[opensuse] ipv4 forwarding - any known issues?
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console. Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ? -- Per Jessen, Zürich (2.5°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router. I have one box here, which is my firewall & router, where forwarding is enabled. All others do not have it enabled.
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router.
Yes, this box is set up as a router. -- Per Jessen, Zürich (6.1°C)
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router. Yes, this box is set up as a router.
I can't think of a reason for your problems, unless something is misconfigured. My router forwards both IPv4 & IPv6 without problem.
On 2/23/2012 6:15 AM, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router.
Yes, this box is set up as a router.
And you configured the SuseFirewall? (or shut it down to test?) -- _____________________________________ ---This space for rent---
John Andersen wrote:
On 2/23/2012 6:15 AM, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router.
Yes, this box is set up as a router.
And you configured the SuseFirewall? (or shut it down to test?)
Yes, it's disabled, I never use it. There is no other firewall active either. The YaST issue I mentioned has disappeared, but I'm still left with access to external networks (e.g. websites) not working when I activate ip forwarding. The box is set up as follows:

Subnet1 = 192.168.0.0/21
Subnet2 = 192.168.8.0/21
Default route = 192.168.2.7

When forwarding is disabled, everything works as normal (as on any other box on subnet1). When I enable forwarding, access to external networks via the default route eventually times out. I have not yet investigated it in depth, I was just wondering if there were any known issues. -- Per Jessen, Zürich (2.1°C)
James Knott wrote:
Per Jessen wrote:
Default route = 192.168.2.7
Do you have some other device providing your Internet connection?
Yes I do. 192.168.2.7 is the firewall/router with the fibre connection. -- Per Jessen, Zürich (7.4°C)
Hi Per

Long time ago I did this kind of work. I see you mention only one default gateway. If forwarding is a router functionality then each subnet should have its own default gateway. Am I correct?

Succes, hans

On 24/02/12 19:27, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
Default route = 192.168.2.7
Do you have some other device providing your Internet connection?
Yes I do. 192.168.2.7 is the firewall/router with the fibre connection.
Hans de Faber wrote:
I see you mention only one default gateway. If forwarding is a router functionality then each subnet should have its own default gateway. Am I correct ?
Absolutely not. While there may be other routes, there can only be one default route, which is used when no other route matches. It's used when the router says "I don't know where this goes, let the next guy worry about it".
James Knott wrote:
Hans de Faber wrote:
I see you mention only one default gateway. If forwarding is a router functionality then each subnet should have its own default gateway. Am I correct ?
Absolutely not. While there may be other routes, there can only be one default route, which is used when no other route matches. It's used when the router says "I don't know where this goes, let the next guy worry about it".
---- Each subnet **could** have a separate default route, since each subnet may have one single machine that is different for each subnet, that allows them to "get out" (to the internet). It is not required that they be separate machines, but they WILL likely be different addresses, since a default route, AFAIK, has to be on the same subnet (or has to be directly reachable) by the machines using that gateway.
Linda Walsh wrote:
James Knott wrote:
Hans de Faber wrote:
I see you mention only one default gateway. If forwarding is a router functionality then each subnet should have its own default gateway. Am I correct ?
Absolutely not. While there may be other routes, there can only be one default route, which is used when no other route matches. It's used when the router says "I don't know where this goes, let the next guy worry about it". Each subnet **could** have a separate default route, since each subnet may have one single machine that is different for each subnet, that allows them to "get out" (to the internet).
I thought we were talking about a router with more than 1 interface. A router can only have a single default route (ignoring fall back protection etc.), no matter how many interfaces it has. In your example of those single machines, the single default route still applies. Don't forget, "default" means what you get, if you don't make a choice. You can't have more than one of those.
James Knott wrote:
Linda Walsh wrote:
James Knott wrote:
Hans de Faber wrote:
I see you mention only one default gateway. If forwarding is a router functionality then each subnet should have its own default gateway. Am I correct ?
Absolutely not. While there may be other routes, there can only be one default route, which is used when no other route matches. It's used when the router says "I don't know where this goes, let the next guy worry about it". Each subnet **could** have a separate default route, since each subnet may have one single machine that is different for each subnet, that allows them to "get out" (to the internet).
I thought we were talking about a router with more than 1 interface. A router can only have a single default route (ignoring fall back protection etc.), no matter how many interfaces it has. In your example of those single machines, the single default route still applies. Don't forget, "default" means what you get, if you don't make a choice. You can't have more than one of those.
Well, actually you have one default route per routing table. I guess this could be construed as having multiple default routes :-) -- Per Jessen, Zürich (5.1°C)
Per Jessen wrote:
Well, actually you have one default route per routing table. I guess this could be construed as having multiple default routes:-)
At any given time, how many routing tables would you have in use?
On Sunday 26 February 2012, James Knott wrote:
Per Jessen wrote:
Well, actually you have one default route per routing table. I guess this could be construed as having multiple default routes:-)
At any given time, how many routing tables would you have in use?
I guess even you have more than one routing table in use. At least 4 ones: local/ipv4, local/ipv6, main/ipv4, main/ipv6. Compare

ip -6 route show
ip -6 route show table local
ip -6 route show table main
ip -6 route show table all

and the same with -4. If you want to do policy based routing you need even more custom tables, see also ip rule

cu, Rudi
Ruediger Meier wrote:
At any given time, how many routing tables would you have in use? I guess even you have more than one routing table in use. At least 4 ones: local/ipv4, local/ipv6, main/ipv4, main/ipv6.
What are you referring to by local and main? Routing is only used for destinations that are not on the local network. Therefore, there shouldn't be any routing table entries for anything on the local network. The way this works is your computer compares the destination address with the subnet mask. If the destination is on the local subnet, the computer does an arp request (IPv4; IPv6 uses neighbour discovery and advertisements), to determine the MAC address of the destination and sends the packet to that MAC address. If the destination is not on the local network, then the computer checks the routing tables to see if it's on a known network and uses the appropriate route. If it's not on a known network, then it uses the default route, so that the next router can try to forward it. If it also doesn't know, then it passes it along its default route etc. This process ends when the packet reaches a router that knows how to get to the destination. Top level routers, that is those that tie the Internet together, do not have default routes, as they're supposed to know how to reach everywhere.
On Sunday 26 February 2012 08:09:31 James Knott wrote:
Ruediger Meier wrote:
At any given time, how many routing tables would you have in use?
I guess even you have more than one routing table in use. At least 4 ones: local/ipv4, local/ipv6, main/ipv4, main/ipv6.
What are you referring to by local and main? Routing is only used for destinations that are not on the local network. Therefore, there shouldn't be any routing table entries for anything on the local network.
local is a special routing table for localhost and broadcast. It is managed by the kernel

ip r show table 255

There are other reasons for wanting to use multiple routing tables. I have seen some routing conundrums that could only be solved with them. Such problems usually involve multiple network cards, and multiple viable paths to the same host, where the kernel by default makes the wrong choice and you have to step in and force it to do the right thing

Anders
Anders Johansson wrote:
There are other reasons for wanting to use multiple routing tables. I have seen some routing conundrums that could only be solved with them. Such problems usually involve multiple network cards, and multiple viable paths to the same host, where the kernel by default makes the wrong choice and you have to step in and force it to do the right thing
Yep, I have a number of servers in just such a setup - each server has two possible outbound paths, but the kernel cannot know which one is actually available, so I control that manually (scripted). (three options: left is up, right is up, both are up). The other place where I use a 2nd routing table is on my firewall to enable transparent proxying of http traffic. -- Per Jessen, Zürich (6.1°C)
Per Jessen wrote:
Yep, I have a number of servers in just such a setup - each server has two possible outbound paths, but the kernel cannot know which one is actually available, so I control that manually (scripted). (three options: left is up, right is up, both are up).
When both are up, how do you select? Are both on the same ISP? If not, you have to use some method to determine which becomes the default route. It is possible in Linux to have two or more ISPs and then a TCP connection uses one or the other for the duration of the connection. But again, there has to be some mechanism to choose a default route.
On Sun, 26 Feb 2012 20:21:06 +0530, James Knott <james.knott@rogers.com> wrote:
Per Jessen wrote:
Yep, I have a number of servers in just such a setup - each server has two possible outbound paths, but the kernel cannot know which one is actually available, so I control that manually (scripted). (three options: left is up, right is up, both are up).
When both are up, how do you select? Are both on the same ISP? If not, you have to use some method to determine which becomes the default route. It is possible in Linux to have two or more ISPs and then a TCP connection uses one or the other for the duration of the connection. But again, there has to be some mechanism to choose a default route.
yes, i wasn't commenting on the no. of possible default routes (i've got only one at a time), but on the no. of routing tables in use. i _think_ i could have one default route / table (not sure), but while this might be possible according to the ip command, it wouldn't make logical sense. -- phani. PS: sorry for the unintentional private mail.
phanisvara das wrote:
On Sun, 26 Feb 2012 20:21:06 +0530, James Knott <james.knott@rogers.com> wrote:
Per Jessen wrote:
Yep, I have a number of servers in just such a setup - each server has two possible outbound paths, but the kernel cannot know which one is actually available, so I control that manually (scripted). (three options: left is up, right is up, both are up).
When both are up, how do you select? Are both on the same ISP? If not, you have to use some method to determine which becomes the default route. It is possible in Linux to have two or more ISPs and then a TCP connection uses one or the other for the duration of the connection. But again, there has to be some mechanism to choose a default route.
yes, i wasn't commenting on the no. of possible default routes (i've got only one at a time), but on the no. of routing tables in use.
i _think_ i could have one default route / table (not sure), but while this might be possible according to the ip command, it wouldn't make logical sense.
It does make sense - you will only have one active routing table per packet, and without a default route any traffic with an external destination won't go anywhere. -- Per Jessen, Zürich (5.5°C)
On Sunday 26 February 2012, James Knott wrote:
Per Jessen wrote:
Yep, I have a number of servers in just such a setup - each server has two possible outbound paths, but the kernel cannot know which one is actually available, so I control that manually (scripted). (three options: left is up, right is up, both are up).
When both are up, how do you select? Are both on the same ISP? If not, you have to use some method to determine which becomes the default route.
There is no such thing as the_one_and_only default route. Each routing table may (or may not) have its own default route. The only trick is how to get an IP packet routed via the right routing table, see ip rule
It is possible in Linux to have two or more ISPs and then a TCP connection uses one or the other for the duration of the connection. But again, there has to be some mechanism to choose a default route.
cu, Rudi
Ruediger Meier wrote:
There is no such thing as the_one_and_only default route. Each routing table may (or may not) have its own default route.
The only trick is how to get an IP packet routed via the right routing table, see
Let's try again. There can be many routes, but only one, 1, count 'em, one, default that's used when all other selection criteria fail. It's where you send packets that you don't otherwise know how to handle. That's what the word "default" means in this context. The various selection methods may have preferred routes, but there's still only one default route in a router.
James Knott wrote:
Ruediger Meier wrote:
There is no such thing as the_one_and_only default route. Each routing table may (or may not) have its own default route.
The only trick is how to get an IP packet routed via the right routing table, see
Let's try again. There can be many routes, but only one, 1, count 'em, one, default that's used when all other selection criteria fail.
But there may be one default route per routing table, and you may have multiple routing tables. See /etc/iproute2/rt_tables -- Per Jessen, Zürich (5.2°C)
On Sunday 26 February 2012, James Knott wrote:
Ruediger Meier wrote:
There is no such thing as the_one_and_only default route. Each routing table may (or may not) have its own default route.
The only trick is how to get an IP packet routed via the right routing table, see
Let's try again. There can be many routes, but only one, 1, count 'em, one, default that's used when all other selection criteria fail. It's where you send packets that you don't otherwise know how to handle. That's what the word "default" means in this context. The various selection methods may have preferred routes, but there's still only one default route in a router.
No you are wrong. Of course finally an IP packet will take exactly one (or none) route. But the term "default route" means just a final default per table. Usually users have only 2 default routes in use - one in the IPv6 and one in the IPv4 main table. These are the ones which are modified if you add a default route without specifying the table name. BTW you can even add more than one default route per table, which could make sense to achieve some kind of load balancing. cu, Rudi
Ruediger Meier wrote:
Compare

ip -6 route show
ip -6 route show table local
ip -6 route show table main
ip -6 route show table all
and the same for with -4.
All that shows is local interfaces, which are not part of the routing table. As I mentioned in another note, routing is not used for destinations on the local LAN. Instead, address look up (arp in IPv4 and neighbour discovery in IPv6) is used to determine the MAC address for the destination. That MAC address is then used to send packets to the destination.
If you want to do policy based routing you need even more custom tables, see also ip rule
I was speaking in general terms and even mentioned things such as fall back as exceptions. Policies etc. are exceptions to the general routing principles that I thought we were discussing. How many people, other than network admins, even consider those exceptions? The vast majority of people have never even heard of them, but they may buy a consumer grade router and try to set it up. More advanced people, such as those on this list, may even roll their own router on a Linux box and possibly have multiple subnets, but again would never consider those exceptions. Even with those policies, you'd still have only one default route for each policy, class of service, protocol type, load balancing etc. You simply can't have a packet hit a router and have it face more than one default route. Which way would it go??? As I mentioned earlier, default means what you get when you don't make a choice. Policies etc., are making a choice, based on some criteria in addition to destination address.
James Knott wrote:
Per Jessen wrote:
Well, actually you have one default route per routing table. I guess this could be construed as having multiple default routes:-)
At any given time, how many routing tables would you have in use?
Most of my systems have just one routing table, some have two, some have three. I know /etc/iproute2/rt_tables has three listed, I tend to count just the default plus whatever I've set up. -- Per Jessen, Zürich (5.7°C)
On Sun, 26 Feb 2012 18:00:30 +0530, James Knott <james.knott@rogers.com> wrote:
Per Jessen wrote:
Well, actually you have one default route per routing table. I guess this could be construed as having multiple default routes:-)
At any given time, how many routing tables would you have in use?
i'm using two, because i have two ISPs connected simultaneously. i'm routing requests via different ports of a squid proxy, to use either one or the other ISP, depending on where i want to go & what i want to do. -- phani.
phanisvara das wrote:
depending on where i want to go & what i want to do.
So, they're no longer default routes, because you take some action to choose. A default route is for those packets that the computer or router doesn't know how to handle. By making that selection, you're making a choice based on your criteria and then sending to the appropriate ISP.
Per Jessen wrote:
John Andersen wrote:
On 2/23/2012 6:15 AM, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router. Yes, this box is set up as a router.
And you configured the SuseFirewall? (or shut it down to test?)
Yes, it's disabled, I never use it. There is no other firewall active either.
But do you have iptables built into your kernel? (probably) How are those rules set? Is forwarding in the iptables set to drop or forward? Since you can reach the box, I assume that the input/output chains are ok.... But I can turn on forward all I want, you also have to have the interfaces set to forward and the iptables set to be 'compatible' (not running a FW DOESN'T mean they are instantly compatible....especially if the default FORWARDING rules are set to drop). Are you wanting it to route your packets to your internal net? (i.e. it sounds like you want it to do masquerading? -- if so, have I got a script for you...)...
Linda Walsh wrote:
Per Jessen wrote:
John Andersen wrote:
On 2/23/2012 6:15 AM, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router. Yes, this box is set up as a router.
And you configured the SuseFirewall? (or shut it down to test?)
Yes, it's disabled, I never use it. There is no other firewall active either.
But do you have iptables built into your kernel? (probably)
It's the vanilla openSUSE 12.1 kernel, so yes.
How are those rules set? Is forwarding in the iptables set to drop or forward? Since you can reach the box, I assume that the input/output chains are ok....
No iptables rules are set. Thanks for your help everyone - there's something basic missing here, I suspect operator error. -- Per Jessen, Zürich (5.2°C)
If you are going from one subnet A over the linux box to another subnet B and then via router to the internet, you will need to do a SNAT on the linux box. You have to hide subnet A on the Linux box to its IP address on the B subnet. Or you have to add a static route on your router for subnet A going to the linux box's subnet B IP address. This way hosts on subnet B can also talk to hosts on subnet A, as their traffic will go to your router (default gateway on PCs) and the router will then send the traffic for subnet A to the Linux box because of the static route.

Rob.

-----Original Message----- From: Per Jessen [mailto:per@opensuse.org] Sent: Sunday, February 26, 2012 9:33 AM To: opensuse@opensuse.org Subject: Re: [opensuse] ipv4 forwarding - any known issues?

Linda Walsh wrote:
Per Jessen wrote:
John Andersen wrote:
On 2/23/2012 6:15 AM, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
I'm setting up a new box and started out with ip forwarding enabled. This seemed to prevent internet access, so I tried disabling forwarding with yast, but this only caused a hang. I ended up having to walk to the datacentre to access the physical console.
Just wondering before I start digging into this - are there any (more or less) known issues wrt ip forwarding and/or the enabling/disabling thereof in 12.1 ?
IP forwarding is used only if you're using the computer as a router. Yes, this box is set up as a router.
And you configured the SuseFirewall? (or shut it down to test?)
Yes, it's disabled, I never use it. There is no other firewall active either.
But do you have iptables built into your kernel? (probably)
It's the vanilla openSUSE 12.1 kernel, so yes.
How are those rules set? Is forwarding in the iptables set to drop or forward? Since you can reach the box, I assume that the input/output chains are ok....
No iptables rules are set. Thanks for your help everyone - there's something basic missing here, I suspect operator error. -- Per Jessen, Zürich (5.2°C)
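The route selection James describes (on-link destinations are resolved with ARP, otherwise longest prefix, otherwise the table's default), Rudi's point that each routing table carries its own default route and "ip rule" picks the table, and Rob's return-path problem just above, as one added model (example code, not from anyone in the thread). It uses Per's subnets and the gateway 192.168.2.7; the host and box addresses 192.168.9.10, 192.168.8.1 and 192.168.1.1, the second gateway 192.168.3.1, the interface names and the ISP-side addresses 203.0.113.x and 192.0.2.50 are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Constructed topology after Per's post: subnet1 and subnet2 behind a Linux box,
# router 192.168.2.7 on subnet1 holding the internet link.
IPNet = ipaddress.IPv4Network
DEFAULT = IPNet("0.0.0.0/0")
SUBNET1, SUBNET2 = IPNet("192.168.0.0/21"), IPNet("192.168.8.0/21")

@dataclass
class Route:
    prefix: IPNet
    dev: str
    via: str | None = None          # None: prefix is directly connected (on-link)

@dataclass
class Node:
    name: str
    addrs: set[str]                             # addresses this node owns
    tables: dict[str, list[Route]]              # "main", custom tables, ...
    rules: list[tuple[IPNet, str]] = field(default_factory=list)  # ip rule: (from, table)

    def select_table(self, src: ipaddress.IPv4Address) -> str:
        """ip rule lookup: the first 'from' rule that matches wins, else main."""
        for prefix, table in self.rules:
            if src in prefix:
                return table
        return "main"

    def lookup(self, src: str, dst: str):
        """Return (table, dev, next_hop), or None if not even a default matches."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        table = self.select_table(s)
        cands = [r for r in self.tables.get(table, []) if d in r.prefix]
        if not cands:
            return None
        best = max(cands, key=lambda r: r.prefix.prefixlen)  # longest prefix; /0 loses
        # on-link: no router involved, the destination itself is ARPed for
        return table, best.dev, best.via or dst

def trace(nodes: dict[str, Node], start: str, src: str, dst: str, max_hops=8) -> list[str]:
    """Hop a packet from node to node; the last list entry says how it ended."""
    by_addr = {a: n for n in nodes.values() for a in n.addrs}
    path, node = [], nodes[start]
    for _ in range(max_hops):
        path.append(node.name)
        if dst in node.addrs:
            return path + ["delivered"]
        hop = node.lookup(src, dst)
        if hop is None:
            return path + ["unroutable"]
        _, dev, next_hop = hop
        if dev == "wan":
            return path + ["upstream"]          # handed to the ISP
        if next_hop not in by_addr:
            return path + ["unroutable"]        # next hop unknown to the model
        node = by_addr[next_hop]
    return path + ["loop"]

def build(router_knows_subnet2: bool) -> dict[str, Node]:
    host = Node("host", {"192.168.9.10"}, {"main": [
        Route(SUBNET2, "eth0"), Route(DEFAULT, "eth0", via="192.168.8.1")]})
    box = Node("linuxbox", {"192.168.1.1", "192.168.8.1"}, {"main": [
        Route(SUBNET1, "eth0"), Route(SUBNET2, "eth1"),
        Route(DEFAULT, "eth0", via="192.168.2.7")]})
    routes = [Route(SUBNET1, "lan"), Route(DEFAULT, "wan", via="203.0.113.1")]
    if router_knows_subnet2:                    # Rob's static-route option
        routes.append(Route(SUBNET2, "lan", via="192.168.1.1"))
    router = Node("router", {"192.168.2.7", "203.0.113.7"}, {"main": routes})
    return {n.name: n for n in (host, box, router)}

def return_paths() -> dict[str, list[str]]:
    """Rob's point: the reply to a subnet2 host only comes back if the router
    has a route for subnet2, or if the box SNATs to its subnet1 address."""
    return {
        "outbound": trace(build(False), "host", "192.168.9.10", "192.0.2.50"),
        "reply, no route": trace(build(False), "router", "192.0.2.50", "192.168.9.10"),
        "reply, static route": trace(build(True), "router", "192.0.2.50", "192.168.9.10"),
        "reply, after SNAT": trace(build(False), "router", "192.0.2.50", "192.168.1.1"),
    }

def policy_demo():
    """Rudi's point: a second table carries its own default route and an
    'ip rule ... from 192.168.8.0/21 table isp2' steers subnet2 traffic to it;
    any one packet still takes exactly one route (James's point)."""
    box = build(True)["linuxbox"]
    box.tables["isp2"] = [Route(SUBNET1, "eth0"), Route(SUBNET2, "eth1"),
                          Route(DEFAULT, "eth0", via="192.168.3.1")]  # constructed 2nd gateway
    box.rules.append((SUBNET2, "isp2"))
    return (box.lookup("192.168.9.10", "192.0.2.50"),   # subnet2 source -> isp2's default
            box.lookup("192.168.1.1", "192.0.2.50"))    # the box's own traffic -> main's default

if __name__ == "__main__":
    for label, path in return_paths().items():
        print(f"{label:20s} {' -> '.join(path)}")
    print(policy_demo())
```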
suse@robberg.net wrote:
If you are going from one subnet A over the linux box to another subnet B and then via router to the internet, you will need to do a SNAT on the linux box. You have to hide subnet A on the Linux box to its IP address on the B subnet.
???? If you have to go from subnet A via subnet B then just use a router. That's what they're used for. If a subnet uses RFC1918 addresses, then NAT is required. Either way, any device on either subnet still has one default route.
Per Jessen wrote:
No iptables rules are set.
Thank for your help everyone - there's something basic missing here, I suspect operator error.
---- This is a script that I use to set up and shut down my ip masquerade on demand... It's a continual work in progress -- (i.e. I run into another need and add more to it..) It's structured as an 'RC' script so you can use it at start/stop. It isn't respectful of firewalls or such.. (as I don't usually run one)... It's currently set up to deal with 2 inside ethernet ports that both will be forwarded to my outside port. Right now, you have to specify the ethernet ports -- planned to have it find them but not done yet... At least it does automatically try to pick up the right addresses... Any Q's I'll try to answer -- not guaranteeing perfection!!! It's not real long or complex, so it shouldn't be too hard to understand and modify to your needs.... I have never used ip6tables before, -- so there is only very basic support for it included...(trying to set up the framework as I write, for future needs)...

-------------- /etc/rc.d/masquerade script...

#!/bin/bash -eu
#include standard template:
# gvim=:noSetNumberAndWidth   #rm 'no' to activate in gvim, '=:' is not error
_prgpth="${0:?}"; _prg="${_prgpth##*/}"; _prgdr="${_prgpth%/$_prg}"
[[ -z $_prgdr || $_prg == $_prgdr ]] && _prgdr="$PWD"
export PATH="$_prgdr:$_prgdr/lib:$PATH"
shopt -s expand_aliases extglob sourcepath ; set -o pipefail
#
# V 1.0 of masquerade -- based some other version...
# a work in progress...(linda walsh) suse(at)tlinx(dot)org
#
# errnos.shlib and stdlib.shlib are the author's own helper libraries (not
# included in the post); they are looked up via the PATH set above (sourcepath).
source {errnos,stdlib}.shlib
#full trace support:
#export PS4='>>${BASH_SOURCE:+${BASH_SOURCE[0]}}#${LINENO}${FUNCNAME:+(${FUNCNAME[0]})}> '

### BEGIN INIT INFO
# Provides:          masquerade
# Required-Start:    $network
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: setup masquerade rules with fw drop rules for incoming traffic
# Description:       upnpd daemon a internet connection gateway
#                    that creates temporary dhcpd-like reserved paths
#                    through the firewall so applications can talk over
#                    the internet; Mostly MS-based clients use this
#                    Service.
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
# we use iptables to do our work, so check for it.
Have_ip6tables=0
external_intf="eth2"
internal_intf="eth0 eth1"
test -x /usr/sbin/iptables || {
    echo "iptables4 not installed"
    exit 5
}
# NB: as posted this line never sets Have_ip6tables=1, so ip6tables is never
# called; the IPv4 nat rules below would not be valid for ip6tables anyway.
test -x /usr/sbin/ip6tables && test -e /proc/sys/net/ipv6 || Have_ip6tables=0

# wrapper: every rule goes to iptables, and to ip6tables too when enabled
function iptables {
    sudo /usr/sbin/iptables "$@"
    ((!$Have_ip6tables)) || sudo /usr/sbin/ip6tables "$@"
}

function ip_addr_parse {
    ## TBD - try to auto-determine what intfs to use
    local -A ip_addrs
}

sys_ipv4_fwd_file=/proc/sys/net/ipv4/ip_forward

# ipf [0|1] : set (optional) and print the global ipv4 forwarding flag
function ipf {
    local stat=0
    if [[ $# -gt 0 ]]; then
        # '|| stat=$?' keeps a failure from aborting the script under 'bash -e'
        sudo bash -c "echo -n \"$1\" >\"$sys_ipv4_fwd_file\"" || stat=$?
        if [[ $stat != 0 ]]; then
            echo "Error setting system ipv4 ip forwarding"
            return $stat
        fi
    fi
    cat "$sys_ipv4_fwd_file"
}

# ipi <intf> [0|1] : set (optional) and print the per-interface forwarding flag
function ipi {
    local intf_fwd_file="/proc/sys/net/ipv4/conf/$1/forwarding" stat=0
    shift
    if [[ $# -gt 0 ]]; then
        sudo bash -c "echo -n \"$1\" > \"$intf_fwd_file\"" || stat=$?
        if [[ $stat != 0 ]]; then
            echo "Error setting interface forwarding"
            return $stat
        fi
    fi
    cat "$intf_fwd_file"
}

#external interfaces (could be multiple, but not well tested)
declare -a ExtIntf=($external_intf)
#internal
declare -a IntIntf=($internal_intf)
#IntNets="192.168.3.0"
# internal networks in prefix form (e.g. 192.168.3.0/24), one per internal
# interface, taken from the kernel's connected routes.  The prefix length
# matters: '-s 192.168.3.0' on its own would match only that single address.
declare -a IntNets=()
for intf in "${IntIntf[@]}"; do
    IntNets+=( $(ip -4 route show dev "$intf" proto kernel | awk '{print $1}') )
done

##help func's
#iptables Forward In 2 out
#sub ipt_AD_Fwd_IO_rule {
#   local ad="$1" i="$2" o="$3" ;shift 3
#   iptables -$ad FORWARD ${i:+-i "$2"} ${o:+-o "$3"} "$@"
#}
#
#sub iptFI2O {
#   ipt_AD_Fwd_IO_rule "A" i$iptables -A FORWARD -i $_"[0]" -o_"[1]"

# set_forwarding_state [0|1] : set (optional) and show the forwarding flags
# and the FORWARD chain policy (DROP when off, ACCEPT when on)
function set_forwarding_state {
    local -a ifs=( "${ExtIntf[@]}" "${IntIntf[@]}" )
    if [[ $# -gt 0 && $1 != 0 && $1 != 1 ]]; then
        echo "Error: set_forwarding_state called with state=\"$1\". Must be 0 or 1."
        return 1
    fi
    local -a forward_policy=(DROP ACCEPT)
    if [[ $# -gt 0 ]]; then
        echo IPV4 Forwarding: $(ipf $1)
        for ea in "${ifs[@]}"; do
            echo Interface fwd $ea: $(ipi $ea $1)
        done
        iptables --policy FORWARD ${forward_policy[$1]}
        iptables --list FORWARD|head -1
    else
        echo IPV4 Forwarding: $(ipf)
        for ea in "${ifs[@]}" ; do
            echo Interface fwd $ea: $(ipi $ea )
        done
        iptables --list FORWARD|head -1
    fi
    return 0;
}

setlist="$sys_ipv4_fwd_file"
# add fwding interfaces to setlist
declare -a fwlist=("${ExtIntf[@]}" "${IntIntf[@]}")
for expr in "${fwlist[@]}"; do
    var="/proc/sys/net/ipv4/conf/$expr/forwarding"
    setlist="$setlist $var"
done

saved_settings="/var/run/masquerade/saved_proc_settings"
boot_time_file="/var/log/boot.omsg"

function restore_saved_settings {
    if [[ -e "$saved_settings" ]] ; then
        if [[ $saved_settings -ot $boot_time_file ]] ; then
            # saved before the last boot: stale, so just truncate it
            : > "$saved_settings"
            return
        fi
        # restore 1st saved settings, so we can restore them later.
        . $saved_settings
    fi
}

function save_current_settings {
    mkdir -p "${saved_settings%/*}"
    echo "# Settings saved at $(date)">$saved_settings
    for proc_var in $setlist; do
        oval=$(<$proc_var);
        echo -n 1 >$proc_var
        printf "echo -n $oval >$proc_var\n" >>$saved_settings
    done
}

# Check for existence of config file and read it
MASQUERADE_CONFIG="/etc/sysconfig/masquerade"
test -r $MASQUERADE_CONFIG && . $MASQUERADE_CONFIG

function start_masquerade {
    # anti-spoofing: drop anything arriving from outside with an inside source
    for net in "${IntNets[@]}"; do
        for ext in "${ExtIntf[@]}"; do
            iptables -A FORWARD -i $ext -s $net -j DROP
        done;
    done
    # never forward between two external interfaces
    for extp1 in "${ExtIntf[@]}"; do
        for extp2 in "${ExtIntf[@]}"; do
            iptables -A FORWARD -i $extp1 -o $extp2 -j DROP
        done;
    done
    # inside -> outside freely, outside -> inside only for established flows
    for extp1 in "${ExtIntf[@]}"; do
        for intp1 in "${IntIntf[@]}"; do
            iptables -A FORWARD -i $extp1 -o $intp1 -m state \
                --state ESTABLISHED,RELATED -j ACCEPT
            iptables -A FORWARD -i $intp1 -o $extp1 -j ACCEPT
        done
    done
    iptables -A FORWARD -j DROP
    for extp1 in "${ExtIntf[@]}"; do
        iptables -t nat -A POSTROUTING -o $extp1 -j MASQUERADE
        iptables -t nat -A POSTROUTING -j ACCEPT
    done
    set_forwarding_state 1
}

function stop_masquerade {
    set_forwarding_state 0
    for extp1 in "${ExtIntf[@]}"; do
        iptables -t nat -D POSTROUTING -o $extp1 -j MASQUERADE
        iptables -t nat -D POSTROUTING -j ACCEPT
    done
    iptables -D FORWARD -j DROP
    for extp1 in "${ExtIntf[@]}"; do
        for intp1 in "${IntIntf[@]}"; do
            iptables -D FORWARD -i $extp1 -o $intp1 -m state \
                --state ESTABLISHED,RELATED -j ACCEPT
            iptables -D FORWARD -i $intp1 -o $extp1 -j ACCEPT
        done;
    done
    for extp1 in "${ExtIntf[@]}"; do
        for extp2 in "${ExtIntf[@]}"; do
            iptables -D FORWARD -i $extp1 -o $extp2 -j DROP
        done;
    done
    for net in "${IntNets[@]}"; do
        for ext in "${ExtIntf[@]}"; do
            iptables -D FORWARD -i $ext -s $net -j DROP
        done;
    done
}

function status_masquerade {
    iptables -t nat -L POSTROUTING
    iptables -L FORWARD
    echo ""
    set_forwarding_state
}

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and # not needed for init scripts for UnitedLinux only. If it is used, # the functions from rc.status should not be sourced or used. #. /lib/lsb/init-functions # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed <num> set local and overall rc status to <num> # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks set +eu . /etc/rc.status set -eu # Reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. "reload") # 4 - user had insufficient privileges # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signaling is not supported) are # considered a success. #echo "Groups: (${!_GROUPS_[@]}) = (${_GROUPS_[@]})" #echo "EUID=$EUID" if [[ $EUID -ne 0 ]]; then if [[ -z ${_GROUPS_[wheel]:-""} && ${_GROUPS_[wheel]:-""} -ne 10 ]] ; then echo Please Rerun as root /bin/false rc_status -v exit fi fi shopt -s expand_aliases if ((EUID==0 )); then ##|| ${_GROUPS_[wheel]:-} != 10 )); then alias sudo=eval else alias sudo=$(type -p sudo) fi arg="${1:-"help"}" if [[ -z "$arg" ]]; then arg="?" 
fi case "$arg" in start) echo -n "Starting MASQUERADE " start_masquerade # Remember status and be verbose rc_status -v ;; stop) echo -n "Stopping MASQUERADE " stop_masquerade # Remember status and be verbose rc_status -v ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; status) echo -e "MASQUERADE relevant iptable rules:\n" status_masquerade rc_status -v ;; *) echo "Usage: $0 {start|stop|status|restart}" exit 1 ;; esac rc_exit # vim: ts=2 sw=2 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
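The lockout Per describes at the top of the thread (forwarding flipped, box unreachable until someone reaches the console) is the case for two precautions the posted script only partly covers: check that the FORWARD chain will not relay anything by default before touching ip_forward, and give the change a deadline. The following is an added example, not part of the thread and not Linda's script. `forward_chain_is_closed` reads an `iptables -S FORWARD` dump (the three samples are constructed; SAMPLE_CLOSED mirrors what the posted script leaves behind) and accepts only a chain that drops by default, either by policy or by a terminal `-A FORWARD -j DROP`, and whose ACCEPT rules are pinned to both an input and an output interface. `enable_forwarding_guarded` writes the sysctl and reverts it after N seconds unless `confirm_forwarding` is run first. `IP_FORWARD_FILE` and `GUARD_FLAG` are assumed, overridable paths, so the functions can be exercised without root.

```shell
# Added example (not from the thread): pre-checks for opening IPv4 forwarding
# on a router. Paths are overridable so the logic can be tested without root.
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
GUARD_FLAG=${GUARD_FLAG:-/run/ipfwd.pending}   # assumed location; any writable path works

# forward_chain_is_closed DUMP   (DUMP = output of `iptables -S FORWARD`)
# Returns 0 when the chain drops by default (policy DROP, or an explicit
# trailing "-A FORWARD -j DROP") and every ACCEPT rule names both -i and -o;
# an ACCEPT missing one of them would also pass inside-to-inside or
# outside-to-outside traffic. Returns 1 otherwise.
forward_chain_is_closed() {
  dump=$1; policy=""; last=""; loose=0
  while IFS= read -r line; do
    case $line in
      "-P FORWARD "*) policy=${line#-P FORWARD } ;;
      "-A FORWARD "*)
        last=$line
        case $line in
          *"-j ACCEPT"*)
            case $line in
              *" -i "*" -o "*|*" -o "*" -i "*) ;;
              *) loose=1 ;;
            esac ;;
        esac ;;
    esac
  done <<EOF
$dump
EOF
  [ "$loose" -eq 0 ] || return 1
  [ "$policy" = DROP ] && return 0
  [ "$last" = "-A FORWARD -j DROP" ]
}

# enable_forwarding_guarded SECONDS
# Turns forwarding on and starts a watchdog that turns it off again after
# SECONDS unless confirm_forwarding has removed the flag file in the meantime.
# The watchdog pid is left in GUARD_PID so a caller can wait for it.
enable_forwarding_guarded() {
  secs=$1
  : > "$GUARD_FLAG" || return 1
  echo 1 > "$IP_FORWARD_FILE" || { rm -f "$GUARD_FLAG"; return 1; }
  (
    sleep "$secs"
    if [ -e "$GUARD_FLAG" ]; then
      echo 0 > "$IP_FORWARD_FILE"
      rm -f "$GUARD_FLAG"
    fi
  ) &
  GUARD_PID=$!
}

confirm_forwarding() { rm -f "$GUARD_FLAG"; }
forwarding_state()   { cat "$IP_FORWARD_FILE"; }

# Constructed samples in `iptables -S FORWARD` syntax.
# SAMPLE_CLOSED: what the posted masquerade script leaves behind (policy
# ACCEPT, but bounded ACCEPTs and a terminal DROP). SAMPLE_OPEN: a box that
# has never had a FORWARD rule. SAMPLE_LOOSE: DROP policy, but an ACCEPT
# without -i that would forward eth2-to-eth2 as well.
SAMPLE_CLOSED='-P FORWARD ACCEPT
-A FORWARD -i eth2 -s 192.168.3.0/24 -j DROP
-A FORWARD -i eth2 -o eth2 -j DROP
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -j DROP'
SAMPLE_OPEN='-P FORWARD ACCEPT'
SAMPLE_LOOSE='-P FORWARD DROP
-A FORWARD -o eth2 -j ACCEPT
-A FORWARD -j DROP'

# Usage:  sh ipfwd-guard.sh check          verdict for the three samples
#         sh ipfwd-guard.sh enable 120     (root) refuse if the live chain is
#                                          open, else enable and revert in 120 s
#         sh ipfwd-guard.sh confirm        keep forwarding on
case ${1:-} in
  check)
    for d in SAMPLE_CLOSED SAMPLE_OPEN SAMPLE_LOOSE; do
      eval "dump=\$$d"
      if forward_chain_is_closed "$dump"; then echo "$d: closed"
      else echo "$d: OPEN, do not enable forwarding"; fi
    done ;;
  enable)
    forward_chain_is_closed "$(iptables -S FORWARD)" || { echo "FORWARD chain is open; refusing"; exit 1; }
    enable_forwarding_guarded "${2:-120}"
    echo "forwarding on; reverts in ${2:-120}s (watchdog pid $GUARD_PID) unless confirmed" ;;
  confirm) confirm_forwarding; echo "forwarding kept on" ;;
esac
```

The check is deliberately stricter than the kernel needs: a chain with policy ACCEPT and no rules is exactly the state a freshly built router is in when ip_forward gets enabled, and it turns the box into an open relay between all of its interfaces. The watchdog is the same idea as a screen session with `sleep 120; sysctl -w net.ipv4.ip_forward=0`, just packaged so that the revert cannot be forgotten.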
participants (9)
- Anders Johansson
- Hans de Faber
- James Knott
- John Andersen
- Linda Walsh
- Per Jessen
- phanisvara das
- Ruediger Meier
- suse@robberg.net