home lan - how can 3 subnets communicate?

i use debian sarge, kernel 2.6.7
last january i set up my home lan looking as follows:
class C all ip addresses are 192.168.x.x
GW=gateway/router DT=desktop

|---------|
|DSL MODEM|
|---------|
|
|
ppp0
|---------| |------|
| GW |0.1 --- 0.2| DT1 |
|---------| |------|
1.1
|
|
1.3
|--------|
| DT2 |
|--------|

by no means i am a network guru, therefore i set up my lan mainly googling
and with some help from friends and this newsgroup, everything works fine
though i think i could have done all without the need of two subnet (0.0 and
1.0)
for future searchers: DT1 and DT2 go to internet via the following
iptables rule
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

recently i became fed with unplugging DT2 and plugging my notebook anytime
i needed to update the software of the latter, therefore i added a eth card
to DT2 and started trying to connect the NB to internet, i ended up with the
easiest among solutions..... i made a new subnet 192.168.2.0
graphically it looks as follows:

|
|
1.3
|--------| |-------|
| DT2 |2.1----2.15| NB |
|--------| |-------|

adding to iptables in DT2 a similar rule to the one above, NB now can go to
internet.... but (there is always a but, isn't it?) i cannot do ssh nor ping
from the GW to the NB, almost certainly i need a further iptables rule but my
very low knowledge of networking doesn't help.

Any suggestions would be appreciated.

aldo

(E-Mail Removed) (aldo maggi) writes:

> recently i became fed with unplugging DT2 and plugging my notebook anytime
> i needed to update the software of the latter, therefore i added a eth card
> to DT2 and started trying to connect the NB to internet, i ended up with the
> easiest among solutions..... i made a new subnet 192.168.2.0
> graphically it looks as follows:
>
> |
> |
> 1.3
> |--------| |-------|
> | DT2 |2.1----2.15| NB |
> |--------| |-------|
>
> adding to iptables in DT2 a similar rule to the one above, NB now can go to
> internet.... but (there is always a but, isn't it?) i cannot do ssh nor ping
> from the GW to the NB, almost certainly i need a further iptables rule but my
> very low knowledge of networking doesn't help.
>
> Any suggestions would be appreciated.

You may have already done this, but on the DT2 system, check that you have IP
forwarding enabled. If you cat /proc/sys/net/ipv4/ip_forward, it should return
1. If not try:

# echo 1 > /proc/sys/net/ipv4/ip_forward

and see if N8 can now ping on the .1 network. Note, your hosts on the .1
network will need to know how to route to the .2 network, and your hosts on the
inner network (.2) will need to route through DT2 unless you use IP
masquerading on DT2 to hide all of the hosts on its subnet. Be sure to enable
logging of failed packets and check each of the syslogs.

--
Michael Meissner
email: (E-Mail Removed)
http://www.the-meissners.org

(E-Mail Removed) (aldo maggi) wrote in message news:<(E-Mail Removed). com>...
> i use debian sarge, kernel 2.6.7
> last january i set up my home lan looking as follows:
> class C all ip addresses are 192.168.x.x
> GW=gateway/router DT=desktop
>
> |---------|
> |DSL MODEM|
> |---------|
> |
> |
> ppp0
> |---------| |------|
> | GW |0.1 --- 0.2| DT1 |
> |---------| |------|
> 1.1
> |
> |
> 1.3
> |--------|
> | DT2 |
> |--------|
>
> by no means i am a network guru, therefore i set up my lan mainly googling
> and with some help from friends and this newsgroup, everything works fine
> though i think i could have done all without the need of two subnet (0.0 and
> 1.0)

This is more flexible and secure (IMO) than using GW as a switch --
your only other alternative. The 0.0 net can be easily turned into a
dmz ;-)

> for future searchers: DT1 and DT2 go to internet via the following
> iptables rule
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> recently i became fed with unplugging DT2 and plugging my notebook anytime
> i needed to update the software of the latter, therefore i added a eth card
> to DT2 and started trying to connect the NB to internet, i ended up with the
> easiest among solutions..... i made a new subnet 192.168.2.0
> graphically it looks as follows:
>
> |
> |
> 1.3
> |--------| |-------|
> | DT2 |2.1----2.15| NB |
> |--------| |-------|
>
> adding to iptables in DT2 a similar rule to the one above, NB now can go to
> internet.... but (there is always a but, isn't it?) i cannot do ssh nor ping
> from the GW to the NB, almost certainly i need a further iptables rule but my
> very low knowledge of networking doesn't help.
>
> Any suggestions would be appreciated.
>
> aldo

This is not an iptables thingy -- it's a routing thingy. Your GW box
doesn't know how to reach the 2.0 network -- ie., it's routing table
needs an entry telling it which interface to use to reach the 2.0
subnet.

