Seriously confused about linux routing

 
 
melement@gmail.com
      07-28-2007, 12:50 AM
Ok, so, what I'm trying to do is to route between two 10.0.0.0/16
subnets.

There are two computers, connected via VPN, that are involved with the
routing.

Server 1: IP Address 10.10.0.1 and 192.168.1.1
Server 2: IP Address 10.15.0.2 and 192.168.1.2

The VPN is connecting the computers via the 192. addresses. I'm
trying to route traffic originating at 10.10.0.0/16 and direct it to
the 10.15.0.0/16 subnet and vice versa, also, beyond that, I'm trying
to route all internet-bound traffic on 10.10.0.0/16 out through the
10.15.0.0/16 network.

I have enabled ip_forward on both servers (echo 1 > /proc/sys/net/ipv4/ip_forward
and edited /etc/sysctl.conf for future reboots, etc.)


So far, for the routing tables, on Server 1:

192.168.1.0  0.0.0.0      255.255.255.0  U   0  0  0  eth1
10.10.0.0    0.0.0.0      255.255.0.0    U   0  0  0  eth0
10.15.0.0    192.168.1.2  255.255.0.0    UG  0  0  0  eth1
0.0.0.0      192.168.1.2  0.0.0.0        UG  0  0  0  eth0

On Server 2:

192.168.1.0  0.0.0.0      255.255.255.0  U   0  0  0  eth1
10.15.0.0    0.0.0.0      255.255.0.0    U   0  0  0  eth0
10.10.0.0    192.168.1.1  255.255.0.0    UG  0  0  0  eth1
0.0.0.0      10.15.0.1    0.0.0.0        UG  0  0  0  eth0

It appears that these two servers can communicate, and even access
computers on the other subnets, however, I'm having problems with the
internet connection from 10.10.0.0/16 routing out through the
10.15.0.0/16 (10.15.0.1 gateway specifically).

How can I get this to work?

Thanks

 
Floyd L. Davidson
 
      07-28-2007, 05:51 AM
On Server 1, the default route is now,

0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 eth0

So all Internet traffic is going to be sent to host
192.168.1.2, but it will be sent on the eth0
interface... and there is no such IP address on that
subnet. The 192.168.1.2 host is connected via the eth1
interface.

Just change the default route, which should be

0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 eth1

--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
melement@gmail.com
 
      07-30-2007, 08:39 PM
Thanks Floyd, that worked perfectly.

Now I'm trying to configure iptables to allow me to use these machines
as routers.

Using the same machine setup as I had above (eth0:10.0.0.0 addresses
eth1: 192.168.0.0 addresses) I'm trying to configure NAT properly on
the machines.

This is what I have tried, and I know I'm getting close, but I'm just
not quite there with the iptables rules.

On the 10.15.0.2 machine:

iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.2 --to 10.15.0.2

On the 10.10.0.1 machine:

iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1 --to 10.10.0.1

Some general "funkiness" goes on, that I haven't quite been able
to solve. While I'm on the 10.15.0.2 machine, I will try to ping
192.168.1.1 but I was unable to.

What am I doing wrong with my iptables rules now?

Thanks

 
 
melement@gmail.com
 
      07-30-2007, 08:57 PM
So, looking at a tcpdump, while on the 10.15.0.2 machine, with the
iptables rules active, I can see the packets leaving a machine,
10.15.0.10 (set to route all packets through 10.15.0.2). I see the
packets heading towards their destination of 10.10.0.12, but I don't
see any packets being returned.

 
 
Scott Hemphill
 
      07-31-2007, 01:59 AM
(E-Mail Removed) writes:

> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.2 --to 10.15.0.2
>
> On the 10.10.0.1 machine:
>
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1 --to 10.10.0.1
>
> Some general "funkiness" goes on, that I haven't quite been able
> to solve. While I'm on the 10.15.0.2 machine, I will try to ping
> 192.168.1.1 but I was unable to.
>
> What am I doing wrong with my iptables rules now?


The lines with "-P OUTPUT ACCEPT" shouldn't have "-t nat" in them.

Scott
--
Scott Hemphill (E-Mail Removed)
"This isn't flying. This is falling, with style." -- Buzz Lightyear
 