
How can I get my Linux 7.1 box to forward IP?


Tels

IS-IT--Management
Jul 10, 2001
290
GB
Hi there, I have posted a few similar questions so far, but I'm still having major problems. I get the impression I'm only a step away, but I'm out of leads now.

Basically I have a multihomed Linux box; it has 2 NICs, eth0 and eth1.

eth0 = 192.168.0.51
eth1 = 192.168.4.51

The eth0 side talks to the network. It can successfully ping any address in the 192.168.0.x range, so it's connected.

The eth1 side is connected by crossover cable to an NT box, which has the address 192.168.4.1.

What I want to do is to be able to ping one of the network addresses from the NT box, going via the Linux box.
(in effect the Linux box will be a router between the NT box and the Network)

So far I have not been able to do this. I can ping the eth1 address from the NT box, (192.168.4.51 - eth1) and if I set up a route for it, I can ping eth0 (192.168.0.51 - eth0) from the NT box, and the Linux box can ping the NT box. All the connections are sound - but I can't seem to flip the 'forwarding' switch, as it were.

Lots of people have given loads of sound advice and contributed greatly to my understanding of Linux, however I'm stuck here, and all the relevant howtos seem to be stuck in kernel 2.2 (no good for me on kernel 2.4.2-2)

I'm hoping someone with experience of Redhat 7.1 will be able to lay out step by step the way of routing I need.
Ultimately, I will use this config to learn and test an ipchains firewall, this is where I need to go.

Specifically I need to know:

How to switch on ipv4 (preferably ipv6) forwarding in 7.1
How to specify routing between these 2 subnets
Are there any specific settings needed on the domain controller or NT box? (both Win2000)
Are there any helpful programs out there for my quest?
Why does Linux hate me?

Plus any other relative info; there are certain terms I haven't yet got to grips with properly, just adding confusion to the task, i.e. gateways (exactly how do they fit in) and multicasts etc.

I won't stop until I can ping 192.168.0.1 from the NT box!!!

I really really hope someone can help here, In advance, thanks

:cool:

Tels
for pint$ = 1 to 20
for pint$ = pint$ + 1
if pint$ = 20 goto HOME
next pint$
 
Hi,

For ipv4, to turn on ip forwarding generally do :

echo 1 > /proc/sys/net/ipv4/ip_forward

This is one of the various settings in the /proc filesystem that configure IP. You have to put this into a script such as /etc/rc.d/rc.local to run on every reboot, as the /proc filesystem doesn't persist on disk. If you're really interested in the settings see --> .

Then you would just do a route add command to point traffic on the 192.168.0.0/24 subnet to eth0...

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0

Simple really...
Rgds.
 
Well.. I've read the link you gave me, mr.Tom, and it's probably the single most helpful doc I've seen so far. The rules seemed to work fine, and it's solved another problem for me (further down the line) but I'm still stuck...

I have echoed the ip_forward setting and there are still no signs of anything happening.


(network diagram, reconstructed from the garbled ASCII art in the post)

  (a) NT Box, 192.168.4.32
       |  (crossover cable)
  (b) Linux Box eth1, 192.168.4.51
  (c) Linux Box eth0, 192.168.0.51
       |
      network, 192.168.0.x (star topology)


Basically the NT box can ping (b) and, if I set up a route for it, it can ping (c). I set this route up on the NT box.

Linux has ipv4 forwarding ON, and the route listing for the Linux box looks like this

Dest         Gateway  Genmask        Fl  Met  Ref  Use  Iface
192.168.4.0  *        255.255.255.0  U   0    0    0    eth1
192.168.0.0  *        255.255.255.0  U   0    0    0    eth0
127.0.0.0    *        255.0.0.0      U   0    0    0    lo

Now I know what this table means (mostly); hopefully it will help you answer my question. Although it appears that Linux should forward all packets with destination 192.168.0.x through eth0, the NT box tells me that the destination is unreachable either way. Also, as I said before, Linux can ping anything either side of it, so the adapters are switched on and the connections are fine.

I have tried to set up the NT box to first use 192.168.0.51 (b) as the gateway to the network, no joy.
I have tried to set it up to use 192.168.4.51 (c) as the gateway. no joy.

I really don't know why this is not working, I can't figure it out at all. Are there any further settings I need to make to ANY of the machines? I am nearly at the end of my tether; I am getting to the conclusion I might need to recompile my kernel, which leads to the next problem:

I haven't got a CLUE how to recompile kernels, and even RedHat's recommended instruction sheet is out of date (applies to 2.4.x kernels, and keeps telling me to do things and go places that don't exist in my install of 2.4.2-2).
i.e. the (what I think is the) source has been installed from my distro cd to the /usr/src/redhat/SOURCE directory.
The guide for Linux 2.4.x tells me to go to the /usr/src/linux directory.....

If I use the 'make' command, I get

make: *** No rule to make target 'xxxxxxxx'. Stop.

no matter which one of the 'make' lines they tell me to try, I get the same message.

Like I said, I have installed the kernel source rpm from my distro cd, and I am fairly sure what I have now is the kernel source, but I really don't know what to do with it. If a recompile is necessary please help; none of the help files out there do anything. It seems to me that all the different versions of Linux are different in terms of structure etc., I've never seen anything so confusing, and the 7.1 distro must be pretty new to not have much support yet..... (the joys of open source)

HELPPP!!! I hope I've given you enough info... if you need more leave a message here.

Cheers for the brill advice so far....

Tels

p.s. for all the linux lovers out there, although I hate linux right now, I am sticking with it because I am impressed with its abilities.
(So don't take it to heart if I say nasty things about Linux and the open source way)

 
Hi,

I guess it might be a problem with ipchains/iptables preventing forwarding of packets. Can you ping the NT box from a host on the 192.168.0.0/24 subnet? If not then it must be a forwarding problem. Assuming you have ipchains active, try this:

ipchains -F forward
ipchains -F input
ipchains -F output
ipchains -P forward ACCEPT
ipchains -P input ACCEPT
ipchains -P output ACCEPT

This flushes all existing rules and sets default of ACCEPT - i.e. it allows everything through.

Also forgot to mention previously, that on redhat you can configure ip forwarding as normal by editing /etc/sysconfig/network so that it shows:
FORWARD_IPV4=true

Regards




 
Hi,

On the kernel ... Actually I did give you the info on this before in thread54-137588 - at least the 'standard' compilation process.

With the Redhat SRPMS, I'm a bit puzzled because according to (see the bottom of this) the files are all installed where you would expect. The only thing missing would be making the symbolic link from /usr/src/linux-2.4-2 to /usr/src/linux.
If you don't have anything in /usr/src/linux try to do :

cd /usr/src
ln -sf linux-2.4.2 linux

Then cd /usr/src/linux and it will all be there (actually in the other directory - a soft link is roughly like a windows shortcut).

Hope this helps...
 
Thanx ifincham

Well that's a development!!! I can ping the NT box from my server here at 192.168.0.1 (after adding a static route to Linux for that subnet), BUT it isn't bi-directional, even with a similar route (for the opposite direction) on the NT box...... I'll try what you said about flushing ALL the tables (I'm using iptables).

I also just got WebMin whirring away, something which didn't seem to be happening a while ago.

Now we've got this far, is there anything you think I can do to make this router operational in both directions??

PS, there seems to be loads of different ways of changing a single configuration setting, such as the suggestion you made last. How do I know which takes precedence, let's say, if there are 2 conflicting arguments in different parts of Linux?

Lastly, when I know how to get the routing working properly, I'll be on the next project, which I have almost finished (as a side effect of doing so much research on routing): that is, I'll be constructing an IPTABLES firewall that can masq incoming VPN connections to the NT server and block EVERY OTHER incoming request from non-trusted addresses.

Really, I just need to know if there are any unsupported protocols with this version of IPTABLES (exception of AH)

ps I've read rusty's guide, good, but a bit rusty! (grin)

Many many thanks ifincham

Tels
 
IT WORKED !
IT WORKED !
I flushed the tables and it worked like a charm!

I'm now gonna try and give you 2 votes because I am so happy.

:) :)
 
Hi,

Well you probably have the redhat firewall 'lokkit' active. This creates ipchains scripts that are run when you boot up. You could either disable it altogether by '/sbin/service --level 2345 ipchains off' or, more correctly, configure it to allow forwarding. Do 'lokkit' or 'gnome-lokkit' as root.

Rgds
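Pulling the three things this thread turned out to need into one check (the ip_forward flag and routes from the first reply, and the chain policy from the flush and lokkit replies), here is an added diagnostic script; it is not from the thread, from Red Hat or from any poster. It assumes the thread's interface names and subnets, and the sample route table and chain line it ships with are constructed to mirror the table quoted above.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: checks the three things the router in
# this thread needed (forwarding flag, a route on each side, and a FORWARD chain
# whose default policy lets packets through). Interface names and subnets are
# the thread's; the sample route table and chain line below are constructed.

# Returns 0 when the text read from /proc/sys/net/ipv4/ip_forward is "1".
ip_forward_on() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Returns 0 when route-table text ("route -n" layout) has a line whose
# destination is $1 and whose interface (last column) is $2.
has_route() {
    printf '%s\n' "$3" | awk -v d="$1" -v i="$2" \
        '$1 == d && $NF == i { f = 1 } END { if (f) exit 0; exit 1 }'
}

# Returns 0 when a chain listing ("ipchains -L forward -n" / "iptables -L
# FORWARD -n") shows an ACCEPT default policy; a blocking rule above an ACCEPT
# policy would still need a look, but the policy is what the flush fix changed.
forward_policy_accepts() {
    printf '%s\n' "$1" | grep -qi 'policy ACCEPT'
}

# Prints one verdict per check; $1 = ip_forward text, $2 = routes, $3 = chain.
report() {
    ip_forward_on "$1" && echo "ok: ip_forward=1" \
        || echo "FAIL: run: echo 1 > /proc/sys/net/ipv4/ip_forward"
    has_route 192.168.4.0 eth1 "$2" && echo "ok: 192.168.4.0/24 via eth1" \
        || echo "FAIL: no route for 192.168.4.0 on eth1"
    has_route 192.168.0.0 eth0 "$2" && echo "ok: 192.168.0.0/24 via eth0" \
        || echo "FAIL: no route for 192.168.0.0 on eth0"
    forward_policy_accepts "$3" && echo "ok: FORWARD policy ACCEPT" \
        || echo "FAIL: FORWARD policy blocks forwarding (lokkit rules?)"
}

# Gathers the live values; falls back to ipchains when iptables is absent.
live_report() {
    chain=$(iptables -L FORWARD -n 2>/dev/null || ipchains -L forward -n 2>/dev/null)
    report "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" \
        "$(/sbin/route -n 2>/dev/null)" "$chain"
}
# Constructed sample mirroring the thread's table, plus a DENY forward policy.
SAMPLE_ROUTES='192.168.4.0  0.0.0.0  255.255.255.0  U  0  0  0  eth1
192.168.0.0  0.0.0.0  255.255.255.0  U  0  0  0  eth0
127.0.0.0    0.0.0.0  255.0.0.0      U  0  0  0  lo'
SAMPLE_CHAIN='Chain forward (policy DENY):'
if [ "${1:-}" = "--live" ]; then live_report; else report 1 "$SAMPLE_ROUTES" "$SAMPLE_CHAIN"; fi
```

Run it with no arguments to see the constructed sample fail on the chain policy, or with `--live` as root on the router to check the real box.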
 
OK. There's more. I've moved on a few steps (feeling quite comfy with Linux now); I've created an IPTABLES firewall with the ability to apply DNAT/SNAT to NT VPN connections.
It works fine, that is the VPN connection points at the Linux box and works as if it was pointed at the Server itself (not the linux box), and I did it by adding 3 lines:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.4.51
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.4.51
iptables -t nat -A PREROUTING -j DNAT --to 192.168.0.1

The last line, although it works, was a bit of a shot in the dark, and I'd like to know what's happening here.

What I understand is that the first two lines change the source address of any packets going out eth0 and eth1 to that of the router itself. What I don't understand is the last line, which changes the destination address to that of the VPN server: what of packets which are coming back from the VPN server? Obviously they are directed at the linux box itself, as the VPN server will see that as the VPN source IP, so how does the linux box know to forward it on to the NT machine I am using??? (IE how does DNAT differentiate between the packets which need to be DNAT'ed to the Server and the ones which need to be DNAT'ed to the NT machine??? - obviously DNAT is carried out on the returning packets, else the NT machine wouldn't accept them as they would be addressed to the Linux box)

I think this might have something to do with stateful firewalling - the Firewall will accept incoming packets which are recognised as part of a current connection, however this still doesn't explain how it can work out where the packet should be going when I haven't explicitly stated a rule for it)

Thank you lots for all the help.... One day I'll be a Linux Guru.

Tels
 