On GW
[root]# route add -net 192.168.2.0 netmask 255.255.255.0 gw dev ethx
(ethx=whichever one is connected to DT2) -- ie., to reach the
192.168.2.0 net send packets out ethx

On DT2
[root]# route add -net 192.168.2.0 netmask 255.255.255.0 dev ethx
(ethx=whichever one is connected to NB) -- ie., to send packets
addressed to the 192.168.2.0 net use ethx

I'm guessing here a bit as to your current routing table entries and
your _exact_ iptables rules, but think this is what you need.
Assuming you can already ping to/from GW-DT1-DT2.

The question is, do you really want/need this? NATing is providing
access to the outside world that originates from NB and access from/to
DT2 is easy enough, but do you really _expect_ the GW machine to
originate packets (like ping or ssh sessions) heading for NB? How
about DT1? Your current lack of connectivity provides a layer
(perhaps small) of security. Just a thought.

If above and "$ man route" and
http://www.tldp.org/HOWTO/Net-HOWTO/x552.html are not enough to get
you going, then post your routing tables from all the machines you
want to "connect":
$ /sbin/route -n
or this one
$ netstat -rn

Probably handy to have output from
$ ifconfig -a
from each machine also to save a question/answer round.

You can X.X.56.34 any public IPs that might show up.

hth,
prg
email above disabled

(E-Mail Removed) (aldo maggi) wrote in message news:<(E-Mail Removed). com>...
> i use debian sarge, kernel 2.6.7
> last january i set up my home lan looking as follows:
> class C all ip addresses are 192.168.x.x
> GW=gateway/router DT=desktop
>
> |---------|
> |DSL MODEM|
> |---------|
> |
> |
> ppp0
> |---------| |------|
> | GW |0.1 --- 0.2| DT1 |
> |---------| |------|
> 1.1
> |
> |
> 1.3
> |--------|
> | DT2 |
> |--------|
>
> by no means i am a network guru, therefore i set up my lan mainly googling
> and with some help from friends and this newsgroup, everything works fine
> though i think i could have done all without the need of two subnet (0.0 and
> 1.0)
> for future searchers: DT1 and DT2 go to internet via the following
> iptables rule
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Sorry, but I forgot to add this before sending ... what a dufus I are
;-0
NB should be using this also ...
NB should route "normally" through DT2 -- no NATing. The only time
you want it NATed is when it is sending packets onto the public
internet byways, not before then. DT2 will forward NB packets to GW
without mangling them. GW will NAT for NB just like DT1 and DT2.

> recently i became fed with unplugging DT2 and plugging my notebook anytime
> i needed to update the software of the latter, therefore i added a eth card
> to DT2 and started trying to connect the NB to internet, i ended up with the
> easiest among solutions..... i made a new subnet 192.168.2.0
> graphically it looks as follows:
>
> |
> |
> 1.3
> |--------| |-------|
> | DT2 |2.1----2.15| NB |
> |--------| |-------|
>
> adding to iptables in DT2 a similar rule to the one above, NB now can go to
> internet.... but (there is always a but, isn't it?) i cannot do ssh nor ping
> from the GW to the NB, almost certainly i need a further iptables rule but my
> very low knowledge of networking doesn't help.
>
> Any suggestions would be appreciated.
>
> aldo

