Networking Forums

Need help with iptables/nat

Mark Richards
08-01-2004, 08:01 AM
I'm a seeker of iptables truth and need an expert as I cannot get a seemingly simple arrangement working properly. I'll buy the coffee for anyone who can help!

I am trying to get a simple natting router running on an embedded box. It must permit eth0 to be connected to a cable modem, and eth1 to a PC. The intent is to insert the embedded box in the ethernet chain without breaking anything. Since most clients get an IP dynamically, I've installed udhcp in the embedded box.

The setup and more details of the issue are posted here: http://www.massmicro.com/grief.html

I'm testing on my local LAN (192.168.1.0/24). The embedded box eth0 is set to a static IP 192.168.1.90. The box hosts udhcpd so that a client connected to the embedded box's eth1 gets an IP address in the range 192.168.10.100 - 192.168.10.190. The embedded eth1 is set to 192.168.10.254. The client gets its IP fine.

No matter what I do (so far) I can't get from the client through to the local lan (and then out to the net). I can ping a www url from the embedded box just fine, but from the client I get "Destination Host Unreachable".

I'm using a very simple iptables script to begin with. iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE is, I think, correct for this case. Along with setting echo 1 > /proc/sys/net/ipv4/ip_forward.

Here's a simple diagram of my setup:

Public Internet
  |
ADSL Modem [dynamic i/p]
  |
Linksys Router [192.168.1.0/24]
  |
3Com Switch --> 192.168.1.90 [static/eth0]  =Embedded server box=
                                             udhcpd
                                             iptables
       switch <-- 192.168.10.254 [static/eth1]
  |
client i/p via dhcp 192.168.10.254 [dynamic/eth2]
Also 192.168.1.80 [static/eth1] -> connected to 3com switch into local lan.

As you can see, in my test setup there's double natting going on. First on my lan's router, and then on the embedded box. Since I'm bridging between different subnets, (risking being called a stupid un-manual reading type) I assumed this was perfectly legal.

Can this setup actually work? Am I missing a fundamental here?

jack
08-01-2004, 08:46 AM
Mark Richards wrote:
> Can this setup actually work? Am I missing a fundamental here?


Well, it sure can.

I had a look at your link, and yet your routing does not become clear to me... Your clients that you want to connect to the outside world through your router should, of course, have a default route pointing at it.

You can do masquerading and natting as many times as you want, so that's not the problem.

Please clarify. (Perhaps I overlooked something important...)


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

Alex Harsch
08-01-2004, 10:58 AM
Mark Richards wrote:

> [...]
> Can this setup actually work? Am I missing a fundamental here?

Hi,

As Jack already pointed out, there is a default route missing on the clients. Besides, the 169.254.*.* range is something that started out in Windows and seems to have been adopted by some Linux distros, SuSE for example. DHCP clients that do not manage to get an IP from a DHCP server use addresses from this range to keep communication possible in case of a DHCP server crash. If one of your clients operates with an IP like this, check your DHCP server settings.

Alex

Juha Laiho
08-01-2004, 12:37 PM
"Mark Richards" <(E-Mail Removed)> said:
>I am trying to get a simple natting router running on an embedded box.
>It must permit eth0 to be connetec to a cable modem, and eth1 to a pc.


Ok.

>The intent is to insert the embedded box in the ethernet chain without
>breaking anything. Since most clients get an ip dynamically, I've
>installed udhcp in the embedded box.


Ok.

>The setup and more details of the issue are posted here:
>http://www.massmicro.com/grief.html


Ugh; would be easier to read everything from single source, but here goes.

>I'm testing on my local lan (192.168.1.0./24). The embedded box eth0 is
>set to a static IP 192.168.1.90. The box hosts udhcpd so that a client
>connected to the embedded box's eth1 gets an IP address in the range
>192.168.10.100 - 192.168.10.190. The embedded eth1 is set to
>192.168.10.254. The client gets its ip fine.


Ok.

>No matter what I do (so far) I can't get from the client through to the
>local lan (and then out to the net). I can ping a www url from the
>embedded box just fine,


Good - tells that routing from the embedded box is ok.

>but from the client I get "Destination Host Unreachable".


Couple of issues; the routing info you show about the client does not
contain a default route (default gw). Also, you have all too many
interfaces on the client -- just keep them connected to the 192.168.10
network; disconnect the 192.168.1 network to make things simple. If
possible, use "ip route" command to print out route information in
the future, all in all it's easier to read. Similarly, I've begun to
prefer interface information as shown by "ip addr" command.

The reason you could not add the default gw you attempted is that the
machine didn't have any route to get to the gw: it only knew how to
reach networks 192.168.1, 192.168.10 and 169.254, and you told it that
default gw is at 192.168.0.254 -- something it could not reach with its
current route information. You should use 192.168.10.254 here, to use
your embedded box as the default gw for the clients.

>I'm using a very simple iptables script to begin with. iptables -A
>POSTROUTING -t nat -o eth0 -j MASQUERADE is, I think, correct for this
>case. Along with setting echo 1 > /proc/sys/net/ipv4/ip_forward.


Please, provide an iptables listing in "iptables-save" output format;
this mostly to check what you have in filter/FORWARD chain (the chain
policy at least).

>Here's a simple diagram of my setup:
>
>Public Internet
>ADSL Modem
>[dynamic i/p]
>|
>Linksys Router
>[192.168.1.0/24] =Embedded server box=
>|
>3Com Switch -- > 192.168.1.90 [static/eth0]
>udhcpd
>iptables
>switch < -- 192.168.10.254 [static/eth1]
>|
>client i/p via dhcp 192.168.10.254 [dynamic/eth2]
>Also 192.168.1.80 [static/eth1] -> connected to 3com switch into local lan.


Btw, is there a reason to have a separate Linksys router in there?
Or is it that you're in progress of replacing the router with the
embedded box of your own?

>As you can see, in my test setup there's double natting going on. First
>on my lan's router, and then on the embedded box. Since I'm bridging
>between different subnets, (risking being called a stupid un-manual
>reading type) I assumed this was perfectly legal.
>
>Can this setup actually work? Am I missing a fundamental here?


It should work. I guess the problem mostly is the default gw address.

As for the 169.254 address; that's "IP autoconfiguration" address; see
IETF RFC 3330. Some notes about these addresses are also in
http://www.iana.org/faqs/abuse-faq.h...alUseAddresses .
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
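
Juha's point about the default gateway, as an added example that is not part of the thread: the kernel only accepts "ip route add default via GW" when GW falls inside a prefix the host already reaches through a directly connected ("scope link") route; otherwise it answers "Network is unreachable", which is why the 192.168.0.254 attempt failed and 192.168.10.254 is the address to use. The POSIX sh below re-creates that check over a constructed "ip route" listing modelled on the client in this thread (three interfaces, the 192.168.1.80 and 192.168.10.x addresses, and the stray 169.254.0.0/16 route). The listing, interface names and addresses are assumptions based on the posts, not captured output.

```sh
#!/bin/sh
# Added example, not from the thread: check whether a candidate default
# gateway is on a directly connected network, the condition the kernel
# enforces when you run "ip route add default via GW".

# Constructed "ip route" output modelled on the thread's client (assumption:
# three interfaces and the addresses discussed in the posts, not real output).
CLIENT_ROUTES='192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.80
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
169.254.0.0/16 dev eth2 scope link'

# Dotted quad -> unsigned integer.
ip2int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR prefix $2.
in_prefix() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the connected ("scope link") prefix that covers gateway $1 in the
# "ip route" listing $2; fail if no connected route reaches it.
gw_onlink() {
    gw=$1; routes=$2; found=
    saved_ifs=$IFS; IFS='
'
    for line in $routes; do
        IFS=$saved_ifs
        set -- $line
        case "$1" in */*) ;; *) continue ;; esac             # skip "default via ..."
        case "$line" in *"scope link"*) ;; *) continue ;; esac # only connected routes
        if in_prefix "$gw" "$1"; then
            found=$1
            break
        fi
    done
    IFS=$saved_ifs
    [ -n "$found" ] && echo "$found"
}

# Human-readable verdict for one candidate gateway.
explain_gw() {
    if prefix=$(gw_onlink "$1" "$2"); then
        echo "$1: on connected prefix $prefix, usable as default gateway"
    else
        echo "$1: no connected route covers it; kernel would answer 'Network is unreachable'"
        return 1
    fi
}

# The gateway tried in the thread, then the embedded box's eth1 address.
explain_gw 192.168.0.254 "$CLIENT_ROUTES"
explain_gw 192.168.10.254 "$CLIENT_ROUTES"
```

Run it as-is to see the two verdicts; to check a real host, replace CLIENT_ROUTES with "$(ip route)". Once the gateway is on-link, the remaining question is whether that box forwards at all, which is its ip_forward setting and FORWARD chain, not the client's routes.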
 
Mark Richards
08-01-2004, 02:49 PM
I found the problem and it had nothing to do with iptables.

In this case, the dhcp configuration (udhcp.conf) was not returning some needed information to the client.

Thanks to http://www.linuxquestions.org for getting me back on track.

For those interested, my server eth1 ip is set statically to 192.168.10.254
The udhcpd daemon is configured as:

start 192.168.10.100
end 192.168.10.225
interface eth1
lease_file /var/lib/misc/udhcpd.leases
pidfile /var/run/udhcpd.pid

opt broadcast 192.168.10.255
option dns xxx.xxx.xxx.xxx   # note: I put my ISP's primary DHCP server address here (udhcpd comments start with '#')
option wins 192.168.10.1
option subnet 255.255.255.0
option router 192.168.10.254
option lease 864000 # 10 days of seconds
 
Mark Richards
08-01-2004, 02:51 PM
Here's the iptables-save.

You were right on. The routing was not complete. Once I properly configured the udhcpd daemon on the server, it works perfectly.

I posted more information in a separate file.

Thanks for your kind input.

-m-


# Generated by iptables-save v1.2.7a on Sun Aug 1 10:49:59 2004
*nat
:PREROUTING ACCEPT [49:6665]
:POSTROUTING ACCEPT [17:1023]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Aug 1 10:49:59 2004
# Generated by iptables-save v1.2.7a on Sun Aug 1 10:49:59 2004
*mangle
:PREROUTING ACCEPT [758:232670]
:INPUT ACCEPT [724:230457]
:FORWARD ACCEPT [34:2213]
:OUTPUT ACCEPT [129:17826]
:POSTROUTING ACCEPT [163:20039]
COMMIT
# Completed on Sun Aug 1 10:49:59 2004
# Generated by iptables-save v1.2.7a on Sun Aug 1 10:49:59 2004
*filter
:INPUT ACCEPT [724:230457]
:FORWARD ACCEPT [34:2213]
:OUTPUT ACCEPT [129:17826]
COMMIT
# Completed on Sun Aug 1 10:49:59 2004
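
The listing above has an empty nat table (no POSTROUTING MASQUERADE rule) and a FORWARD policy of ACCEPT, so it does not show the MASQUERADE rule from the first post, and it answers Juha's question about the filter/FORWARD policy in the least restrictive way: with ip_forward on and no rules, an ACCEPT policy forwards whatever arrives on either interface. Below is an added example, not code from the thread, of the complete router configuration: the ip_forward setting and MASQUERADE rule from the first post, plus a FORWARD chain that drops by default and only lets new connections out from the client prefix. Interface names (eth0 upstream, eth1 clients) and the 192.168.10.0/24 prefix are taken from the posts; everything else is assumed.

```sh
#!/bin/sh
# Added example, not code from the thread: complete NAT-router configuration
# for the embedded box (eth0 toward the modem/uplink, eth1 toward the clients,
# clients in 192.168.10.0/24, box at 192.168.10.254). Interface names and the
# prefix are taken from the posts; the rest is an assumption.

WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24

# Emit an iptables-restore file on stdout.
#   $1 = WAN interface, $2 = LAN interface, $3 = client prefix (CIDR)
nat_ruleset() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade only what really came from the client prefix; a bare
# "-o $wan -j MASQUERADE" would also rewrite anything else routed out $wan.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT stays ACCEPT here; the box's own listeners (udhcpd on $lan) are a
# separate job. FORWARD is where a NAT router's exposure lives.
# Return traffic for connections the clients opened.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections: only from the client side, with a client-prefix source,
# only toward the WAN.
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# Everything else (unsolicited inbound from the WAN, spoofed LAN sources)
# is logged at a low rate and then dropped by the chain policy.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Load the ruleset and turn forwarding on (root only; never run by default).
apply_nat_router() {
    # Forwarding stays off until the DROP policy is in place, so the box
    # never forwards with an empty FORWARD chain.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    nat_ruleset "$1" "$2" "$3" | iptables-restore
    # Reverse-path filter: drop packets whose source is not routable back
    # out the interface they arrived on (cheap anti-spoofing on both sides).
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Self-check in the iptables-save format Juha asked for: the MASQUERADE rule
# and the DROP policy must both be present (compare with the listing above).
verify_nat_router() {
    saved=$(iptables-save)
    echo "$saved" | grep -q -- "-A POSTROUTING -s $3 -o $1 -j MASQUERADE" &&
    echo "$saved" | grep -q '^:FORWARD DROP'
}

case "${1:-show}" in
    show)  nat_ruleset "$WAN" "$LAN" "$LAN_NET" ;;
    apply) apply_nat_router "$WAN" "$LAN" "$LAN_NET" &&
           verify_nat_router "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

Run with no argument to print the ruleset; "apply" (as root) loads it with iptables-restore and checks the result with iptables-save. The -s match on the MASQUERADE rule matters when, as here, eth0 also sits on a LAN: without it, anything the box happens to forward out eth0 gets rewritten to 192.168.1.90, not just the clients' traffic.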
 
Mark Richards
08-01-2004, 02:53 PM
Jack, you hit it on the head. The routing was screwed up. Once I properly configured the udhcpd daemon on the server, it works perfectly.

I posted more information in a separate file.

Thanks for your kind input and for all the others, too.

-m-
 
Mark Richards
08-01-2004, 02:56 PM
Alex,

I don't know where that 169.254 address is coming from. If I remember correctly, this is within the private address range that may be used within a class C network.

It only shows up on my Linux client box and I have done a lot of fiddling with the client trying to get things working, so it's possible something else is plugging this into the routing table. The Windows client that I connect to my server does not show the 169. address in its routing table, so I think it's entirely in the Linux box.

Thanks for your kind input,

-m-


 