Access to public host from private host through Linux router

Hi all,

We have a linux (Mandrake 9.1) router having network 192.168.10.0/24 at eth0
and 210.212.7.0/24 at eth1.

Pinging from a host of IP 210.212.7.4 (connected by hub with eth1) to
192.168.10.1 (eth0 of the Mandrake Linux router) is possible but
we are unable to ping any host of the network 192.168.10.0

I am a newbie at this. Could anyone please help me out here.
If possible, please tell me what routes are to be added.

Regards,
Santanu

Santanu Chatterjee wrote:

> Hi all,
>
> We have a linux (Mandrake 9.1) router having network 192.168.10.0/24 at eth0
> and 210.212.7.0/24 at eth1.
>
> Pinging from a host of IP 210.212.7.4 (connected by hub with eth1) to
> 192.168.10.1 (eth0 of the Mandrake Linux router) is possible but
> we are unable to ping any host of the network 192.168.10.0
>
> I am a newbie at this. Could anyone please help me out here.
> If possible, please tell me what routes are to be added.
>
> Regards,
> Santanu
>

Hi Santanu,

Some troubleshooting tips:

1) Are you running a firewall as well? If it is iptables, you
need to make sure eth0 is forwarded to eth1 and eth1 is
forwarded to eth0 (but only the traffic you want to pass).

2) Check your route tables with
netstat -rn
You will need this data for steps 2a and 2b

2a) Are you running the router daemon?
/etc/rc.d/init.d/routed start
If this works you will need to add it to your rc
startup list
sysconfig --add routed
Reboot to make sure it stuck

2b) Are your ethx gateways configured correctly?
/etc/sysconfig/network-scripts/ifcfg-eth0 and eth1
GATEWAY=xxx.yyy.zzz.ppp
Your internal ethx (off Internet) needs to point to your
external ethx (connected to the Internet). Your external
ethx needs to point to you Internet providers default
gateway.

HTH,
--Tony


--
-------------------------
I Fish. Therefore, I am.
-------------------------

On Thu, 13 Nov 2003, Santanu Chatterjee <(E-Mail Removed)> wrote:
> We have a linux (Mandrake 9.1) router having network 192.168.10.0/24 at eth0
> and 210.212.7.0/24 at eth1.
>
> Pinging from a host of IP 210.212.7.4 (connected by hub with eth1) to
> 192.168.10.1 (eth0 of the Mandrake Linux router) is possible but
> we are unable to ping any host of the network 192.168.10.0

Does Mdk router have ip_forward enabled
(does 'cat /proc/sys/net/ipv4/ip_forward' return 1)?

Does it have any iptables forward rules to allow 210.212.7.4 to forward
to/from 192.168.10.0/24 network before any masquerading rules?

Does 210.212.7.4 have a route for 192.168.10.0/24 network using Mdk router
eth1 IP for gateway?

--
David Efflandt - All spam ignored http://www.de-srv.com/

On Thu, 13 Nov 2003 09:56:55 -0800, Anthony Ewell wrote:

> Hi Santanu,
>
> Some troubleshooting tips:
>
> 1) Are you running a firewall as well? If it is iptables, you
> need to make sure eth0 is forwarded to eth1 and eth1 is
> forwarded to eth0 (but only the traffic you want to pass).
>
> 2) Check your route tables with
> netstat -rn
> You will need this data for steps 2a and 2b
>
> 2a) Are you running the router daemon?
> /etc/rc.d/init.d/routed start
> If this works you will need to add it to your rc
> startup list
> sysconfig --add routed
> Reboot to make sure it stuck
>
> 2b) Are your ethx gateways configured correctly?
> /etc/sysconfig/network-scripts/ifcfg-eth0 and eth1
> GATEWAY=xxx.yyy.zzz.ppp
> Your internal ethx (off Internet) needs to point to your
> external ethx (connected to the Internet). Your external
> ethx needs to point to you Internet providers default
> gateway.

Thanks for the tips above. They will help me in future too.
I checked the above settings. Everything seemed to be OK.
After some hair pulling it turned out that ip_forwarding was
not enabled by default by Mandrake. Once I did that everything
worked.

