Re: A routing question

2008-05-21 Thread Mumia W..

On 05/21/2008 06:13 PM, Walt L. Williams wrote:

Greetings

I have recently upgraded my computer's hardware. 
After re-installing Debian Etch (64AMD). (I was running 
on a seven year old AMD motherboard.) I found that 
I now have to set the default route to ppp0 when I use
gnome-ppp by hand through a terminal window and 
su, where I didn't have to do this on my previous 
install of Etch.


Is there a way to get this to set itself when I start
gnome-ppp, or set this up to where it will be permanent. 
I admit to not being a networking whiz.




Gnome-ppp probably uses pppd to make the connection. Pppd supports 
multiple ISP profiles which are placed in /etc/ppp/peers/. Usually, the 
profile that is used is in the file /etc/ppp/peers/provider.


In that file (or whatever ISP profile your system uses), make sure that 
the defaultroute option appears; "defaultroute" tells pppd to make the 
link a default route when it comes up. Read "man pppd".


If you are unsure of what ISP profile your pppd uses, use gnome-ppp to 
go online and use a terminal to view how pppd is invoked:


ps U root | grep pppd

Good luck.



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




A routing question

2008-05-21 Thread Walt L. Williams
Greetings

I have recently upgraded my computer's hardware. 
After re-installing Debian Etch (64AMD). (I was running 
on a seven year old AMD motherboard.) I found that 
I now have to set the default route to ppp0 when I use
gnome-ppp by hand through a terminal window and 
su, where I didn't have to do this on my previous 
install of Etch.

Is there a way to get this to set itself when I start
gnome-ppp, or set this up to where it will be permanent. 
I admit to not being a networking whiz.

-- 
Best Regards
Walt L. Williams
http://www.intergate.com/~waltwilliams/





ipv6 routing question

2007-11-22 Thread Alex Samad
Hi


I have ipv6 setup on my network and I use static and dynamic addresses I use a 
6to4 setup.

On my server I have 

2002:::11::10 as my static
2002:::11:230:834f:beaf:1cd0 as my dynamic (setup with radvd)


routing info is
2002:::11::11 dev eth0  metric 1024  expires 18267878sec mtu 9100 
advmss 9040 hoplimit 4294967295
2002:::11::/64 dev eth0  metric 256  expires 14115191sec mtu 1500 
advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0  metric 256  expires 18267549sec mtu 1500 advmss 1440 
hoplimit 4294967295
ff00::/8 dev eth0  metric 256  expires 18267549sec mtu 1500 advmss 1440 
hoplimit 4294967295

default via fe80::214:be3f:f346:3a0c dev eth0  proto kernel  metric 1024  
expires 27sec mtu 1500 advmss 1440 hoplimit 64




My problem is when this machine connects to a non local address it uses the 
dynamic address in preference to the static address, I am not sure how to 
configure it to use the static address in preference ?

Alex




Re: Routing Question

2004-07-14 Thread David Purton
On Wed, Jul 14, 2004 at 02:56:03PM +1000, James Sinnamon wrote:
> Until someone more knowledgeable replies ...
> 
> On Wed, 14 Jul 2004 11:02 am, David Purton wrote:
> > Hi all,
> >
> > I've got a routing question. This is the setup:
> 
> > But that didn't work either.
> >
> >
> > Can anybody explain to me what is going wrong or how to fix it?
> 
> I have done something similar, but don't have it running
> like that now.
> 
> It may be useful to see the output of /sbin/route -n on the 
> host(s) that are causing the problem(s) (you should be able
> to accomplish something similar with 'ip route ...').
> 

Oddly enough, it seems to be working now..., but I've started and
stopped things so many times, that I'm not sure what made it work :(

I think I first managed to get things happening when I tried restarting
openvpn after bringing the ppp0 link up - so maybe that is a potential
source of difficulties.

this is the routing tables when everything is up:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.61.3.4      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
150.101.29.92   0.0.0.0         255.255.255.252 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         150.101.29.93   0.0.0.0         UG    0      0        0 eth1


> 
> Possibly there is more than one default route on the host where you 
> are having problems?
> 

no this is definitely ok.

> Also '/usr/sbin/tcpdump eth0' (or '/usr/sbin/tcpdump -i eth1')
> (don't think it will work with ppp0) is another debugging tool.

ah - yeah of course - should have thought of that and ethereal, etc.


Thanks for your help

dc

-- 
David Purton
[EMAIL PROTECTED]
 
For the eyes of the LORD range throughout the earth to
strengthen those whose hearts are fully committed to him.
 2 Chronicles 16:9a




Re: Routing Question

2004-07-13 Thread Robert William Hutton
James Sinnamon wrote:
Also '/usr/sbin/tcpdump eth0' (or '/usr/sbin/tcpdump -i eth1')
(don't think it will work with ppp0) is another debugging tool.
Ethereal is another tool, similar to tcpdump, which gives more readable output. 
 tethereal is the terminal (command line) version of ethereal if you don't have X.

Cheers,
Rob



Re: Routing Question

2004-07-13 Thread James Sinnamon
Until someone more knowledgeable replies ...

On Wed, 14 Jul 2004 11:02 am, David Purton wrote:
> Hi all,
>
> I've got a routing question. This is the setup:

> But that didn't work either.
>
>
> Can anybody explain to me what is going wrong or how to fix it?

I have done something similar, but don't have it running
like that now.

It may be useful to see the output of /sbin/route -n on the 
host(s) that are causing the problem(s) (you should be able
to accomplish something similar with 'ip route ...').

On my (single) gateway the output of 'route -n' is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
144.132.248.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         144.132.248.1   0.0.0.0         UG    0      0        0 eth0

... there are two internal networks 192.168.1.0/24 and 192.168.0.0/24.
The route with destination of 0.0.0.0 and mask of 0.0.0.0 and '(G)ateway'
flag is the default route through eth0, thence through my cable modem
and, finally, through the ISP host  144.132.248.1 to the net.

Possibly there is more than one default route on the host where you 
are having problems?

Also '/usr/sbin/tcpdump eth0' (or '/usr/sbin/tcpdump -i eth1')
(don't think it will work with ppp0) is another debugging tool.

HTH,

James

-- 
James Sinnamon
[EMAIL PROTECTED] net au 
+61 412 319669, +61 2 95692123
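
The check suggested above (is there more than one default route?) can be run over saved `route -n` output. This is an added example, not part of the original message; the first table is the one posted above, and the second is constructed for illustration from the addresses in this thread, with a ppp0 default added next to the eth1 one.

```python
# Parse `route -n` output and report default routes that tie on metric.

SINGLE_DEFAULT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
144.132.248.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         144.132.248.1   0.0.0.0         UG    0      0        0 eth0
"""

# Constructed sample: a second default route installed when ppp0 came up.
TWO_DEFAULTS = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.61.3.4      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
150.101.29.92   0.0.0.0         255.255.255.252 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         150.101.29.93   0.0.0.0         UG    0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
"""


def parse_route_n(text):
    """Return one dict per route line that follows the column header."""
    rows, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["Destination"]:
            in_table = True
            continue
        if in_table and len(fields) == 8:
            dest, gateway, mask, flags, metric, _ref, _use, iface = fields
            rows.append({"dest": dest, "gateway": gateway, "mask": mask,
                         "flags": flags, "metric": int(metric), "iface": iface})
    return rows


def default_routes(rows):
    """A default route has destination 0.0.0.0 and genmask 0.0.0.0."""
    return [r for r in rows
            if r["dest"] in ("0.0.0.0", "default") and r["mask"] == "0.0.0.0"]


def conflicting_defaults(rows):
    """Default routes that share the lowest metric; empty if unambiguous."""
    defaults = default_routes(rows)
    if len(defaults) < 2:
        return []
    lowest = min(r["metric"] for r in defaults)
    tied = [r for r in defaults if r["metric"] == lowest]
    return tied if len(tied) > 1 else []


if __name__ == "__main__":
    for name, text in (("single", SINGLE_DEFAULT), ("two", TWO_DEFAULTS)):
        tied = conflicting_defaults(parse_route_n(text))
        print(name, [(r["iface"], r["gateway"]) for r in tied] or "ok")
```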





Routing Question

2004-07-13 Thread David Purton
Hi all,

I've got a routing question. This is the setup:

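                                   +--------------+
                                   |  Provider 1  |
                         +---------| Analog Modem |------ Internet
                         |         |              |
                         |         +--------------+
                  +--------------+
                  |     ppp0     |
                  |              |
                  | Linux Router |         +--------------+
                  |    (NAT)     |         |  Provider 2  |
Local Net --------| eth0    eth1 |---------| DSL-ethernet |------ Internet
                  |              |         |    bridge    |
                  |     tun0     |         +--------------+
                  +--------------+
                         |         +-----------+
                         |         |           |
                         +---------| VPN P-t-P |
                                   |           |
                                   +-----------+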


We are transitioning from provider 1 to provider 2, and I want to have
both links up and routing correctly. I don't need load balancing, since
who would want to get load balanced from a DSL modem to a 56K modem...


The lartc.org howto has helped me get things mostly working, except when
openvpn is running and hence tun0 exists.


When the tun0 interface is down, I run this script when ppp0 comes up, and everything 
works the way I want it to.




#!/bin/bash

IF0=eth0
IF1=eth1
IF2=ppp0

IP0=192.168.0.1
IP1=150.101.29.94
IP2=203.152.247.215

P1=150.101.29.93
P2=`/sbin/ifconfig | grep P-t-P | awk '{print $3}' | awk -F : '{print $2}'`

P0_NET=192.168.0.0/24
P1_NET=150.101.29.92/30
P2_NET=$P2/32

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip route add default via $P1

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo   table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo   table T2


< End Routing Script>


But when I start openvpn, things break and I can no longer ping the ppp0
interface from the internet. Packets get to the other end of the P-t-P
connection from ppp0 and then vanish. Closing down the openvpn
connection restores things to a working state.

So I thought I would try adding these lines to the above script to setup
routing:

IP3=10.3.0.1
IF3=tun0
P3_NET=$P3/32
ip route add $P3_NET dev $IF3 table T1
ip route add $P3_NET dev $IF3 table T2

But that didn't work either.


Can anybody explain to me what is going wrong or how to fix it?

Also how can you debug routing tables? Is there an easy way to watch
what happens to a packet?


cheers

dc

-- 
David Purton
[EMAIL PROTECTED]
 
For the eyes of the LORD range throughout the earth to
strengthen those whose hearts are fully committed to him.
 2 Chronicles 16:9a




Re: Advanced routing question

2003-07-27 Thread Haim Ashkenazi
On Sunday 27 July 2003 20:10, Fraser Campbell wrote:
> On July 27, 2003 09:10 am, Haim Ashkenazi wrote:
> > I'm trying to combine 2 linux firewalls/routers together. the final host
> > should have the following ports:
> >
> > 1. eth0 - 256kbps frame relay.
> > 2. ppp0 (via eth1) - pppoe adsl with dhcp.
> > 3. eth2-3 - 2 DMZ's.
> > 4. eth4 - localnet.
> >
> > The default route is ppp0.
> >
> > Here's the problem: If I'll connect to the firewall from the internet
> > through eth0 (or even connect to the dmz through the firewall's eth0)
> > wouldn't it try to respond through ppp0 (the default gateway) which will
> > make the connection impossible?
>
> Yes you need to install some advanced routing rules.  Read the advanced
> routing howto (http://www.lartc.org/), you'll need something roughly like
> this:
thanx, I'll read it.

Bye
-- 
Haim





Re: Advanced routing question

2003-07-27 Thread Fraser Campbell
On July 27, 2003 09:10 am, Haim Ashkenazi wrote:

> I'm trying to combine 2 linux firewalls/routers together. the final host
> should have the following ports:
>
>   1. eth0 - 256kbps frame relay.
>   2. ppp0 (via eth1) - pppoe adsl with dhcp.
>   3. eth2-3 - 2 DMZ's.
>   4. eth4 - localnet.
>
> The default route is ppp0.
>
> Here's the problem: If I'll connect to the firewall from the internet
> through eth0 (or even connect to the dmz through the firewall's eth0)
> wouldn't it try to respond through ppp0 (the default gateway) which will
> make the connection impossible?

Yes you need to install some advanced routing rules.  Read the advanced 
routing howto (http://www.lartc.org/), you'll need something roughly like 
this:

# All of my networks
localnet='172.16.0.0/24'
dmz_a='172.17.0.0/24'
dmz_b='172.17.0.0/24'
frame='216.1.2.0/28'

# Set default route for frame relay network
ip route add default via 216.1.2.1 table 10 # (table 10 arbitrary choice)

pri=100

# ensure that traffic to local IPs is handled by default routing table
for net in $localnet $dmz_a $dmz_b $frame; do
   ip rule add to $net lookup main pri $pri
done

pri=200
# Make sure that traffic coming from frame IPs gets routed to the frame gateway
ip rule add from $frame lookup 10 pri $pri

# Flush route cache to make changes immediate
ip route flush cache

That should handle everything correctly.  Have your pppoe software install a 
default route when it brings up the connection and you shouldn't have to 
worry about any special routing for it.

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux
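
The rule ordering in the reply above can be checked offline with a small model of the kernel's lookup (rules in priority order, then longest-prefix match inside the selected table). This is an added example, not part of the original message. The device assignments for the local networks, the address 216.1.2.2 for the firewall's frame relay side and the ppp0 peer 192.0.2.1 are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

PPP_PEER = "192.0.2.1"       # assumed ppp0 peer (documentation address)
FRAME_GW = "216.1.2.1"       # frame relay gateway from the message
FRAME_NET = "216.1.2.0/28"
LOCAL_NETS = ["172.16.0.0/24", "172.17.0.0/24", FRAME_NET]


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


class Rule(NamedTuple):
    pri: int
    selector: str                          # "from", "to" or "all"
    net: Optional[ipaddress.IPv4Network]
    table: str


def _net(cidr):
    return ipaddress.ip_network(cidr)


def build_tables():
    """Main table with a ppp0 default, plus table 10 from the message."""
    main = [
        Route(_net("172.16.0.0/24"), "eth4"),      # localnet (assumed device)
        Route(_net("172.17.0.0/24"), "eth2"),      # DMZ (assumed device)
        Route(_net(FRAME_NET), "eth0"),
        Route(_net("0.0.0.0/0"), "ppp0", PPP_PEER),
    ]
    table10 = [Route(_net("0.0.0.0/0"), "eth0", FRAME_GW)]
    return {"main": main, "10": table10}


def build_rules(frame_rule=True, local_first=True):
    """Rules from the message; either group can be left out for comparison."""
    rules = [Rule(32766, "all", None, "main")]     # kernel's built-in rule
    if local_first:
        rules += [Rule(100, "to", _net(n), "main") for n in LOCAL_NETS]
    if frame_rule:
        rules.append(Rule(200, "from", _net(FRAME_NET), "10"))
    return sorted(rules, key=lambda r: r.pri)


def lookup(src, dst, rules, tables):
    """Return (rule priority, table, device, gateway) chosen for a packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.selector == "from" and s not in rule.net:
            continue
        if rule.selector == "to" and d not in rule.net:
            continue
        matches = [r for r in tables[rule.table] if d in r.prefix]
        if matches:                                # longest prefix wins
            best = max(matches, key=lambda r: r.prefix.prefixlen)
            return rule.pri, rule.table, best.dev, best.via
    return None


if __name__ == "__main__":
    tables = build_tables()
    remote = "198.51.100.7"                        # constructed remote client
    cases = [
        ("reply, no policy rules", "216.1.2.2", remote, build_rules(False, False)),
        ("reply, rules from the message", "216.1.2.2", remote, build_rules()),
        ("frame IP to localnet", "216.1.2.2", "172.16.0.5", build_rules()),
        ("frame IP to DMZ without pri 100", "216.1.2.2", "172.17.0.9",
         build_rules(True, False)),
        ("localnet to internet", "172.16.0.5", remote, build_rules()),
    ]
    for label, src, dst, rules in cases:
        print(f"{label:34s} {src} -> {dst}: {lookup(src, dst, rules, tables)}")
```

The fourth case shows why the priority 100 rules come first: without them, traffic from a frame address to the DMZ would fall into table 10, which holds only a default route, and leave through the frame relay gateway.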





Advanced routing question

2003-07-27 Thread Haim Ashkenazi
Hi

I'm trying to combine 2 linux firewalls/routers together. the final host 
should have the following ports:

1. eth0 - 256kbps frame relay.
2. ppp0 (via eth1) - pppoe adsl with dhcp.
3. eth2-3 - 2 DMZ's.
4. eth4 - localnet.

The default route is ppp0.

Here's the problem: If I'll connect to the firewall from the internet through 
eth0 (or even connect to the dmz through the firewall's eth0) wouldn't it try 
to respond through ppp0 (the default gateway) which will make the connection 
impossible? 

Bye
-- 
Haim





Re: FreeS/Wan and masquerdaing routing question... (was desperate for help! freeswan attempt: can exhange keys but no access to other net after!)

2002-04-24 Thread Martin Edward John Waller
Ooops - here's that setup again:

192.168.0.* [private subnet I want to access = leftsubnet]
|
|
|
194.216.251.1 [firewall = left]
|
|
|
194.216.251.254 [router  = leftnexthop]
.
.
.
212.46.128.11 [router = rightnexthop]
|
|
|
aaa.bbb.ccc.ddd [my static IP address = right]
|
|
|
192.168.201.* [my private subnet = rightsubnet]


Martin Edward John Waller wrote:

>   --
>
> Subject: FreeS/Wan and masquerdaing routing question... (was desperate for
>  help! freeswan attempt: can exhange keys but no access to other net 
> after!)
> Date: Wed, 24 Apr 2002 09:56:44 +0100
> From: Martin Edward John Waller <[EMAIL PROTECTED]>
> To: users@lists.freeswan.org, [EMAIL PROTECTED]
> References: <[EMAIL PROTECTED]>
>
> John Sullivan wrote:
>
> >
> >
> > It looks like you're sending SYN packets but
> > never receiving an ACK.  My guess would be that
> > the internal device does not know how to get to
> > 192.168.201.0/24 or it does know but it knows
> > wrongly, i.e., some router is sending the
> > packets to some other path.  Hope this helps -
> > John
> >
> > > John A. Sullivan III
> > > Group Technology Director
> > > Nexus Management
> > > +1 207-985-7880
> >
>
> Ok - thanks.  I'm not sure what is meant by 'the
> internal device' but assuming routing is the issue
> here's my setup and routing info at my end - is it
> correct for what I'm trying to do?
>
>   192.168.0.*
> 194.216.251.1==194.216.251.254
> -
> 212.46.128.11=aaa.bbb.ccc.ddd
> =192.168.201.*
>  [private subnet [firewall
> = left]  [router = leftnexthop]
> [internet] [router = rightnexthop]
> [my static IP = right]   [my private
> subnet
> I want to
> access]
> (masqueraded)]
>
> My masquerading script and ispec.conf are
> attached.
>
> Here's my routing table when connections me-fw1
> and me-flo are up:
>
> netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 194.216.251.1   212.46.128.11   255.255.255.255 UGH       0 0          0 ipsec0
> 212.46.128.11   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 212.46.128.11   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
> 192.168.0.0     212.46.128.11   255.255.255.0   UG        0 0          0 ipsec0
> 192.168.201.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 0.0.0.0         212.46.128.11   0.0.0.0         UG        0 0          0 ppp0
>
> And here's ipsec eroute:
>
> ipsec eroute
> 0  192.168.201.0/24   -> 192.168.0.0/24   => [EMAIL PROTECTED]
> 0  aaa.bbb.ccc.ddd/32 -> 194.216.251.1/32 => [EMAIL PROTECTED]
>
> Is this correct at my end?  Should I add something
> to my ipmasquerading script?  Stumped...
>
> Thanks for any info!
>
> Martin
>
>   --
> #!/bin/sh
> #
> # rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
> #   using IPCHAINS
> #
> # Load all required IP MASQ modules
> #
> #   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 
> modules
> #  are shown below but are commented out from loading.
>
> echo "Starting IP Masquerading..."
>
> # Needed to initially load modules
> #
> /sbin/depmod -a
>
> # Supports the proper masquerading of FTP file transfers using the PORT method
> #
> /sbin/modprobe ip_masq_ftp
>
> # Supports the masquerading of RealAudio over UDP.  Without this module,
> #   RealAudio WILL function but in TCP mode.  This can cause a reduction
> #   in sound quality
> #
> /sbin/modprobe ip_masq_raudio
>
> # Supports the masquerading of IRC DCC file transfers
> #
> #/sbin/modprobe ip_masq_irc
>
> # Supports the masquerading of Quake and QuakeWorld by default.  This modules 
> is
> #   for for multiple users behind the Linux MASQ server.  If you are going to
> #   play Quake I, II, and III, use the second example.
> #
> #   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
> #   -  kernel that has bugs in it.  Please upgrade to the newest kernel.
> #
> #Quake I / QuakeWorld (ports 26000 and 27000)
> #/sbin/modprobe ip_masq_quake
> #
> #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
> #/sbin/modprobe ip_

FreeS/Wan and masquerdaing routing question... (was desperate for help! freeswan attempt: can exhange keys but no access to other net after!)

2002-04-24 Thread Martin Edward John Waller

--- Begin Message ---
John Sullivan wrote:

>
>
> It looks like you're sending SYN packets but
> never receiving an ACK.  My guess would be that
> the internal device does not know how to get to
> 192.168.201.0/24 or it does know but it knows
> wrongly, i.e., some router is sending the
> packets to some other path.  Hope this helps -
> John
>
> > John A. Sullivan III
> > Group Technology Director
> > Nexus Management
> > +1 207-985-7880
>

Ok - thanks.  I'm not sure what is meant by 'the
internal device' but assuming routing is the issue
here's my setup and routing info at my end - is it
correct for what I'm trying to do?



  192.168.0.*
194.216.251.1==194.216.251.254
-
212.46.128.11=aaa.bbb.ccc.ddd
=192.168.201.*
 [private subnet [firewall
= left]  [router = leftnexthop]
[internet] [router = rightnexthop]
[my static IP = right]   [my private
subnet
I want to
access]
(masqueraded)]

My masquerading script and ispec.conf are
attached.


Here's my routing table when connections me-fw1
and me-flo are up:

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
194.216.251.1   212.46.128.11   255.255.255.255 UGH       0 0          0 ipsec0
212.46.128.11   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
212.46.128.11   0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
192.168.0.0     212.46.128.11   255.255.255.0   UG        0 0          0 ipsec0
192.168.201.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         212.46.128.11   0.0.0.0         UG        0 0          0 ppp0

And here's ipsec eroute:

ipsec eroute
0  192.168.201.0/24   -> 192.168.0.0/24   => [EMAIL PROTECTED]
0  aaa.bbb.ccc.ddd/32 -> 194.216.251.1/32 => [EMAIL PROTECTED]

Is this correct at my end?  Should I add something
to my ipmasquerading script?  Stumped...

Thanks for any info!

Martin

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels 
#   using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#  are shown below but are commented out from loading.

echo "Starting IP Masquerading..."

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#   RealAudio WILL function but in TCP mode.  This can cause a reduction
#   in sound quality
#
/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc


# Supports the masquerading of Quake and QuakeWorld by default.  This modules is
#   for for multiple users behind the Linux MASQ server.  If you are going to 
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960


# Supports the masquerading of the CuSeeme video conferencing software
#
/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
/sbin/modprobe ip_masq_vdolive


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#   Redhat Users:  you may try changing the options in 
#  /etc/sysconfig/network from:
#
#   FORWARD_IPV4=false
# to
#   FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default 
#   in 2.2.x kernels.  This used to be a compile-time option but the 
#   behavior was changed in 2.2.12
#
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this 
#   following option.  This enables dynamic-ip address hacking in IP MASQ, 
#   making the life with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning 
#  vunerabilities.
#
#echo "1" > /proc/sys/net/ipv4/ip_masq_u

Routing question, mixed real+private IP network, ARP

2002-03-28 Thread Pedro Zorzenon Neto
Hi folks,

   I have the following network:

192.168.1.2 +--- eth1 192.168.1.1
|eth0 aaa.bbb.ccc.130 +--- real IP network
192.168.1.3 +   Debian Router |
| +-aaa.bbb.ccc.129
192.168.1.4 + |
| +-aaa.bbb.ccc.132
... +
|
aaa.bbb.ccc.131 +

How can I configure "Debian router" to forward packets that come from eth0
to aaa.bbb.ccc.131 to eth1?

If I do:
   route add -host aaa.bbb.ccc.131 dev eth1
Then the Debian Router is able to ping aaa.bbb.ccc.131
But real IP's are not able to do it. I just see incoming ARP to
aaa.bbb.ccc.131 on eth0, but these ARPs are not forwarded to eth1
neither answered by Debian router.

ipchains forward rules are MASQ for 192.168.x.y and ACCEPT for others.

I think I should use some "IP tunneling" option, but I have never used
and I don't know where to start from. I also don't know if this is
called "IP tunneling".

Any hints?

  Thanks in advance,
  Pedro

-- 
  .''`.   Pedro Zorzenon Neto <[EMAIL PROTECTED]>
 : :'  :  Debian GNU/Linux | GNU/Hurd: 
 `. `'`   Debian BR: 
   `- Be Happy! Be FREE!





Re: routing question

2001-11-28 Thread Michael Heldebrant
On Wed, 2001-11-28 at 17:02, shock wrote:
> * Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
> > 
> > I am guessing that the problem must be on the interfaces on
> > the debian machine.  What does ifconfig on the debian machine show?
> 
> # ifconfig eth0
> eth0  Link encap:Ethernet  HWaddr 00:C0:F0:57:C9:AF
>   inet addr:192.168.1.99  Bcast:192.168.1.255 Mask:255.255.255.0
>   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>   RX packets:2827 errors:0 dropped:0 overruns:0 frame:0
>   TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>   collisions:0 txqueuelen:100
>   RX bytes:228510 (223.1 Kb) TX bytes:0 (0.0 b)
>   Interrupt:10 Base address:0x7000
> 
> # route -ee
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
> localnet        *               255.255.255.0   U     0      0        0 eth0     40    0      0
> default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0     40    0      0

> the interface /is/ up, because i can successfully gateway to the DSL
> modem.  i just can't see 192.168.1.10 on machine "a" and machine "a"
> can't see this box.

I'm all out of ideas other than these guesses.

1.  Try taking the DSL modem off the hub for a bit and retest
connectivity.  All packets destined for the 192.168.1.0 network may be
going to 192.168.1.254 as the gateway, meaning that "e" is expecting the
dsl modem to route it.  This would lead to:

2.  Add static routes to each machine for the other ie:
on a
route add -host 192.168.1.99 dev eth0

on e
route add -host 192.168.1.10 dev eth0

I'm confused at this point, hopefully some other networking guru can
step in and solve this.

--mike



Re: routing question

2001-11-28 Thread shock
* Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
> 
> I am guessing that the problem must be on the interfaces on
> the debian machine.  What does ifconfig on the debian machine show?

# ifconfig eth0
eth0  Link encap:Ethernet  HWaddr 00:C0:F0:57:C9:AF
  inet addr:192.168.1.99  Bcast:192.168.1.255 Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:2827 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100
  RX bytes:228510 (223.1 Kb) TX bytes:0 (0.0 b)
  Interrupt:10 Base address:0x7000

# route -ee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
localnet        *               255.255.255.0   U     0      0        0 eth0     40    0      0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0     40    0      0

# cat /etc/network/interfaces
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
 
# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback
  
# The first network card - this entry was created during the Debian
# installation
# (network, broadcast and gateway are optional)
# automatically added when upgrading
auto eth0
iface eth0 inet static
 address 192.168.1.99
 netmask 255.255.255.0
 network 192.168.1.0
 broadcast 192.168.1.255
 gateway 192.168.1.254
 
> Your previous email had no auto eth0 line in your
> /etc/network/interfaces listed nor a lo stanza.  Perhaps the interface
> is just not up?

sorry about that.  the previous post didn't include the entire
interface file.  above is the complete file.

the interface /is/ up, because i can successfully gateway to the DSL
modem.  i just can't see 192.168.1.10 on machine "a" and machine "a"
can't see this box.
-- 
 ) ,_),_)
(-(__  |_  _  _ |/
 ) | |(_)(_ |\
( \_,
 ___
| http://www.exitwound.org : hard to find   |
 ___
| The horror... the horror! |
 ___
 -BEGIN GEEK CODE BLOCK-
| Version: 3.1  |
| GJ/IT d- s: a C+++>$ UL P+++ L+++ E--- W++| 
| N+@ o K- w O- M- V PS+ PE Y+ PGP++ t+@ 5@ X++ |
| R tv+@ b+ DI D+ G++ e h r+++ y+++ |
 --END GEEK CODE BLOCK--



Re: routing question

2001-11-28 Thread Michael Heldebrant
On Wed, 2001-11-28 at 14:21, shock wrote:
> * Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
> > 
> > Everything looks ok so far.  Routing information is the only thing left
> > that I can think of.
> 
> any specific flags i should be passing the route command?  here's a
> brief one:
> 
> [EMAIL PROTECTED] stephen]# /sbin/route -ee
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1     0     0      0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1     0     0      0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0     0     0      0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth0     0     0      0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo       0     0      0
> default         cayman.exitwoun 0.0.0.0         UG    0      0        0 eth0     0     0      0
> > 

This is interesting.  You have duplicate routes, which I don't think is
a problem.  I am guessing that the problem must be on the interfaces on
the debian machine.  What does ifconfig on the debian machine show?

Your previous email had no auto eth0 line in your
/etc/network/interfaces listed nor a lo stanza.  Perhaps the interface
is just not up?

--mike



Re: routing question

2001-11-28 Thread shock
* Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
> 
> Everything looks ok so far.  Routing information is the only thing left
> that I can think of.

any specific flags i should be passing the route command?  here's a
brief one:

[EMAIL PROTECTED] stephen]# /sbin/route -ee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1     0     0      0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1     0     0      0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0     0     0      0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0     0     0      0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo       0     0      0
default         cayman.exitwoun 0.0.0.0         UG    0      0        0 eth0     0     0      0
> 
> > [EMAIL PROTECTED] stephen]# netstat -atp
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 pappy.exitwound.o:pop-3 calypso.exitwound:44919 TIME_WAIT   -
> > tcp        0      0 192.168.1.10:pop-3      calypso.exitwound:44918 TIME_WAIT   -
> > tcp        0      0 *:6010                  *:*                     LISTEN      607/sshd2
> > tcp        0    232 pappy.exitwound.org:ssh calypso.exitwound:44912 ESTABLISHED 607/sshd2
> > tcp        0      0 *:smtp                  *:*                     LISTEN      409/sendmail: accep
> > tcp        0      0 192.168.1.10:www        *:*                     LISTEN      363/httpd
> > tcp        0      0 *:mysql                 *:*                     LISTEN      359/mysqld
> > tcp        0      0 *:ssh                   *:*                     LISTEN      291/sshd2
> > tcp        0      0 *:pop-3                 *:*                     LISTEN      282/inetd
> > tcp        0      0 *:pop-2                 *:*                     LISTEN      282/inetd
> 
> You are listening on both cards in theory for sshd2.  Can "a" get a ping
> response from "e"?

nope.  "a" can't see "e" and "e" can't see "a".  can't ping, ssh2, nada.

> Why do you have a hole in your firewall for the dhcp information then? 
> If it's all internal to the modem (meaning you never change ip's ever)
> you may want to remove that from the firewall.

at one time i needed dhcp, but i don't use it any more.  you're right.
i need to close it.  thx.
-- 
 ) ,_),_)
(-(__  |_  _  _ |/
 ) | |(_)(_ |\
( \_,
 ___
| http://www.exitwound.org : hard to find   |
 ___
| A reverend wanted to telephone another|
| reverend. He told the operator, "This is a|
| parson to parson call."   |
 ___
 -BEGIN GEEK CODE BLOCK-
| Version: 3.1  |
| GJ/IT d- s: a C+++>$ UL P+++ L+++ E--- W++| 
| N+@ o K- w O- M- V PS+ PE Y+ PGP++ t+@ 5@ X++ |
| R tv+@ b+ DI D+ G++ e h r+++ y+++ |
 --END GEEK CODE BLOCK--



Re: routing question

2001-11-28 Thread Michael Heldebrant
On Wed, 2001-11-28 at 11:34, shock wrote:
> * Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
> >
> > What is the default policy for the input and output chains on "a". 
> > ipchains -L -v -n output will show this.  
> 
> [EMAIL PROTECTED] stephen]# /sbin/ipchains -L -v -n
> Chain input (policy ACCEPT: 3466 packets, 774392 bytes):
>  pkts bytes target prot opt tosa tosx  ifname mark outsize source           destination  ports
>     0     0 ACCEPT udp  --  0xFF 0x00  eth0                0.0.0.0/0        0.0.0.0/0    67 ->   68
> Chain forward (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target prot opt tosa tosx  ifname mark outsize source           destination  ports
>  1206 76677 MASQ   all  --  0xFF 0x00  *                   192.168.2.0/24   0.0.0.0/0    n/a
> Chain output (policy ACCEPT: 3294 packets, 806120 bytes):
> 
> > The output of netstat -atp on
> > "a" would also be helpful along with the route output from both
> > machines.  

Everything looks ok so far.  Routing information is the only thing left
that I can think of.

> [EMAIL PROTECTED] stephen]# netstat -atp
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 pappy.exitwound.o:pop-3 calypso.exitwound:44919 TIME_WAIT   -
> tcp        0      0 192.168.1.10:pop-3      calypso.exitwound:44918 TIME_WAIT   -
> tcp        0      0 *:6010                  *:*                     LISTEN      607/sshd2
> tcp        0    232 pappy.exitwound.org:ssh calypso.exitwound:44912 ESTABLISHED 607/sshd2
> tcp        0      0 *:smtp                  *:*                     LISTEN      409/sendmail: accep
> tcp        0      0 192.168.1.10:www        *:*                     LISTEN      363/httpd
> tcp        0      0 *:mysql                 *:*                     LISTEN      359/mysqld
> tcp        0      0 *:ssh                   *:*                     LISTEN      291/sshd2
> tcp        0      0 *:pop-3                 *:*                     LISTEN      282/inetd
> tcp        0      0 *:pop-2                 *:*                     LISTEN      282/inetd

You are listening on both cards in theory for sshd2.  Can "a" get a ping
response from "e"?
> 
> > I assume the "broadcase" above for eth1 is a typo and not the
> > actual command right?  
> 
> actually, that wasn't a typo.  it's been corrected.  thanks.
> 
> >Are you using some sort of dhcp on "a" with pump?
> 
> Nope.  All of that is handled through the DSL modem/router.  I just
> simply set the default gateway to point to it.

Why do you have a hole in your firewall for the dhcp information then? 
If it's all internal to the modem (meaning you never change ip's ever)
you may want to remove that from the firewall.

--mike



Re: routing question

2001-11-28 Thread shock
* Michael Heldebrant ([EMAIL PROTECTED]) spake thusly:
>
> What is the default policy for the input and output chains on "a". 
> ipchains -L -v -n output will show this.  

[EMAIL PROTECTED] stephen]# /sbin/ipchains -L -v -n
Chain input (policy ACCEPT: 3466 packets, 774392 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source         destination ports
    0     0 ACCEPT udp  --  0xFF 0x00 eth0                0.0.0.0/0      0.0.0.0/0   67 ->   68
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source         destination ports
 1206 76677 MASQ   all  --  0xFF 0x00 *                   192.168.2.0/24 0.0.0.0/0   n/a
Chain output (policy ACCEPT: 3294 packets, 806120 bytes):

> The output of netstat -atp on
> "a" would also be helpful along with the route output from both
> machines.  

[EMAIL PROTECTED] stephen]# netstat -atp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 pappy.exitwound.o:pop-3 calypso.exitwound:44919 TIME_WAIT   -
tcp        0      0 192.168.1.10:pop-3      calypso.exitwound:44918 TIME_WAIT   -
tcp        0      0 *:6010                  *:*                     LISTEN      607/sshd2
tcp        0    232 pappy.exitwound.org:ssh calypso.exitwound:44912 ESTABLISHED 607/sshd2
tcp        0      0 *:smtp                  *:*                     LISTEN      409/sendmail: accep
tcp        0      0 192.168.1.10:www        *:*                     LISTEN      363/httpd
tcp        0      0 *:mysql                 *:*                     LISTEN      359/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN      291/sshd2
tcp        0      0 *:pop-3                 *:*                     LISTEN      282/inetd
tcp        0      0 *:pop-2                 *:*                     LISTEN      282/inetd

> I assume the "broadcase" above for eth1 is a typo and not the
> actual command right?  

actually, that wasn't a typo.  it's been corrected.  thanks.

>Are you using some sort of dhcp on "a" with pump?

Nope.  All of that is handled through the DSL modem/router.  I just
simply set the default gateway to point to it.



Re: routing question

2001-11-28 Thread Michael Heldebrant
On Tue, 2001-11-27 at 23:39, shock wrote:
> * nate ([EMAIL PROTECTED]) spake thusly:
> >
> > from the looks of the info you gave machine A and E are on
> > the same hub..the cables seem to work as they can both get to
> > the dsl..so my guess would be theres a incorrect netmask or
> > broadcast address set on either A or E, and the DSL gateway
> > doesn't seem to care. since machine A and E are on the same subnet
> > and on the same hub theres no routing involved ..its just "there".
>  
> here's the /etc/network/interfaces for machine e (debian woody):
>   
> iface eth0 inet static
>   address 192.168.1.99
>   netmask 255.255.255.0
>   network 192.168.1.0
>   broadcast 192.168.1.255
>   gateway 192.168.1.254
>
> machine a (RH6.2) fires up eth0 and eth1 via /etc/rc.d/rc.local with the
> following statements:
> 
> ifconfig eth1 192.168.2.1 netmask 255.255.255.0 broadcase 192.168.2.255 up
> ifconfig eth0 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 up
> route add -net 192.168.2.0 netmask 255.255.255.0 eth1 
> route add -net 192.168.1.0 netmask 255.255.255.0 eth0
>  
> the broadcast / netmask scenario you described (while potentially
> problematic) seems to be okay.  unless i'm overlooking the obvious.
>   
> > either that or you may have
> > firewall rules on one or the other
> > that could be blocking traffic. my
> > guess would be bad broadcast
> > somewhere tho ive had similar
> > problems.
>
> machine e has no firewall.  machine a contains the following:
> 
> /sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> /sbin/ipchains -P forward DENY 
> /sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
>  
> as further background, i can ssh from a machine on the internet to
> machine a.  also, i can ssh from machines on the 192.168.2.x to
> machine a.  it seems that only machine e (192.168.1.99) can't
> successfully get to (or see) machine a.

What is the default policy for the input and output chains on "a". 
ipchains -L -v -n output will show this.  The output of netstat -atp on
"a" would also be helpful along with the route output from both
machines.  I assume the "broadcase" above for eth1 is a typo and not the
actual command right?  Are you using some sort of dhcp on "a" with pump?

--mike 



Re: routing question

2001-11-27 Thread nate
shock said:
> * nate ([EMAIL PROTECTED]) spake thusly:

> the broadcast / netmask scenario you described (while potentially
> problematic) seems to be okay.  unless i'm overlooking the obvious.

yeah seems network config is ok..only other thing i'd do is
run tcpdump on machine E and see what comes up when you try
to connect to machine a.

tcpdump -i eth0 dst IP_OF_MACHINE_A

and run tcpdump on machine A:
tcpdump -i  src IP_OF_MACHINE_E






Re: routing question

2001-11-27 Thread shock
* nate ([EMAIL PROTECTED]) spake thusly:
>
> from the looks of the info you gave machine A and E are on
> the same hub..the cables seem to work as they can both get to
> the dsl..so my guess would be theres a incorrect netmask or
> broadcast address set on either A or E, and the DSL gateway
> doesn't seem to care. since machine A and E are on the same subnet
> and on the same hub theres no routing involved ..its just "there".
 
here's the /etc/network/interfaces for machine e (debian woody):
  
iface eth0 inet static
  address 192.168.1.99
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  gateway 192.168.1.254
 
machine a (RH6.2) fires up eth0 and eth1 via /etc/rc.d/rc.local with the
following statements:
  
ifconfig eth1 192.168.2.1 netmask 255.255.255.0 broadcase 192.168.2.255 up
ifconfig eth0 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255 up
route add -net 192.168.2.0 netmask 255.255.255.0 eth1 
route add -net 192.168.1.0 netmask 255.255.255.0 eth0
   
the broadcast / netmask scenario you described (while potentially
problematic) seems to be okay.  unless i'm overlooking the obvious.

> either that or you may have
> firewall rules on one or the other
> that could be blocking traffic. my
> guess would be bad broadcast
> somewhere tho ive had similar
> problems.
 
machine e has no firewall.  machine a contains the following:
  
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
/sbin/ipchains -P forward DENY 
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
   
as further background, i can ssh from a machine on the internet to
machine a.  also, i can ssh from machines on the 192.168.2.x to
machine a.  it seems that only machine e (192.168.1.99) can't
successfully get to (or see) machine a.



Re: routing question

2001-11-27 Thread nate
shock said:

> however, machine e (192.168.1.99) cannot ping or otherwise see
> machine a (192.168.1.10).  it can gateway through the router
> (192.168.1.254) but that's it.  what do i need to do in order to
> allow machine e to see machine a?

from the looks of the info you gave machine A and E are on
the same hub..the cables seem to work as they can both get to
the dsl..so my guess would be theres a incorrect netmask or
broadcast address set on either A or E, and the DSL gateway
doesn't seem to care. since machine A and E are on the same subnet
and on the same hub theres no routing involved ..its just "there".

either that or you may have firewall rules on one or the other
that could be blocking traffic. my guess would be bad broadcast
somewhere tho ive had similar problems.

nate





routing question

2001-11-27 Thread shock
i think, as time progresses, it is becoming increasingly obvious
that i don't /really/ know what i'm doing.  i'm hoping there's an easy
fix, but i'm prepared for the long haul if necessary.

i have the following set up:

dsl modem - 192.168.1.254 (to hub)
machine a - 192.168.1.10 (to hub)
  - 192.168.2.1 (wireless)
machine b - 192.168.2.2 (wireless)
machine c - 192.168.2.6 (wireless)
machine d - 192.168.2.7 (wireless)
machine e - 192.168.1.99 (to hub)

(to hub) indicates an actual ethernet cable running from the NIC to the
hub, which is a simple 5-port Linksys workgroup hub.  the wireless
machines gateway through machine a (192.168.2.1) which, through IP
chains, hands off to 192.168.1.10.  this works quite nicely.

however, machine e (192.168.1.99) cannot ping or otherwise see machine a
(192.168.1.10).  it can gateway through the router (192.168.1.254) but
that's it.  what do i need to do in order to allow machine e to see
machine a?

if i haven't provided enough info, just let me know.  thanks!



Re: eth1 messing up eth0 and routing question

2001-09-06 Thread Ralf G. R. Bergs
On 5 Sep 2001 21:06:32 -0700, [EMAIL PROTECTED] wrote:

>> On 5 Sep 2001 08:29:37 -0700, [EMAIL PROTECTED] wrote:
>> 
>> >I can ping outside and inside networks from the router, and I can ping the
>> >LAN side of the router from a local computer, but I can't ping outside from
>> >the local computer.
>> 
>> You need SNAT ("ip masquerading") like this:
>> 
>> if [ -n "$EXTERNAL" ]; then
>> for ext in $EXTERNAL; do
>> ipnm_cache $ext
>> $IPTABLES -t nat -A POSTROUTING -o $ext -j SNAT --to $IPOFIF
>> done
>> fi
>> 
>> $EXTERNAL is the set of external interfaces you have, "ipnm_cache"
>> precomputes the IP address and netmask for the respective external interface
>> (the IP address gets stored in $IPOFIF.)
>
>Ok, I've read conflicting information on this subject, and neither solution
>has worked correctly.  I can't use this solution because I don't seem to have
>ipnm_cache.  I tried to follow the NAT-HOWTO which says to use these commands:

Well, the above was an excerpt from my firewalling rules (scripts.) You can 
use it by simply inserting your data in the places where I have variables:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 11.22.33.44

(if eth0 is your external interface and where 11.22.33.44 is your external 
IP.)

>#> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The MASQUERADE target is for dynamic interfaces like ppp0. For static IPs you 
should use the above solution which I originally provided.

>at which point I get the message:
>
>iptables: No chain/target/match by that name

Hmmm, not sure why you receive this message. Any messages in syslog? Maybe 
you're simply missing the relevant modules?

Have a look at

http://netfilter.kernelnotes.org/

There you should find a tutorial about netfilter and its use.

HTH,

Ralf






Re: eth1 messing up eth0 and routing question

2001-09-05 Thread bedlam
> On 5 Sep 2001 08:29:37 -0700, [EMAIL PROTECTED] wrote:
> 
> >I can ping outside and inside networks from the router, and I can ping the
> >LAN side of the router from a local computer, but I can't ping outside from
> >the local computer.
> 
> You need SNAT ("ip masquerading") like this:
> 
> if [ -n "$EXTERNAL" ]; then
> for ext in $EXTERNAL; do
> ipnm_cache $ext
> $IPTABLES -t nat -A POSTROUTING -o $ext -j SNAT --to $IPOFIF
> done
> fi
> 
> $EXTERNAL is the set of external interfaces you have, "ipnm_cache"
> precomputes the IP address and netmask for the respective external interface
> (the IP address gets stored in $IPOFIF.)

Ok, I've read conflicting information on this subject, and neither solution has 
worked correctly.  I can't use this solution because I don't seem to have 
ipnm_cache.  I tried to follow the NAT-HOWTO which says to use these commands:

#> modprobe iptable_nat
#> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

at which point I get the message:

iptables: No chain/target/match by that name

Help?







Re: eth1 messing up eth0 and routing question

2001-09-05 Thread bedlam

> >I can ping outside and inside networks from the router, and I can ping the
> >LAN side of the router from a local computer, but I can't ping outside from
> >the local computer.
> 
> You need SNAT ("ip masquerading") like this:
> 
> if [ -n "$EXTERNAL" ]; then
> for ext in $EXTERNAL; do
> ipnm_cache $ext
> $IPTABLES -t nat -A POSTROUTING -o $ext -j SNAT --to $IPOFIF
> done
> fi
> 
> $EXTERNAL is the set of external interfaces you have, "ipnm_cache"
> precomputes the IP address and netmask for the respective external interface
> (the IP address gets stored in $IPOFIF.)

Ok, so does this just run in the script I'm setting up to execute everything?  
do I have to setup $EXTERNAL?  why is iptables executed as $IPTABLES?  I'm 
totally new to this...







Re: eth1 messing up eth0 and routing question

2001-09-05 Thread dman
On Wed, Sep 05, 2001 at 08:29:37AM -0700, [EMAIL PROTECTED] wrote:
| I have two nics in a Debian 2.2 machine w/ kernel 2.4.9.  eth0 is a
| Linksys Ether16 using the ne driver, eth1 is a Linksys 10/100 using
| the tulip driver.  I'm trying to build a router and firewall using
| iptables.  When I bring up eth0 (connected to the cable modem) it
| works fine.  I can take it down and bring it up just fine.  While it's
| up I can bring up eth1 (on the LAN) and ping both the internet and my
| other computer.  Now, if I try to bring eth0 down it won't.  It'll act
| like it does, but ifconfig shows it is still there.  When I try ifdown
| eth0 multiple times it just tells me eth0 is not configured.  Has
| anyone seen this before?  I can bring my computer and both interfaces

if{up|down} maintains a file, /etc/network/ifstate, that tells it
whether or not the interface is configured.  When ifdown is run it
removes eth0 from that file, then subsequent executions will tell you
the interface isn't there.  ifconfig looks at the kernel to see what
really exists and tells you the interface is still there.  Try the
--force option to ifdown and see if it helps.  With my connection I
have a command setup in /etc/network/interfaces to run just before the
interface is deconfigured.  If I cancel that command (ie ^C) then the
interface isn't really taken down but ifdown thinks it is.

| by hand in this condition, but it won't work on boot like this.  eth0
| connects through dhcp to roadrunner, eth1 is static.
| 
| On a side note, can anyone point me to a good tutorial on iptables,
| preferably something I can save and not need a connection to view?
| I've tried to set up just simple routing functions so I can get both
| the router on and my computer, but it isn't working.  I enter:

See netfilter.filewatcher.org.  I got the PS version and printed it.

-D
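
The mismatch dman describes, between ifupdown's state file and what the kernel reports, can be checked directly. This is an added example, not code from the thread; it assumes the one-entry-per-line "eth0=eth0" state file format and the Linux /sys/class/net/<iface>/flags files, and the sample data is constructed.

```python
"""Compare ifupdown's idea of configured interfaces with the kernel's."""
import os

IFF_UP = 0x1  # IFF_UP bit of the kernel's interface flags word


def parse_ifstate(text):
    """Return the interfaces ifupdown believes are configured.

    Assumed format: one "eth0=eth0" (physical=logical) entry per line.
    """
    configured = set()
    for line in text.splitlines():
        name, sep, _logical = line.strip().partition("=")
        if sep and name:
            configured.add(name)
    return configured


def read_sys_flags(sys_net="/sys/class/net"):
    """Read the raw flags string of every interface the kernel knows."""
    flags = {}
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags[name] = fh.read().strip()
        except OSError:
            continue  # entry vanished or is not an interface directory
    return flags


def kernel_up(flags):
    """Interfaces whose flags word has IFF_UP set (what ifconfig lists)."""
    return {name for name, raw in flags.items() if int(raw, 16) & IFF_UP}


def audit(ifstate_text, flags, ignore=("lo",)):
    """Report where the state file and the kernel disagree."""
    configured = parse_ifstate(ifstate_text) - set(ignore)
    up = kernel_up(flags) - set(ignore)
    return {
        # ifdown removed the entry, but the interface is still live
        "up_but_not_in_ifstate": sorted(up - configured),
        # ifup recorded the entry, but the interface never came up
        "in_ifstate_but_down": sorted(configured - up),
    }


# Constructed sample: the state after an "ifdown eth0" that removed eth0
# from the state file without actually taking the interface down.
SAMPLE_IFSTATE = "lo=lo\neth1=eth1\n"
SAMPLE_FLAGS = {"lo": "0x49", "eth0": "0x1043", "eth1": "0x1043"}

if __name__ == "__main__":
    print(audit(SAMPLE_IFSTATE, SAMPLE_FLAGS))
```

On a router or firewall the first list is the one to watch: an external interface that ifupdown considers down but the kernel still has up keeps passing traffic.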



Re: eth1 messing up eth0 and routing question

2001-09-05 Thread Ralf G. R. Bergs
On 5 Sep 2001 08:29:37 -0700, [EMAIL PROTECTED] wrote:

>I can ping outside and inside networks from the router, and I can ping the LAN
>side of the router from a local computer, but I can't ping outside from the
>local computer.

You need SNAT ("ip masquerading") like this:

if [ -n "$EXTERNAL" ]; then
for ext in $EXTERNAL; do
ipnm_cache $ext
$IPTABLES -t nat -A POSTROUTING -o $ext -j SNAT --to $IPOFIF
done
fi

$EXTERNAL is the set of external interfaces you have, "ipnm_cache" precomputes
the IP address and netmask for the respective external interface (the IP
address gets stored in $IPOFIF.)






eth1 messing up eth0 and routing question

2001-09-05 Thread bedlam
I have two nics in a Debian 2.2 machine w/ kernel 2.4.9.  eth0 is a Linksys 
Ether16 using the ne driver, eth1 is a Linksys 10/100 using the tulip driver.  
I'm trying to build a router and firewall using iptables.  When I bring up eth0 
(connected to the cable modem) it works fine.  I can take it down and bring it 
up just fine.  While it's up I can bring up eth1 (on the LAN) and ping both the 
internet and my other computer.  Now, if I try to bring eth0 down it won't.  
It'll act like it does, but ifconfig shows it is still there.  When I try 
ifdown eth0 multiple times it just tells me eth0 is not configured.  Has anyone 
seen this before?  I can bring my computer and both interfaces by hand in this 
condition, but it won't work on boot like this.  eth0 connects through dhcp to 
roadrunner, eth1 is static.

On a side note, can anyone point me to a good tutorial on iptables, preferably 
something I can save and not need a connection to view?  I've tried to set up 
just simple routing functions so I can get both the router on and my computer, 
but it isn't working.  I enter:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

I can ping outside and inside networks from the router, and I can ping the LAN 
side of the router from a local computer, but I can't ping outside from the 
local computer.  I've tried DNS entries and ip addresses.  Hints?

Thanx!
Matt







Re: simple routing question

2001-06-25 Thread Paul Mackinney
Hm. Your post seems off-topic to me, but I could be wrong. If your
cousin uses an old Storm-Linux CD for a coaster then probably anything
you posted would be on topic in this list   :-)

But seriously, the problem is that you're trying to use a router that
isn't on the host's network. You can't do this. If your host has a
single NIC with a single address, it can only talk directly to nodes
on the same network as its address. The solution is to leave your
hosts' default router set to 10.10.8.254, and add a static route to
10.10.8.254's routing table to forward all packets from your host
straight to 10.10.6.1.

Regards,

Paul Mackinney
[EMAIL PROTECTED]

- Original Message -
From: "Jonathan Lupa" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, June 16, 2001 5:17 AM
Subject: simple routing question

I have the feeling that I just can't do what I want, but I figured I'd
ask to be sure...

I have a host with a static IP in the 10.10.8.* network.  The router
for that network is 10.10.8.254.  There is another router 10.10.6.1,
which can be reached through 10.10.8.254.  What I would like to do is:

route add -net 10.0.0.0/8 gw 10.10.8.254
route add -host 10.10.6.1 gw 10.10.8.254
route add default gw 10.10.6.1

But every time I attempt to add that default route it gives me a
"Network Unreachable" error.

Thoughts?

-Jonathan

--
[EMAIL PROTECTED]
GPG public key available from http://lupavista.jamdata.net/gpg.asc
--
Lament 1750: "If I only had a radioactive decay source and a fast
free-running oscillator..."
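
Why the third command fails while the first two succeed, as an added example that is not part of the original posts: a model of the next-hop rule Paul describes, written for illustration and not the kernel's code. The host address 10.10.8.20/24 and the test destination 198.51.100.7 are assumptions; the thread only gives the 10.10.8.* network.

```python
"""Model of the next-hop check behind the "Network Unreachable" error."""
import ipaddress


class RouteTable:
    """Minimal host routing table with an on-link check for gateways."""

    def __init__(self, interfaces):
        # interfaces: {"eth0": "10.10.8.20/24"}. Configuring an address
        # creates a directly connected route for its subnet.
        self.routes = []  # entries: (network, gateway or None, device)
        for dev, cidr in interfaces.items():
            net = ipaddress.ip_interface(cidr).network
            self.routes.append((net, None, dev))

    def on_link_device(self, addr):
        """Device whose connected subnet contains addr, else None."""
        addr = ipaddress.ip_address(addr)
        for net, gateway, dev in self.routes:
            # Only connected routes count. A route that itself goes via
            # a gateway does not make the target a neighbour.
            if gateway is None and addr in net:
                return dev
        return None

    def add(self, dest, gateway):
        """Add 'dest via gateway', refusing gateways that are not on-link."""
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        dev = self.on_link_device(gateway)
        if dev is None:
            raise OSError("Network is unreachable")
        self.routes.append((net, ipaddress.ip_address(gateway), dev))
        return dev

    def lookup(self, addr):
        """Longest-prefix match; returns (gateway or None, device)."""
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, gateway, dev = max(matches, key=lambda r: r[0].prefixlen)
        return (str(gateway) if gateway is not None else None, dev)


def replay(host_cidr, commands):
    """Apply (dest, gateway) pairs in order and record each outcome."""
    table = RouteTable({"eth0": host_cidr})
    results = []
    for dest, gateway in commands:
        try:
            table.add(dest, gateway)
            results.append("ok")
        except OSError as exc:
            results.append(str(exc))
    return table, results


HOST_CIDR = "10.10.8.20/24"  # assumed; the thread says only "10.10.8.*"

# The three route commands from the question, as (destination, gateway).
QUESTION_COMMANDS = [
    ("10.0.0.0/8", "10.10.8.254"),  # route add -net 10.0.0.0/8 gw 10.10.8.254
    ("10.10.6.1", "10.10.8.254"),   # route add -host 10.10.6.1 gw 10.10.8.254
    ("default", "10.10.6.1"),       # route add default gw 10.10.6.1
]

if __name__ == "__main__":
    table, results = replay(HOST_CIDR, QUESTION_COMMANDS)
    for (dest, gateway), outcome in zip(QUESTION_COMMANDS, results):
        print(f"{dest} via {gateway}: {outcome}")
    # Paul's fix: keep the on-link router as the default gateway.
    table.add("default", "10.10.8.254")
    print(table.lookup("198.51.100.7"))
```

The host route to 10.10.6.1 is accepted, yet it does not help the default route: 10.10.6.1 is still reached through another gateway, so it cannot be a next hop itself.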




simple routing question

2001-06-16 Thread Jonathan Lupa
I have the feeling that I just can't do what I want, but I figured I'd
ask to be sure...

I have a host with a static IP in the 10.10.8.* network.  The router
for that network is 10.10.8.254.  There is another router 10.10.6.1,
which can be reached through 10.10.8.254.  What I would like to do is:

route add -net 10.0.0.0/8 gw 10.10.8.254
route add -host 10.10.6.1 gw 10.10.8.254
route add default gw 10.10.6.1

But every time I attempt to add that default route it gives me a
"Network Unreachable" error.

Thoughts?

-Jonathan

-- 
[EMAIL PROTECTED]
GPG public key available from http://lupavista.jamdata.net/gpg.asc
--
Lament 1750: "If I only had a radioactive decay source and a fast 
free-running oscillator..."




Re: Network routing question

2001-04-16 Thread D-Man
On Mon, Apr 16, 2001 at 02:06:35PM +0200, Hans wrote:
| Some advice needed, before I mess up big time.

I'm not very experienced, but ...

| At school I want to do 
| $route add default gw 192.168.1.1:902 eth0 
| so that all packet requests are put on
| through the proxy/firewall.
| 
| Now back at home I have to put the machine
| back in my own network.
| 
| Q2: If I create a new default route 
| ( $route add default gw 192.168.1.0 eth0 )
| will this suffice to get my machine back into my network and erase
| the old default route?

If you shut down your laptop between school and home you should be ok
(that is, as far as the routing tables go).  Just typing "route add
..." changes the routing table at that point, but doesn't modify your
startup settings at all.  If you reboot the machine you will get your
previous settings back.  (say you are inexperienced and you try
several things with route not really knowing what you are doing and
get it really messed up,  rebooting will clear out all the changes
you made)

There is also a 'del' option for route.  You can delete the route for
the school network and then add the route for the home network if you
don't reboot your machine.

-D



Re: Network routing question

2001-04-16 Thread Ramin Motakef
Hans <[EMAIL PROTECTED]> writes:

> Some advice needed, before I mess up big time.
> 
> At home I have a small
> network with three machines: 192.168.1.1 till 192.168.1.3
> 
> I want to take
> 192.168.1.2 to school and hook it up to the network there to do a dist
> upgrade (at home I have dial-up only, school's free bandwidth). They have a
> proxy/firewall with IP 192.168.1.1, but the bad news is all ports are
> closed, except port 902 for http access to the net. Using Netscape I can
> configure a proxy server within the program and this works. I can also set
> up my apt-sources with an http site instead of ftp, so no problem there.
> But then...
> 
> The routing part scares me:
> At school I want to do $route add
> default gw 192.168.1.1:902 eth0 so that all packet requests are put on
> through the proxy/firewall.
> 
> Q1: Is the right approach and can I specify a
> default port number like this?
> 

No, you can't route packets through the proxy, that's what makes the
difference between a proxy (working on application layer) and a router
(on IP layer). 
The solution is to tell the applications (each one you need) to use
the proxy. For apt-get that means to set the environment variable
"http_proxy" 

bash$ export http_proxy=http://192.168.1.1:902

or to set the proxy in apt's configuration file (see apt.conf(5) ).

> Now back at home I have to put the machine
> back in my own network.
> 
> Q2: If I create a new default route ($route add
> default gw 192.168.1.0 eth0) will this suffice to get my machine back into
> my network and erase the old default route?
> 
> Or am I on the wrong track
> completely? The things that confuse me are the odd port number for http and
> the fact that both my home network and school network have the same group
> of network addresses for localnet. Anybody some kind words of
> explanation?
> 
> Hans
> 

Ramin



Network routing question

2001-04-16 Thread Hans
Some advice needed, before I mess up big time.

At home I have a small
network with three machines: 192.168.1.1 till 192.168.1.3

I want to take
192.168.1.2 to school and hook it up to the network there to do a dist
upgrade (at home I have dial-up only, school's free bandwidth). They have a
proxy/firewall with IP 192.168.1.1, but the bad news is all ports are
closed, except port 902 for http access to the net. Using Netscape I can
configure a proxy server within the program and this works. I can also set
up my apt-sources with an http site instead of ftp, so no problem there.
But then...

The routing part scares me:
At school I want to do $route add
default gw 192.168.1.1:902 eth0 so that all packet requests are put on
through the proxy/firewall.

Q1: Is the right approach and can I specify a
default port number like this?

Now back at home I have to put the machine
back in my own network.

Q2: If I create a new default route ($route add
default gw 192.168.1.0 eth0) will this suffice to get my machine back into
my network and erase the old default route?

Or am I on the wrong track
completely? The things that confuse me are the odd port number for http and
the fact that both my home network and school network have the same group
of network addresses for localnet. Anybody some kind words of
explanation?

Hans



Re: Routing question

2000-12-05 Thread Jonathan D. Proulx
On Tue, Dec 05, 2000 at 11:58:48AM -0300, Eduardo Gargiulo wrote:
:Hi.
:
:I've tried your configuration and now I can ping the second interface (eth1)
:from the router, but not the other hosts. I run the following commands
:
:ifconfig eth1 200.16.224.3 netmask 255.255.255.255 up
:route add -host 200.16.224.3 eth1
:route add -host 200.16.224.4 eth1
:route add -host 200.16.224.5 eth1
:
:eth0 has 200.16.224.2 and the router 200.16.224.1
:The netmask is 255.255.255.248

First, I'm not sure my suggestion will work, so don't bang your head on
it for too long.

Some things to check though:

can you ping all machines from the box you're configuring

did you echo 1 > /proc/sys/net/ipv4/ip_forward

did you set the default gateway properly


Another thing to try is a netmask calculator to make sure
255.255.255.248 is what you want.  In fact if you're going that far
figure out the masking you need on each interface so you don't have to
bother with static routing.

http://www.csc.fi/english/funet/calc/laskin2.html

don't forget when playing with strange subnetting that the network
address and broadcast will change too (this calculator shows all the
info)

-Jon
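
Jon's netmask-calculator step, done for the addresses in this thread (added example, not from the original posts). It uses Eduardo's 255.255.255.248 block and addresses; the names host-a and host-b for 200.16.224.4 and .5 are labels made up here, and the /30 split is one possible way to follow Raphael's two-subnet suggestion.

```python
"""Subnet arithmetic for the 200.16.224.0/255.255.255.248 block."""
import ipaddress


def describe(cidr):
    """Network, broadcast, netmask and usable hosts for an address/prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "hosts": [str(h) for h in net.hosts()],
    }


def same_subnet_interfaces(ifaces):
    """Pairs of interfaces whose connected subnets are identical.

    Two interfaces in the same subnet give the host two connected routes
    for one destination range, so routing cannot choose by destination.
    """
    items = sorted(ifaces.items())
    clashes = []
    for i, (name_a, cidr_a) in enumerate(items):
        net_a = ipaddress.ip_interface(cidr_a).network
        for name_b, cidr_b in items[i + 1:]:
            if net_a == ipaddress.ip_interface(cidr_b).network:
                clashes.append((name_a, name_b, str(net_a)))
    return clashes


def classify(addresses, block, new_prefix):
    """Place each address in the split block and say what role it gets."""
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=new_prefix))
    report = {}
    for name, addr in addresses.items():
        ip = ipaddress.ip_address(addr)
        net = next((s for s in subnets if ip in s), None)
        if net is None:
            report[name] = (None, "outside block")
        elif ip == net.network_address:
            report[name] = (str(net), "network address")
        elif ip == net.broadcast_address:
            report[name] = (str(net), "broadcast address")
        else:
            report[name] = (str(net), "usable host")
    return report


# Addresses as given in the thread; host-a/host-b are made-up labels.
THREAD_ADDRESSES = {
    "router": "200.16.224.1",
    "eth0": "200.16.224.2",
    "eth1": "200.16.224.3",
    "host-a": "200.16.224.4",
    "host-b": "200.16.224.5",
}

if __name__ == "__main__":
    print(describe("200.16.224.2/29"))
    print(same_subnet_interfaces(
        {"eth0": "200.16.224.2/29", "eth1": "200.16.224.3/29"}))
    for name, (net, role) in classify(
            THREAD_ADDRESSES, "200.16.224.0/29", 30).items():
        print(f"{name:7} {net:17} {role}")
```

Splitting the block into two /30s turns 200.16.224.3 into a broadcast address and 200.16.224.4 into a network address, which is the renumbering Jon warns about when he says the network address and broadcast change too.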



Re: Routing question

2000-12-04 Thread Jonathan D. Proulx
Hi,

If there is a limited number of machines behind the firewall try this:

set the interface to the router normally
set the interface to the hub with a 255.255.255.255 mask, then add
static routes to the hosts behind this interface

I *think* that will work.

-Jon



Re: Routing question

2000-12-04 Thread Nathan E Norman
On Mon, Dec 04, 2000 at 03:55:58PM -0300, Eduardo Gargiulo wrote:
> Hi all.
> 
> I have a subnet with real IPs and I want configure a firewall with two 
> interfaces, the first one (eth0) connected to the router and the other (eth1) 
> connected to the hub. Two interfaces have the same subnetmask.
> When I log to the router, I can ping eth0, but not eth1. Which is my problem?

You are actually configuring a bridge, not a router (a router divides
subnets and thus each NIC in a router needs to belong to a separate
network).

You'll need to recompile your kernel to support bridging at the very
least.  I believe there's a bridge HOWTO but I've never set up
bridging in Linux.

HTH,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: Routing question

2000-12-04 Thread Timo Benk
Hi,

On Mon, Dec 04, 2000 at 03:55:58PM -0300, Eduardo Gargiulo wrote:
> I have a subnet with real IPs and I want configure a firewall with two 
> interfaces, the first one (eth0) connected to the router and the other (eth1) 
> connected to the hub. Two interfaces have the same subnetmask.
> When I log to the router, I can ping eth0, but not eth1. Which is my problem?

Only an idea:
echo 1 >> /proc/sys/net/ipv4/ip_forward

 Ciao,
 Timo<[EMAIL PROTECTED]>




Re: Routing question

2000-12-04 Thread Raphael Deimel

- Original Message -
From: "Eduardo Gargiulo" <[EMAIL PROTECTED]>
To: 
Sent: Monday, December 04, 2000 7:55 PM
Subject: Routing question


> Hi all.
>
> I have a subnet with real IPs and I want configure a firewall with two
> interfaces, the first one (eth0) connected to the router and the other
> (eth1) connected to the hub. Two interfaces have the same subnetmask.

you can't have the same subnet mask for more than one subnet, because the
routing process has to decide to which interface it should send data to.
if you *really* want the same subnet on both eth's, you need an ethernet
bridge (support in kernel), then it doesn't matter on which interface your
ip is bound.
the easiest way to solve this problem is to split the ip's into 2 subnets on
each ethernet segment.
(and configure forwarding to forward packets between those subnets)


i hope i helped you

Raphael





Routing question

2000-12-04 Thread Eduardo Gargiulo
Hi all.

I have a subnet with real IPs and I want configure a firewall with two 
interfaces, the first one (eth0) connected to the router and the other (eth1) 
connected to the hub. Two interfaces have the same subnetmask.
When I log to the router, I can ping eth0, but not eth1. Which is my problem?

-- 
:%s/Micros~1/GNU\/Linux/g^M
:wq!



Re: bad NICs vs bad routing question: potato

2000-04-26 Thread Oswald Buddenhagen
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth2

according to the man-page and a real case in the last few days, this
should help:
route add -net 192.168.x.0/24 gw 192.168.x.1 eth?
(provided that x.1 is the ip of the local NICs (don't know yours
any more)).

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Linux - the last service pack you'll ever need.


Re: bad NICs vs bad routing question: potato

2000-04-26 Thread Stan Kaufman
Oswald Buddenhagen wrote:
> 
> > Here's the ifconfig output:
> > ...
> it looks good.
> 
> > Here's dmesg:
> > ...
> don't know, what the multicast errors mean, but they should be harmless.
> probably you got some dos tool to setup the card - try some options which
> seem to have something to do with it.
> 
> please post the output of "route".

Oswald, thanks for the help.

Oops, sorry; meant to include route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1

The multicast errors which are generated by ifconfig must be due to some
setup option on the cards. I put the cards in a Windoze box and they
work just fine there. I don't see any configurations relevant to
multicast in isapnp though.

Stan


Re: bad NICs vs bad routing question: potato

2000-04-26 Thread Oswald Buddenhagen
> But I can't ping either of them from other boxes on their networks. I haven't
> implemented any type of firewall yet; I'm just trying to connect. The question
> is whether there is something wrong with the NICs or if it's something I haven't
> configured right (OK, I admit it--I'm a relative newbie here).
> 

> Here's the ifconfig output:
> ...
it looks good.

> Here's dmesg:
> ...
don't know, what the multicast errors mean, but they should be harmless.
probably you got some dos tool to setup the card - try some options which
seem to have something to do with it.

please post the output of "route".

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Linux - the last service pack you'll ever need.


bad NICs vs bad routing question: potato

2000-04-25 Thread Stan Kaufman
I'm setting up a gateway box with potato on a scavenged P75 box with one newer
Intel EtherExpress 10/100 PCI NIC (eth0) and two older Intel EtherExpress PRO/10
ISA NICs (eth1 and eth2). Target topology is a DMZ network and an internal
network, both masqueraded to the outside.

However, I've got problems with the two ISA NICs. I configured them with
isapnptools, and they show up ok in ifconfig. I can ping them from the keyboard
of the gateway box. When hooked to their hubs, their connection LEDs come on,
and their activity LEDs flash as network traffic goes by. So far so good.

But I can't ping either of them from other boxes on their networks. I haven't
implemented any type of firewall yet; I'm just trying to connect. The question
is whether there is something wrong with the NICs or if it's something I haven't
configured right (OK, I admit it--I'm a relative newbie here).

During boot (shown in dmesg), the two NICs report "multicast setup failed", and
when I ifconfig them from the command line, I see this also. Nevertheless,
ifconfig reports them UP RUNNING MULTICAST. Any idea what this discrepancy
means? I've posted this question to an Intel forum to ask whether this is a hardware
problem. Or is there some stupid configuration error I'm making here?

*Many* TIA for any ideas. Following is more detail:

Stan

---

Here's the ifconfig output:

eth0      Link encap:Ethernet  HWaddr 00:A0:C9:E6:97:49
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:6 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0xfcc0

eth1      Link encap:Ethernet  HWaddr 00:AA:00:BD:AE:A1
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x200

eth2      Link encap:Ethernet  HWaddr 00:AA:00:BD:B0:90
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x220

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Here's dmesg:

Linux version 2.2.14 ([EMAIL PROTECTED]) (gcc version 2.95.2 2220 (Debian GNU/Linux)) #1 Wed Mar 22 15:27:14 EST 2000
Detected 75171537 Hz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 29.90 BogoMIPS
Memory: 37892k/40960k available (1684k kernel code, 412k reserved, 832k data, 140k init)
Dentry hash table entries: 8192 (order 4, 64k)
Buffer cache hash table entries: 65536 (order 6, 256k)
Page cache hash table entries: 16384 (order 4, 64k)
VFS: Diskquotas version dquot_6.4.0 initialized
CPU: Intel Pentium 75 - 200 stepping 04
Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
Checking 'hlt' instruction... OK.
Checking for popad bug... OK.
Intel Pentium with F0 0F bug - workaround enabled.
POSIX conformance testing by UNIFIX
PCI: PCI BIOS revision 2.10 entry at 0xfc8e0
PCI: Using configuration type 1
PCI: Probing PCI hardware
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
TCP: Hash tables configured (ehash 65536 bhash 65536)
Starting kswapd v 1.5 
Detected PS/2 Mouse Port.
pty: 256 Unix98 ptys configured
apm: BIOS not found.
Real Time Clock Driver v1.09
RAM disk driver initialized:  16 RAM disks of 4096K size
loop: registered device at major 7
TRM290: ignored by ide_scan_pci_device() (uses own driver)
hda: Conner Peripherals 1080MB - CFS1081A, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: Conner Peripherals 1080MB - CFS1081A, 1032MB w/0kB Cache, CHS=2097/16/63
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
md driver 0.36.6 MAX_MD_DEV=4, MAX_REAL=8
scsi:  Detection failed (no card)
NCR53c406a: no available ports found
sym53c416.c: Version 1.0.0
Failed initialization of WD-7000 SCSI card!
IBM MCA SCSI: No Microchannel-bus support present -> Aborting.
DC390: 0 adapters found
megaraid: v1.05 (October 27, 1999)
aec671x_detect: 
scsi : 0 hosts.
scsi : detected total.
Partition check:
  hda: [PTBL] [524/64/63] hda1 hda2 hda3 < hda5 hda6 hda7 hda8 >
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 140k freed
NET4: Unix domain sockets 1.0 for Linux NET4

Re: Firewall Routing Question

2000-02-21 Thread Bill White
Thank you very much for your reply.  The answers to most of your
questions were in the first email I sent.  I tried to simplify it
by leaving out details, but apparently the details were what you
wanted to see.

In any case, my current network topology is this:
>  [DSL]--[HUB]--[216.254.24.95]
>           \ \--[216.254.24.96]
>            [Firewall]
>                |
>              [HUB]
>                |
>        Internal LAN on [192.168.1.0/24] subnet
> 
> Obviously this provides no firewalling for 216.254.24.9[56]!
> 
It's not so bad, since the two 216.254.24.9[56] machines use VPN software
which reject everything into their interface except for packets which
are properly encrypted from the other side.  This is not the way I would
want it, but for the moment it is the way it is.

I think I am going to look into the bridging solution.  The aliasing
solution was the obvious one, but the VPN software doesn't work at all
through IP Masquerade, or at least that was what the MIS guys said.

Thanks again.




Re: Firewall Routing Question

2000-02-18 Thread Nathan E Norman
On Fri, Feb 18, 2000 at 10:16:19AM -0500, Bill White wrote:
: Hi.  Sorry to bother you again, but my problem is not fixed.  I looked
: at the ICMP Masquerade Enabled setting in my kernel, and it appears to
: be enabled.
: 
: I think that the problem I am having is:
: o I have a firewall machine, with an interface whose number is 192.168.2.10.
: o I have machines on the same hub as this interface whose numbers are not on
:   the 192.168.2.0/24 subnet.
: o I want these machines to route through the 192.168.2.10 interface to the
:   firewall's gateway.

That's not going to work without some rethinking of your network.  A
basic understanding of IPv4 would make this more clear ... (that's not
meant as a knock against you, but I sense some confusion here.  That
might be because I don't have enough info ...)

: o I have a second hub whose machines are all on a 192.168.1.0/24 subnet,
:   and do IP Masquerade to the internet.  This works fine.
: 
: My routing tables are:
: Kernel IP routing table
: Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
: 216.254.24.1    0.0.0.0         255.255.255.255 UH    0      0        1 eth0
: 216.254.24.95   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
  ^^
This is a host route, not a network route.

: 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        1 eth2
: 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
: 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
: 0.0.0.0         216.254.24.1    0.0.0.0         UG    1      0        2 eth0
: 
: and this is what I expect:
: o The default route is 216.254.24.1, which is the DSL gateway.
: o 216.254.24.95 is on eth1, which is the hub whose if address is
:   192.168.2.10.  I can in fact ping 216.254.24.95.

Your terminology is confusing.  "216.254.24.95 is on eth1" implies
that IP 216.254.24.95 is bound to eth1 - that doesn't appear to be the
case.

: o The 192.168.1.0/24 subnet is on eth2.  This subnet works fine
:   through IP Masquerade.
: o The 192.168.2.0/24 subnet is on eth1, even though the only
:   address in this subnet is the if address.

If it's the only address on a subnet, it's of little value.
Networking requires two addresses per subnet - that's how
communication works :)

: o The 216.254.24.1 DSL gateway is on eth0, where it is supposed
:   to be.
: 
: Just for completeness, the behavior seems to be that things are routed
: from eth2 (the mixed subnet hub) through the fw machine to eth1 just
: fine when they are for the eth1 subnet.  But they do not get out to
: the default gateway when they are for addresses on the wider internet.
: 
: So, I guess the real question is: is it possible to have an interface
: accept packets which are not on the subnet of the interface's address?
: It seems as if it is possible, since I can ping machines which go
: 216.254.24.95 to 192.168.1.1 just fine.  But it doesn't seem to route
: these to the default gateway.

What kind of machine is on this other hub?  Where did you get this
216.254.24.95 address?  What is the external address of the firewall?

You don't include the output of `/sbin/ifconfig', nor your ipchains
rules, nor a physical layout diagram, so I don't want to make too many
assumptions.  However, if I had to guess, I'd venture the following:

You've been assigned two addresses from your DSL provider.  You've
bound one of those to your firewall, and the other to some other
machine.  The simplest way to make that setup work is like this:

 [DSL]--[HUB]--[216.254.24.95]
          \
           [Firewall]
               |
             [HUB]
               |
          Internal LAN

Obviously this provides no firewalling for 216.254.24.95!

If you want 216.254.24.95 behind the firewall, there are two ways to
do it:

1) Bridging

 [DSL]--[Firewall]*--[HUB]--[216.254.24.95]
            |
          [HUB]
            |
       Internal LAN

The interface marked with a '*' is bridging traffic.  Your kernel
needs to be recompiled to support this.

2) Aliasing

 [DSL]--[Firewall]
            |
          [HUB]--[192.168.1.42]
            |
       Internal LAN

In this scenario, you bind both IPs from the provider to the external
firewall interface.  You masq all traffic from 192.168.1.42 to
216.254.24.95.  You masq all traffic from net 192.168.1.0/24 to the
other IP.

There are a couple ways to do option 2.  One requires aliasing support
in the kernel.  The other requires netfilter.  SysAdmin magazine had a
writeup on netfilter recently that addressed several scenarios like
this.

Hope that helps,

-- 
Nathan Norman    Network Magician, Eclectic Engineer
GPG Key ID 1024D/51F98BB7   "Eschew Obfuscation"
Key fingerprint = C5F4 A147 416C E0BF AB73  8BEF F0C8 255C 51F9 8BB7
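
Added example (not part of the original messages): a longest-prefix-match lookup over the routing table Bill White posted, with its column spacing restored. It shows why 216.254.24.95 leaves through eth1 via its host route, while a neighbour without one (216.254.24.96, named in the later message) falls through to the default route on eth0. The function names are illustrative, and the parser assumes numeric `route -n` style output.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Routing table from the post quoted above (column spacing restored).
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.254.24.1    0.0.0.0         255.255.255.255 UH    0      0        1 eth0
216.254.24.95   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        1 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         216.254.24.1    0.0.0.0         UG    1      0        2 eth0
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    flags: str
    metric: int
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse numeric `route -n` style output into Route entries."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly 8 columns and start with a dotted quad;
        # this skips the title and the column header.
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network(f"{dest}/{mask}")
        gateway = None if gw in ("0.0.0.0", "*") else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, flags, int(metric), iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the matching route: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def describe(routes: List[Route], dst: str) -> str:
    """One-line summary of where a packet for dst would be sent."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: unreachable"
    if r.network.prefixlen == 32:
        kind = "host route"
    elif r.network.prefixlen == 0:
        kind = "default route"
    else:
        kind = "network route"
    hop = f"via {r.gateway}" if r.gateway else "on-link"
    return f"{dst}: {kind} {r.network} {hop} dev {r.iface}"


def off_subnet_host_routes(routes: List[Route]) -> List[Route]:
    """Host routes whose address lies outside every subnet connected on the
    same interface, i.e. hosts reachable only because of the explicit /32."""
    found = []
    for r in routes:
        if r.network.prefixlen != 32 or r.gateway is not None:
            continue
        connected = [n.network for n in routes
                     if n.iface == r.iface and n.gateway is None
                     and 0 < n.network.prefixlen < 32]
        if not any(r.network.subnet_of(c) for c in connected):
            found.append(r)
    return found


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    for dst in ("216.254.24.95", "216.254.24.96", "192.168.1.42", "209.81.8.242"):
        print(describe(table, dst))
    for r in off_subnet_host_routes(table):
        print(f"off-subnet host route: {r.network} dev {r.iface}")
```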




Re: Firewall Routing Question

2000-02-18 Thread Bill White
Hi.  Sorry to bother you again, but my problem is not fixed.  I looked
at the ICMP Masquerade Enabled setting in my kernel, and it appears to
be enabled.

I think that the problem I am having is:
o I have a firewall machine, with an interface whose number is 192.168.2.10.
o I have machines on the same hub as this interface whose numbers are not on
  the 192.168.2.0/24 subnet.
o I want these machines to route through the 192.168.2.10 interface to the
  firewall's gateway.
o I have a second hub whose machines are all on a 192.168.1.0/24 subnet,
  and do IP Masquerade to the internet.  This works fine.

My routing tables are:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.254.24.1    0.0.0.0         255.255.255.255 UH    0      0        1 eth0
216.254.24.95   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        1 eth2
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         216.254.24.1    0.0.0.0         UG    1      0        2 eth0

and this is what I expect:
o The default route is 216.254.24.1, which is the DSL gateway.
o 216.254.24.95 is on eth1, which is the hub whose if address is
  192.168.2.10.  I can in fact ping 216.254.24.95.
o The 192.168.1.0/24 subnet is on eth2.  This subnet works fine
  through IP Masquerade.
o The 192.168.2.0/24 subnet is on eth1, even though the only
  address in this subnet is the if address.
o The 216.254.24.1 DSL gateway is on eth0, where it is supposed
  to be.

Just for completeness, the behavior seems to be that things are routed
from eth2 (the mixed subnet hub) through the fw machine to eth1 just
fine when they are for the eth1 subnet.  But they do not get out to
the default gateway when they are for addresses on the wider internet.

So, I guess the real question is: is it possible to have an interface
accept packets which are not on the subnet of the interface's address?
It seems as if it is possible, since I can ping machines which go
216.254.24.95 to 192.168.1.1 just fine.  But it doesn't seem to route
these to the default gateway.

I'm sorry if this is an obvious question.  I really have read through
the FAQS and NAG, but I haven't found what could be wrong.

Thanks in advance.



Re: Firewall routing question.

2000-02-15 Thread John Pearson
On Mon, Feb 14, 2000 at 10:41:35AM -0500, Bill White wrote
> Hi.  I have a routing question.  I have tried this in various combinations,
> but I don't seem to have the right one.
> 
> This is my desired HW and SW configuration.
> o One GNU/Linux firewall machine.  This also has its own IP number.  This
>   will also handle incoming email, ftp and web traffic, but that is not
>   the issue here.
> o Two Windows machines, each with 1 ethernet card, and each with their
>   own IP address.  They are going to run proprietary VPN SW to my
>   employer's office in San Jose CA.  (I am in MA.)  It goes through
>   the firewall machine.
> o Two or more Unix/Hurd/Windows machines.  These don't have their own
>   IP numbers, but do IP Masq. through the firewall.  These aren't
>   on the VPN, even when they are booted into Windows.
> o One DSL Modem.
> o Two hubs, many ethernet cards and much ethernet cabling.
> o I want to be able to mount Samba shares from the Unix machines on
>   the VPN'd Windows machines, but not necessarily to export them to
>   machines on the company VPN.  I don't need to mount the VPN's file
>   systems on the Unix machines, though it wouldn't hurt.
> 
> In this explanation I will say the real IP numbers are 10.100.3.1,
> 10.100.3.2 and 10.100.3.3, though these are of course not the real ones.
> 
> Right now, I have the 
> o VPN'd Windows machines, the firewall (eth0) and the dsl modem all on one
>   hub
> o the firewall (eth1) and the Unix/Hurd/Windows machines on the second hub.
> o the firewall routes and masquerades the Unix/Hurd/Windows machines.
> 
> This means that the VPN'd Windows machines are not behind the firewall.
> I'm not completely happy with this, though these machines crash 10-20
> times a day, and it would be hard to portscan them.  (If you don't
> reboot your Window machine at least 20 times a day you aren't working
> hard enough.)
> 
> I would like to have:
> o The firewall has three interfaces:
>   - One connecting to the DSL modem.  This if has IP number 10.100.3.1.
>   - One connecting to a hub for the VPN'd Windows machines.  The
> IP number for this if is 192.168.2.10.
>   - One connecting to a hub for the IPMasq'd Unix/Hurd/Windows machines.
> The IP number for this if is 192.168.1.10.
> o The firewall does IP masquerade for the Unix/Hurd/Windows machines.
> o Everything is routed easily and seamlessly.
> 
> I connected it this way, and then I tried the obvious thing:
> o Each non-firewall machine has the firewall machine as a default gw,
>   on their only interface.
> o The fw machine has a default gw route to the DSL gateway.
> o The fw machine routes the 192.168.1.0/24 net to eth2 (the if to the
>   192.168.1.0/24 hub.)
> o The fw machine routes the two real IP addresses 10.100.3.2 and 10.100.3.3
>   to eth1 (the if to the 10. hub)
> o The fw does proxy arp for the 192.168.1.0/24 machines.  (I tried both
>   with this and without this.)

Unnecessary, and probably a bad idea.

> 
> With this, all machines can get out to the internet, but the IPMasq'd
> machines could not ping the 10. machines through the fw machine.
> 
> What am I doing wrong?
> 

Quick check: did you enable ICMP masquerading in the firewall
machine's kernel?



John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark


Firewall routing question.

2000-02-14 Thread Bill White
Hi.  I have a routing question.  I have tried this in various combinations,
but I don't seem to have the right one.

This is my desired HW and SW configuration.
o One GNU/Linux firewall machine.  This also has its own IP number.  This
  will also handle incoming email, ftp and web traffic, but that is not
  the issue here.
o Two Windows machines, each with 1 ethernet card, and each with their
  own IP address.  They are going to run proprietary VPN SW to my
  employer's office in San Jose CA.  (I am in MA.)  It goes through
  the firewall machine.
o Two or more Unix/Hurd/Windows machines.  These don't have their own
  IP numbers, but do IP Masq. through the firewall.  These aren't
  on the VPN, even when they are booted into Windows.
o One DSL Modem.
o Two hubs, many ethernet cards and much ethernet cabling.
o I want to be able to mount Samba shares from the Unix machines on
  the VPN'd Windows machines, but not necessarily to export them to
  machines on the company VPN.  I don't need to mount the VPN's file
  systems on the Unix machines, though it wouldn't hurt.

In this explanation I will say the real IP numbers are 10.100.3.1,
10.100.3.2 and 10.100.3.3, though these are of course not the real ones.

Right now, I have the 
o VPN'd Windows machines, the firewall (eth0) and the dsl modem all on one
  hub
o the firewall (eth1) and the Unix/Hurd/Windows machines on the second hub.
o the firewall routes and masquerades the Unix/Hurd/Windows machines.

This means that the VPN'd Windows machines are not behind the firewall.
I'm not completely happy with this, though these machines crash 10-20
times a day, and it would be hard to portscan them.  (If you don't
reboot your Window machine at least 20 times a day you aren't working
hard enough.)

I would like to have:
o The firewall has three interfaces:
  - One connecting to the DSL modem.  This if has IP number 10.100.3.1.
  - One connecting to a hub for the VPN'd Windows machines.  The
IP number for this if is 192.168.2.10.
  - One connecting to a hub for the IPMasq'd Unix/Hurd/Windows machines.
The IP number for this if is 192.168.1.10.
o The firewall does IP masquerade for the Unix/Hurd/Windows machines.
o Everything is routed easily and seamlessly.

I connected it this way, and then I tried the obvious thing:
o Each non-firewall machine has the firewall machine as a default gw,
  on their only interface.
o The fw machine has a default gw route to the DSL gateway.
o The fw machine routes the 192.168.1.0/24 net to eth2 (the if to the
  192.168.1.0/24 hub.)
o The fw machine routes the two real IP addresses 10.100.3.2 and 10.100.3.3
  to eth1 (the if to the 10. hub)
o The fw does proxy arp for the 192.168.1.0/24 machines.  (I tried both
  with this and without this.)

With this, all machines can get out to the internet, but the IPMasq'd
machines could not ping the 10. machines through the fw machine.

What am I doing wrong?

Thanks in advance.











Re: routing question

1998-05-13 Thread Ian Keith Setford
Yo-

> Please do so. You could tell us *what* problems you have. What makes you
> "feel" something is wrong? How is the connection "corrupted"? What makes
> you think your routes are messed up.
I have a "bogus" connection sometimes as already stated.  

By corrupted I mean that sometimes I'll be working and have a telnet session
running, Netscape open somewhere and then Netscape can't connect and just
hangs.  At that point my telnet sessions that are currently connected
still work but I can't start new ones.  The only way to fix things is by
having the router re-dial and connect again.

I also can't get traceroute to work.  Ascend gave me a nonsensical reply
when I asked if I could run a traceroute through their NAT translation.
Shouldn't the trace show the first hop from my Debian box to the router at
least? It doesn't.

Also when I manually hang-up the ISDN call through the router it will
redial when I am (should) be sending no packets to a different subnet.
The router is set for Switched/Switched so it shouldn't connect unless it
receives packets destined for a different network.

twist# traceroute -v www.debian.org
traceroute to www.debian.org (209.81.8.242), 30 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * *
-
That is what I get when I traceroute and it takes forever too (over 2
min).

Any ideas?

-Ian
_
Ian K. Setford  [EMAIL PROTECTED]
  H: 940.566.0461
Pgr: 817.901.0255




Re: routing question

1998-05-13 Thread Martin Bialasinski

> "i" == ian  <[EMAIL PROTECTED]> writes:
i> I think I am having a routing problem which is responsible for
i> "corrupting" my ISDN connection intermittently.  I have ISDN with an

i> routed directly to the router.  My current set-up is working but I feel
i> like something is wrong so I thought I'd post here and let the network
i> gurus look at it.
 [...]
i> Can anybody tell if my routes are messed up?  What should they be?

i> Any info is greatly appreciated.  I can provide any other relevant info if
i> you need it to help diagnose anything!

Please do so. You could tell us *what* problems you have. What makes you
"feel" something is wrong? How is the connection "corrupted"? What makes
you think your routes are messed up.

Ciao,
Martin

BTW: Your setup looks OK.




routing question

1998-05-13 Thread ian

Yo-

I think I am having a routing problem which is responsible for
"corrupting" my ISDN connection intermittently.  I have ISDN with an
Ascend Pipeline 50 router using NAT (network address translation) for a
dial-up connection.  My desire is to have traffic not destined for the
internet to stay on the local LAN segment and for internet traffic to be
routed directly to the router.  My current set-up is working but I feel
like something is wrong so I thought I'd post here and let the network
gurus look at it.

My setup:

ISDN w/Pipe 50 router (setup to use NAT exactly as on Ascend's
white-paper) ip address 192.168.100.101
Debian box ip address 192.168.100.102
Win95  ip address 192.168.100.103

/etc/init.d/network
-
#!  /bin/sh
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
IPADDR=192.168.100.102
NETMASK=255.255.255.0
NETWORK=192.168.100.0
BROADCAST=192.168.100.255
GATEWAY=192.168.100.101
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK} && route add default gw ${GATEWAY} metric 1


/sbin/route -v
--
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0       19 eth0
127.0.0.0       *               255.0.0.0       U     0      0        5 lo
default         pipe.lucidity.o 0.0.0.0         UG    1      0       87 eth0


Can anybody tell if my routes are messed up?  What should they be?

Any info is greatly appreciated.  I can provide any other relevant info if
you need it to help diagnose anything!

Thanks,

-Ian
_
Ian K. Setford  [EMAIL PROTECTED]
 [EMAIL PROTECTED]
  H: 940.566.0461
Pgr: 817.901.0255




Re: routing question

1997-06-14 Thread Tim Sailer
In your email to me, Pete Templin, you wrote:
> 
> 
> Hi there,
> 
>   I'm in the process of setting up a 486 sx/25 as a dialup router
> (with one modem and one network card).  Unfortunately, the ISP can't seem
> to get the external routing right yet, so my testing is being held up.
> 
>   The question is this: I've compiled a lean, mean kernel with the
> appropriate IP forwarding enabled (no firewalling or masquerading is being
> used).  Will it "route" by default, or do I need to add a specific package
> or other external software?
> 
>   Here's the output of "route":
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> cs10.mil.ptd.ne *               255.255.255.255 UH    0      0        2 ppp0
> cs10.mil.ptd.ne *               255.255.255.255 UH    1      0        0 sl0
> 204.186.230.0   *               255.255.255.0   U     0      0       35 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0       18 lo
> default         *               0.0.0.0         U     0      0       87 ppp0
> default         *               0.0.0.0         U     1      0       15 sl0
> 
> The modem is 204.186.27.145 (cs10-01.mil.ptd.net).  Our IP addresses (not
> yet completely routed, but will be routed through the modem) are:
> 204.186.230.1, 204.186.230.2, 204.186.230.3 .  The first address is given
> to the network card in the Linux dialup router, and the second address is
> assigned to an NT server on the network, so once the external router to
> the ISP recognizes the route, pinging 204.186.230.2 is a good test.

I take it that the sl0 is a dialup connection? You have to add a static
route (maybe) and proxyarp it (arp -s). The rest should be OK. The dialups
are the real pains since they have no MAC address to arp to.

Tim

-- 
 (work) [EMAIL PROTECTED] / (home) [EMAIL PROTECTED] - http://www.buoy.com/~tps
   "You cannot paint the 'Mona Lisa' by assigning one dab 
 each to a thousand painters."
  -- William F. Buckley, Jr.
** Disclaimer: My views/comments/beliefs, as strange as they are, are my own.**




routing question

1997-06-14 Thread Pete Templin

Hi there,

I'm in the process of setting up a 486 sx/25 as a dialup router
(with one modem and one network card).  Unfortunately, the ISP can't seem
to get the external routing right yet, so my testing is being held up.

The question is this: I've compiled a lean, mean kernel with the
appropriate IP forwarding enabled (no firewalling or masquerading is being
used).  Will it "route" by default, or do I need to add a specific package
or other external software?

Here's the output of "route":

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
cs10.mil.ptd.ne *               255.255.255.255 UH    0      0        2 ppp0
cs10.mil.ptd.ne *               255.255.255.255 UH    1      0        0 sl0
204.186.230.0   *               255.255.255.0   U     0      0       35 eth0
127.0.0.0       *               255.0.0.0       U     0      0       18 lo
default         *               0.0.0.0         U     0      0       87 ppp0
default         *               0.0.0.0         U     1      0       15 sl0

The modem is 204.186.27.145 (cs10-01.mil.ptd.net).  Our IP addresses (not
yet completely routed, but will be routed through the modem) are:
204.186.230.1, 204.186.230.2, 204.186.230.3 .  The first address is given
to the network card in the Linux dialup router, and the second address is
assigned to an NT server on the network, so once the external router to
the ISP recognizes the route, pinging 204.186.230.2 is a good test.

_Any_ advice would certainly be helpful!

Pete

--
Peter J. Templin, Jr.   Client Services Analyst
Computer & Communication Services   tel: (717) 524-1590
Bucknell University [EMAIL PROTECTED]


