3 nics in linux box (iptables)

 
 
Jeremy
      04-26-2005, 08:53 AM
Hello,

I'm sure this has to be easy and I've been looking everywhere but
everything I've tried has come to no avail.

I have a Fedora core 3 (2.6.11-1.14_FC3) machine with 3 nics (one
getting the internet(eth0) and the other two going out to two different
machines--a PC(eth1) and an XBOX(eth2)).

Only eth1 gets internet--so if I put the PC or XBOX there each works
fine. But having either one hooked up to eth1 and the other hooked up
to eth2--eth2 does not get internet. The following are my files and
setups, hopefully I'm just doing something blatantly stupid.

Thanks for any help,
Jeremy

------------------------------
Hardware on Linux machine
------------------------------
eth0-Realtex
eth1-3COM 3c905b
eth2-Linksys NC100

-------------------------------
/etc/rc.d/rc.local
-------------------------------
touch /var/lock/subsys/local
/etc/rc.d/rc.ipmasq

--------------------------------
/etc/rc.d/rc.ipmasq
--------------------------------
# Set up IP FORWARDing and Masquerading
IPTABLES=iptables

# Windows PC
NETWORK1=192.168.0.0/24

#XBox
NETWORK2=192.168.10.0/24

$IPTABLES -t nat -A POSTROUTING -s $NETWORK1 -j MASQUERADE
$IPTABLES -A FORWARD -s $NETWORK1 -j ACCEPT
$IPTABLES -A FORWARD -d $NETWORK1 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s $NETWORK2 -j MASQUERADE
$IPTABLES -A FORWARD -s $NETWORK2 -j ACCEPT
$IPTABLES -A FORWARD -d $NETWORK2 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

------------------------------------------
eth1 config (on linux machine)
------------------------------------------
Address: 192.168.0.3
Subnet mask: 255.255.255.0
Default gateway address: $IP_OF_LINUX_BOX

------------------------------------------
eth2 config (on linux machine)
------------------------------------------
Address: 192.168.10.3
Subnet mask: 255.255.255.0
Default gateway address: $IP_OF_LINUX_BOX

------------------------------------------
eth1 config (on PC machine) (connected at eth1 on linux box)
------------------------------------------
Address: 192.168.0.8
Subnet mask: 255.255.255.0
Default gateway address: 192.168.0.3
DNS Servers: $IPS_FROM_MY_ISP

------------------------------------------
eth1 config (on XBOX) (connected at eth2 on linux box)
------------------------------------------
Address: 192.168.10.8
Subnet mask: 255.255.255.0
Default gateway address: 192.168.10.3
DNS Servers: $IPS_FROM_MY_ISP

------------------------------------------
/etc/hosts.allow
------------------------------------------
SSHd2: 192.168.0. 192.168.10.
SSHd: 192.168.0. 192.168.10.
SSHfwd-X11: 192.168.0. 192.168.10.

-------------------------------------------
/etc/hosts.deny
-------------------------------------------
ALL:0.0.0.0

-------------------------------------------
Resulting output of "iptables -L"
-------------------------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 192.168.0.0/24
ACCEPT all -- 192.168.10.0/24 anywhere
ACCEPT all -- anywhere 192.168.10.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
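
Added example (not part of Jeremy's post or of Fedora's scripts): in the listing above, the FORWARD chain jumps to RH-Firewall-1-INPUT, which ends in an unconditional REJECT, before it reaches the rules that rc.ipmasq appended with -A. The sketch below walks a constructed ruleset in that order; the `-i lo` and `-i eth1` matches and the `forward_verdict` helper are assumptions, since plain `iptables -L` prints no interface matches.

```shell
#!/bin/sh
# Constructed ruleset in iptables-save syntax, modelled on the listing above.
# ASSUMPTION: the "-i lo" and "-i eth1" matches. Plain "iptables -L" hides
# interface matches, so the listing on the page cannot confirm them.
RULES='
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
'

# forward_verdict IN_IFACE SRC_IP (hypothetical helper): prints the verdict
# for a NEW forwarded packet and the rule that decided it.
forward_verdict() {
    printf '%s\n' "$RULES" | awk -v iface="$1" -v src="$2" '
    function ip2n(a,  o) {
        split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_net(ip, cidr,  p, size) {
        split(cidr, p, "/"); size = 2 ^ (32 - p[2])
        return int(ip2n(ip) / size) == int(ip2n(p[1]) / size)
    }
    # Walk one chain top to bottom; the first terminating match wins.
    function walk(chain,  i, k, c, f, ok, tgt, v) {
        for (i = 1; i <= n[chain]; i++) {
            c = split(rule[chain, i], f, " "); ok = 1; tgt = ""
            for (k = 3; k <= c; k++) {
                if (f[k] == "-i" && f[k + 1] != iface) ok = 0
                if (f[k] == "-s" && !in_net(src, f[k + 1])) ok = 0
                if (f[k] == "--state" && f[k + 1] !~ /NEW/) ok = 0
                if (f[k] == "-j") tgt = f[k + 1]
            }
            if (!ok) continue
            if (tgt ~ /^(ACCEPT|REJECT|DROP)$/) return tgt " by: " rule[chain, i]
            v = walk(tgt)              # jump into a user-defined chain
            if (v != "") return v      # empty: chain fell through, keep going
        }
        return ""
    }
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 }
    END { v = walk("FORWARD"); print (v == "" ? "ACCEPT by: chain policy" : v) }'
}

forward_verdict eth1 192.168.0.8    # PC behind eth1
forward_verdict eth2 192.168.10.8   # Xbox behind eth2
```

`iptables -L -n -v` and `iptables-save` print the interface matches that the plain `-L` listing leaves out.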
 
Jean-Francois Stenuit
      04-26-2005, 05:41 PM
On Tue, 26 Apr 2005, Jeremy wrote:

> Hello,
>
> I'm sure this has to be easy and I've been looking everywhere but
> everything I've tried has come to no avail.
>
> I have a Fedora core 3 (2.6.11-1.14_FC3) machine with 3 nics (one
> getting the internet(eth0) and the other two going out to two different
> machines--a PC(eth1) and an XBOX(eth2)).
>
> Only eth1 gets internet--so if I put the PC or XBOX there each works
> fine. But having either one hooked up to eth1 and the other hooked up
> to eth2--eth2 does not get internet. The following are my files and
> setups, hopefully I'm just doing something blatantly stupid.


<snip>

> ------------------------------------------
> eth1 config (on linux machine)
> ------------------------------------------
> Address: 192.168.0.3
> Subnet mask: 255.255.255.0
> Default gateway address: $IP_OF_LINUX_BOX
>
> ------------------------------------------
> eth2 config (on linux machine)
> ------------------------------------------
> Address: 192.168.10.3
> Subnet mask: 255.255.255.0
> Default gateway address: $IP_OF_LINUX_BOX


First thing that comes to mind: you don't need a default gateway there. In
any situation, you should only have one default gateway.

Does 'netstat -rn' show only one '0.0.0.0' line? If it displays more than
one '0.0.0.0' destination, you're asking for trouble.

It's quite unusual to find two NAT rules in an IPMASQ table. I personally
never tried this. If the above does not solve your problem, drop me a note
and I'll check the behaviour of the kernel in this particular case.

--
Jean-Francois "Jef" Stenuit
 
Jeremy
      04-28-2005, 05:54 AM
Jean-Francois Stenuit wrote:
> On Tue, 26 Apr 2005, Jeremy wrote:
>
>
>>Hello,
>>
>>I'm sure this has to be easy and I've been looking everywhere but
>>everything I've tried has come to no avail.
>>
>>I have a Fedora core 3 (2.6.11-1.14_FC3) machine with 3 nics (one
>>getting the internet(eth0) and the other two going out to two different
>>machines--a PC(eth1) and an XBOX(eth2)).
>>
>>Only eth1 gets internet--so if I put the PC or XBOX there each works
>>fine. But having either one hooked up to eth1 and the other hooked up
>>to eth2--eth2 does not get internet. The following are my files and
>>setups, hopefully I'm just doing something blatantly stupid.

>
>
> <snip>
>
>>------------------------------------------
>>eth1 config (on linux machine)
>>------------------------------------------
>>Address: 192.168.0.3
>>Subnet mask: 255.255.255.0
>>Default gateway address: $IP_OF_LINUX_BOX
>>
>>------------------------------------------
>>eth2 config (on linux machine)
>>------------------------------------------
>>Address: 192.168.10.3
>>Subnet mask: 255.255.255.0
>>Default gateway address: $IP_OF_LINUX_BOX

>
>
> First thing that comes to mind: you don't need a default gateway there. In
> any situation, you should only have one default gateway.
>
> Does 'netstat -rn' show only one '0.0.0.0' line? If it displays more than
> one '0.0.0.0' destination, you're asking for trouble.
>
> It's quite unusual to find two NAT rules in an IPMASQ table. I personally
> never tried this. If the above does not solve your problem, drop me a note
> and I'll check the behaviour of the kernel in this particular case.
>


Thanks for responding.

Here's the output of netstat -rn
--------------------------------
Kernel IP routing table
Destination Gateway Genmask Flags MSS W irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
128.61.me.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
0.0.0.0 128.61.me.1 0.0.0.0 UG 0 0 0 eth0

I'm not sure where the 4th entry (169.254.0.0) is from--that's the only
weird looking thing to me. Do I need to remove it?

Thanks,
Jeremy
 
Jean-Francois Stenuit
      04-28-2005, 09:39 AM
On Thu, 28 Apr 2005, Jeremy wrote:
<snip>
> Thanks for responding.
>
> Here's the output of netstat -rn
> --------------------------------
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS W irtt Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 128.61.me.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
> 0.0.0.0 128.61.me.1 0.0.0.0 UG 0 0 0 eth0
>
> I'm not sure where the 4th entry (169.254.0.0) is from--that's the only
> weird looking thing to me. Do I need to remove it?


Indeed you should check why this entry is there. Usually, this is caused
by a mis-placed DHCP client without a DHCP server.

Check your DHCP settings. I advise you to run a DHCP server on your
internal interfaces (eases the configuration work, especially with an
Xbox), but you don't want a DHCP client on those interfaces.

--
Jean-Francois "Jef" Stenuit
 
Allen McIntosh
      04-28-2005, 12:47 PM
> I'm not sure where the 4th entry (169.254.0.0) is from--that's the only
> weird looking thing to me. Do I need to remove it?



https://www.redhat.com/archives/fedo.../msg03577.html

Found with a few minutes of searching on google.
 
Moe Trin
      04-28-2005, 11:48 PM
Jeremy wrote:

>> On Tue, 26 Apr 2005, Jeremy wrote:


>>>I have a Fedora core 3 (2.6.11-1.14_FC3)


>Here's the output of netstat -rn
>--------------------------------
>Kernel IP routing table
>Destination Gateway Genmask Flags MSS W irtt Iface
>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
>192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
>128.61.me.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
>0.0.0.0 128.61.me.1 0.0.0.0 UG 0 0 0 eth0
>
>I'm not sure where the 4th entry (169.254.0.0) is from--that's the only
>weird looking thing to me.


This is a "feature" that microsoft has been trying to get standardized since
1998. The idea is that when the MCSE has so screwed up the configuration of
the DHCP server that even a windoze box can't get an address, it will reach
up between its legs and grab an IP address randomly out of the 169.254/16
range and use that. Several Linux distributions have been adding a route
to the network - perhaps to avoid the 'Martian Packet' error messages when
this happens. I've not seen a Linux box actually assign such an address to
any interface.

If you look inside /etc/sysconfig/network-scripts/ifup you'll probably find:

-----8<-------
# Add Zeroconf route.
if [ -z "${NOZEROCONF}" -a "${ISALIAS}" = "no" ]; then
    ip route replace 169.254.0.0/16 dev ${REALDEVICE}
fi
-----8<-------

So if you set NOZEROCONF=yes in the /etc/sysconfig/network configuration
file, this "feature" will be disabled.

>Do I need to remove it?


http://www.ietf.org/internet-drafts/...nklocal-17.txt
(8 July 2004 which expired 2 Jan 2005) para 1.9 says "should not" have
zero-conf address if the interface ALSO has a routable (meaning anything
other than 169.254.0.0/16) address. However, this is just a routing table
entry, not an address assignment (check this with /sbin/ifconfig). It's up
to you if you want or don't want the routing table entry (I don't), as any
properly configured router should silently discard packets with these
addresses.

Old guy

 
Jeremy
      05-05-2005, 02:50 PM
Jean-Francois Stenuit wrote:
> On Thu, 28 Apr 2005, Jeremy wrote:
> <snip>
>
>>Thanks for responding.
>>
>>Here's the output of netstat -rn
>>--------------------------------
>>Kernel IP routing table
>>Destination Gateway Genmask Flags MSS W irtt Iface
>>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
>>192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
>>128.61.me.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
>>0.0.0.0 128.61.me.1 0.0.0.0 UG 0 0 0 eth0
>>
>>I'm not sure where the 4th entry (169.254.0.0) is from--that's the only
>>weird looking thing to me. Do I need to remove it?

>
>
> Indeed you should check why this entry is there. Usually, this is caused
> by a mis-placed DHCP client without a DHCP server.
>
> Check your DHCP settings. I advise you to run a DHCP server on your
> internal interfaces (eases the configuration work, especially with an
> Xbox), but you don't want a DHCP client on those interfaces.
>

I just got a hub...prob solved.
Thanx for the help.
 