edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 7:13 pm Post subject: [SOLVED] Ip MASQUERADING not working... [NOW WORKING!] |
|
|
This problem makes me crazy!!!
I've done exactly what all iptables tutorials around the world say, but still I don't get what I want!
I got a PC (PC1) connected to a server on this lan: 192.168.1.0/24, with eth1 interface.
Now I connect another PC (PC2) to the first, on eth0, with a cross cable, and I create a new lan between the two PC's, lan2: 192.168.2.0/24.
Ping between the two PC's works. Ping between PC2 and server doesn't work.
I set ip_forwarding to 1. I set MASQUERADING policies correctly. I set PC2's gateway to PC1. I have also corrected PC2's arp table by hand to avoid arp requests! But still it doesn't work...
And the most incredible thing is, I connected an IPAQ with Familiar Linux to PC1's usbnet, and with the same settings I can reach the server from IPAQ!!!
IPAQ and PC2 have exactly the same settings, except for the ip address (IPAQ is on lan 192.168.5.0/24).
Please someone help me, I'm going crazy.......
_________________
It's the second biggest monkey head I've ever seen!
(Guybrush Threepwood)
Last edited by edux on Fri Nov 17, 2006 10:48 pm; edited 1 time in total
ping-uino n00b

Joined: 19 Nov 2005 Posts: 40 Location: Italy
|
Posted: Fri Nov 17, 2006 8:32 pm Post subject: |
|
|
Uhm. the picture is not very clear... (for me)
what's the class of ip of server? which ip has each pc?
if i get all things, the picture is:
[server] <--> (eth1)[PC1](eth0) <--> [PC2]
192.168.1.0/24 192.168.2.0/24
PC1 can reach server
PC1 can reach PC2
PC2 can reach PC1
PC2 doesn't reach server
it smells like a routing table problem. Does PC1 know where is PC2? What's the default gateway?
try to sniff traffic on PC1 with tcpdump to understand what is happening.
and check the route with netstat -rn
probably your tutorial is very old, because MASQUERADING is suggested only for dynamic ip natting,
use snat and dnat instead.
_________________
#ping -Ui 1 -n 0
(sorry for my bad english... my italian is far better!)
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 9:09 pm Post subject: |
|
|
Quote: |
[server] <--> (eth1)[PC1](eth0) <--> [PC2]
192.168.1.0/24 192.168.2.0/24
PC1 can reach server
PC1 can reach PC2
PC2 can reach PC1
PC2 doesn't reach server
|
The picture is correct. And also: PC2's default gateway is PC1. And there's another device connected to PC1 via usbnet, that can reach the server:
[server] <--> (eth1)[PC1](usb0) <--> [IPAQ]
In IPAQ I can ping the server, and also the WAN. So why the problem is only in PC2??? I really don't understand.
I think I can use SNAT or MASQUERADING the same way, because they do quite the same thing, changing the source ip address of an outgoing ip packet.
Anyway, let's analyze this situation:
If I sniff net traffic on PC1 when I try to ping server from PC2, I see ICMP packet with source PC2 and dest server (no ARP request because I've corrected PC2's arp table by hand), but those packets don't reach the server.
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 9:13 pm Post subject: |
|
|
This is the routing table of PC2:
Code: |
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.2.101 0.0.0.0 UG 0 0 0 eth0
|
192.168.2.101 is the ip of PC1
kadeux Tux's lil' helper

Joined: 21 Nov 2005 Posts: 103
|
Posted: Fri Nov 17, 2006 9:17 pm Post subject: |
|
|
It would be helpful if you can show us:
- your firewall script,
- the output of "/sbin/iptables -L -n -v" and "/sbin/iptables -t nat -L -n -v",
- the output of "route -n" for pc1, pc2 and the server,
- the output of "ifconfig -a" for pc1, pc2 and the server.
And please explain your intention to use a masquerading policy on pc1. Where is the WAN connection (that you mentioned in your second post) in the whole picture? And what have you done to the arp table of pc2 ?
Edit: Oh, you have already posted some information while I was writing. Please give even more information. 
Last edited by kadeux on Fri Nov 17, 2006 9:20 pm; edited 1 time in total |
Corona688 Veteran


Joined: 10 Jan 2004 Posts: 1204
|
Posted: Fri Nov 17, 2006 9:20 pm Post subject: |
|
|
I'd actually recommend firehol for setting up masquerade, firewalls, etc. It's in portage, and works without having to program in the network-equivalent of assembly language.
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html
kadeux Tux's lil' helper

Joined: 21 Nov 2005 Posts: 103
|
Posted: Fri Nov 17, 2006 9:29 pm Post subject: |
|
|
edux wrote: | This is the routing table of PC2:
Code: |
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.2.101 0.0.0.0 UG 0 0 0 eth0
|
192.168.2.101 is the ip of PC1 |
You are not using a /24 subnet (255.255.0.0 is a /16 subnet). PC2 thinks that your server is directly connected and therefore doesn't send the packet over the gateway.
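Added example, not part of any post in this thread: a longest-prefix-match lookup over PC2's routing tables as posted, showing kadeux's point that the /16 mask makes 192.168.1.100 match the on-link route instead of the gateway. The `lookup` helper, the `WITH_24_MASK` table and the 203.0.113.10 stand-in for a WAN address are assumptions of this example.

```python
import ipaddress

# PC2's routing tables as posted in the thread: (destination, gateway, genmask).
ORIGINAL = [
    ("192.168.0.0", "0.0.0.0", "255.255.0.0"),
    ("127.0.0.0", "0.0.0.0", "255.0.0.0"),
    ("0.0.0.0", "192.168.2.101", "0.0.0.0"),
]
CHANGED = [  # the "[NOW CHANGED]" table: no default route
    ("192.168.1.0", "192.168.1.101", "255.255.255.255"),
    ("192.168.0.0", "0.0.0.0", "255.255.0.0"),
    ("127.0.0.0", "0.0.0.0", "255.0.0.0"),
]
FINAL = [
    ("192.168.1.254", "192.168.2.101", "255.255.255.255"),
    ("192.168.0.0", "0.0.0.0", "255.255.0.0"),
    ("127.0.0.0", "0.0.0.0", "255.0.0.0"),
    ("0.0.0.0", "192.168.2.101", "0.0.0.0"),
]
# Assumption, not posted in the thread: PC2 with the /24 mask the LAN was meant to have.
WITH_24_MASK = [
    ("192.168.2.0", "0.0.0.0", "255.255.255.0"),
    ("0.0.0.0", "192.168.2.101", "0.0.0.0"),
]

def lookup(table, dst):
    """Longest-prefix match. Returns (matched network, next hop); the next hop
    is "on-link" for a 0.0.0.0 gateway, and (None, None) means no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask in table:
        prefix = bin(int(ipaddress.ip_address(mask))).count("1")
        net = ipaddress.ip_network(f"{dest}/{prefix}")
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None, None
    return str(best[0]), "on-link" if best[1] == "0.0.0.0" else best[1]

if __name__ == "__main__":
    SERVER, ROUTER = "192.168.1.100", "192.168.1.254"
    WAN = "203.0.113.10"  # constructed stand-in for "a WAN ip" (documentation range)
    for name, table in [("original", ORIGINAL), ("changed", CHANGED),
                        ("final", FINAL), ("/24 mask", WITH_24_MASK)]:
        for dst in (SERVER, ROUTER, WAN):
            print(f"{name:9} {dst:15} -> {lookup(table, dst)}")
```

The lookup models route selection only; ARP entries set by hand on PC2 and the NAT rule on PC1 are outside what it shows.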
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 9:42 pm Post subject: |
|
|
Server ip: 192.168.1.100
PC1 ip: eth1(->server):192.168.1.101 eth0(->PC2): 192.168.2.101
No firewall script, simply on PC1:
Code: | iptables -t nat -A POSTROUTING -j SNAT --to 192.168.1.101 |
I change the routing table of PC2 in many ways, but with no results...
On PC1:
Code: |
vaioo ~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:A9:0E:AB:A3
inet addr:192.168.2.101 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::213:a9ff:fe0e:aba3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4187 errors:0 dropped:0 overruns:0 frame:0
TX packets:7417 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:358958 (350.5 Kb) TX bytes:7310264 (6.9 Mb)
eth1 Link encap:Ethernet HWaddr 00:13:02:0D:B9:AB
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::213:2ff:fe0d:b9ab/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:162679 errors:1 dropped:13060 overruns:0 frame:0
TX packets:65093 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22408690 (21.3 Mb) TX bytes:34575246 (32.9 Mb)
Interrupt:18 Base address:0x2000 Memory:cc000000-cc000fff
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:17 errors:0 dropped:0 overruns:0 frame:0
TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1104 (1.0 Kb) TX bytes:1104 (1.0 Kb)
usb0 Link encap:Ethernet HWaddr CA:2D:5E:3B:00:02
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::c82d:5eff:fe3b:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:217 errors:0 dropped:0 overruns:0 frame:0
TX packets:541 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26451 (25.8 Kb) TX bytes:57790 (56.4 Kb)
vaioo ~ # iptables -L -n -v
Chain INPUT (policy ACCEPT 7875 packets, 2766K bytes)
pkts bytes target prot opt in out source destination
24532 5174K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 13 packets, 1092 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 39679 packets, 9830K bytes)
pkts bytes target prot opt in out source destination
vaioo ~ # iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 171 packets, 23759 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 85 packets, 9439 bytes)
pkts bytes target prot opt in out source destination
327 34560 SNAT 0 -- * * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.101
Chain OUTPUT (policy ACCEPT 477 packets, 48463 bytes)
pkts bytes target prot opt in out source destination
vaioo ~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 usb0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 2000 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 2000 0 0 eth1
|
on PC2:
Code: |
bestiolino ~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:0A:E4:56:8E:B2
inet addr:192.168.2.102 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: fe80::20a:e4ff:fe56:8eb2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257 errors:0 dropped:0 overruns:0 frame:0
TX packets:207 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26260 (25.6 Kb) TX bytes:23692 (23.1 Kb)
Interrupt:11 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2019 (1.9 Kb) TX bytes:2019 (1.9 Kb)
bestiolino ~ # route -n [NOW CHANGED]
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 192.168.1.101 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
|
Tell me if you want information about server's configuration, but I think the problem is between PC1 and PC2 only.
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 9:45 pm Post subject: |
|
|
Is the new routing table correct?
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 10:17 pm Post subject: |
|
|
Solved. Wait a minute and I'll post why...
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 10:31 pm Post subject: |
|
|
Ok, I was wrong with PC2's routing table.
Now, from PC2, I can ping server and router. But now I can't ping a WAN ip...
edux Apprentice

Joined: 15 Nov 2005 Posts: 223 Location: Bologna
|
Posted: Fri Nov 17, 2006 10:47 pm Post subject: |
|
|
I WIN!!!!!
In the end, and for ever, here's the correct routing table for PC2:
Code: |
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.254 192.168.2.101 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.2.101 0.0.0.0 UG 0 0 0 eth0
|
192.168.1.254 = router
192.168.2.101 = PC1
YUPPIE!