So, I thought that well, for the first time, I have set up
the routing table correctly (I did not use routed, and I had set
the routing table after reading the relevant portions of the NAG).
But I was wrong. It was actually the ip_forwarding that worked, and
the actual routing was being done by the CISCO router which had been
set up by the cisco experts hired by our college. This I came to
know when the cisco expert tried to place the Linux router in place
of the cisco router. So, I am only successful in that things are
working as far as the college networking is concerned.

Now, since things are already working, I won't be allowed to tweak
the settings any further. But still, I would want to know if there
is something that I am missing. I mean, something basic, like
enabling ip_forwarding, that would _enable_ routing in Linux?
Any pointers to any online docs that deal with Linux routing _in_depth_
would be very helpful. The NAG does to go very deep into routing.
(All the other docs that I found about linux routing mainly deals with
Firewalling about which I am not very interested right now.)

Regards,
Santanu

On Fri, 14 Nov 2003 02:50:45 +0000, David Efflandt wrote:

> On Thu, 13 Nov 2003, Santanu Chatterjee <(E-Mail Removed)> wrote:
>> We have a linux (Mandrake 9.1) router having network 192.168.10.0/24 at eth0
>> and 210.212.7.0/24 at eth1.
>>
>> Pinging from a host of IP 210.212.7.4 (connected by hub with eth1) to
>> 192.168.10.1 (eth0 of the Mandrake Linux router) is possible but
>> we are unable to ping any host of the network 192.168.10.0
>
> Does Mdk router have ip_forward enabled
> (does 'cat /proc/sys/net/ipv4/ip_forward' return 1)?

Yes, _that_ was the problem. Now it works, but still routing does
not work (please see my reply to Anthony Ewell).

> Does 210.212.7.4 have a route for 192.168.10.0/24 network using Mdk router
> eth1 IP for gateway?

Well, I did give that route and it appeared in the output shown
by 'route -n' command (I can't exactly reproduce the line, as the
setup is already working using the routing services of a cicso router
and I won't be allowed to touch that setup again (until it goes wrong))

Still, could you please state the exact command line to use for the
route command for doing that. Maybe I can recall if I made any mistake
in that. IIRC, the line I used was, most probably:
# route add 192.168.10.0 gw 210.212.7.3
(where 212.212.7.3 is the machine with its other ethernet interface
being 192.168.10.1)

Regards,
Santanu

On Sat, 15 Nov 2003, Santanu Chatterjee <(E-Mail Removed)> wrote:
> On Fri, 14 Nov 2003 02:50:45 +0000, David Efflandt wrote:
>
>> On Thu, 13 Nov 2003, Santanu Chatterjee <(E-Mail Removed)> wrote:
>>> We have a linux (Mandrake 9.1) router having network 192.168.10.0/24 at eth0
>>> and 210.212.7.0/24 at eth1.
>>>
>>> Pinging from a host of IP 210.212.7.4 (connected by hub with eth1) to
>>> 192.168.10.1 (eth0 of the Mandrake Linux router) is possible but
>>> we are unable to ping any host of the network 192.168.10.0
>>
>> Does Mdk router have ip_forward enabled
>> (does 'cat /proc/sys/net/ipv4/ip_forward' return 1)?
>
> Yes, _that_ was the problem. Now it works, but still routing does
> not work (please see my reply to Anthony Ewell).

Then it could have something to do with iptables rules. If you were
masquerading 192.168.10.0/24 (so it could access internet) then you would
have had to punch a forward hole through it between 192.168.10.0/24
to/from 210.212.7.0/24 to ACCEPT before any masq rule.

>> Does 210.212.7.4 have a route for 192.168.10.0/24 network using Mdk router
>> eth1 IP for gateway?
>
> Well, I did give that route and it appeared in the output shown
> by 'route -n' command (I can't exactly reproduce the line, as the
> setup is already working using the routing services of a cicso router
> and I won't be allowed to touch that setup again (until it goes wrong))
>
> Still, could you please state the exact command line to use for the
> route command for doing that. Maybe I can recall if I made any mistake
> in that. IIRC, the line I used was, most probably:
> # route add 192.168.10.0 gw 210.212.7.3
> (where 212.212.7.3 is the machine with its other ethernet interface
> being 192.168.10.1)

See 'man route'. The correct way to route to a network (assuming default
255.255.255.0 netmask for 192.168.x.x network) via a gateway:

route add -net 192.168.10.0 gw 210.212.7.3
(possibly with 'dev eth0' or whatever interface it goes out of).

--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/