Personal computing discussed


 
cass
Minister of Gerbil Affairs
Topic Author
Posts: 2269
Joined: Mon Feb 10, 2003 9:12 am
Contact:

NAT hell/ fixed

Tue Aug 21, 2007 2:05 am

OK, I started with Fedora 7 trying to NAT/Masq/forward from a subnet to the WAN.... never happened. The details of that fiasco can be viewed here. Now I went and installed Debian 64-bit thinking maybe the forwarding was broken in the Fedora 64-bit kernel since there seemed to be some chatter about that... eh, no luck with Debian either.

Here is what the setup is... eth0 connects to the outside world and is set up via DHCP from a 4-port router. eth1 is the internal subnet. I cannot ping eth0 from anything on eth1, and eth0 works just fine... I am posting this from it. If anyone has a 64-bit Linux system using NAT/forwarding/Masq... can I know WTF it takes?

debianserver64:/etc/network# more interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
             address 192.168.100.1
             netmask 255.255.255.0
             gateway 192.168.100.254
             dns-nameservers 207.69.188.185 207.69.188.186


debianserver64:/etc/network#
debianserver64:/etc/network# iptables -L -v
Chain INPUT (policy ACCEPT 3089K packets, 34G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  eth0   eth1    anywhere             anywhere         state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  eth1   eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3089K packets, 34G bytes)
 pkts bytes target     prot opt in     out     source               destination
debianserver64:/etc/network# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 35 packets, 5342 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 22 packets, 66609 bytes)
 pkts bytes target     prot opt in     out     source               destination
  133  8124 MASQUERADE  0    --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 155 packets, 74733 bytes)
 pkts bytes target     prot opt in     out     source               destination
debianserver64:/etc/network# cat /proc/sys/net/ipv4/ip_forward
1
debianserver64:/etc/network# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:19:DB:86:21:AC
          inet addr:192.168.0.9  Bcast:255.255.255.255  Mask:255.255.255.0
          inet6 addr: fe80::219:dbff:fe86:21ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4488 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7326771 (6.9 MiB)  TX bytes:759245 (741.4 KiB)
          Interrupt:233 Base address:0xf200

eth1      Link encap:Ethernet  HWaddr 00:30:BD:28:E1:22
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::230:bdff:fe28:e122/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2204 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144670 (141.2 KiB)  TX bytes:3122129 (2.9 MiB)
          Interrupt:50 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3714360 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3714360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:41242950416 (38.4 GiB)  TX bytes:41242950416 (38.4 GiB)

Last edited by cass on Tue Aug 21, 2007 11:41 pm, edited 1 time in total.
 
My Johnson
Gerbil Elite
Posts: 679
Joined: Fri Jan 24, 2003 3:00 pm
Location: Dystopia, AZ

Tue Aug 21, 2007 2:10 am

Ethernet one should not have a gateway.
 
shank15217
Gerbil Team Leader
Posts: 236
Joined: Tue Sep 27, 2005 12:09 pm

Tue Aug 21, 2007 2:50 am

Your outside world is a private IP address?
 
shank15217
Gerbil Team Leader
Posts: 236
Joined: Tue Sep 27, 2005 12:09 pm

Tue Aug 21, 2007 2:51 am

If you are trying to double NAT, it may not work.
 
Usacomp2k3
Gerbil God
Posts: 23043
Joined: Thu Apr 01, 2004 4:53 pm
Location: Orlando, FL
Contact:

Tue Aug 21, 2007 2:54 am

shank15217 wrote:
your outside world is a private ip address?

Well that's the one that his router gives.
 
cass
Minister of Gerbil Affairs
Topic Author
Posts: 2269
Joined: Mon Feb 10, 2003 9:12 am
Contact:

Tue Aug 21, 2007 9:46 am

shank15217 wrote:
if you are trying to double nat, it may not work


I don't understand what you are saying here, but it definitely doesn't work right now.

If you are meaning double NAT in that I am again upstream of this machine doing it again in the router, well, it used to work. I have two Debian 32-bit boxes sitting here running that are doing it. All I have to do is move my WAN cable over to one of them and it works.

If you are meaning somehow my setup is wrong... just tell me the specifics, I won't argue with you, I will just try your suggestion. I don't care if it breaks the current setup, I think I can get back to where it's not working easily :-)
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Tue Aug 21, 2007 12:15 pm

Double NAT shouldn't be a problem, it's messy but it will work for this.

I don't think you need the gateway or dns-nameservers lines in /etc/network/interfaces; the gateway line may be messing with your routing table, so try removing that, then bouncing the interfaces and then dumping "netstat -nr" and make sure there is only one default gateway and that it points to eth0.

I think more of your problem may be the hosts that you bring up on the NAT'd network and the config they are getting from DHCP. Can you dump the contents of /etc/dhcp3/dhcpd.conf and make sure the routers option is set to 192.168.100.1 and the domain-name-servers option is set correctly (presumably 207.69.188.185, 207.69.188.186). If you edit that file, remember to bounce the server itself (/etc/init.d/dhcp3-server restart).
 
cass
Minister of Gerbil Affairs
Topic Author
Posts: 2269
Joined: Mon Feb 10, 2003 9:12 am
Contact:

Tue Aug 21, 2007 1:45 pm

notfred wrote:
Double NAT shouldn't be a problem, it's messy but it will work for this.

I don't think you need the gateway or dns-nameservers lines in /etc/network/interfaces; the gateway line may be messing with your routing table, so try removing that, then bouncing the interfaces and then dumping "netstat -nr" and make sure there is only one default gateway and that it points to eth0.

