- 11-26-2006 #1
Networking problem
Hi people,
I've been banging my head against the wall with this one for a while now and I hope you can assist me.
I have a network schema that looks like this:
i--fw--c1--rtr--c2
i = internet
fw = firewall, 192.168.1.1
c1 = computer 1, 192.168.1.150
c2 = computer 2, 192.168.2.13
rtr = router eth1 192.168.2.1, wlan0 192.168.1.2
networks:
192.168.1.0/24
192.168.2.0/24
routes:
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.2
default via 192.168.1.1 dev wlan0
IP forwarding is enabled.
cat /proc/sys/net/ipv4/ip_forward
1
my problem is this:
c1 can use internet, ssh, http...
c1 can ping c2
c1 can not connect to c2 with ssh, http...
c2 can not ping c1
c2 can ping fw
c2 can use internet, ssh, http...
My question to you is how to set things up on the router in order to get c1 and c2 to be able to connect to each other. The strange thing is that they can ping, but not use for example ssh?
All help is welcome,
/kjs
- 11-27-2006 #2
Your config looks very strange for me. Is c1 another router? For me
Code:
i--fw--rtr -- c1
          !-- c2
makes much more sense.
rtr is a Linux box?
- 11-27-2006 #3
Hmmm, what I was trying to show with the schema is that c1 is in between fw and rtr.
fw is a wireless router/firewall.
c1 is a linux laptop connected to the wifi interface on fw
rtr is a linux box and has two interfaces, wlan0 and eth0. wlan0 is connected to the wifi interface on fw, which is acting like a switch/hub. The second interface eth0 is the gateway for the second subnet which holds a few servers/desktops, but for simplicity let's assume there is only one client, c2.
I hope I could make things more clear.
/kjs
- 11-28-2006 #4
Re: Networking problem
kjs,
why don't you rearrange your setup to look like this
i-rtr-sw-fw-c1
!-c2
!-cn
where sw is your switch/hub on the 192.168.2.0 subnet.
That way, you can do a proper job of firewalling using iptables in the Linux box, that you control.
Then, use the wireless router "fw" only to connect the wireless laptop. Plug the WAN cable from the "fw" into the switch and use the "fw" LAN IP as the gateway for the laptop.
The c2..cn subnet has the rtr eth1 IP address as its gateway. Then make the rtr gateway on eth0 be the ISP router address uplink.
IMHO, the "firewall" in vendor routers is limited, and is a "black box" that you shouldn't trust. Do you really know what rules are in there? How do you know that it doesn't "leak" packets? If you are security-conscious, then you would NOT use the vendor's router for a gateway firewall facing the Internet for the laptop. Make the Linux box do that.
This is exactly what I have as my setup, and it works for me. And I have the peace of mind that MY iptables rules are exactly what I want.
cuervo
- 11-28-2006 #5
Re: Networking problem
sorry, my "diagram" of a proposed network didn't come out right..
the !-c2 and !-cn should come off the rtr and not the "i" leg..
cuervo
- 11-28-2006 #6
Re: Networking problem
sorry again... I mean that the !-c2 and the !-cn legs should come off the sw switch.
This website editor gobbles whitespace; that makes ASCII art useless.
cuervo
- 11-28-2006 #7
Looks like the following picture is the one we have to talk about.
@cuervo73 Just use [ code ] ... [ / code ] to wrap your pictures (blanks are just to get the tags displayed in this posting)
Code:
i--fw -- c1
     !-- rtr -- c2
1) Have you enabled routing between c1 and c2 on fw in both directions with FW rules?
2) Have you a FW on rtr? If yes, have you opened the FW in both directions?
- 11-28-2006 #8
cuervo73:
I have this setup because of the way my apartment looks. The internet outlet is in the hallway and I want to avoid having cables all over my apartment. I also want to avoid having any computers in the hallway because of lack of space. The wireless connection between fw and rtr exists because I want to have all equipment in my "computer room". The laptop c1 doesn't matter since it can use wifi and therefore I let it connect to the wifi interface of the fw.
framp:
Your schema looks almost right. The fw is also working as a switch for 192.168.1.0/24 subnet. Please have a look at the schema I attached to the message. It should be logically right.
1) since I'm connecting to the switch part of the fw, the fw doesn't need any rules.
2) The rtr is a debian sarge box that is stripped down to the minimum. It has iptables support installed though. I have tried to do the routing with and without iptables forwarding rules. Both give the same result.
The strange thing here is that I can use simple protocols like ntp, dns from c1 to c2 without any problems, but a http or ssh connection doesn't work. While trying to connect from c1 to c2 doing tcpdump on rtr (on both interfaces) it seems like the first packet gets thru and c2 replies back, and after those first packets c1 tries to connect to c2 till it times out.
/Kjs
- 11-28-2006 #9
Originally Posted by kjs
The strange thing here is that I can use simple protocols like ntp, dns from c1 to c2 without any problems, but a http or ssh connection doesn't work. While trying to connect from c1 to c2 doing tcpdump on rtr (on both interfaces) it seems like the first packet gets thru and c2 replies back, and after those first packets c1 tries to connect to c2 till it times out.
Strange. Have you tried to connect from c1 to rtr with ssh?
Could you please post the output of iptables -L -vn with no active FW (just to be sure the FW is off)?
Could you please post the output of tcpdump when you connect with ssh from c1 to c2?
- 11-28-2006 #10
Originally Posted by framp
Could you please post the output of iptables -L -vn with no active FW (just to be sure the FW is off)?
gw2:~# iptables -L -vn
Chain INPUT (policy ACCEPT 1466 packets, 116K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 82 packets, 4141 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2090 packets, 350K bytes)
pkts bytes target prot opt in out source destination
Originally Posted by framp
Strange. Have you tried to connect from c1 to rtr with ssh?
Yes, ssh from c1 to rtr is no problem. Ssh from c2 to rtr works as well.
Originally Posted by framp
Could you please post the output of tcpdump when you connect with ssh from c1 to c2?
gw2:~# tcpdump -n -i wlan0 | grep 192.168.2.13
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
00:10:36.791693 IP 192.168.1.150.59836 > 192.168.2.13.22: S 3714279004:3714279004(0) win 5840 <mss 1460,sackOK,timestamp 7961821 0,nop,wscale 7>
00:10:36.792113 IP 192.168.2.13.22 > 192.168.1.150.59836: S 2263676860:2263676860(0) ack 3714279005 win 5792 <mss 1460,sackOK,timestamp 212345087 7961821,nop,wscale 7>
00:10:36.794233 IP 192.168.1.150.59836 > 192.168.2.13.22: R 3714279005:3714279005(0) win 5840
I get the above and then the ssh client just sits there waiting and nothing is happening.
/kjs
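As an added example (not code from the thread or from any poster), a small Python script that replays tcpdump lines in the classic format kjs posted and flags handshakes where the client answers a valid SYN-ACK with a RST, which is exactly the pattern in the capture above; the sample capture is constructed, combining kjs's three lines with a healthy c1-to-rtr handshake for contrast.

```python
import re

# Constructed sample in the format kjs posted: the failing c1 -> c2 ssh
# handshake (SYN, SYN-ACK, then a RST from c1) followed by a healthy
# c1 -> rtr handshake (SYN, SYN-ACK, ACK) for comparison.
SAMPLE = """\
00:10:36.791693 IP 192.168.1.150.59836 > 192.168.2.13.22: S 3714279004:3714279004(0) win 5840 <mss 1460>
00:10:36.792113 IP 192.168.2.13.22 > 192.168.1.150.59836: S 2263676860:2263676860(0) ack 3714279005 win 5792 <mss 1460>
00:10:36.794233 IP 192.168.1.150.59836 > 192.168.2.13.22: R 3714279005:3714279005(0) win 5840
00:11:02.100000 IP 192.168.1.150.59840 > 192.168.1.2.22: S 100:100(0) win 5840 <mss 1460>
00:11:02.100400 IP 192.168.1.2.22 > 192.168.1.150.59840: S 900:900(0) ack 101 win 5792 <mss 1460>
00:11:02.100900 IP 192.168.1.150.59840 > 192.168.1.2.22: . ack 901 win 46
"""

# One classic-format tcpdump TCP line: timestamp, endpoints, flag letters,
# an optional seq range and an optional ack number.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SR.FP]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def analyze(capture):
    """Replay each client-initiated TCP handshake and record how far it got."""
    flows = {}  # (client, cport, server, sport) -> {"state", "isn"}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        fwd = (p["sip"], p["sport"], p["dip"], p["dport"])
        rev = (p["dip"], p["dport"], p["sip"], p["sport"])
        syn, rst, ack = "S" in p["flags"], "R" in p["flags"], p["ack"]
        if syn and ack is None:  # bare SYN from the client opens a flow
            flows[fwd] = {"state": "SYN_SENT", "isn": int(p["seq"])}
        elif syn and rev in flows:  # SYN-ACK from the server must ack ISN+1
            f = flows[rev]
            if f["state"] == "SYN_SENT" and int(ack) == f["isn"] + 1:
                f["state"] = "SYN_RECEIVED"
        elif fwd in flows and flows[fwd]["state"] == "SYN_RECEIVED":
            # the client's reply to the SYN-ACK decides the outcome
            flows[fwd]["state"] = "RST_AFTER_SYNACK" if rst else "ESTABLISHED"
    return {flow: f["state"] for flow, f in flows.items()}

def failed_handshakes(capture):
    """Flows where the client reset a valid SYN-ACK: the symptom in this thread."""
    return [flow for flow, state in analyze(capture).items() if state == "RST_AFTER_SYNACK"]

if __name__ == "__main__":
    print(failed_handshakes(SAMPLE))
```

Feed it `tcpdump -n -i wlan0` output captured on rtr; a flow reported here means the SYN-ACK reached the client but the client's kernel did not recognise the connection, which points at the path the reply took rather than at c2 or the filter rules.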