[CentOS] Routing problem
Hi,


I'm building a firewall/router on Centos. I'm using Shorewall but have
currently stopped and cleared the firewall rules to isolate the routing
problem.



My firewall box has 5 interfaces in it but currently only two are involved
in the problem.



eth1: inet addr:192.168.1.224 Bcast:192.168.1.255 Mask:255.255.255.0

eth3: inet addr:192.168.202.1 Bcast:192.168.202.255 Mask:255.255.255.0



eth1 is connected to a switch that is connected to a router. The router is
192.168.1.1 and is the internet gateway.

eth3 is connected to a different switch.



I have another Centos box that is connected to the switch shared with eth3.
Its interface is:

eth3: inet addr:192.168.202.10 Bcast:192.168.202.255 Mask:255.255.255.0



I want to provide internet connectivity to this 2nd machine routed through
the firewall. Currently, I can reach two machines on the 192.168.1.0/24
network (.5 and .3) but I can't reach the router (.1) or anything outside.



I'll paste the routing tables from both machines below. Thanks in advance
for your help.



---Marc



Firewall routing tables:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.254 U     0      0        0 eth4
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth4
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1



192.168.202.10 routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.16.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.202.1   0.0.0.0         UG    0      0        0 eth1




  • Steve Huff at Jul 18, 2006 at 4:06 pm

    On Jul 18, 2006, at 11:54 AM, Marc Breslow wrote:

    I want to provide internet connectivity to this 2nd machine routed
    through the firewall. Currently, I can reach two machines on the
    192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1)
    or anything outside.
    what does the file /proc/sys/net/ipv4/ip_forward contain (on the
    CentOS box that's connected to the router)?

    if this file contains "0", your machine will not forward packets.
    are you sure that the machine 192.168.202.10 has an eth3 interface?
    i think you made a typo in your original message. can you ping
    192.168.202.1 from the second machine? what is the output of
    `traceroute 192.168.1.1`?

    -steve

    ---
    If this were played upon a stage now, I could condemn it as an
    improbable fiction. - Fabian, Twelfth Night, III,v
  • Marc Breslow at Jul 18, 2006 at 4:16 pm
    Thanks for the quick reply.

    /proc/sys/net/ipv4/ip_forward contains 1.
    Also, /etc/sysctl.conf was updated setting net.ipv4.ip_forward = 1.
    Also, /etc/sysconfig/network was updated adding FORWARD_IPV4=yes.

    eth3 is on the firewall box and is connected to a switch shared by the 2nd
    box (eth1). eth1 on the firewall box connects to a different switch which
    also has a connection to the router.

  • Tom Brown at Jul 18, 2006 at 4:08 pm

    I want to provide internet connectivity to this 2nd machine routed
    through the firewall. Currently, I can reach two machines on the
    192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or
    anything outside.
    has IP forwarding been allowed on the firewall box?
  • Jeffrey Tadlock at Jul 18, 2006 at 4:19 pm

    Marc Breslow wrote:
    I want to provide internet connectivity to this 2nd machine routed
    through the firewall. Currently, I can reach two machines on the
    192.168.1.0/24 network (.5 and .3) but I can't reach the router (.1) or
    anything outside.
    What's the default route on the 192.168.1.5 and .3 machines? The router
    or the firewall?

    It looks like your router doesn't know how to get back to the
    192.168.202.x network. If you add a static route on your router that
    tells it to send traffic destined for the 192.168.202.x network to the
    192.168.1.224 interface on the firewall box I think it will start
    working for you.

    /jft
  • Marc Breslow at Jul 18, 2006 at 4:36 pm
    Jeff,

    I think we are on to something here. I added a static route on the
    192.168.1.1 router to the 192.168.1.224 with the gateway address equal to
    the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind
    the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the
    firewall. I can ping yahoo from the firewall.

    Any other thoughts?

    Thanks,
    ---Marc

  • Jeffrey Tadlock at Jul 18, 2006 at 7:13 pm

    Marc Breslow wrote:
    I think we are on to something here. I added a static route on the
    192.168.1.1 router to the 192.168.1.224 with the gateway address equal to
    the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind
    the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the
    firewall. I can ping yahoo from the firewall.

    Any other thoughts?
    Do you still have the firewall turned off for testing? If so, I would
    try to traceroute to the 209.73.186.238 address and see if that helps
    show you anything.

    /jft
  • Guillermo Garron at Jul 18, 2006 at 7:47 pm
    What are your NAT policies?

    /etc/init.d/iptables status
    or
    iptables -L
    &
    iptables -L -t nat

    please.

    regards,
    Guillermo.

  • Guillermo Garron at Jul 18, 2006 at 7:50 pm
    Sorry, I made a mistake: what we need are your NAT policies on the router, but
    now that I re-read your email, you can ping yahoo from the firewall so the
    NAT is working.

    Do you know which IP you are using to ping outside?
    What is the source IP your PC is using?

    Maybe you can use the -I parameter on ping in order to force your Linux box
    to use the eth1 IP and not the eth0 IP (10.x.x.x).

    hope it helps.
    regards,
    Guillermo.

  • Aleksandar Milivojevic at Jul 19, 2006 at 3:50 pm

    Quoting Marc Breslow <marc@radiusIM.com>:

    Jeff,

    I think we are on to something here. I added a static route on the
    192.168.1.1 router to the 192.168.1.224 with the gateway address equal to
    the eth1 IP address on the firewall. I can now ping 192.168.1.1 from behind
    the firewall but I still can't ping 209.73.186.238 (yahoo) from behind the
    firewall. I can ping yahoo from the firewall.

    Any other thoughts?
    Couple of questions.

    Is your firewall (the CentOS box with 192.168.1.224 and 192.168.202.1
    interfaces) configured to perform NAT? Or is the firewall on it
    completely turned off?

    What exactly is the route you added to your external router? That
    router probably has two network interfaces and therefore two routes
    with link scope associated with them: one telling it how to reach the
    router at the ISP end, and a second one for your 192.168.1.0/24 network.
    Everything else will be routed to the default route (meaning
    outside). You want to add a static route on your external router for
    192.168.202.0/24 pointing to 192.168.1.224. Is that what you did?

    If that is what you did, you might want to check configuration of your
    external router, and see how firewalling is configured on it. Many of
    those small devices have some firewalling enabled by default in them.
    Maybe it considers only 192.168.1.0/24 to be internal network, and
    drops everything else from inside.

    Try doing traceroute from 192.168.202.10. Also, running tcpdump on
    your firewall's eth1 and eth3 interfaces in parallel (for example from
    two terminal windows) while you are doing traceroute or simply
    attempting to ping outside world and comparing the outputs might give
    you an idea what is going on.

    --
    See Ya' later, alligator!
    http://www.8-P.ca/
  • Alex Palenschat at Jul 18, 2006 at 6:35 pm

    Jeff,

    I think we are on to something here. I added a static route
    on the 192.168.1.1 router to the 192.168.1.224 with the
    gateway address equal to the eth1 IP address on the firewall.
    I can now ping 192.168.1.1 from behind the firewall but I
    still can't ping 209.73.186.238 (yahoo) from behind the
    firewall. I can ping yahoo from the firewall.

    Any other thoughts?
    Possible Firewall policy at 192.168.1.1 router. Also, possibly NAT
    policy on the firewall at 192.168.1.1. You may need to set up a NAT for
    the 192.168.202.x network? What type of router is it?

    Just some guesses...

    alex
  • Marc Breslow at Jul 18, 2006 at 6:46 pm
    It's a Netgear router. WPN824v2.

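The replies above make three separate diagnoses: Jeffrey's (the Netgear has no return route for 192.168.202.0/24), Guillermo's (which source address does the host actually put on the packet), and Aleksandar's and Alex's (the Netgear's NAT or firewall policy may only cover 192.168.1.0/24). The following is an added example, not code from the thread or from any of its participants: a small Python model of the topology that walks a ping and its reply hop by hop, so each hypothesis can be tried against the symptom Marc reports (router reachable after the static route, yahoo still not). The two routing tables quoted from the thread are used as posted; the Netgear's routing table, its WAN address 198.51.100.2, the ISP gateway 203.0.113.1, the host's eth0 address 10.1.16.10, the address-only `conntrack` mapping and the `nat_sources` knob (which stands in for Aleksandar's guess that the router only translates its own LAN) are all assumptions of mine, as are the function names `parse_route_table`, `lookup`, `snat`, `send`, `round_trip`, `build` and `outcome`.

```python
"""Hop-by-hop model of this thread's topology (an added example).  The firewall's and host's routing
tables are the posted `route -n` output; the Netgear's table, addresses and NAT behaviour are CONSTRUCTED."""
import ipaddress
from dataclasses import dataclass, field

FIREWALL_ROUTES = """\
10.0.0.0 0.0.0.0 255.255.255.254 U 0 0 0 eth4
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.202.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth4
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1"""
HOST_ROUTES = """\
192.168.202.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.1.16.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.202.1 0.0.0.0 UG 0 0 0 eth1"""
# Constructed: a LAN link route plus a default to the ISP (203.0.113.1 and the WAN 198.51.100.2 are stand-ins).
NETGEAR_ROUTES = """\
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 lan
0.0.0.0 203.0.113.1 0.0.0.0 UG 0 0 0 wan"""
STATIC = "192.168.202.0 192.168.1.224 255.255.255.0 UG 0 0 0 lan"  # the return route Jeffrey suggested
YAHOO = "209.73.186.238"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_route_table(text):
    """Parse `route -n` lines into (network, gateway-or-None, iface); header lines are skipped."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 8 and f[0] != "Destination":
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
            routes.append((net, None if f[1] == "0.0.0.0" else f[1], f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None when nothing matches."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

@dataclass
class Node:
    name: str
    addrs: dict                                      # iface -> address
    routes: list
    masquerade: set = field(default_factory=set)     # egress ifaces that SNAT to their own address
    nat_sources: list = field(default_factory=list)  # source nets the SNAT covers; empty = any source
    conntrack: dict = field(default_factory=dict)    # translated src -> original src (address-only)

def snat(node, iface, src):
    """MASQUERADE on `iface`: rewrite src to the interface address and remember the mapping."""
    if iface not in node.masquerade or (node.nat_sources and not any(
            ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in node.nat_sources)):
        return src                      # untranslated: a foreign private source leaks out unchanged
    node.conntrack[node.addrs[iface]] = src
    return node.addrs[iface]

def send(nodes, node, src, dst, reply=False):
    """Forward one packet until delivered, dropped or handed to the ISP: (status, trace, src, dst, last)."""
    trace = []
    for _ in range(8):
        dst = node.conntrack.get(dst, dst) if reply else dst   # undo NAT for a returning reply
        if dst in node.addrs.values():
            return "delivered", trace + [f"{node.name}: delivered to {dst}"], src, dst, node
        if (r := lookup(node.routes, dst)) is None:
            return "no route", trace + [f"{node.name}: no route to {dst}"], src, dst, node
        _, gw, iface = r
        src = src if reply else snat(node, iface, src)
        nexthop = gw or dst
        trace.append(f"{node.name}: {src} -> {dst} via {nexthop} dev {iface}")
        if nexthop not in nodes:
            return "left to ISP", trace, src, dst, None
        node = nodes[nexthop]
    return "loop", trace, src, dst, node

def round_trip(nodes, start, dst):
    """Send from `start` to `dst` and route the reply back; returns (verdict, trace)."""
    src = start.addrs[lookup(start.routes, dst)[2]]   # source selection: the egress interface's address
    status, trace, seen_src, seen_dst, node = send(nodes, start, src, dst)
    if status == "left to ISP":
        if any(ipaddress.ip_address(seen_src) in n for n in RFC1918):
            return "lost: RFC 1918 source address reached the ISP", trace
        node, seen_dst = nodes[seen_src], dst          # the reply comes back to the public address
    elif status != "delivered":
        return "lost: " + status, trace
    status, back, _, final, last = send(nodes, node, seen_dst, seen_src, reply=True)
    ok = status == "delivered" and last is start and final == src
    return ("ok" if ok else "lost: reply " + status), trace + back

def build(router_nat_sources=(), return_route=False, firewall_nat=False):
    host = Node("host", {"eth0": "10.1.16.10", "eth1": "192.168.202.10"}, parse_route_table(HOST_ROUTES))
    fw = Node("firewall", {"eth1": "192.168.1.224", "eth3": "192.168.202.1"},
              parse_route_table(FIREWALL_ROUTES), masquerade={"eth1"} if firewall_nat else set())
    router = Node("netgear", {"lan": "192.168.1.1", "wan": "198.51.100.2"},
                  parse_route_table(NETGEAR_ROUTES + ("\n" + STATIC if return_route else "")),
                  masquerade={"wan"}, nat_sources=list(router_nat_sources))
    return {a: n for n in (host, fw, router) for a in n.addrs.values()}, host

def outcome(dst, **topology):
    nodes, host = build(**topology)
    return round_trip(nodes, host, dst)[0]
```

`round_trip` also returns the hop trace, which is the software counterpart of Aleksandar's suggestion to run tcpdump on eth1 and eth3 side by side. Under the "router only translates 192.168.1.0/24" assumption the model reproduces Marc's report exactly: without the static route the Netgear's echo reply to 192.168.202.10 follows its default route out to the ISP; with the static route the router becomes pingable, but a ping to yahoo leaves the Netgear with an RFC 1918 source address and no reply can come back. Masquerading 192.168.202.0/24 behind the firewall's eth1 address makes the Netgear see only 192.168.1.224, so it works with or without the static route and regardless of what the consumer router's NAT covers.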

Discussion overview: group centos (centos.org, irc #centos), posted Jul 18, '06 at 3:54p, active Jul 19, '06 at 3:50p, 12 posts, 7 users.