BlueFusion (Guru)
Joined: 08 Mar 2006 | Posts: 371
Posted: Fri Mar 09, 2012 1:03 am | Post subject: Linux router help
Hi folks. I have been using a Dell PowerEdge 2650 for storage, processing, and my router for some time now. I read up on jumbo frames recently and wanted to enable them for my home network. I have several devices that are Gigabit/Jumbo Frame capable and some that aren't. For example, my Linksys WRT54G and all wireless devices are not JF compatible. I decided to split the gigabit and the non-gigabit devices onto two separate subnets. They both go through my Netgear smart switch, but I am using a port-based VLAN to separate the subnets. So far the subnets work fine and access through the server (router) to the internet is fine. I am not able to access devices on the other subnet, however.
Here's the scenario:
On my router, I have:
eth0 = 10.1.2.0/24
eth1 = Modem
eth2 = 10.1.1.0/24
What do I have to do to allow my wireless laptop (10.1.2.10) to access my desktop (10.1.1.5)?
I am attaching my complete iptables settings, too. I don't think it's a firewall issue, but maybe it is. I figured the router would just forward traffic to the appropriate port (subnet) without any static route changes on any of the devices. Currently, when trying to ping a device on the other subnet, all I get is "Destination host is unreachable".
Code:
#!/bin/sh
IF_WAN="eth1"
IF_LAN_GIG="eth2"
IF_LAN_FAST="eth0"
LANNET_GIG="10.1.1.0/24" # 10.1.1.1 - 10.1.1.254
LANNET_FAST="10.1.2.0/24" # 10.1.2.1 - 10.1.2.254
# chain policies
# drop everything and open stuff as necessary
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT DROP
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z
# create DUMP, STATEFUL, and SYN_FLOOD tables
iptables -N DUMP
iptables -F DUMP
iptables -N STATEFUL
iptables -F STATEFUL
iptables -N SYN-FLOOD
iptables -F SYN-FLOOD
# limited logs
iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT ICMPDUMP: "
iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT TCPDUMP: "
iptables -A DUMP -p udp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT UDPDUMP: "
# reject with certain options packets in DUMP table
iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A DUMP -j DROP
# Stateful table
iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A STATEFUL -m state --state NEW ! -i ${IF_WAN} -j ACCEPT
iptables -A STATEFUL -j DUMP
# SYN flood protection
iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SYN-FLOOD -j DROP
iptables -A INPUT -i ${IF_WAN} -p tcp --syn -j SYN-FLOOD
iptables -A INPUT -p tcp -i ${IF_WAN} ! --syn -m state --state NEW -j DROP
# watch out for fragments
iptables -A INPUT -i ${IF_WAN} -f -j LOG --log-prefix "IPT FRAGMENTS: "
iptables -A INPUT -i ${IF_WAN} -f -j DROP
# allow loopback in and out
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow LAN out
iptables -A OUTPUT -p ALL -s ${LANNET_GIG} -j ACCEPT
#iptables -A OUTPUT -p ALL -s ${LANNET_FAST} -j ACCEPT
# drop incoming reserved addresses
iptables -A INPUT -i ${IF_WAN} -s 0.0.0.0/8 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 240.0.0.0/8 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 10.0.0.0/8 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 172.16.0.0/12 -j DUMP
iptables -A INPUT -i ${IF_WAN} -s 192.168.0.0/16 -j DUMP
# allow certain inbound ICMP types
iptables -A INPUT -i ${IF_WAN} -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i ${IF_WAN} -p icmp --icmp-type echo-request -j ACCEPT
# allow external access to SSH
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --rttl --name SSH -j DUMP
iptables -A INPUT -i ${IF_WAN} -p tcp --dport ssh -j ACCEPT
# allow external access to local services
iptables -A INPUT -i ${IF_WAN} -p tcp --dport rsync -j ACCEPT
iptables -A INPUT -i ${IF_WAN} -p tcp --dport http -j ACCEPT
# masquerade from internal networks
iptables -I FORWARD -i ${IF_LAN_FAST} -d ${LANNET_FAST} -j DROP
iptables -A FORWARD -i ${IF_LAN_FAST} -s ${LANNET_FAST} -j ACCEPT
iptables -A FORWARD -i ${IF_WAN} -d ${LANNET_FAST} -j ACCEPT
iptables -I FORWARD -i ${IF_LAN_GIG} -d ${LANNET_GIG} -j DROP
iptables -A FORWARD -i ${IF_LAN_GIG} -s ${LANNET_GIG} -j ACCEPT
iptables -A FORWARD -i ${IF_WAN} -d ${LANNET_GIG} -j ACCEPT
#iptables -A FORWARD -i ${IF_FAST} -o ${IF_GIG} -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ${IF_FAST} -o ${IF_GIG} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${IF_LAN_GIG} -o ${IF_LAN_FAST} -s ${LANNET_GIG} -d ${LANNET_FAST} -j ACCEPT
iptables -A FORWARD -i ${IF_LAN_FAST} -o ${IF_LAN_GIG} -s ${LANNET_FAST} -d ${LANNET_GIG} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${LANNET_FAST} -o ${IF_WAN} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${LANNET_GIG} -o ${IF_WAN} -j MASQUERADE
# send all else to stateful table
iptables -A INPUT -j STATEFUL
iptables -A FORWARD -j STATEFUL
iptables -A OUTPUT -j STATEFUL
route -n on my router:
Code:
supernova kernels # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 xx.xx.xx.1 0.0.0.0 UG 2 0 0 eth1
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
xx.xx.xx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
ifconfig -a:
Code:
eth0 Link encap:Ethernet HWaddr 00:0d:56:b9:28:8f
inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:29209 errors:0 dropped:12 overruns:0 frame:0
TX packets:47359 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2592710 (2.4 MiB) TX bytes:11472394 (10.9 MiB)
Interrupt:28
eth1 Link encap:Ethernet HWaddr 00:0d:56:b9:28:90
inet addr:xx.xx.xx.xx Bcast:xx.xx.xx.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:105842 errors:0 dropped:0 overruns:0 frame:0
TX packets:61922 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:115216616 (109.8 MiB) TX bytes:6649036 (6.3 MiB)
Interrupt:29
eth2 Link encap:Ethernet HWaddr 00:08:02:28:f1:3b
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:9000 Metric:1
RX packets:5235 errors:0 dropped:15 overruns:0 frame:0
TX packets:5397 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:593861 (579.9 KiB) TX bytes:4567136 (4.3 MiB)
Interrupt:20
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3642 errors:0 dropped:0 overruns:0 frame:0
TX packets:3642 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:521158 (508.9 KiB) TX bytes:521158 (508.9 KiB)
_________________ i7-940 2.93Ghz | ASUS P6T Deluxe (v.1) | 24GB Triple Channel RAM | nVidia GTX660
4x 4TB Seagate NAS HDD (Btrfs raid5) | 2x 120GB Samsung 850 EVO SSD (Btrfs raid1)
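The poster says he doesn't think it is a firewall issue. One way to check that claim without touching the router is to replay the posted script's FORWARD chain rule by rule and ask which rule decides the laptop-to-desktop ping. The following is an added example, not code from the thread: it models the chain with the `-I` (prepend) and `-A` (append) calls in the posted order, treats the STATEFUL user chain as a function of the packet's conntrack state, and takes `-o` from the packet because the routing decision that fixes the output interface happens before FORWARD runs. The `build_hardened_chain` function is an added default-deny suggestion, not something the script contains; the packet addresses outside 10.1.0.0/16 are constructed RFC 5737 documentation addresses.

```python
"""First-match walk through the FORWARD chain as the posted script builds it.

Added example, not code from the thread.  -I prepends and -A appends, so the
two DROP rules end up first; STATEFUL is modelled from the posted chain.
"""
from ipaddress import ip_address, ip_network

WAN, FAST, GIG = "eth1", "eth0", "eth2"            # interface names from the post
LAN_FAST, LAN_GIG = "10.1.2.0/24", "10.1.1.0/24"   # subnets from the post


class Rule:
    def __init__(self, target, in_if=None, out_if=None, src=None, dst=None, state=None):
        self.target, self.in_if, self.out_if, self.state = target, in_if, out_if, state
        self.src = ip_network(src) if src else None
        self.dst = ip_network(dst) if dst else None

    def matches(self, pkt):
        return all((
            self.in_if is None or pkt["in"] == self.in_if,
            self.out_if is None or pkt["out"] == self.out_if,
            self.src is None or ip_address(pkt["src"]) in self.src,
            self.dst is None or ip_address(pkt["dst"]) in self.dst,
            self.state is None or pkt["state"] in self.state,
        ))


def build_forward_chain():
    """The posted FORWARD chain, honouring -I versus -A ordering."""
    chain = []
    chain.insert(0, Rule("DROP", in_if=FAST, dst=LAN_FAST))             # -I
    chain.append(Rule("ACCEPT", in_if=FAST, src=LAN_FAST))              # -A
    chain.append(Rule("ACCEPT", in_if=WAN, dst=LAN_FAST))               # -A
    chain.insert(0, Rule("DROP", in_if=GIG, dst=LAN_GIG))               # -I (now first)
    chain.append(Rule("ACCEPT", in_if=GIG, src=LAN_GIG))                # -A
    chain.append(Rule("ACCEPT", in_if=WAN, dst=LAN_GIG))                # -A
    chain.append(Rule("ACCEPT", in_if=GIG, out_if=FAST, src=LAN_GIG, dst=LAN_FAST))
    chain.append(Rule("ACCEPT", in_if=FAST, out_if=GIG, src=LAN_FAST, dst=LAN_GIG))
    chain.append(Rule("STATEFUL"))                                      # -j STATEFUL
    return chain


def build_hardened_chain():
    """Default-deny alternative (added suggestion, not from the thread):
    conntrack first, then only the flows the poster wants; intended to be
    paired with `iptables -P FORWARD DROP` so anything unlisted is refused."""
    return [
        Rule("ACCEPT", state=("ESTABLISHED", "RELATED")),
        Rule("ACCEPT", in_if=FAST, out_if=GIG, src=LAN_FAST, dst=LAN_GIG, state=("NEW",)),
        Rule("ACCEPT", in_if=GIG, out_if=FAST, src=LAN_GIG, dst=LAN_FAST, state=("NEW",)),
        Rule("ACCEPT", in_if=FAST, out_if=WAN, src=LAN_FAST, state=("NEW",)),
        Rule("ACCEPT", in_if=GIG, out_if=WAN, src=LAN_GIG, state=("NEW",)),
    ]


def stateful(pkt):
    """The posted STATEFUL chain: ESTABLISHED/RELATED pass, NEW passes unless it
    arrived on the WAN, everything else falls into DUMP (log, reject or drop)."""
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if pkt["state"] == "NEW" and pkt["in"] != WAN:
        return "ACCEPT"
    return "DUMP"


def verdict(chain, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based index of the deciding rule); index None means the
    chain policy decided (the posted script sets the FORWARD policy to ACCEPT)."""
    for idx, rule in enumerate(chain, 1):
        if rule.matches(pkt):
            return (stateful(pkt) if rule.target == "STATEFUL" else rule.target), idx
    return policy, None


def pkt(in_if, out_if, src, dst, state):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "state": state}


# Constructed packets for the flows discussed in the post.
LAPTOP_TO_DESKTOP = pkt(FAST, GIG, "10.1.2.10", "10.1.1.5", "NEW")
DESKTOP_REPLY = pkt(GIG, FAST, "10.1.1.5", "10.1.2.10", "ESTABLISHED")
WAN_TO_DESKTOP_NEW = pkt(WAN, GIG, "203.0.113.9", "10.1.1.5", "NEW")      # unsolicited
WAN_TRANSIT_NEW = pkt(WAN, WAN, "203.0.113.9", "198.51.100.7", "NEW")     # not for us

if __name__ == "__main__":
    posted, hardened = build_forward_chain(), build_hardened_chain()
    for name, p in [("laptop->desktop", LAPTOP_TO_DESKTOP), ("desktop reply", DESKTOP_REPLY),
                    ("WAN->desktop NEW", WAN_TO_DESKTOP_NEW), ("WAN transit NEW", WAN_TRANSIT_NEW)]:
        print(f"{name:18} posted={verdict(posted, p)} hardened={verdict(hardened, p, 'DROP')}")
```

Running it shows the laptop-to-desktop ping is accepted by the third rule (`-A FORWARD -i eth0 -s 10.1.2.0/24 -j ACCEPT`) before the specific cross-subnet rules are ever consulted, so the posted firewall is not what blocks it; the fault is on the hosts or the VLAN/L2 side. It also shows that a NEW packet arriving on the WAN addressed to 10.1.1.5 is accepted by rule six, and that with the chain policy at ACCEPT the "drop everything and open stuff as necessary" comment in the script does not describe FORWARD. The hardened list with a DROP policy gives the same results for the wanted flows and refuses the rest.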
BillWho (Veteran)
Joined: 03 Mar 2012 | Posts: 1600 | Location: US
Posted: Sat Mar 10, 2012 11:57 pm
A real long shot
route add -host 10.1.1.5 gw 10.1.2.1
route add -net 10.1.0.0 netmask 255.0.0.0 gw 10.1.2.1
Veldrin (Veteran)
Joined: 27 Jul 2004 | Posts: 1945 | Location: Zurich, Switzerland
Posted: Sun Mar 11, 2012 12:21 am
@OP: can you post the actual running iptables config? iptables -nvL
@BillWho: no additional routing is needed. Both networks are directly attached to the router, and the respective hosts can use the default route to get to the router, which will handle any further routing.
V.
_________________ read the portage output!
If my answer is too concise, ask for an explanation.
BlueFusion (Guru)
Joined: 08 Mar 2006 | Posts: 371
Posted: Sun Mar 11, 2012 4:21 pm
I gave up on it. It seemed like more trouble than it was worth for the slight increase in NFS/rsync performance. Maybe once I get more devices that support JF, I'll try again.
Mistwolf (Apprentice)
Joined: 07 Mar 2007 | Posts: 189 | Location: Edmonton, AB
Posted: Mon Mar 12, 2012 3:47 pm
Your subnet masks are wrong. They are blocking the subnets from accessing each other. Correct subnet mask should be 255.255.0.0 or, if you really want, 255.255.252.0. That way, it is all considered one network.
Hope this helps.
Dario
py-ro (Veteran)
Joined: 24 Sep 2002 | Posts: 1734 | Location: Velbert
Posted: Mon Mar 12, 2012 4:02 pm
Did you even enable forwarding?
Code:
cat /proc/sys/net/ipv4/conf/all/forwarding
@Mistwolf: You are wrong, too.
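Two claims in this thread can be checked with a small model: Veldrin's point that no extra routes are needed because both subnets are directly attached to the router, and the disagreement over widening the hosts' subnet masks. The following is an added example, not code from the thread. It takes the router facts from the posted `route -n` and `ifconfig` output (eth0 = 10.1.2.1/24 at MTU 1500, eth2 = 10.1.1.1/24 at MTU 9000) and traces what a laptop at 10.1.2.10 does when it pings 10.1.1.5 under a /24 mask and under the /16 and /22 masks proposed above. It assumes proxy ARP is off on the router (the Linux default) and that the two subnets really sit on separate VLANs, as the poster describes; the hosts' default gateway is assumed to be the router's address on their own segment.

```python
"""Does a host on 10.1.2.0/24 reach 10.1.1.5 directly or via the router?

Added example, not from the thread.  Router data is taken from the posted
route -n / ifconfig output; host masks are varied to test the thread's advice.
Assumes proxy_arp=0 on the router and one VLAN per router LAN interface.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Router interfaces as posted (address/mask and MTU).  eth1 is the WAN side.
ROUTER_IFACES = {
    "eth0": {"addr": ip_interface("10.1.2.1/24"), "mtu": 1500},
    "eth2": {"addr": ip_interface("10.1.1.1/24"), "mtu": 9000},
}
# Posted kernel routing table, minus the redacted WAN prefix; the default
# route leaves via eth1.
ROUTES = [
    (ip_network("10.1.1.0/24"), "eth2"),
    (ip_network("10.1.2.0/24"), "eth0"),
    (ip_network("0.0.0.0/0"), "eth1"),
]


def router_lookup(dst):
    """Longest-prefix match over ROUTES, as the kernel does."""
    d = ip_address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def host_next_hop(host_cidr, gateway, dst):
    """A host ARPs for dst itself when dst is inside its own configured
    network; otherwise it hands the packet to its default gateway."""
    return "direct" if ip_address(dst) in ip_interface(host_cidr).network else gateway


def segment_of(ip):
    """Router interface whose L2 segment (VLAN) an address physically sits on,
    judged by the router's own /24 assignments."""
    for name, info in ROUTER_IFACES.items():
        if ip_address(ip) in info["addr"].network:
            return name
    return None


def ping_path(host_cidr, gateway, dst):
    """Trace one direction.  Returns (outcome, usable MTU or None)."""
    host_ip = str(ip_interface(host_cidr).ip)
    src_seg = segment_of(host_ip)
    hop = host_next_hop(host_cidr, gateway, dst)
    if hop == "direct":
        # ARP succeeds only if the target is really on the same segment; the
        # router will not answer on its behalf with proxy ARP off.
        if segment_of(dst) == src_seg:
            return "delivered on-link", ROUTER_IFACES[src_seg]["mtu"]
        return "ARP fails: Destination Host Unreachable", None
    if str(ROUTER_IFACES[src_seg]["addr"].ip) != hop:
        return "gateway is not on this segment", None
    out_if = router_lookup(dst)
    if out_if not in ROUTER_IFACES:
        return f"forwarded out {out_if}", None
    # The router forwards; the smaller MTU of the two legs bounds the frame
    # size, so jumbo frames from eth2 cannot cross to eth0 unfragmented.
    mtu = min(ROUTER_IFACES[src_seg]["mtu"], ROUTER_IFACES[out_if]["mtu"])
    return f"forwarded {src_seg}->{out_if}", mtu


def laptop_pings_desktop(prefixlen):
    """Laptop 10.1.2.10 with the given mask, gateway 10.1.2.1, pinging 10.1.1.5."""
    return ping_path(f"10.1.2.10/{prefixlen}", "10.1.2.1", "10.1.1.5")


if __name__ == "__main__":
    for plen in (24, 16, 22):
        print(f"/{plen}: {laptop_pings_desktop(plen)}")
    print("desktop -> laptop:", ping_path("10.1.1.5/24", "10.1.1.1", "10.1.2.10"))
```

With /24 masks on the hosts the laptop sends to its gateway, the router's table resolves 10.1.1.5 to eth2, and the packet is forwarded without any added routes. With a /16 or /22 mask the laptop considers 10.1.1.5 on-link, ARPs for it on its own VLAN, gets no answer, and ping reports exactly the "Destination Host Unreachable" the poster sees. The MTU figure also shows that traffic between the two LANs is limited to 1500 bytes by the eth0 leg, so jumbo frames only pay off for traffic that stays on the gigabit segment.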
BlueFusion (Guru)
Joined: 08 Mar 2006 | Posts: 371
Posted: Sun Mar 18, 2012 2:36 pm
I did have forwarding enabled as the server is currently working as my NAT router.
Mistwolf, are those changes necessary on the router or on each computer?