It's past my bedtime, hope nothing else messed up in my synapses.
prg

aldo maggi wrote:
> i use debian sarge, kernel 2.6.7
> last january i set up my home lan looking as follows:
> class C all ip addresses are 192.168.x.x
> GW=gateway/router DT=desktop
>
> |---------|
> |DSL MODEM|
> |---------|
> |
> |
> ppp0
> |---------| |------|
> | GW |0.1 --- 0.2| DT1 |
> |---------| |------|
> 1.1
> |
> |
> 1.3
> |--------|
> | DT2 |
> |--------|
>
> by no means i am a network guru, therefore i set up my lan mainly googling
> and with some help from friends and this newsgroup, everything works fine
> though i think i could have done all without the need of two subnet (0.0 and
> 1.0)
> for future searchers: DT1 and DT2 go to internet via the following
> iptables rule
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> recently i became fed with unplugging DT2 and plugging my notebook anytime
> i needed to update the software of the latter, therefore i added a eth card
> to DT2 and started trying to connect the NB to internet, i ended up with the
> easiest among solutions..... i made a new subnet 192.168.2.0
> graphically it looks as follows:
>
> |
> |
> 1.3
> |--------| |-------|
> | DT2 |2.1----2.15| NB |
> |--------| |-------|
>
> adding to iptables in DT2 a similar rule to the one above, NB now can go to
> internet.... but (there is always a but, isn't it?) i cannot do ssh nor ping
> from the GW to the NB, almost certainly i need a further iptables rule but my
> very low knowledge of networking doesn't help.
>

If your gateway has decent iptables rules and you trust
your local network, the other hosts do not need iptables
filtering.

The parts you may be missing:

1. Allow forwarding in DT2
2. Tell GW the route to NB via DT2

Check that the default routes are set correctly:

- GW to ISP via ppp0
- DT1 to GW
- DT2 to GW
- NB to DT2

HTH

Tauno Voipio
tauno voipio (at) iki fi

IP addresses are class C: 192.168.x.x (in the graphic only x.x is
showed)

|---------|
|DSL MODEM|
|---------|
|
|
ppp0
|---------| |------|
| GW |0.1 --- 0.2| DT1 |
|---------| |------|
1.1
|
|
1.3
|--------|
| DT2 |
|--------|
2.1
|
|
2.15
|-------|
| NB |
|-------|

After a couple of weeks harvesting hazel nuts, i have started again
messing around using your suggestions as my guide.
First of all i want to apologize, had i read better the man i would have
easyly found how to had a net :-(
anyway, i added nets both in GW and in NB (pls see below), removed the
NAT rule in DT2
..... and tried everything my poor knowledge allowed, but i cannot
communicate (for instance pinging) from NB to GW and viceversa.
please find herebelow the details i deem useful to understand the
situation, personally i believe i need the right forwarding iptables
rule in DT2, in fact i can ping both from GW and NB the two cards in
DT2 (pls note that the default policy for the three main chains is
ACCEPT):

GW (gatway)

/etc/network/interfaces
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0

auto eth2
iface eth2 inet static
address 192.168.1.1
netmask 255.255.255.0
up route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
down route del -net 192.168.2.0 netmask 255.255.255.0

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.100.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 ppp0

DT2 (pc desktop)

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

auto eth1
iface eth1 inet static
address 192.168.1.3
network 192.168.1.0
netmask 255.255.255.0
gateway 192.168.1.1

auto eth0
iface eth0 inet static
address 192.168.2.1
network 192.168.2.0
netmask 255.255.255.0

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

paperino:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

i tried several forwarding rules with no success, just as an example:
iptables -A INPUT -j ACCEPT (and then added -s 192.168.2.15 -d 192.168.1.1 ,
etc.)

NB (notebook)

/etc/network/interfaces
# We always want the loopback interface.
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.15
network 192.168.2.0
netmask 255.255.255.0
gateway 192.168.2.1
up route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
down route del -net 192.168.1.0 netmask 255.255.255.0

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

thanks in advance

aldo

(E-Mail Removed) (aldo maggi) wrote in message news:<(E-Mail Removed). com>...
> IP addresses are class C: 192.168.x.x (in the graphic only x.x is
> showed)
>
> |---------|
> |DSL MODEM|
> |---------|
> |
> |
> ppp0
> |---------| |------|
> | GW |0.1 --- 0.2| DT1 |
> |---------| |------|
> 1.1
> |
> |
> 1.3
> |--------|
> | DT2 |
> |--------|
> 2.1
> |
> |
> 2.15
> |-------|
> | NB |
> |-------|
>
> /etc/network/interfaces
>

[...]

> auto eth2
> iface eth2 inet static
> address 192.168.1.1
> netmask 255.255.255.0
> up route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2

i replaced the line above with:
up route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.3

which made the trick :-)

no needs of forward rules in DT2 since debian iptables default policy for
the three main chains is: accept

many thanks to the friends who have helped me :-)

aldo