS HDD (Btrfs raid5) | 2x 120GB Samsung 850 EVO SSD (Btrfs raid1)
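To check the hunch that this is not a firewall problem, here is an added example (my code, not from the post): a minimal evaluator for the subset of iptables syntax used by the FORWARD and STATEFUL chains in the script above, with the shell variables expanded and the output interface taken from the posted route -n. DUMP is treated as a terminal drop because that chain ends in REJECT/DROP. The addresses 203.0.113.7 and 192.0.2.9 are constructed test values from the documentation ranges. It models nothing outside those two chains (no INPUT, no NAT, no rp_filter), so ACCEPT here means only that the FORWARD rules do not block the packet.

```python
import ipaddress
import shlex

# FORWARD and STATEFUL rules from the posted script, shell variables expanded
RULESET = """
iptables -N STATEFUL
iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A STATEFUL -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A STATEFUL -j DUMP
iptables -I FORWARD -i eth0 -d 10.1.2.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 10.1.2.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 10.1.2.0/24 -j ACCEPT
iptables -I FORWARD -i eth2 -d 10.1.1.0/24 -j DROP
iptables -A FORWARD -i eth2 -s 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -s 10.1.1.0/24 -d 10.1.2.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -s 10.1.2.0/24 -d 10.1.1.0/24 -j ACCEPT
iptables -A FORWARD -j STATEFUL
"""
# output interface per destination, from the posted `route -n`
ROUTES = [(ipaddress.ip_network("10.1.1.0/24"), "eth2"),
          (ipaddress.ip_network("10.1.2.0/24"), "eth0"),
          (ipaddress.ip_network("0.0.0.0/0"), "eth1")]
# DUMP logs and then REJECTs/DROPs, so it is terminal like DROP
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "DROP", "DUMP": "DROP"}
# option -> (packet field, value converter)
OPTS = {"-i": ("in", str), "-o": ("out", str), "-p": ("proto", str.lower),
        "-s": ("src", ipaddress.ip_network), "-d": ("dst", ipaddress.ip_network),
        "--state": ("state", lambda v: set(v.split(",")))}


def parse_rule(line):
    """Return (action, chain, matches, target) for one iptables command;
    matches is a list of (field, negated, wanted) triples."""
    toks = shlex.split(line)
    action, chain, matches, target, i = toks[1], toks[2], [], None, 3
    while i < len(toks):
        neg = toks[i] == "!"
        i += neg
        opt, val = toks[i], toks[i + 1]
        i += 2
        if opt == "-m":                 # module name; its own options follow
            continue
        if opt == "-j":
            target = val
        elif opt in OPTS:
            field, conv = OPTS[opt]
            matches.append((field, neg, conv(val)))
        else:
            raise ValueError("unsupported option: " + opt)
    return action, chain, matches, target


def build(ruleset):
    """Build chains in script order: -I (no position) inserts at the top, -A appends."""
    chains = {"FORWARD": []}
    for line in ruleset.strip().splitlines():
        action, chain, matches, target = parse_rule(line)
        if action == "-N":
            chains.setdefault(chain, [])
        elif action == "-I":
            chains[chain].insert(0, (matches, target))
        else:
            chains[chain].append((matches, target))
    return chains


def rule_hits(matches, pkt):
    """True when every (field, negated, wanted) triple matches the packet."""
    for field, neg, want in matches:
        if isinstance(want, (set, ipaddress.IPv4Network)):
            hit = pkt[field] in want
        else:
            hit = pkt[field] == want
        if hit == neg:                  # a plain miss, or a negated hit
            return False
    return True


def evaluate(chains, chain, pkt, policy):
    """Walk a chain in order; a user chain returns None when it falls off the end."""
    for matches, target in chains[chain]:
        if not rule_hits(matches, pkt) or target is None:
            continue
        if target in TERMINAL:
            return TERMINAL[target]
        verdict = evaluate(chains, target, pkt, None)
        if verdict is not None:
            return verdict
    return policy


CHAINS = build(RULESET)


def forwarded(src, dst, in_if, state, proto="icmp"):
    """Verdict of the FORWARD chain (policy ACCEPT in the script) for one packet."""
    d = ipaddress.ip_address(dst)
    pkt = {"in": in_if, "out": next(dev for net, dev in ROUTES if d in net),
           "src": ipaddress.ip_address(src), "dst": d, "proto": proto, "state": state}
    return evaluate(CHAINS, "FORWARD", pkt, "ACCEPT")


CASES = [  # (src, dst, in_if, conntrack state); the non-10.x addresses are constructed
    ("10.1.2.10", "10.1.1.5", "eth0", "NEW"),           # laptop pings desktop
    ("10.1.1.5", "10.1.2.10", "eth2", "ESTABLISHED"),   # desktop's echo reply
    ("10.1.2.10", "10.1.2.50", "eth0", "NEW"),          # hairpin back into the same subnet
    ("203.0.113.7", "10.1.2.10", "eth1", "NEW"),        # unsolicited packet from the WAN
    ("192.0.2.9", "10.1.1.5", "eth0", "NEW"),           # spoofed source entering on eth0
]

if __name__ == "__main__":
    for case in CASES:
        print(*case, "->", forwarded(*case))
```

Both directions of the laptop-to-desktop ping come back ACCEPT, so the rules as posted do forward between the two subnets; the two `-I ... DROP` lines only catch hairpin traffic that re-enters the subnet it came from. Two results deserve a second look from a security angle: the `-i eth1 -d LAN -j ACCEPT` rules accept NEW connections from the WAN into both subnets before STATEFUL is ever consulted (MASQUERADE means such packets normally never arrive, but nothing in FORWARD enforces that), and a packet entering eth0 with a source outside 10.1.2.0/24 falls through to STATEFUL and is accepted as NEW simply because it did not come from eth1; reverse-path filtering, not these rules, is what would stop that.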
BillWho (Veteran; joined 03 Mar 2012; 1600 posts; Location: US)
Posted: Sat Mar 10, 2012 11:57 pm

A real long shot

Code:
# on the laptop (10.1.2.x side): a host route to the desktop,
# then a summary route for 10.1.0.0/16 via the router's eth0 address
route add -host 10.1.1.5 gw 10.1.2.1
route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.1.2.1
Veldrin (Veteran; joined 27 Jul 2004; 1945 posts; Location: Zurich, Switzerland)
Posted: Sun Mar 11, 2012 12:21 am

@OP: can you post the actual running iptables config? iptables -nvL

@BillWho: no additional routing is needed. Both networks are directly attached to the router, and the respective hosts can use the default route to get to the router, which will handle any further routing.

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
BlueFusion (Guru; joined 08 Mar 2006; 371 posts)
Posted: Sun Mar 11, 2012 4:21 pm

I gave up on it. It seemed like more trouble than it was worth for the slight increase in NFS/rsync performance. Maybe once I get more devices that support JF, I'll try again.
Mistwolf (Apprentice; joined 07 Mar 2007; 189 posts; Location: Edmonton, AB)
Posted: Mon Mar 12, 2012 3:47 pm

Your subnet masks are wrong. They are blocking the subnets from accessing each other. Correct subnet mask should be 255.255.0.0 or, if you really want, 255.255.252.0. That way, it is all considered one network.

Hope this helps.

Dario
py-ro (Veteran; joined 24 Sep 2002; 1734 posts; Location: Velbert)
Posted: Mon Mar 12, 2012 4:02 pm

Did you even enable forwarding?

Code:
cat /proc/sys/net/ipv4/conf/all/forwarding


@Mistwolf: You are wrong, too.
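Veldrin's point (hosts only need their default route; the router has both networks directly attached), py-ro's forwarding check, and Mistwolf's suggested wider mask can all be walked through with a small model of next-hop selection. Added example, my code and not anything posted in the thread: the VLAN membership table is an assumption taken from the description of the port-based VLANs, the addresses are the thread's own, and the router's default route (WAN) is left out.

```python
import ipaddress

# Which L2 segment (switch VLAN) each address sits on. ARP only works between
# addresses on the same segment. Assumed layout, from the thread's description.
SEGMENT = {"10.1.2.10": "vlan-fast", "10.1.2.1": "vlan-fast",
           "10.1.1.1": "vlan-gig", "10.1.1.5": "vlan-gig"}


class Host:
    """An end system with one address/mask and an optional default gateway."""

    def __init__(self, name, addr, gateway=None):
        self.name = name
        self.iface = ipaddress.ip_interface(addr)           # e.g. "10.1.2.10/24"
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Where the host sends the frame: the destination itself when the mask
        says it is on-link, otherwise the default gateway."""
        if dst in self.iface.network:
            return "onlink", dst
        if self.gateway is None:
            return "none", None
        return "gateway", self.gateway


class Router:
    """A router with directly connected networks only (no default route here)."""

    def __init__(self, interfaces, forwarding=True):
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.forwarding = forwarding            # net.ipv4.ip_forward

    def egress(self, dst):
        """Name of the interface whose connected network contains dst, or None."""
        if not self.forwarding:
            return None
        for name, iface in self.ifaces.items():
            if dst in iface.network:
                return name
        return None


def trace(host, router, dst, segment=SEGMENT):
    """Follow one packet: the host's routing decision and ARP, then the router's
    forwarding decision and ARP on the far side. Returns (status, detail)."""
    dst = ipaddress.ip_address(dst)
    kind, hop = host.next_hop(dst)
    if kind == "none":
        return "net-unreachable", "%s has no route to %s" % (host.name, dst)
    if segment.get(str(hop)) != segment[str(host.iface.ip)]:
        # the sender itself reports this: it never got an ARP reply
        return "host-unreachable", "%s: no ARP reply for %s" % (host.iface.ip, hop)
    if kind == "onlink":
        return "direct", "%s -> %s on %s" % (host.iface.ip, dst, segment[str(dst)])
    out = router.egress(dst)
    if out is None:
        return "router-drop", "forwarding off or no connected route to %s" % dst
    router_ip = router.ifaces[out].ip
    if segment.get(str(dst)) != segment[str(router_ip)]:
        # now it is the router that gives up, and the ICMP error carries its address
        return "host-unreachable", "%s: no ARP reply for %s" % (router_ip, dst)
    return "forwarded", "%s -> %s (%s) -> %s" % (host.iface.ip, router_ip, out, dst)


ROUTER = Router({"eth0": "10.1.2.1/24", "eth2": "10.1.1.1/24"})
ROUTER_NOFWD = Router({"eth0": "10.1.2.1/24", "eth2": "10.1.1.1/24"}, forwarding=False)
LAPTOP = Host("laptop", "10.1.2.10/24", gateway="10.1.2.1")      # mask as posted
LAPTOP_16 = Host("laptop", "10.1.2.10/16", gateway="10.1.2.1")   # 255.255.0.0 instead

if __name__ == "__main__":
    print(trace(LAPTOP, ROUTER, "10.1.1.5"))        # forwarded via the router
    print(trace(LAPTOP_16, ROUTER, "10.1.1.5"))     # /16: laptop ARPs across the VLAN boundary
    print(trace(LAPTOP, ROUTER_NOFWD, "10.1.1.5"))  # ip_forward = 0
    print(trace(LAPTOP, ROUTER, "10.1.1.77"))       # no such host: the router reports it
```

With the /24 masks as posted the laptop hands the packet to 10.1.2.1 and the router delivers it on eth2, which is Veldrin's point; widening the laptop's mask to /16 makes it treat 10.1.1.5 as on-link and ARP for it on its own VLAN, where nothing answers. The `detail` string also shows which device gives up: in real ping output the "From" address before "Destination Host Unreachable" is the sender when its own ARP failed and the router's interface address when the router could not resolve the destination, which is the first thing to read off the error before touching routes or firewall rules.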
BlueFusion (Guru; joined 08 Mar 2006; 371 posts)
Posted: Sun Mar 18, 2012 2:36 pm

I did have forwarding enabled as the server is currently working as my NAT router.

Mistwolf, are those changes necessary on the router or each computer?
All times are GMT