  1. #1
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2

    Question Routing question -- internal boxes can't get to internet


    I'm trying to set up a firewall/router for an internal network.
    The firewall box has two NICs. eth0 is on 192.168.1.106, and is connected to a router at 192.168.1.1 that connects to the internet. eth1 is on 10.0.0.3, and connects to several 10.0.0.x boxes through a switch. I'm running Ubuntu 12.04 on all boxes. No firewall software is configured yet.

    I can ping the internet and all the internal boxes from the firewall box. Its netstat -rn is:

    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
    10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

    From any internal box (e.g. 10.0.0.104), I can ping all the other 10.0.0.x boxes, and I can ping the firewall box on 192.168.1.106, but I can't ping the router at 192.168.1.1 or anything on the internet. The netstat -rn on these boxes looks like this:

    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 10.0.0.3 0.0.0.0 UG 0 0 0 eth0
    10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

    I've spent a few hours on this so far, and can't find what's wrong. Any ideas would be greatly appreciated.

  2. #2
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,752
    If you have no routing daemons running on the 10.0.0.3 box and no iptables rules configured, then you have done nothing to enable that system to accept/forward packets for the 10.X network. If you are not going to install any routing software and plan to do this with iptables, then you need to A) enable IP forwarding (kernel setting) and B) enable iptables to 1. masquerade forwarded packets and 2. send response packets back to the 10.X network.

    Lots of docs and examples exist for this, such as this very short one.
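The steps the reply lists (enable kernel IP forwarding, masquerade traffic leaving the upstream interface, and let the replies back through to the internal network) as a worked example. This is an added script, not code from the thread or from any of the posters; it assumes the thread's interface roles (eth0 toward the 192.168.1.1 router, eth1 on 10.0.0.0/24) and lets you override them with environment variables. It prints the commands by default so they can be reviewed, and only executes them when run as root with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): minimal forward + NAT setup for a
# two-NIC Linux router. Interface names and subnet below are assumptions
# taken from the thread; override them via the environment if yours differ.
WAN_IF="${WAN_IF:-eth0}"          # side facing the 192.168.1.1 router
LAN_IF="${LAN_IF:-eth1}"          # side facing the internal switch
LAN_NET="${LAN_NET:-10.0.0.0/24}" # internal subnet that should be NATed

# Emit the commands for steps A and B from the reply:
#   A) turn on kernel IP forwarding
#   B1) masquerade internal traffic as it leaves the WAN interface
#   B2) allow new internal->WAN flows and only the replies back in
# The default FORWARD policy is set to DROP so nothing else is relayed.
router_commands() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Quick check of the symptom in the thread: returns 0 if the kernel is
# currently forwarding, 1 if not (or if /proc is unavailable).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

case "${1:-show}" in
    show)  router_commands "$WAN_IF" "$LAN_IF" "$LAN_NET" ;;
    apply) router_commands "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e ;;
    check) if forwarding_enabled; then echo "ip_forward=1"; else echo "ip_forward=0"; fi ;;
esac
```

`sysctl -w` does not survive a reboot; to persist step A on Ubuntu, set `net.ipv4.ip_forward=1` in `/etc/sysctl.conf` as well. The same applies to the iptables rules, which is one reason to let a tool such as Shorewall own them rather than adding them by hand.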

  3. #3
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2
    Thanks HROAdmin26. When I disabled the Shorewall firewall/router to "test" routing without firewall, I lost the masquerading and forwarding I was getting from there. All works now.
