simple ip forwarding


Post by Dave Bro » Tue, 09 Apr 2002 03:08:23



Here's my puzzle.

I'm trying to get a RH7.2 box to be a gateway between two networks.

Details on each machine:
dilbert  eth0 -> 10.0.0.2
  route shows
Dest            Gateway         ...     Iface
192.168.0.0     10.0.0.1        ...     eth0
10.0.0.0        *               ...     eth0
127.0.0.0       0.0.0.0         ...     lo
0.0.0.0         0.0.0.0         ...     eth0
 (I added static route to 192.168.0.0).

calvin eth0 ->  192.168.0.4
       eth1 ->  10.0.0.1
  route shows
Dest            Gateway         ...     Iface
192.168.0.0     0.0.0.0         ...     eth0
10.0.0.0        0.0.0.0         ...     eth1
127.0.0.0       0.0.0.0         ...     lo
0.0.0.0         192.168.0.1     ...     eth0

On calvin,
   echo '1' > /proc/sys/net/ipv4/ip_forward

I can ping between 10.0.0.2 and 10.0.0.1 (dilbert and calvin-eth1);
I can ping between 192.168.0.4 and 192.168.0.1 (calvin and firewall);
I can ping between 10.0.0.2 and 192.168.0.4 (dilbert and calvin-eth0);

But if I ping from 10.0.0.2 to 192.168.0.1, packets go into the black
hole.

If I try to add a static route to 192.168.0.1,
   route add -host 192.168.0.1 gw 10.0.0.1
ping packets still go into the black hole.

What am I missing?

--
Dave Brown  Austin, TX

 
 
 


Post by William Par » Tue, 09 Apr 2002 07:49:30



> dilbert  eth0 -> 10.0.0.2
> Dest            Gateway         ...     Iface
> 192.168.0.0     10.0.0.1        ...     eth0
> 10.0.0.0        *               ...     eth0
> 127.0.0.0       0.0.0.0         ...     lo
> 0.0.0.0         0.0.0.0         ...     eth0
> (I added static route to 192.168.0.0).
> calvin eth0 ->  192.168.0.4
>       eth1 ->  10.0.0.1
> Dest            Gateway         ...     Iface
> 192.168.0.0     0.0.0.0         ...     eth0
> 10.0.0.0        0.0.0.0         ...     eth1
> 127.0.0.0       0.0.0.0         ...     lo
> 0.0.0.0         192.168.0.1     ...     eth0

<dilbert> should resemble <calvin>, except for gateway.  So, for
<dilbert>,
    10.0.0.0    *           ...     eth0
    127.0.0.0   *           ...     lo
    default     10.0.0.1    ...     eth0        (10.0.0.1 = calvin)
and for <calvin>,
    10.0.0.0    *           ...     eth1
    127.0.0.0   *           ...     lo
    192.168.0.0 *           ...     eth0
    default     192.168.0.1 ...     eth0        (192.168.0.1 = firewall)

--

8 CPU cluster, NAS, (Slackware) Linux, Python, LaTeX, Vim, Mutt, Tin

 
 
 


Post by Michael McDanie » Tue, 09 Apr 2002 13:58:59



> Here's my puzzle.

> I'm trying to get a RH7.2 box to be a gateway between two networks.

> Details on each machine:
> dilbert  eth0 -> 10.0.0.2
>   route shows
> Dest          Gateway         ...     Iface
> 192.168.0.0   10.0.0.1        ...     eth0
> 10.0.0.0      *               ...     eth0
> 127.0.0.0     0.0.0.0         ...     lo
> 0.0.0.0               0.0.0.0         ...     eth0
>  (I added static route to 192.168.0.0).

> calvin eth0 ->  192.168.0.4
>        eth1 ->  10.0.0.1
>   route shows
> Dest          Gateway         ...     Iface
> 192.168.0.0   0.0.0.0         ...     eth0
> 10.0.0.0      0.0.0.0         ...     eth1
> 127.0.0.0     0.0.0.0         ...     lo
> 0.0.0.0               192.168.0.1     ...     eth0

> On calvin,
>    echo '1' > /proc/sys/net/ipv4/ip_forward

> I can ping between 10.0.0.2 and 10.0.0.1 (dilbert and calvin-eth1);
> I can ping between 192.168.0.4 and 192.168.0.1 (calvin and firewall);
> I can ping between 10.0.0.2 and 192.168.0.4 (dilbert and calvin-eth0);

> But if I ping from 10.0.0.2 to 192.168.0.1, packets go into the black
> hole.

> If I try to add a static route to 192.168.0.1,
>    route add -host 192.168.0.1 gw 10.0.0.1
> ping packets still go into the black hole.

> What am I missing?

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
on my SuSE box...
echo 1 > /proc/sys/net/ipv4/ip_forward

on your redhat box in bash or compatible shell...
echo 1 > $(find /proc -name ip_forward)

~mm

 
 
 


Post by Dave Bro » Tue, 09 Apr 2002 14:53:05




>> dilbert  eth0 -> 10.0.0.2
>> Dest            Gateway         ...     Iface
>> 192.168.0.0     10.0.0.1        ...     eth0
>> 10.0.0.0        *               ...     eth0
>> 127.0.0.0       0.0.0.0         ...     lo
>> 0.0.0.0         0.0.0.0         ...     eth0
>> (I added static route to 192.168.0.0).

>> calvin eth0 ->  192.168.0.4
>>       eth1 ->  10.0.0.1
>> Dest            Gateway         ...     Iface
>> 192.168.0.0     0.0.0.0         ...     eth0
>> 10.0.0.0        0.0.0.0         ...     eth1
>> 127.0.0.0       0.0.0.0         ...     lo
>> 0.0.0.0         192.168.0.1     ...     eth0

>[dilbert] should resemble [calvin], except for gateway.  So, for
>[dilbert],
>     10.0.0.0    *           ...     eth0
>     127.0.0.0   *      ...     lo
>     default        10.0.0.1    ...     eth0        (10.0.0.1 = calvin)
>[calvin],
>     10.0.0.0    *      ...     eth1
>     127.0.0.0   *      ...     lo
>     192.168.0.0    *           ...     eth0
>     default        192.168.0.1 ...     eth0        (192.168.0.1 = firewall)

Thanks for the shot at it.  That's what I had initially.  Didn't work.
So I tried to add a static route to 192.168.0.0.  Doesn't work either.

Putting it back the way you suggest, from dilbert, I can ping 10.0.0.1
(calvin's eth0) and I can ping 192.168.0.4 (calvin's eth1), but not
anything else on 192.168.0.0.  

And ip_forward is turned on ... "cat /proc/sys/net/ipv4/ip_forward" -> 1.

There's gotta be something else.  (I know I've gotten forwarding to work
before... but back in 2.0 kernel days.)

--
Dave Brown  Austin, TX

 
 
 


Post by Thomas Homme » Tue, 09 Apr 2002 20:55:51


your firewall has to know where to find the 10.x.x.x net, so you have to
set up a route for it on the firewall:
route add -net 10.0.0.0 gw 192.168.0.1

tom


> Here's my puzzle.

> I'm trying to get a RH7.2 box to be a gateway between two networks.

> Details on each machine:
> dilbert  eth0 -> 10.0.0.2
>   route shows
> Dest               Gateway         ...     Iface
> 192.168.0.0        10.0.0.1        ...     eth0
> 10.0.0.0   *               ...     eth0
> 127.0.0.0  0.0.0.0         ...     lo
> 0.0.0.0            0.0.0.0         ...     eth0
>  (I added static route to 192.168.0.0).

> calvin eth0 ->  192.168.0.4
>        eth1 ->  10.0.0.1
>   route shows
> Dest               Gateway         ...     Iface
> 192.168.0.0        0.0.0.0         ...     eth0
> 10.0.0.0   0.0.0.0         ...     eth1
> 127.0.0.0  0.0.0.0         ...     lo
> 0.0.0.0            192.168.0.1     ...     eth0

> On calvin,
>    echo '1' > /proc/sys/net/ipv4/ip_forward

> I can ping between 10.0.0.2 and 10.0.0.1 (dilbert and calvin-eth1);
> I can ping between 192.168.0.4 and 192.168.0.1 (calvin and firewall);
> I can ping between 10.0.0.2 and 192.168.0.4 (dilbert and calvin-eth0);

> But if I ping from 10.0.0.2 to 192.168.0.1, packets go into the black
> hole.

> If I try to add a static route to 192.168.0.1,
>    route add -host 192.168.0.1 gw 10.0.0.1
> ping packets still go into the black hole.

> What am I missing?

 
 
 


Post by Dave Bro » Wed, 10 Apr 2002 01:00:47



> your firewall has to know where to find the 10.x.x.x net, so you have to
> set up a route for it on the firewall:
> route add -net 10.0.0.0 gw 192.168.0.1

That kinda makes sense.  But when I execute that command on the firewall,
I get "SIOCADDRT: Invalid argument".  (Never have understood what that
message is really telling me--what the heck is SIOCADDRT?)

--
Dave Brown  Austin, TX

 
 
 


Post by William Par » Wed, 10 Apr 2002 05:16:37




>>[dilbert] should resemble [calvin], except for gateway.  So, for
>>[dilbert],
>>     10.0.0.0    *           ...     eth0
>>     127.0.0.0   *         ...     lo
>>     default   10.0.0.1    ...     eth0        (10.0.0.1 = calvin)
>>[calvin],
>>     10.0.0.0    *         ...     eth1
>>     127.0.0.0   *         ...     lo
>>     192.168.0.0       *           ...     eth0
>>     default   192.168.0.1 ...     eth0        (192.168.0.1 = firewall)

> Thanks for the shot at it.  That's what I had initially.  Didn't work.
> So I tried to add a static route to 192.168.0.0.  Doesn't work either.

> Putting it back the way you suggest, from dilbert, I can ping 10.0.0.1
> (calvin's eth0) and I can ping 192.168.0.4 (calvin's eth1), but not
> anything else on 192.168.0.0.  

> And ip_forward is turned on ... "cat /proc/sys/net/ipv4/ip_forward" -> 1.

> There's gotta be something else.  (I know I've gotten forwarding to work
> before... but back in 2.0 kernel days.)

This is confusing without diagram,
    [dilbert]   --  [calvin]    --  [firewall]
    10.0.0.2        10.0.0.1 (eth1)
                    192.168.0.4     192.168.0.1 (eth0)

How is the route in [firewall]?  Usually, it would send "unknown" packet
outwards to Internet (ie. ppp0).  So, it has to know that 10.0.0.0/8 is
internal route and hand it over to [calvin], ie.
    route add -net 10.0.0.0 netmask 255.0.0.0 eth0

--

8 CPU cluster, NAS, (Slackware) Linux, Python, LaTeX, Vim, Mutt, Tin

 
 
 


Post by Dave Bro » Wed, 10 Apr 2002 08:44:34




>> ...
>> There's gotta be something else.  (I know I've gotten forwarding to work
>> before... but back in 2.0 kernel days.)

> This is confusing without diagram,
>     [dilbert]      --  [calvin]    --  [firewall]
>     10.0.0.2           10.0.0.1 (eth1)
>                192.168.0.4     192.168.0.1 (eth0)

> How is the route in [firewall]?  Usually, it would send "unknown" packet
> outwards to Internet (ie. ppp0).  So, it has to know that 10.0.0.0/8 is
> internal route and hand it over to [calvin], ie.
>     route add -net 10.0.0.0 netmask 255.0.0.0 eth0

Okay, I thought I'd done that, but gotten an SIOCADDR error.  I think
maybe I left out a piece of the command.

[calvin] is now forwarding.  But now this is a mess! That says I
have to put a static route on my nameserver as well (sitting at
192.168.0.10).  What's the alternative to putting static routes
on every machine that I want to be able to reach from dilbert via
calvin?  Masquerading?

--
Dave Brown  Austin, TX

 
 
 


Post by Dave Bro » Wed, 10 Apr 2002 10:18:28




>> your firewall has to know where to find the 10.x.x.x net, so you have to
>> set up a route for it on the firewall:
>> route add -net 10.0.0.0 gw 192.168.0.1

> That kinda makes sense.  But when I execute that command on the firewall,
> I get "SIOCADDRT: Invalid argument".  (Never have understood what that
> message is really telling me--what the heck is SIOCADDRT?)

As best I can tell, with "route" you have to specify netmask (and maybe
interface) in addition to ip addresses when you're adding "-net" route.
Anyway, that's how I stopped getting the SIOCADDR error.

--
Dave Brown  Austin, TX

 
 
 


Post by William Par » Thu, 11 Apr 2002 02:04:17



>> This is confusing without diagram,
>>     [dilbert] --  [calvin]    --  [firewall]
>>     10.0.0.2      10.0.0.1 (eth1)
>>                   192.168.0.4     192.168.0.1 (eth0)

>> How is the route in [firewall]?  Usually, it would send "unknown" packet
>> outwards to Internet (ie. ppp0).  So, it has to know that 10.0.0.0/8 is
>> internal route and hand it over to [calvin], ie.
>>     route add -net 10.0.0.0 netmask 255.0.0.0 eth0

Sorry, I forgot about 'gw'.  Try.
    route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.4


> Okay, I thought I'd done that, but gotten an SIOCADDR error.  I think
> maybe I left out a piece of the command.

> [calvin] is now forwarding.  But now this is a mess! That says I
> have to put a static route on my nameserver as well (sitting at
> 192.168.0.10).  What's the alternative to putting static routes
> on every machine that I want to be able to reach from dilbert via
> calvin?  Masquerading?

No need to masquerade in [calvin], only in [firewall].  You only have to
configure the route for single-hop.  [dilbert] is passing everything to
[calvin], so okay.  But, [calvin] and [firewall] have 2 connections, so
they have to know what goes where.

--

8 CPU cluster, NAS, (Slackware) Linux, Python, LaTeX, Vim, Mutt, Tin

 
 
 


Post by Dave Bro » Thu, 11 Apr 2002 07:31:53




>> [calvin] is now forwarding.  But now this is a mess! That says I
>> have to put a static route on my nameserver as well (sitting at
>> 192.168.0.10).  What's the alternative to putting static routes
>> on every machine that I want to be able to reach from dilbert via
>> calvin?  Masquerading?

> No need to masquerade in [calvin], only in [firewall].  You only have to
> configure the route for single-hop.  [dilbert] is passing everything to
> [calvin], so okay.  But, [calvin] and [firewall] have 2 connections, so
> they have to know what goes where.

On [dilbert], when I ping the nameserver [garfield] at 192.168.0.10, I get
no response, unless I put a route on [garfield] just like the one on the
firewall.  Every host on 192.168.0.0 is pointed to the firewall as a
default route.  So [garfield] responds to 10.0.0.2, thinking they should
go to the firewall. (Here's where I wish I understood how the network
layer really worked.)

So my thought about masquerading was that the nameserver would think
the requests from dilbert were actually coming from calvin and be
returned where calvin could get them back to dilbert.

--
Dave Brown  Austin, TX

 
 
 


Post by William Par » Thu, 11 Apr 2002 15:19:47




>> No need to masquerade in [calvin], only in [firewall].  You only have to
>> configure the route for single-hop.  [dilbert] is passing everything to
>> [calvin], so okay.  But, [calvin] and [firewall] have 2 connections, so
>> they have to know what goes where.

> On [dilbert], when I ping the nameserver [garfield] at 192.168.0.10, I get
> no response, unless I put a route on [garfield] just like the one on the
> firewall.  Every host on 192.168.0.0 is pointed to the firewall as a
> default route.  So [garfield] responds to 10.0.0.2, thinking they should
> go to the firewall. (Here's where I wish I understood how the network
> layer really worked.)

> So my thought about masquerading was that the nameserver would think
> the requests from dilbert were actually coming from calvin and be
> returned where calvin could get them back to dilbert.

In that case, [calvin] has to masquerade for [dilbert], and, in fact,
become "firewall/router" for [dilbert], just like [firewall] is doing
for 192.168.0.0 hosts.  Without masquerade (which is unnecessary for
LAN), then [firewall] and [garfield] have to know how to connect to
10.0.0.2.  Without explicit routing, then they would send these "unknown"
packets to default gateway (ie. to Internet).

--

8 CPU cluster, NAS, (Slackware) Linux, Python, LaTeX, Vim, Mutt, Tin
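
Added example (not part of the original thread): a longest-prefix-match lookup showing where each 192.168.0.0 host sends its echo reply to dilbert, with and without the extra route, and when calvin masquerades. The firewall and garfield tables are assumptions built from the posts (a /24 LAN, a firewall default route out ppp0, garfield defaulting to the firewall).

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match. Returns (gateway, iface); gateway None means on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw, dev)
    return None if best is None else (best[1], best[2])

# Constructed routing tables (assumptions): (destination, gateway, interface).
FIREWALL = [("192.168.0.0/24", None, "eth0"),
            ("0.0.0.0/0", None, "ppp0")]            # "unknown" goes to the Internet
GARFIELD = [("192.168.0.0/24", None, "eth0"),
            ("0.0.0.0/0", "192.168.0.1", "eth0")]   # default route = firewall

# The route from the thread: 10.0.0.0 netmask 255.0.0.0 via calvin (192.168.0.4).
VIA_CALVIN = ("10.0.0.0/8", "192.168.0.4", "eth0")
FIREWALL_FIXED = FIREWALL + [VIA_CALVIN]
GARFIELD_FIXED = GARFIELD + [VIA_CALVIN]

def reply_route(table, client="10.0.0.2", masq_as=None):
    """Route a host picks for its reply to dilbert.

    If calvin masquerades, the host sees calvin's LAN address (masq_as)
    as the source, so the reply is addressed to that instead of 10.0.0.2.
    """
    return lookup(table, masq_as or client)

if __name__ == "__main__":
    cases = [
        ("firewall, no route", FIREWALL, None),
        ("firewall, route via calvin", FIREWALL_FIXED, None),
        ("garfield, no route", GARFIELD, None),
        ("garfield, route via calvin", GARFIELD_FIXED, None),
        ("garfield, calvin masquerading", GARFIELD, "192.168.0.4"),
    ]
    for label, table, masq in cases:
        gw, dev = reply_route(table, masq_as=masq)
        hop = "on-link" if gw is None else "via " + gw
        print(f"{label:32} reply goes {hop} dev {dev}")
```

With masquerading the reply is addressed to 192.168.0.4, which every LAN host already reaches on-link, so no per-host static route is needed.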