I'm trying to configure Slackware to route between 2 private networks,
10.1.1.0 and 10.1.2.0, but can't seem to get it working.

Here's what I've done so far:

- installed Slackware 10.2 using the default bare 2.4.31 Kernel.

- setup and configured two network cards.

    # ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:C0:4F:4C:EC:B8
              inet addr:10.1.1.10  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2574 errors:0 dropped:0 overruns:0 frame:0
              TX packets:979 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:216388 (211.3 Kb)  TX bytes:192396 (187.8 Kb)
              Interrupt:11 Base address:0xcc00

    eth1      Link encap:Ethernet  HWaddr 00:01:02:5E:F0:C2
              inet addr:10.1.2.1  Bcast:10.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1606 errors:0 dropped:0 overruns:1 frame:0
              TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:122676 (119.8 Kb)  TX bytes:2518 (2.4 Kb)
              Interrupt:9 Base address:0xdc80

    # chmod 755 /etc/rc.d/rc.ip_forward

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.1.1.1        0.0.0.0         UG    1      0        0 eth0

I can ping both private networks and the internet from that machine
(router). However, a machine on the 10.1.2.x network can not reach
(ping) the 10.1.1.x network other than 10.1.1.10 (the router).

What am I missing?
stm wrote:
> I'm trying to configure Slackware to route between 2 private networks
> 10.1.1.0 and 10.1.2.0, but can't seem to get it working.
>
> Here's what I've done so far:
>
> - installed Slackware 10.2 using the default bare 2.4.31 Kernel.
>
> - setup and configured two network cards.
>
> #ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:C0:4F:4C:EC:B8
>           inet addr:10.1.1.10  Bcast:10.1.1.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2574 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:979 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:216388 (211.3 Kb)  TX bytes:192396 (187.8 Kb)
>           Interrupt:11 Base address:0xcc00
>
> eth1      Link encap:Ethernet  HWaddr 00:01:02:5E:F0:C2
>           inet addr:10.1.2.1  Bcast:10.1.2.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1606 errors:0 dropped:0 overruns:1 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:122676 (119.8 Kb)  TX bytes:2518 (2.4 Kb)
>           Interrupt:9 Base address:0xdc80
>
> #chmod 755 /etc/rc.d/rc.ip_forward
>
> #route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         10.1.1.1        0.0.0.0         UG    1      0        0 eth0
>
> I can ping both private networks and the internet from that machine
> (router). However, a machine on the 10.1.2.x network can not reach
> (ping) the 10.1.1.x network other than 10.1.1.10 (the router).
>
> What am I missing?

I have a few iptables rules for that. Try:

-------------
iptables -A FORWARD -s 10.1.2.0 -p tcp -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-------------

... on the command line as root. If this works, you can put it in rc.local.

cashmir
I checked on the ip_forward. It is on:

    # cat /proc/sys/net/ipv4/ip_forward
    1

Regarding iptables, I assumed (perhaps wrongly) that I could get away
with straight packet forwarding w/o any NAT'ing or Masquerading between
two private networks. ??
On 5 Jan 2006 15:01:48 -0800, "stm" <stefanm@gmail.com> wrote:

>I checked on the ip_forward. It is on:
># cat /proc/sys/net/ipv4/ip_forward
>1
>
>Regarding iptables, I assumed (perhaps wrongly) that I could get away
>with straight packet forwarding w/o any NAT'ing or Masquerading between
>two private networks. ??

I put rules in to forward over localnet:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source          destination
 912K  639M ACCEPT  all  --  *    *    0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT  all  --  eth0 eth1 192.168.1.0/24  192.168.2.0/24
    0     0 ACCEPT  all  --  eth1 eth0 192.168.2.0/24  192.168.1.0/24

Grant.
Grant wrote:
> I put rules in to forward over localnet:
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target  prot opt in   out  source          destination
>  912K  639M ACCEPT  all  --  *    *    0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
>     0     0 ACCEPT  all  --  eth0 eth1 192.168.1.0/24  192.168.2.0/24
>     0     0 ACCEPT  all  --  eth1 eth0 192.168.2.0/24  192.168.1.0/24
      ^     ^

Don't these zeros mean that these rules haven't seen any traffic whatsoever?

--
Joost Kremers                                   joostkremers@yahoo.com
Selbst in die Unterwelt dringt durch Spalten Licht
EN:SiS(9)
On 6 Jan 2006 09:09:49 GMT, Joost Kremers <joostkremers@yahoo.com> wrote:

>Grant wrote:
>> I put rules in to forward over localnet:
>>
>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in   out  source          destination
>>  912K  639M ACCEPT  all  --  *    *    0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
>>     0     0 ACCEPT  all  --  eth0 eth1 192.168.1.0/24  192.168.2.0/24
>>     0     0 ACCEPT  all  --  eth1 eth0 192.168.2.0/24  192.168.1.0/24
>      ^     ^
>
>Don't these zeros mean that these rules haven't seen any traffic whatsoever?

Yep, second localnet link is spare now 'cos I bought another switch. It
used to be a 10base2 coax, but was too unreliable (and slow) -- got sick
of checking each T-piece in the place.

Planning to play with DMZ one day 'real soon now'.

http://bugsplatter.mine.nu/bash/firewall/ for topology diagram, posted
here recently.

Grant.
stm wrote:
> I can ping both private networks and the internet from that machine
> (router). However, a machine on the 10.1.2.x network can not reach
> (ping) the 10.1.1.x network other than 10.1.1.10 (the router).
>
> What am I missing?

That client on the 10.1.2.x network, what does that have as the default
gateway? If it has your internet router as the default gateway, it would
make sense, because only your dual-NIC machine knows that there is
another network hidden behind it.

If the 10.1.2.1 address is its default gateway, then the client should
normally be able to contact a client on the other segment (10.1.1.x)
without any problems.

So, I'd say, either you activate routed (in /etc/rc.d/rc.inet2) so that
your machine starts advertising the other network segment, or you
configure your internet router with an additional static route for the
"hidden" network segment.

If the internet router is not able to be configured with a static route,
or will not forward packets destined for the hidden segment to your
dual-NIC machine, then the only option left IMO is to use iptables on
the dual-NIC machine and set up NAT.

Eric

--
Eric Hameleers
Email: alien at slackware.com
Gpg fingerprint: F2CE 1B92 EE1F 2C0C E97E 581E 5E56 AAAF A75C BDA0
That was it. I totally forgot to put in the static (return) route for
the 10.1.2.x network into my Inet gateway router. So no packet ever
made it back. I knew that I should not need NAT. Thanks Eric.

Now off to installing nistnet to simulate real WAN conditions...
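Eric's diagnosis and stm's confirmation, traced in code. This is an added example, not code from the thread: it models the two /24s from the first post, the dual-NIC Slackware box with ip_forward=1 and a pair of FORWARD rules in the shape Grant posted (rewritten for 10.1.x.0/24), the internet gateway 10.1.1.1, and an upstream beyond it, then walks an ICMP echo request and its reply hop by hop. The host names, the addresses 10.1.1.20, 10.1.2.20 and 203.0.113.x, and the upstream's behaviour (no route for RFC 1918 space) are assumptions made for the example; the FORWARD model is stateless, so Grant's RELATED,ESTABLISHED rule is not represented.

```python
"""Simulate the thread's topology: two private /24s joined by a Slackware box with
ip_forward=1, the internet gateway 10.1.1.1, and a ping from 10.1.2.x to 10.1.1.x.
Host names, 10.1.1.20, 10.1.2.20, 203.0.113.x and the ISP behaviour are assumed."""
from ipaddress import ip_address, ip_network


class Host:
    def __init__(self, name, ifaces, routes, forward=False, fwd_rules=None):
        # ifaces: {ifname: (address, link)}; routes: [(prefix, gateway or None, ifname)]
        self.name = name
        self.ifaces = {i: (ip_address(a), link) for i, (a, link) in ifaces.items()}
        self.routes = [(ip_network(p), ip_address(g) if g else None, i) for p, g, i in routes]
        self.forward = forward            # /proc/sys/net/ipv4/ip_forward
        self.fwd_rules = fwd_rules or []  # FORWARD chain, policy DROP: (in, out, src, dst, proto)

    def addrs(self):
        return {a for a, _ in self.ifaces.values()}

    def lookup(self, dst):
        """Longest-prefix match over the routing table (what `route -n` shows)."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def forward_allowed(self, in_if, out_if, src, dst, proto):
        """Stateless model of iptables FORWARD: first matching ACCEPT wins, else DROP."""
        for r_in, r_out, r_src, r_dst, r_proto in self.fwd_rules:
            if (r_in in (None, in_if) and r_out in (None, out_if)
                    and src in ip_network(r_src) and dst in ip_network(r_dst)
                    and r_proto in (None, proto)):
                return True
        return False


def neighbour(hosts, link, addr):
    """Find the host and interface holding `addr` on layer-2 segment `link` (ARP)."""
    for h in hosts.values():
        for ifname, (a, seg) in h.ifaces.items():
            if seg == link and a == addr:
                return h, ifname
    return None, None


def send(hosts, src, dst, proto="icmp", ttl=16):
    """Walk one packet hop by hop; return (outcome, names of the hosts it visited)."""
    src, dst = ip_address(src), ip_address(dst)
    host = next(h for h in hosts.values() if src in h.addrs())
    in_if, path = None, []
    for _ in range(ttl):
        path.append(host.name)
        if dst in host.addrs():
            return "delivered", path
        if in_if is not None and not host.forward:
            return "dropped: ip_forward=0", path
        route = host.lookup(dst)
        if route is None:
            return "no route to host", path
        _, gw, out_if = route
        if in_if is not None and not host.forward_allowed(in_if, out_if, src, dst, proto):
            return "dropped: FORWARD policy", path
        host, in_if = neighbour(hosts, host.ifaces[out_if][1], gw or dst)
        if host is None:
            return "lost: next hop not on link", path
    return "ttl exceeded", path


def ping(hosts, src, dst, proto="icmp"):
    """A ping succeeds only if the echo request AND the echo reply are delivered."""
    req = send(hosts, src, dst, proto)
    if req[0] != "delivered":
        return "request " + req[0], req[1]
    rep = send(hosts, dst, src, proto)
    if rep[0] != "delivered":
        return "reply " + rep[0], rep[1]
    return "ok", req[1] + rep[1]


# Grant's two-way FORWARD rules, rewritten for the thread's 10.1.x.0/24 networks.
ROUTER_FWD = [("eth0", "eth1", "10.1.1.0/24", "10.1.2.0/24", None),
              ("eth1", "eth0", "10.1.2.0/24", "10.1.1.0/24", None)]
ACCEPT_ALL = [(None, None, "0.0.0.0/0", "0.0.0.0/0", None)]


def build(return_route=False, ip_forward=True, fwd_rules=ROUTER_FWD):
    """Topology from the posts; return_route=True adds the static route Eric describes."""
    gw_routes = [("10.1.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]
    if return_route:
        gw_routes.append(("10.1.2.0/24", "10.1.1.10", "lan"))
    hosts = [
        Host("client", {"eth0": ("10.1.2.20", "lan2")},
             [("10.1.2.0/24", None, "eth0"), ("0.0.0.0/0", "10.1.2.1", "eth0")]),
        Host("slackware", {"eth0": ("10.1.1.10", "lan1"), "eth1": ("10.1.2.1", "lan2")},
             [("10.1.1.0/24", None, "eth0"), ("10.1.2.0/24", None, "eth1"),
              ("0.0.0.0/0", "10.1.1.1", "eth0")], ip_forward, fwd_rules),
        Host("server", {"eth0": ("10.1.1.20", "lan1")},
             [("10.1.1.0/24", None, "eth0"), ("0.0.0.0/0", "10.1.1.1", "eth0")]),
        Host("inet-gw", {"lan": ("10.1.1.1", "lan1"), "wan": ("203.0.113.2", "uplink")},
             gw_routes, True, ACCEPT_ALL),
        # Assumed ISP behaviour: no route for RFC 1918 space, so a stray reply dies here.
        Host("isp", {"wan": ("203.0.113.1", "uplink")}, [], True, ACCEPT_ALL),
    ]
    return {h.name: h for h in hosts}
```

`ping(build(), "10.1.2.20", "10.1.1.20")` shows the request arriving fine and the reply leaving 10.1.1.20 via its default gateway 10.1.1.1, which has no route for 10.1.2.0/24 and hands it upstream, where it dies; `ping(build(return_route=True), ...)` sends the same reply back through 10.1.1.10 and succeeds. Pinging the router's own address, `ping(build(), "10.1.2.20", "10.1.1.10")`, works either way because the router answers from its 10.1.2.1 side without any routing beyond its own table, which is exactly the symptom in the first post. The same model reproduces the two other failure modes the thread touches: `build(ip_forward=False)` drops the request on the router, and a FORWARD rule restricted to `-p tcp` does not pass ICMP.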
stm wrote:
> That was it. I totally forgot to put in the static (return) route for
> the 10.1.2.x network into my Inet gateway router. So no packet ever
> made it back. I knew, that I should not need NAT. Thanks Eric
>
> Now off to installing nistnet to simulate real WAN conditions...

Enjoy NISTNET