- 02-17-2010 #1 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
IP Forwarding refuses to work!
Hi everyone,
Firstly I've been searching on here and all the stuff I've found doesn't help as I don't think I've missed anything. I had the setup working on my old system before I upgraded to new hardware and then migrated the ip addresses and some of the configs over...Everything seems to be working apart from the IP forwarding.
I have a 10.1.2.0 network internally
10.1.2.80 is the internal interface of the gateway
I have a 10.1.1.0 network externally (which houses the internet gateway)
10.1.1.23 is the external interface of the gateway
10.1.1.1 is the internet gateway
so here is the information from a host internal network
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-1C-BF-10-BC-53
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.2.20
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.2.80
DHCP Server . . . . . . . . . . . : 10.1.2.80
DNS Servers . . . . . . . . . . . : 10.1.2.80
Lease Obtained. . . . . . . . . . : Wednesday, 17 February 2010 18:21:47
Lease Expires . . . . . . . . . . : Wednesday, 17 February 2010 18:31:47
Host routing
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x90003 ...00 1c bf 10 bc 53 ...... Intel(R) PRO/Wireless 3945ABG Network Connection - McAfee NDIS Intermediate Filter Miniport
0x90004 ...00 21 70 7a 42 d4 ...... Broadcom NetXtreme 57xx Gigabit Controller #3 - McAfee NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.2.80 10.1.2.20 25
10.1.2.0 255.255.255.0 10.1.2.20 10.1.2.20 25
10.1.2.20 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.1.2.20 10.1.2.20 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.1.2.20 10.1.2.20 20
224.0.0.0 240.0.0.0 10.1.2.20 10.1.2.20 25
255.255.255.255 255.255.255.255 10.1.2.20 10.1.2.20 1
255.255.255.255 255.255.255.255 10.1.2.20 90004 1
Default Gateway: 10.1.2.80
===========================================================================
Persistent Routes:
None
Route Table
I can do a nslookup :
d:\nslookup (fedora)
*** Can't find server name for address 10.1.2.80: Server failed
*** Default servers are not available
Non-authoritative answer:
Server: UnKnown
Address: 10.1.2.80
Name: (fedora)
Address: 67.40.49.163
It's resolving off the gateway but still gives an error, always did that even with the working situation.
Now here's info from the gateway (and the dns caching & dhcpd setup came from the old system, copied across with identical ip's on the gateway)
eth0 Link encap:Ethernet HWaddr 00:24:8C:78:87:BE
inet addr:10.1.2.80 Bcast:10.1.2.255 Mask:255.255.255.0
inet6 addr: fe80::224:8cff:fe78:87be/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47338 errors:0 dropped:0 overruns:0 frame:0
TX packets:88520 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2901845 (2.7 MiB) TX bytes:132922402 (126.7 MiB)
Interrupt:27 Base address:0x2000
wlan0 Link encap:Ethernet HWaddr 00:08:A1:85:8B:9C
inet addr:10.1.1.23 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::208:a1ff:fe85:8b9c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7207 errors:0 dropped:0 overruns:0 frame:0
TX packets:6915 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:778337 (760.0 KiB) TX bytes:1008011 (984.3 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 wlan0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
cat /proc/sys/net/ipv4/ip_forward
1
grep -i ip_for /etc/sysctl.conf
net.ipv4.ip_forward = 1
grep -i forw /etc/sysconfig/network
FORWARD_IPV4=true
grep -i forw /etc/sysconfig/networking/devices/ifcfg-eth0
FORWARD_IPV4=yes
Now all that looks right and the gateway can connect to the internet fine :
nslookup (fedora)
Server: 10.1.1.1
Address: 10.1.1.1#53
Non-authoritative answer:
Name: (fedora)
Address: 67.40.49.163
ping (fedora)
PING (fedora) (67.40.49.163) 56(84) bytes of data.
64 bytes from (fedora) (67.40.49.163): icmp_seq=1 ttl=237 time=235 ms
64 bytes from (fedora) (67.40.49.163): icmp_seq=2 ttl=237 time=223 ms
^C
--- (fedora) ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1230ms
rtt min/avg/max/mdev = 223.742/229.850/235.959/6.127 ms
So I'm really confused!!!! Help?
- 02-17-2010 #2 Linux Guru
- Join Date
- Nov 2007
- Posts
- 1,722
*Assuming the "internet gateway" system is connected to a public IP and there is not routing through further private networks...*
Unless the systems on the 10.1.1.0 network have a static route explaining HOW to get back to the 10.1.2.0 network, you will need masquerading enabled via IPTables on the 10.1.1.0/10.1.2.0 gateway machine.
You can use tcpdump on any systems to see what packets are making it to what machines.
- 02-17-2010 #3 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
Sorry, I should have maybe made that a bit clearer. 10.1.1.1 router is the gateway to the internet and yes it has a static route stating that 10.1.2.0 has a gateway of 10.1.1.23 with a 255.250.255.0 netmask.
10.1.2.x can't talk to 10.1.1.x and vice versa, only the middle router with interfaces on both makes it out the 10.1.1.1 to the Internet.
- 03-02-2010 #4 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
masq is setup...
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Please help?
- 03-03-2010 #5
OK, the above is hard to read as you did not post the output using the CODE tags.
This is easier to read than what you have posted.
Code:
~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:D8:95:65:7D
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10837 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9882680 (9.4 MiB)  TX bytes:1040569 (1016.1 KiB)
          Interrupt:185 Memory:fac00000-0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:65948 (64.4 KiB)  TX bytes:65948 (64.4 KiB)
You get the above by placing the text you cut&paste between {code}{/code} replacing {} with []. This keeps the format.
I'm going to assume your gateway is some form of RH distro.
Now I would like the following output from the gateway box using the code tags:
ifconfig
route -n
cat /etc/sysconfig/iptables
ping <any address on the 10.1.2.*>
- 03-03-2010 #6 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
Sorry for that...
Yes, FC12.
Code:
=>ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:8C:78:87:BE
          inet addr:10.1.2.80  Bcast:10.1.2.255  Mask:255.255.255.0
          inet6 addr: fe80::224:8cff:fe78:87be/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2079007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3917629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:125916804 (120.0 MiB)  TX bytes:5870017867 (5.4 GiB)
          Interrupt:27 Base address:0xe000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4552 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4552 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1609122 (1.5 MiB)  TX bytes:1609122 (1.5 MiB)
wlan0     Link encap:Ethernet  HWaddr 00:08:A1:85:8B:9C
          inet addr:10.1.1.23  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::208:a1ff:fe85:8b9c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6839445 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6063573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4853415446 (4.5 GiB)  TX bytes:1341148892 (1.2 GiB)
wmaster0  Link encap:UNSPEC  HWaddr 00-08-A1-85-8B-9C-80-4E-00-00-00-00-00-00-00-00
          UP RUNNING  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
=>route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 wlan0
=>cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.5 on Tue Mar 2 17:27:28 2010
*nat
:PREROUTING ACCEPT [341736:31562983]
:POSTROUTING ACCEPT [7428:2263507]
:OUTPUT ACCEPT [315513:29503157]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 2 17:27:28 2010
# Generated by iptables-save v1.4.5 on Tue Mar 2 17:27:28 2010
*filter
:INPUT ACCEPT [8032062:4579135398]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8965663:5670961015]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
# Completed on Tue Mar 2 17:27:28 2010
=>ping 10.1.2.1
PING 10.1.2.1 (10.1.2.1) 56(84) bytes of data.
64 bytes from 10.1.2.1: icmp_seq=1 ttl=64 time=0.362 ms
64 bytes from 10.1.2.1: icmp_seq=2 ttl=64 time=0.361 ms
64 bytes from 10.1.2.1: icmp_seq=3 ttl=64 time=0.353 ms
^C
--- 10.1.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2239ms
rtt min/avg/max/mdev = 0.353/0.358/0.362/0.022 ms
the routing table is smaller than it used to be as I tried to remove extra routes just in case that was it...no difference. The routes I removed were
Code:
1051 route del -net 10.1.1.0 netmask 255.255.255.0 wlan0
1055 route del -net 169.254.0.0 netmask 255.255.0.0 eth0
Regards,
Andy
- 03-03-2010 #7
Looking at what you have posted above your system has not forwarded any packets as can be seen in the *filter section of your firewall.
So if I understand you correctly you can get to, for example, google.com from the gateway box but from anything behind this box you cannot. Correct?
What does the routing table look like on the box behind the gateway (10.1.2.*)? Can it ping any ip address on the 10.1.1.* network that isn't the gateway router?
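Post #7 reads the `[0:0]` on the `:FORWARD` line of the saved ruleset. As an added example (not part of the thread): that bracket counts only packets that fell through to the chain policy, while packets accepted by `-A FORWARD -i eth0 -j ACCEPT` are counted on the rule itself and appear only in `iptables-save -c` output. The sketch below parses both forms; the function names and the rule counter values are constructed for illustration.

```python
import re

# Ruleset from post #6 with rule counters in `iptables-save -c` format.
# The rule counter values ([95:6840], [120:9000]) are constructed.
SAVED_WITH_COUNTERS = """\
*nat
:POSTROUTING ACCEPT [7428:2263507]
[95:6840] -A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[120:9000] -A FORWARD -i eth0 -j ACCEPT
COMMIT
"""
# The same filter table as it appears on the page (saved without -c).
SAVED_PLAIN = "*filter\n:FORWARD ACCEPT [0:0]\n-A FORWARD -i eth0 -j ACCEPT\nCOMMIT\n"

CHAIN = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE = re.compile(r"^(?:\[(\d+):(\d+)\] )?-A (\S+) (.+)$")

def parse_save(text):
    """Map (table, chain) -> {'policy_pkts': int, 'rules': [(pkts or None, spec)]}."""
    chains, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif m := CHAIN.match(line):
            chains[(table, m[1])] = {"policy_pkts": int(m[3]), "rules": []}
        elif m := RULE.match(line):
            entry = chains.setdefault((table, m[3]), {"policy_pkts": 0, "rules": []})
            entry["rules"].append((None if m[1] is None else int(m[1]), m[4]))
    return chains

def forward_hits(text):
    """Policy hits plus rule hits for filter/FORWARD (exact when every rule
    has a terminating target such as ACCEPT or DROP).
    Returns None when a rule carries no counter, i.e. the total is unknown."""
    fwd = parse_save(text).get(("filter", "FORWARD"))
    if fwd is None:
        return None
    total = fwd["policy_pkts"]
    for pkts, _spec in fwd["rules"]:
        if pkts is None:
            return None
        total += pkts
    return total

if __name__ == "__main__":
    print("with -c:", forward_hits(SAVED_WITH_COUNTERS))
    print("plain  :", forward_hits(SAVED_PLAIN))
```

On a live gateway the input would come from `iptables-save -c` rather than from `/etc/sysconfig/iptables`, which holds the counters as they were when the file was written.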
- 03-03-2010 #8 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
Correct, nothing...can do dns queries (as 10.1.2.80 is a proxy for dns) but no actual connection
Code:
Client=>route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         10.1.2.80       0.0.0.0         UG    0      0        0 eth0
Client=>ping 10.1.2.80
PING 10.1.2.80 (10.1.2.80) 56(84) bytes of data.
64 bytes from 10.1.2.80: icmp_seq=1 ttl=64 time=0.159 ms
64 bytes from 10.1.2.80: icmp_seq=2 ttl=64 time=0.137 ms
^C
--- 10.1.2.80 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1090ms
rtt min/avg/max/mdev = 0.137/0.148/0.159/0.011 ms
Client=>ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
^C
--- 10.1.1.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9927ms
Client=>ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4175ms
Client=>ping www-google-com
PING www-google-com (66.102.7.103) 56(84) bytes of data.
^C
--- www-google-com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4819ms
- 03-04-2010 #9
Your gateway/router is not passing traffic. Have you ensured that forwarding is turned on? Have you tried to reboot the system?
- 03-04-2010 #10 Just Joined!
- Join Date
- Feb 2010
- Posts
- 14
Yes...hence my issue!

Code:
cat /proc/sys/net/ipv4/ip_forward
1
grep -i ip_for /etc/sysctl.conf
net.ipv4.ip_forward = 1
grep -i forw /etc/sysconfig/network
FORWARD_IPV4=true
grep -i forw /etc/sysconfig/networking/devices/ifcfg-eth0
FORWARD_IPV4=yes
I've just noticed this... I have a true & a yes for FORWARD_IPV4...shouldn't they both be the same? If so, is it true or yes?


