Hi,
I'm building a firewall/router on CentOS. I'm using Shorewall but have currently stopped and cleared the firewall rules to isolate the routing problem.
My firewall box has 5 interfaces in it but currently only two are involved in the problem.
eth1: inet addr:192.168.1.224 Bcast:192.168.1.255 Mask:255.255.255.0
eth3: inet addr:192.168.202.1 Bcast:192.168.202.255 Mask:255.255.255.0
eth1 is connected to a switch that is connected to a router. The router is 192.168.1.1 and is the internet gateway.
eth3 is connected to a different switch.
I have another CentOS box that is connected to the switch shared with eth3. Its interface is:
eth3: inet addr:192.168.202.10 Bcast:192.168.202.255 Mask:255.255.255.0
I want to provide internet connectivity to this 2nd machine routed through the firewall. Currently, I can reach two machines on the 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or anything outside.
I'll paste the routing tables from both machines below. Thanks in advance for your help.
---Marc
Firewall routing tables:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

192.168.202.10 routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1
On Jul 18, 2006, at 11:54 AM, Marc Breslow wrote:
> I want to provide internet connectivity to this 2nd machine routed through the firewall. Currently, I can reach two machines on the 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or anything outside.
what does the file /proc/sys/net/ipv4/ip_forward contain (on the CentOS box that's connected to the router)?
if this file contains "0", your machine will not forward packets.
> Firewall routing tables:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
>
> 192.168.202.10 routing table:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1
are you sure that the machine 192.168.202.10 has an eth3 interface? i think you made a typo in your original message. can you ping 192.168.202.1 from the second machine? what is the output of `traceroute 192.168.1.1`?
-steve
--- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
Thanks for the quick reply.
/proc/sys/net/ipv4/ip_forward contains 1. Also, /etc/sysctl.conf was updated setting net.ipv4.ip_forward = 1. Also, /etc/sysconfig/network was updated adding FORWARD_IPV4=yes.
eth3 is on the firewall box and is connected to a switch shared by the 2nd box (eth1). eth1 on the firewall box connects to a different switch which also has a connection to the router.
Marc Breslow wrote:
> I want to provide internet connectivity to this 2nd machine routed through the firewall. Currently, I can reach two machines on the 192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or anything outside.
What's the default route on the 192.168.1.5 and .3 machines? The router or the firewall?
It looks like your router doesn't know how to get back to the 192.168.202.x network. If you add a static route on your router that tells it to send traffic destined for the 192.168.202.x network to the 192.168.1.224 interface on the firewall box I think it will start working for you.
/jft
Jeff,
I think we are on to something here. I added a static route on the 192.168.1.1 router to the 192.168.1.224 with the gateway address equal to the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the firewall. I can ping yahoo from the firewall.
Any other thoughts?
Thanks, ---Marc
Marc Breslow wrote:
> I think we are on to something here. I added a static route on the 192.168.1.1 router to the 192.168.1.224 with the gateway address equal to the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the firewall. I can ping yahoo from the firewall.
>
> Any other thoughts?
Do you still have the firewall turned off for testing? If so, I would try to traceroute to the 209.73.186.238 address and see if that helps show you anything.
/jft
What are your NAT policies?
/etc/init.d/iptables status or iptables -L & iptables -L -t nat
please.
regards, Guillermo.
Sorry, I made a mistake: what we need are your NAT policies on the router, but now that I re-read your email, you can ping yahoo from the firewall, so the NAT is working.
Do you know which IP you are using to ping outside? What is the source IP your PC is using?
Maybe you can use the -I parameter on ping in order to force your linux box to use the eth1 IP and not the eth0 IP (10.x.x.x).
hope it helps. regards, Guillermo.
Quoting Marc Breslow marc@radiusIM.com:
> Jeff,
>
> I think we are on to something here. I added a static route on the 192.168.1.1 router to the 192.168.1.224 with the gateway address equal to the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the firewall. I can ping yahoo from the firewall.
>
> Any other thoughts?
A couple of questions.
Is your firewall (the CentOS box with the 192.168.1.224 and 192.168.202.1 interfaces) configured to perform NAT? Or is the firewall on it completely turned off?
What exactly is the route you added to your external router? That router probably has two network interfaces and therefore two routes with link scope associated with them: one telling it how to reach the router at the ISP end, and a second one for your 192.168.1.0/24 network. Everything else will be routed to the default route (meaning outside). You want to add a static route on your external router for 192.168.202.0/24 pointing to 192.168.1.224. Is that what you did?
If that is what you did, you might want to check configuration of your external router, and see how firewalling is configured on it. Many of those small devices have some firewalling enabled by default in them. Maybe it considers only 192.168.1.0/24 to be internal network, and drops everything else from inside.
Try doing traceroute from 192.168.202.10. Also, running tcpdump on your firewall's eth1 and eth3 interfaces in parallel (for example from two terminal windows) while you are doing traceroute or simply attempting to ping outside world and comparing the outputs might give you an idea what is going on.