1.  The best network calculator on the web is:

http://www.agt.net/public/sparkman/netcalc.htm

You can check your subnet calculations there.

Your ISP should not care about how you have subnetted.  They have routed all
traffic for that subnet to you (if they did their job right).

What you are doing wrong is a large question.  From my point of view the answer
is a lot. I see no firewall here.  Even with subnets you have left yourself
wide open to any attack from anywhere.  It is a rare thing that I would
allow "real" IP addresses on internal machines in a network.  You need to
look into using ipchains.  Rusty's ipchains HOWTO is easy and
complete.  It can be found here:

http://www.europe.redhat.com/documentation/HOWTO/IPCHAINS-HOWTO.php3

For my part, on my internal network I use one to one mapping of NAT address
to outside addresses using an internal and external NAT pool.  I then tie
the network down using the ipchains rules.  I have to admit to using access
lists in my router as well.

Paul Anderson

The way you have things set up, the default gateway for your clients is
outside the mask you have set for the client so that the default gateway is
unreachable.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Peter Peltonen
Sent: Friday, December 29, 2000 8:45 AM
To: [EMAIL PROTECTED]
Subject: simple routing problem



WHAT I'M TRYING TO DO
---------------------

I'm trying to connect a network with public ip-addresses to the Internet
via a Linux (Red Hat 6.2) router.


THE PROBLEM
-----------

No routing is happening. I can ping from the router both the Internet and
my own net, but can not ping from my own net the Internet.

I've written a diary of how I set up my network. Maybe someone could find the
part I'm doing wrong?


CALCULATED THE SUBNETS
----------------------

My ISP has given me the net xxx.xx.xxx.128. So, I have half a class C
network in my use (addresses 129-254).

I divided that net into three parts:

net       name    netmask    ip

.128      dmz1    .192       .129 - .190
.192      dmz2    .224       .193 - .222
.224      router  .224       .225 - .224

Dmz2 is for future use. I'm not planning to use it for now.

Have I calculated the subnets correctly?

My ISP doesn't know about the subnets I've created. Is that a problem? I
think that it isn't, as xxx.xx.xxx.128/255.255.255.0 is forwarded to my
router and my router then forwards the packets to right directions, right?


MY PLANNED NETWORK
------------------

HDSL .254
 +
 |
 |
 +
eth0 .253
Linux-router
eth1 .190
 +
 |
 |
 +
eth0 .129
Linux-client



ROUTER'S KERNEL (2.2.17) SETTINGS
---------------------------------

From Networking Options I chose:

* Packet socket
* Kernel/User netlink socket
* Routing messages
* Netlink device emulation
* Network firewalls
* Socket Filtering
* Unix domain sockets
* TCP/IP networking
* IP: multicasting
* IP: advanced router
* IP: policy routing
* IP: equal cost multipath
* IP: use TOS value as routing key
* IP: verbose route monitoring
* IP: large routing tables
* IP: fast network address translation
* IP: kernel level autoconfiguration
*       DHCP support
* IP: firewalling
* IP: firewall packet netlink device
* IP: use FWMARK value as routing key
* IP: transparent proxy support
* IP: masquerading
* IP: ICMP masquerading
* IP: optimize as router not host
M IP: tunneling
M IP: GRE tunnels over IP
* IP: broadcast GRE over IP
* IP: aliasing support
* IP: Allow large windows



ROUTER'S NETWORK SETUP
----------------------

I've got RH 6.2 server installation running on my router. I've installed all
updates available.

I ran my network down:
root# /etc/rc.d/init.d/network stop

And then configured the /etc/sysconfig/network file:

--snip--
NETWORKING=yes
# in reality the next one is the real dns name
HOSTNAME=peking
--snip--

Edited the /etc/sysctl.conf file

--snip--
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Disables source route verification
net.ipv4.conf.all.rp_filter = 0
# Enables automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
--snip--

I removed /etc/sysconfig/ifcfg-eth* files.

Started the network again:
root# /etc/rc.d/init.d/network start

Now my routing table is empty and ifconfig knows only about the lo
device.

I added my nameserver ip to the /etc/resolv.conf file.

Configured the network settings:

root# ifconfig eth0 xxx.xx.xxx.253 netmask 255.255.255.224 up
root# ifconfig eth1 xxx.xx.xxx.190 netmask 255.255.255.192 up
root# route add default gw xxx.xx.xxx.254

The settings look like this now:

root# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:5F:BC:FE:37
          inet addr:xxx.xx.xxx.253  Bcast:xxx.xx.xxx.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:3 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:D0:B7:BD:9E:3C
          inet addr:xxx.xx.xxx.190  Bcast:xxx.xx.xxx.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3583 errors:0 dropped:0 overruns:0 frame:0
          TX packets:625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xx.xxx.224  0.0.0.0         255.255.255.224 U     0      0        0 eth0
xxx.xx.xxx.128  0.0.0.0         255.255.255.192 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xxx.xx.xxx.254  0.0.0.0         UG    0      0        0 eth0

I checked that I really was forwarding the packets:

root# cat /proc/sys/net/ipv4/ip_forward
1

And that I can ping everybody:

root# ping xxx.xx.xxx.253
PING xxx.xx.xxx.253 (xxx.xx.xxx.253) from xxx.xx.xxx.253 : 56(84) bytes of data.
64 bytes from xxx.xx.xxx.253: icmp_seq=0 ttl=255 time=338 usec

root# ping xxx.xx.xxx.190
PING xxx.xx.xxx.190 (xxx.xx.xxx.190) from xxx.xx.xxx.190 : 56(84) bytes of data.
64 bytes from xxx.xx.xxx.190: icmp_seq=0 ttl=255 time=374 usec

root# ping xxx.xx.xxx.254
PING xxx.xx.xxx.254 (xxx.xx.xxx.254) from xxx.xx.xxx.253 : 56(84) bytes of data.
64 bytes from xxx.xx.xxx.254: icmp_seq=0 ttl=255 time=1.646 msec

root# ping ftp.funet.fi
PING ftp.funet.fi (193.166.0.148) from xxx.xx.xxx.253 : 56(84) bytes of data.
64 bytes from ftp.funet.fi (193.166.0.148): icmp_seq=0 ttl=248 time=7.329 msec



THE CLIENT MACHINE'S SETTINGS
-----------------------------

I'm running RH 6.2 (full install) on the client machine too.

Ran the network down:
root# /etc/rc.d/init.d/network stop

And edited the /etc/sysconfig/network file:

--snip--
NETWORKING=yes
# in reality the next one is the real dns name
HOSTNAME=antarktis
--snip--

I removed /etc/sysconfig/ifcfg-eth* files.

Started the network again:
root# /etc/rc.d/init.d/network start

Now my routing table is empty and ifconfig knows only about the lo
device.

I added my nameserver ip to the /etc/resolv.conf file.

Configured the network settings:

root# ifconfig eth0 xxx.xx.xxx.129 netmask 255.255.255.192 up
root# route add default gw xxx.xx.xxx.190

And the settings look like this now:

root# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:5A:72:8D:AC
          inet addr:xxx.xx.xxx.129  Bcast:xxx.xx.xxx.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1877078 errors:1 dropped:0 overruns:0 frame:1
          TX packets:1341156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xb800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:863692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:863692 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xx.xxx.128  0.0.0.0         255.255.255.192 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xxx.xx.xxx.190  0.0.0.0         UG    0      0        0 eth0

Tried whether I can reach the default gateway:

root# ping xxx.xx.xxx.190
PING xxx.xx.xxx.190 (xxx.xx.xxx.190) from xxx.xx.xxx.129 : 56(84) bytes of data.
64 bytes from xxx.xx.xxx.190: icmp_seq=0 ttl=255 time=407 usec

Ok. How about the router's eth0:

[root@cayman network-scripts]# ping xxx.xx.xxx.253
PING xxx.xx.xxx.253 (xxx.xx.xxx.253) from xxx.xx.xxx.129 : 56(84) bytes of data.
64 bytes from xxx.xx.xxx.253: icmp_seq=0 ttl=255 time=394 usec

Ok. And what might the HDSL-router say:

# ping xxx.xx.xxx.254
PING xxx.xx.xxx.254 (xxx.xx.xxx.254) from xxx.xx.xxx.129 : 56(84) bytes of data.

No replies. Just silence.

What am I doing wrong???

A bit hopeless,
Peter



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
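Paul's advice to check the subnet calculations, and his point that a default gateway must fall inside the mask of the host using it, as an added example that is not part of either message: it recomputes Peter's three subnets with Python's ipaddress module and tests gateway reachability for the client and router. The redacted xxx.xx.xxx prefix is replaced by the constructed stand-in 192.0.2 (TEST-NET-1).

```python
import ipaddress

# Constructed stand-in for the redacted xxx.xx.xxx prefix (TEST-NET-1).
PREFIX = "192.0.2."

# The three subnets exactly as listed in Peter's table: (network, netmask).
PLAN = {
    "dmz1": (PREFIX + "128", "255.255.255.192"),
    "dmz2": (PREFIX + "192", "255.255.255.224"),
    "router": (PREFIX + "224", "255.255.255.224"),
}
# What the ISP handed over: the upper half of a class C, i.e. .128/25.
ISP_BLOCK = ipaddress.ip_network(PREFIX + "128/25")


def subnet_summary(net_addr, netmask):
    """Return (first usable, last usable, broadcast) as last octets."""
    net = ipaddress.ip_network(f"{net_addr}/{netmask}", strict=True)
    hosts = list(net.hosts())
    return (int(hosts[0]) & 0xFF, int(hosts[-1]) & 0xFF,
            int(net.broadcast_address) & 0xFF)


def gateway_on_link(host_ip, netmask, gateway):
    """True if the gateway is a host address inside the host's own subnet,
    i.e. reachable directly on the link, which a default gateway must be."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    return (gw in iface.network
            and gw != iface.network.network_address
            and gw != iface.network.broadcast_address)


def plan_is_consistent(plan=PLAN, block=ISP_BLOCK):
    """All subnets must sit inside the ISP block and must not overlap."""
    nets = [ipaddress.ip_network(f"{a}/{m}") for a, m in plan.values()]
    inside = all(n.subnet_of(block) for n in nets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    for name, (addr, mask) in PLAN.items():
        print(name, addr, mask, "usable .%d-.%d, bcast .%d" % subnet_summary(addr, mask))
    print("plan consistent:", plan_is_consistent())
    # Client eth0 .129/26 with gw .190; router eth0 .253/27 with gw .254.
    print("client gw on-link:", gateway_on_link(PREFIX + "129", "255.255.255.192", PREFIX + "190"))
    print("router gw on-link:", gateway_on_link(PREFIX + "253", "255.255.255.224", PREFIX + "254"))
    # The HDSL router .254 is not on the client's link, so the client can only reach it via the Linux router.
    print("client -> .254 on-link:", gateway_on_link(PREFIX + "129", "255.255.255.192", PREFIX + "254"))
```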


