  1. #1 (Just Joined!, joined Mar 2007, 6 posts)

    Linux gateway can't ping LAN workstations


    Hi,

    I got a Linux gateway, which has the following:
    WAN1 - eth0 - 192.166.0.2, connecting through gateway 192.166.0.1, mask 255.255.255.0
    WAN1 - eth0 - 192.167.0.2, connecting through gateway 192.167.0.1, mask 255.255.255.0
    LAN - eth2 - 192.168.0.1, mask 255.255.255.0, no gateway (as this IS a gateway linux)

    Basically I have setup some rules using ip route and iptables to have port forwarding to internal machines and to do weight based load balancing of outgoing connections. What happened is: LAN workstations can ping 192.168.0.1 (Linux gateway), they can ping the 192.166.0.1 and 192.167.0.1 and the whole internet. What they can't ping is each other. Also, the linux gateway (I believe that's the reason the machines can't ping each other as well) can't ping any of the workstations. I have used tcpdump and all it returned is that arp works well and then there is no response to the ICMP packets. I also tried other connections, not only ICMP. It all gets no reply.

    What can be wrong on the gateway linux that makes it impossible for it to ping the LAN network on the eth2? It can ping all other networks on eth1 and eth0 as well (they are masqueraded for LAN). Or otherwise: what needs to be in ip route and ip rules and in iptables for it to start working?

    If you need additional info let me know. I will parse it immediately.


    Thanks,

    Robert

  2. #2 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    A good start would be to post your fw rules:
    Code:
    # iptables -nvL

    It would be best to enclose them in code tags when you post so that they're readable.

  3. #3 (Just Joined!, joined Mar 2007, 6 posts)

    The code

    I got scripts to do all the rules, so I can easily modify them. There are 2 scripts I created.

    Script one (setting iptables):
    Code:
    #!/bin/bash
    echo ipfw running
    function nForward {
    #function opens ports and forwards them to the requested IP number
    #usage: nForward protocol source_port destination_IP Input_Interface
    #E.g.: nForward tcp 80 192.168.0.101 eth0
    iptables -t nat -A PREROUTING -i $4 -p $1 --dport $2 -j DNAT --to $3:$2
    iptables -A FORWARD -i $4 -p $1 --dport $2 -d $3 -j ACCEPT
    }

    function nOpen {
    #opens port for local services
    #usage: nOpen protocol source_port Input_Interface
    #E.g.: nOpen tcp 80 eth0
    iptables -A INPUT -p $1 -i $3 --dport $2 -m state --state NEW -j ACCEPT
    }

    #set interfaces up/down
    ifconfig eth2 up
    ifconfig eth3 down
    ifconfig eth1 up
    ifconfig eth0 up

    #enable forwarding on the box
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #flush iptables (flush the rules first, then delete the now-empty user chains;
    #-X fails on a chain that is still referenced, so it must come after -F)
    iptables -F
    iptables -X
    iptables -t nat -F

    #enable NAT and masquerade for WAN communication
    iptables --table nat -A POSTROUTING --out-interface eth1 -j MASQUERADE
    iptables --table nat -A POSTROUTING --out-interface eth0 -j MASQUERADE

    #enable LAN packet accept for forwarding of NAT to work
    iptables -A FORWARD --in-interface eth2 -j ACCEPT

    #enable the LAN users to "see" each other
    iptables -A FORWARD --out-interface eth2 -j ACCEPT

    #open ports for local services
    #port 5902 for vnc
    nOpen tcp 5902 eth0
    nOpen tcp 5902 eth1
    #port 5903 for vnc
    nOpen tcp 5903 eth0
    nOpen tcp 5903 eth1
    #port 22 for ssh
    nOpen tcp 22 eth0
    nOpen tcp 22 eth1

    #setup port forwarding for the services
    #port 4662 TCP for eMule to Rob's laptop
    nForward tcp 4662 192.168.0.138 eth0
    nForward tcp 4662 192.168.0.138 eth1
    #port 4672 UDP for eMule to Rob's laptop
    nForward udp 4672 192.168.0.138 eth0
    nForward udp 4672 192.168.0.138 eth1
    #ports 8090 g8, 8091 g4, 8092 f7 for DLink cameras
    nForward tcp 8090 192.168.0.90 eth0
    nForward udp 8090 192.168.0.90 eth1
    nForward tcp 8091 192.168.0.91 eth0
    nForward udp 8091 192.168.0.91 eth1
    nForward tcp 8092 192.168.0.92 eth0
    nForward udp 8092 192.168.0.92 eth1
    #port 5920 for alan vnc
    nForward tcp 5920 192.168.0.123 eth0
    nForward tcp 5920 192.168.0.123 eth1
    #port 5921 for han vnc
    nForward tcp 5921 192.168.0.133 eth0
    nForward tcp 5921 192.168.0.133 eth1
    #port 5900 for kelvin vnc
    nForward tcp 5900 192.168.0.128 eth0
    nForward tcp 5900 192.168.0.128 eth1
    #port 4125 for server remote PCs access
    nForward tcp 4125 192.168.0.101 eth0
    nForward tcp 4125 192.168.0.101 eth1
    #port 143 for IMAP services
    nForward tcp 143 192.168.0.101 eth0
    nForward tcp 143 192.168.0.101 eth1
    #port 25 to server
    nForward tcp 25 192.168.0.101 eth0
    nForward tcp 25 192.168.0.101 eth1
    #port 80 to server
    nForward tcp 80 192.168.0.101 eth0
    nForward tcp 80 192.168.0.101 eth1
    #port 443 to server
    nForward tcp 443 192.168.0.101 eth0
    nForward tcp 443 192.168.0.101 eth1
    #port 8000 and 10118 (tcp&udp) for LJD camera (192.168.0.97)
    nForward tcp 8000 192.168.0.97 eth0
    nForward tcp 8000 192.168.0.97 eth1
    nForward udp 8000 192.168.0.97 eth0
    nForward udp 8000 192.168.0.97 eth1
    nForward tcp 10118 192.168.0.97 eth0
    nForward tcp 10118 192.168.0.97 eth1
    nForward udp 10118 192.168.0.97 eth0
    nForward udp 10118 192.168.0.97 eth1
    #port 10115 (tcp&udp) for Linksys camera (192.168.0.9
    nForward tcp 10115 192.168.0.98 eth0
    nForward tcp 10115 192.168.0.98 eth1
    nForward udp 10115 192.168.0.98 eth0
    nForward udp 10115 192.168.0.98 eth1
    #ports 21,20 to server
    nForward tcp 21 192.168.0.101 eth0
    nForward tcp 21 192.168.0.101 eth1
    nForward tcp 20 192.168.0.101 eth0
    nForward tcp 20 192.168.0.101 eth1
    #port 3389 (RDC) to server (tcp)
    nForward tcp 3389 192.168.0.101 eth0
    nForward tcp 3389 192.168.0.101 eth1
    #port 53 tcp,udp for server - dns
    nForward tcp 53 192.168.0.101 eth0
    nForward tcp 53 192.168.0.101 eth1
    nForward udp 53 192.168.0.101 eth0
    nForward udp 53 192.168.0.101 eth1
    #port 500 - vpn-ipsec - server - udp
    nForward udp 500 192.168.0.101 eth0
    nForward udp 500 192.168.0.101 eth1
    #port 1701 - vpn-l2tp - server - udp
    nForward udp 1701 192.168.0.101 eth0
    nForward udp 1701 192.168.0.101 eth1
    #port 1723 - vpn-pptp - server - tcp
    nForward tcp 1723 192.168.0.101 eth0
    nForward tcp 1723 192.168.0.101 eth1
    #port 5555 to server??? what is port 5555???
    nForward tcp 5555 192.168.0.101 eth0
    nForward tcp 5555 192.168.0.101 eth1
    #port 444 to server??? what is port 444???
    nForward tcp 444 192.168.0.101 eth0
    nForward tcp 444 192.168.0.101 eth1

    #close all other incoming connections here
    #iptables -A INPUT -i eth0 -m state --state NEW -j REJECT
    #iptables -A FORWARD -i eth0 -m state --state NEW -j REJECT
    #iptables -A INPUT -i eth1 -m state --state NEW -j REJECT
    #iptables -A FORWARD -i eth1 -m state --state NEW -j REJECT
    echo ipfw finished



    Script 2 (for setting ip routes):
    Code:
    #!/bin/bash
    #cleanup (tables T1, T2 and T3 must be named in /etc/iproute2/rt_tables)
    ip route flush all
    ip route flush table T1 all
    ip route flush table T2 all
    ip route flush table T3 all
    ours="T1|T2|T3"
    tables="lookup ($ours)"
    #delete every existing rule that points at one of our tables: strip the
    #"prio:" prefix and the "from all" selector, then feed "ip rule delete ..." to bash
    ip rule show | awk -v k="$tables" '$0 ~ k \
    { sub(/^[0-9]+:[ \t]*/,""); sub(/from all/,""); print "ip rule delete " $0 | "bash" }'
    echo Phase 0.3-flush cache
    ip route flush cache
    #create routing rules for 2 providers on separate tables
    ip route add 192.166.0.0/24 dev eth0 src 192.166.0.2 table T1
    ip route add 192.167.0.0/24 dev eth1 src 192.167.0.2 table T2
    #add routing rules in the main table
    ip route add 192.166.0.0/24 dev eth0 src 192.166.0.2
    ip route add 192.167.0.0/24 dev eth1 src 192.167.0.2
    ip route add 192.168.0.0/24 dev eth2 src 192.168.0.1
    #make sure the requests get routed back through the same provider
    ip rule add from 192.166.0.2 table T1
    ip rule add from 192.167.0.2 table T2
    #routing rules for eth2 on both tables for both providers: eth1 and eth0
    ip route add 192.168.0.0/24 dev eth2 table T1
    ip route add 127.0.0.0/8 dev lo table T1
    ip route add 192.168.0.0/24 dev eth2 table T2
    ip route add 127.0.0.0/8 dev lo table T2
    #add default routes in tables
    ip route add default table T1 via 192.166.0.1
    ip route add default table T2 via 192.167.0.1
    #define weight-based load-balancing (the main table was flushed above, so
    #the delete is only a safety net and may report that no default route exists)
    ip route delete default
    ip route add default scope global nexthop via 192.166.0.1 dev eth0 weight 1 \
    nexthop via 192.167.0.1 dev eth1 weight 1

    Hope this helps. I really need to solve this; it is getting to be a lag in other work, and it is also getting on my nerves, not working like it should.


    Thanks,

    Robert

  4. #4 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    Could you post the results from the command I mentioned (and put it in code tags)?

    That will show the rules as iptables understands them, and it won't require interpreting those scripts.

  5. #5 (Just Joined!, joined Mar 2007, 6 posts)

    iptables rules

    Ok, please find the rules below. If you would like iptables -t nat -nvL as well let me know.


    iptables -nvL:
    Code:
    Chain INPUT (policy ACCEPT 7333 packets, 567K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 state NEW
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 state NEW
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5903 state NEW
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    111 5400 ACCEPT 0 -- eth2 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT 0 -- * eth2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.138 tcp dpt:4662
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.138 tcp dpt:4662
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.138 udp dpt:4672
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.138 udp dpt:4672
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.90 tcp dpt:8090
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.90 udp dpt:8090
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.91 tcp dpt:8091
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.91 udp dpt:8091
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.92 tcp dpt:8092
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.92 udp dpt:8092
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.123 tcp dpt:5920
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.123 tcp dpt:5920
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.133 tcp dpt:5921
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.133 tcp dpt:5921
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.128 tcp dpt:5900
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.128 tcp dpt:5900
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:4125
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:4125
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:143
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:143
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:25
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:25
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:80
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:80
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:443
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:443
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.97 tcp dpt:8000
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.97 tcp dpt:8000
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.97 udp dpt:8000
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.97 udp dpt:8000
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.97 tcp dpt:10118
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.97 tcp dpt:10118
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.97 udp dpt:10118
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.97 udp dpt:10118
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.98 tcp dpt:10115
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.98 tcp dpt:10115
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.98 udp dpt:10115
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.98 udp dpt:10115
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:21
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:21
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:20
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:20
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:3389
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:3389
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:53
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:53
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.101 udp dpt:53
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.101 udp dpt:53
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.101 udp dpt:500
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.101 udp dpt:500
    0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.0.101 udp dpt:1701
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 192.168.0.101 udp dpt:1701
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:1723
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:1723
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:5555
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:5555
    0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.0.101 tcp dpt:444
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.101 tcp dpt:444

    Chain OUTPUT (policy ACCEPT 6223 packets, 462K bytes)
    pkts bytes target prot opt in out source destination

  6. #6 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    You have default ACCEPT policies, so iptables is probably not causing this.

    Read this article: http://www.ducea.com/2006/08/01/how-...ding-in-linux/

    Follow the steps to set net.ipv4.ip_forward to "1" and see if that solves it.

  7. #7 (Just Joined!, joined Mar 2007, 6 posts)

    Done that

    I have done that already. Not much help. I have a deep feeling that ip route might be causing the problem, which is why I have posted my script that does the ip route and ip rule settings. Could my current ip route setup be the issue? By the way, if I reboot the machine and don't make any ip route changes, it still fails to work.

    Any ideas regarding this? It has left me clueless. Is it possible that my kernel configuration is missing something? I can post the .config file of the kernel I compiled if that helps. Let me know.

    Thanks,

    Robert

  8. #8 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    Just for the hell of it, on the gateway box try specifying the gateway itself (192.168.0.1) as a default gateway.

  9. #9 (Just Joined!, joined Mar 2007, 6 posts)

    Tried that

    Tried that. Didn't work either.

    It's either some strange permissions problem (I doubt it) or a routing problem. But so far, for more than 3 days, I have been unsuccessful in getting it to work.

    Any more ideas on your side?


    Thanks,

    Robert

  10. #10 anomie (Linux Guru, Texas, joined Mar 2005, 1,692 posts)
    Well, to summarize this whole thing let's run down the list and make sure you implemented all the suggestions correctly. Can you post output from the following:
    Code:
    $ cat /proc/sys/net/ipv4/ip_forward
    $ cat /proc/sys/net/ipv4/icmp_echo_ignore_*
    And from the following:
    Code:
    $ netstat -rn
    Let's see if that gets us any leads. If not I am out of ideas at the moment.
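Added example, not code from the thread: a POSIX sh self-check that applies the criteria from posts #6 and #10 (ip_forward and icmp_echo_ignore_all, a connected route for the LAN out eth2, and a filter table with all-ACCEPT policies and no DROP/REJECT rule) to a sysctl directory and to captured ip route show / iptables -nvL text, using constructed inputs modelled on the values posted above. The function names and the mktemp scratch directory are my own assumptions.

```shell
#!/bin/sh
# Offline self-check for the symptom in this thread: a gateway that reaches
# its WAN side but gets no reply from the LAN behind eth2.  Every input is a
# directory or a text dump, so the checks also run against captured output.

# check_sysctls DIR: DIR holds files named like those in /proc/sys/net/ipv4.
# Passes when forwarding is on and echo requests are not being ignored.
check_sysctls() {
    rc=0
    [ "$(cat "$1/ip_forward" 2>/dev/null)" = "1" ] || { echo "FAIL: ip_forward is not 1"; rc=1; }
    [ "$(cat "$1/icmp_echo_ignore_all" 2>/dev/null)" = "0" ] || { echo "FAIL: icmp_echo_ignore_all is set"; rc=1; }
    return $rc
}

# check_route NET DEV DUMP: DUMP is "ip route show [table X]" output.
# Passes when NET is a connected route out DEV, which the gateway's own pings need.
check_route() {
    printf '%s\n' "$3" | grep -q "^$1 dev $2" || { echo "FAIL: $1 is not routed via $2"; return 1; }
}

# check_filter DUMP: DUMP is "iptables -nvL" output.  Passes when every chain
# policy is ACCEPT and no rule jumps to DROP or REJECT, i.e. the filter table
# cannot be what eats the packets (the point made in post #6).
check_filter() {
    printf '%s\n' "$1" | grep -Eq 'policy (DROP|REJECT)|^ *[0-9]+ +[0-9]+[KMG]? +(DROP|REJECT) ' \
        && { echo "FAIL: filter table blocks traffic"; return 1; }
    return 0
}

# run_demo: constructed inputs modelled on the values posted in this thread
# (ip_forward=1, the eth2 route, an all-ACCEPT filter table).  Returns 0 when
# all three checks pass, meaning the gateway side looks clean.
run_demo() {
    d=$(mktemp -d)
    echo 1 > "$d/ip_forward"; echo 0 > "$d/icmp_echo_ignore_all"
    routes='192.168.0.0/24 dev eth2  proto kernel  scope link  src 192.168.0.1
192.166.0.0/24 dev eth0  scope link  src 192.166.0.2'
    filter='Chain INPUT (policy ACCEPT 7333 packets, 567K bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp  -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  111  5400 ACCEPT 0    -- eth2 * 0.0.0.0/0 0.0.0.0/0'
    check_sysctls "$d" && check_route 192.168.0.0/24 eth2 "$routes" && check_filter "$filter"
    rc=$?; rm -rf "$d"; return $rc
}

run_demo && echo "gateway side OK"
```

On the gateway itself, call check_sysctls /proc/sys/net/ipv4 and feed the other two the live route and filter dumps. If all three pass, remember that two hosts in the same /24 exchange pings directly through the switch without involving the gateway, so the workstations' own host firewalls are the next thing to inspect.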
