Gentoo Forums
[solved] connect two sub-nets
lawilog (n00b). Joined: 07 Sep 2007. Posts: 24
Posted: Mon Sep 22, 2008 11:05 pm    Post subject: [solved] connect two sub-nets

Hi,
I have two different nets (wired and wireless) which use the IP ranges 192.168.41.* and 192.168.42.*.
The two are connected through a server acting as router running Gentoo. Configured iptables:
Code:

WAN_DEV="ppp0"
LAN_DEV0="eth1"
LAN_DEV1="tap0"
EXTRA_DEV="ath0"
MY_IP0="192.168.42.1"
MY_IP1="192.168.41.1"
MY_NET0="192.168.42.1/24"
MY_NET1="192.168.41.1/24"

# ...

# interconnect
iptables -A FORWARD -p ALL -i ${LAN_DEV0} -s ${MY_NET0} -d ${MY_NET1} -j ACCEPT
iptables -A FORWARD -p ALL -i ${LAN_DEV1} -s ${MY_NET1} -d ${MY_NET0} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${LAN_DEV0} -s ${MY_NET1} -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${LAN_DEV1} -s ${MY_NET0} -d 0/0 -j MASQUERADE


And now indeed both subnets can talk to each other, but from what I know about routing, I always thought there would be a way without MASQUERADE-ing (thinking of the wide range of IPs on the internet) ... but if I leave the two lines out, ping tests fail.
Is there a simpler way?

Lars


Last edited by lawilog on Tue Sep 23, 2008 8:03 pm; edited 1 time in total
Anarcho (Advocate). Joined: 06 Jun 2004. Posts: 2970. Location: Germany
Posted: Tue Sep 23, 2008 7:05 am

1. Check if "/proc/sys/net/ipv4/ip_forward" is set to 1

2. Check with completely disabled iptables firewall

3. Check the routing tables on the clients. They must have either the router as the default gw or they must have the router as the gateway for the other subnet

4. Give us the output of "iptables -L -v" (of course with your full firewall script enabled)

You should not need masquerading for your inner networks.
...it's only Rock'n'Roll, but I like it!
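An added example, not the poster's script and not anything posted in the thread: a dry-run generator for the kind of rule set the reply above describes. Forwarding between the two inner subnets is carried by conntrack state plus two explicit per-direction rules, with no MASQUERADE; source NAT is applied only where it is genuinely needed, on the ppp0 uplink; and the WEP-side interface ath0 is limited to the OpenVPN port in INPUT. Interface and subnet names are taken from the thread (with tun0 as the OpenVPN device, as the thread later settles); the OpenVPN port 1194 and the DROP policies on INPUT and FORWARD are assumptions. With IPT unset the script only prints the commands, so the rule set can be reviewed before IPT=iptables applies it.

```shell
#!/bin/sh
# Added example (not the poster's script): inter-subnet forwarding without NAT.
# IPT defaults to a dry run that prints the commands; run with IPT=iptables to
# apply them. It is expanded unquoted on purpose so "echo iptables" splits.
IPT="${IPT:-echo iptables}"

WAN_DEV="ppp0"                  # uplink, the only place NAT is needed
LAN_DEV0="eth1"                 # wired LAN
LAN_DEV1="tun0"                 # OpenVPN side of the WLAN (tun, not tap)
WLAN_DEV="ath0"                 # WEP-only radio: treated as untrusted
OVPN_PORT="${OVPN_PORT:-1194}"  # assumption: OpenVPN default port, set yours
MY_NET0="192.168.42.0/24"
MY_NET1="192.168.41.0/24"

inner_forward_rules() {
    # Replies of already accepted flows are matched first by conntrack, so
    # each direction only needs its initial packets allowed explicitly. The
    # private addresses are routable on both sides, hence no MASQUERADE here.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_DEV0" -o "$LAN_DEV1" -s "$MY_NET0" -d "$MY_NET1" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_DEV1" -o "$LAN_DEV0" -s "$MY_NET1" -d "$MY_NET0" -j ACCEPT
}

uplink_rules() {
    # Traffic for the internet leaves with a private source address, which is
    # the one case where source NAT is genuinely required.
    $IPT -A FORWARD -i "$LAN_DEV0" -o "$WAN_DEV" -s "$MY_NET0" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_DEV1" -o "$WAN_DEV" -s "$MY_NET1" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_DEV" -j MASQUERADE
}

wlan_input_rules() {
    # Only the OpenVPN port is reachable from the WEP network; anything else
    # arriving on ath0 falls through to the chain's DROP policy (assumed).
    $IPT -A INPUT -i "$WLAN_DEV" -p udp --dport "$OVPN_PORT" -j ACCEPT
}

all_rules() {
    inner_forward_rules
    uplink_rules
    wlan_input_rules
}

# Review helpers: how many rules use NAT, and whether the inner path is NAT-free.
masquerade_count() { all_rules | grep -c MASQUERADE; }
inner_nat_free()   { ! inner_forward_rules | grep -q -e MASQUERADE -e SNAT; }

all_rules
```

Run as-is it prints the six rules; the only MASQUERADE line is the one bound to ppp0. The clients still need the router as their gateway for the other subnet (or as default gateway), as point 3 of the reply says; the rules above do nothing about that.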
lawilog (n00b). Joined: 07 Sep 2007. Posts: 24
Posted: Tue Sep 23, 2008 11:25 am

Code:
# cat /proc/sys/net/ipv4/ip_forward
1


I don't want to clear the iptables; this would make e.g. the SSH server available to the outside world, and I need the routing from the PC to the internet.

The standard gw is of course the router. On my machine:
Code:
# route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.42.1    0.0.0.0         UG    0      0        0 eth0


I only quoted the parts of the iptables script I thought were relevant. I could post the whole code if you want.
BTW: the "router" has a PCI wireless card acting as access point. Because there are problems with WPA and the driver, we can only use WEP, and use OpenVPN with 4096-bit encryption on top of that. That's why there are tap and tun devices. But as far as I know, OpenVPN uses its own internal routing, so I think iptables can see "tun" as a usual network device.

Code:
iptables -L -v
Chain INPUT (policy DROP 25539 packets, 1492K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1196  115K ACCEPT     all  --  lo     any     anywhere             anywhere
1061K  155M ACCEPT     all  --  ath0   any     anywhere             anywhere
2817K 1898M ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tap0   any     anywhere             anywhere
 197K  264M ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
 416K   22M ACCEPT     all  --  tun+   any     anywhere             anywhere
25539 1492K LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `FIREWALL:input'
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 104K 5372K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
2173K  426M ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tap0   any     anywhere             anywhere
2782K 3362M ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
 607K   63M ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     192.168.42.0/24      192.168.41.0/24
    0     0 ACCEPT     all  --  tap0   any     192.168.41.0/24      192.168.42.0/24
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `FIREWALL:forward'
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 6556K packets, 6981M bytes)
 pkts bytes target     prot opt in     out     source               destination
6556K 6981M LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `FIREWALL:output'


Just to say that again: it's not a big problem, since it's already working right now. I only thought there could be a better solution.

Lars
Anarcho (Advocate). Joined: 06 Jun 2004. Posts: 2970. Location: Germany
Posted: Tue Sep 23, 2008 11:36 am

1. The lines you have quoted from your iptables script are useless, as some rules before them already allow everything for eth1 and tap0 in the FORWARD rule set. That's why there is no traffic recorded.

What I wonder is why there is no traffic at all in the tap0 lines. Which device is the WLAN OpenVPN then? Is it tap0 or tun?

But nevertheless, I can't see any reason why the direct communication should not work.

EDIT:

Your setup is not really secure, btw. You have a WEP WLAN secured by OpenVPN, but you allow any traffic coming from the unsecured ath0 device as input traffic. You should only allow the OpenVPN port (and maybe DHCP/DNS, depends on your setup) in the INPUT rule set.
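An added check, not from the thread, for the two observations in the reply above: a small awk audit of `iptables -L -v` output that reports rules which can never match because an earlier rule in the same chain already accepts everything from that input interface (the zero-counter rules the reply points at), and interfaces from which INPUT accepts all traffic unconditionally (the ath0 case). The sample below is constructed from the counters shown earlier in the thread, trimmed to the relevant lines; wildcard interfaces such as `tun+` in the earlier rule are honoured when deciding what is shadowed.

```shell
#!/bin/sh
# Added example (not from the thread): audit "iptables -L -v" text for rules
# that an earlier catch-all on the same input interface makes unreachable,
# and for interfaces that INPUT accepts without any restriction.

# Constructed sample, trimmed from the counters the poster showed.
SAMPLE='Chain INPUT (policy DROP 25539 packets, 1492K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1196  115K ACCEPT     all  --  lo     any     anywhere             anywhere
1061K  155M ACCEPT     all  --  ath0   any     anywhere             anywhere
2817K 1898M ACCEPT     all  --  eth1   any     anywhere             anywhere
 197K  264M ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
 416K   22M ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 104K 5372K TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
2173K  426M ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tap0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     192.168.42.0/24      192.168.41.0/24
    0     0 ACCEPT     all  --  tap0   any     192.168.41.0/24      192.168.42.0/24
'

# audit: reads "iptables -L -v" output on stdin and prints one line per finding:
#   SHADOWED <chain> in=<if> src=<s> dst=<d> pkts=<n>   rule can never match
#   OPEN INPUT in=<if> accepts all traffic               unrestricted interface
audit() {
    awk '
    # Is this input interface already covered by a catch-all seen in this chain?
    # Handles exact names and iptables "+" wildcards (tun+ covers tun0).
    function covered(iface, k) {
        for (k in open) {
            if (k == iface) return 1
            if (substr(k, length(k), 1) == "+" &&
                index(iface, substr(k, 1, length(k) - 1)) == 1) return 1
        }
        return 0
    }
    /^Chain /          { chain = $2; for (k in open) delete open[k]; next }
    /^ *pkts +bytes/   { next }          # column header
    NF < 9             { next }          # blank lines
    {
        target = $3; prot = $4; iface = $6; src = $8; dst = $9
        if (iface == "any" || iface == "lo") next
        if (covered(iface)) {
            printf "SHADOWED %s in=%s src=%s dst=%s pkts=%s\n", chain, iface, src, dst, $1
            next
        }
        # A catch-all: ACCEPT, any protocol, any addresses, no extra match (NF == 9).
        if (target == "ACCEPT" && prot == "all" && src == "anywhere" &&
            dst == "anywhere" && NF == 9) {
            open[iface] = 1
            if (chain == "INPUT") printf "OPEN %s in=%s accepts all traffic\n", chain, iface
        }
    }'
}

# audit_sample: run the audit over the constructed sample above.
audit_sample() { printf '%s\n' "$SAMPLE" | audit; }

audit_sample
```

On a live box the same function is fed with `iptables -L -v | audit`. Against the sample it flags the two subnet-specific FORWARD rules and the second `tun+` rule as shadowed, and lists ath0, eth1 and `tun+` as interfaces from which INPUT accepts everything; ath0 is the one the reply says should be reduced to the OpenVPN port.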
lawilog (n00b). Joined: 07 Sep 2007. Posts: 24
Posted: Tue Sep 23, 2008 8:03 pm    Post subject: solved

Works now, thanks. I confused tun and tap devices.

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  ath0   any     anywhere             anywhere            udp dpt:<my secret open vpn port *g*>
    2   104 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            tcp dpt:ntp
    0     0 ACCEPT     udp  --  ppp0   any     anywhere             anywhere            udp dpt:ntp

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun0   any     anywhere             anywhere
    0     0 ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
 pkts bytes target     prot opt in     out     source               destination