I think more of your problem may be the hosts that you bring up on the NAT'd network and the config they are getting from DHCP. Can you dump the contents of /etc/dhcp3/dhcpd.conf and make sure the routers option is set to 192.168.100.1 and the domain-name-servers option is set correctly (presumably 207.69.188.185, 207.69.188.186). If you edit that file, remember to bounce the server itself (/etc/init.d/dhcp3-server restart).


*edit... I did remove the gateway line from eth1 in interfaces and try that before I came to work, but it didn't work.

I watched one node boot through your diskless setup (it's a 32-bit AMD AXP node), and the DNS comes down right, its IP gets set right, but I don't really know about the routers... I'll have to check that. When I get home I will try some stuff and post for you. I turned DHCP off and restarted the interfaces, iptables, and inetd, and it still wouldn't forward from another Debian box that I manually configured the NIC on.

This evening I'll probably just install a copy of Debian 32-bit on an AXP and copy over the working setup from my other box; if it happens to be a problem with 64-bit, that would eliminate it. I have tried so many different scripts and setups and restarted so many different ways, it looks like one of them would have accidentally worked.

What would I have to do to set up a path across the two NICs manually? I mean, can't I just start up a machine with a manually assigned IP and have the Debian64 box configured to just send anything from that IP straight out to the other NIC?

I went through some syslogs this morning, and there are some errors relating to some gconf files being read-only.
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Tue Aug 21, 2007 2:02 pm

I don't think it's a problem with 64 bit Debian as my server / firewall / router / myth box is Debian Stable 64bit. I copied my setup over from 32bit when I switched to 64 bit so what you are trying to do should work.

One other thought: are the conntrack modules loading? Try
lsmod | grep conn
ip_conntrack_ftp       13136  1 ip_nat_ftp
ip_conntrack           63140  6 ipt_MASQUERADE,iptable_nat,xt_state,ip_nat_ftp,ip_nat,ip_conntrack_ftp
nfnetlink              11976  2 ip_nat,ip_conntrack


I have added ip_nat_ftp in to /etc/modules and that seems to load the rest as well at boot time.
 
My Johnson
Gerbil Elite
Posts: 679
Joined: Fri Jan 24, 2003 3:00 pm
Location: Dystopia, AZ

Tue Aug 21, 2007 4:46 pm

What would I have to do to set up a path across the two NICs manually? I mean, can't I just start up a machine with a manually assigned IP and have the Debian64 box configured to just send anything from that IP straight out to the other NIC?


You don't set up a path. Doing NAT requires software, which is obviously built into the Linux kernel. You just need to configure the router (Debian64 box) correctly. And you don't need a gateway or DNS on the eth1 interface, but having DNS populated on my Windows box isn't hosing it. Only if I populate the gateway do I lose connectivity.

What's the gateway and DNS on a host on the 100 network? It should be 192.168.100.1 for both. Just checking...

UPDATE:

Your network mask is also borked or I'm retarded. :p

Change it to... 1+2+4+8+16+32+64... 255.255.128.0.
Last edited by My Johnson on Tue Aug 21, 2007 6:02 pm, edited 1 time in total.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Tue Aug 21, 2007 4:57 pm

Wouldn't it just be easier to use something like Shorewall?
Fernando!
Your mother ate my dog!
 
bitvector
Grand Gerbil Poohbah
Posts: 3293
Joined: Wed Jun 22, 2005 4:39 pm
Location: San Francisco, CA

Re: NAT hell

Tue Aug 21, 2007 7:47 pm

cass wrote:
If anyone has a 64bit linux system using NAT/forwarding/Masq... can I know WTF it takes?

Setting up your interfaces/routes/iptables rules correctly? I've got 64-bit linux systems doing similar jobs; why do you think that this is a 64-bit issue? Don't you think people would have noticed if core functionality like netfilter didn't work right on 64-bit kernels?

cass wrote:
What would I have to do to set up a path across the two NICs manually? I mean, can't I just start up a machine with a manually assigned IP and have the Debian64 box configured to just send anything from that IP straight out to the other NIC?

You could have it bridge traffic from one interface to the other... but, really, what is it that you are actually trying to do here?
 
My Johnson
Gerbil Elite
Posts: 679
Joined: Fri Jan 24, 2003 3:00 pm
Location: Dystopia, AZ

Tue Aug 21, 2007 8:45 pm

He's trying to route between two networks.
 
bitvector
Grand Gerbil Poohbah
Posts: 3293
Joined: Wed Jun 22, 2005 4:39 pm
Location: San Francisco, CA

Tue Aug 21, 2007 9:04 pm

My Johnson wrote:
He's trying to route between two networks.

... yes, I gathered that. :roll:
 
cass
Minister of Gerbil Affairs
Topic Author
Posts: 2269
Joined: Mon Feb 10, 2003 9:12 am
Contact:

Tue Aug 21, 2007 11:29 pm

My Johnson wrote:
You don't set up a path. Doing NAT requires software, which is obviously built into the Linux kernel. You just need to configure the router (Debian64 box) correctly. And you don't need a gateway or DNS on the eth1 interface, but having DNS populated on my Windows box isn't hosing it. Only if I populate the gateway do I lose connectivity.


I don't know, but I tried your suggestion:
debianserver64:/etc/dhcp3# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
             address 192.168.100.1
             netmask 255.255.255.0


The best I could tell, that changed nothing, but in between your smart a$$ comments you still offered more suggestions, some of which made sense, and since dhcpd reassigned the values, and the only side effect of the above changes was having to manually kick-start eth1 with ifup eth1, I left it and plodded on.

I left the iptables alone:
debianserver64:/etc/dhcp3# iptables -L -v
Chain INPUT (policy ACCEPT 1468K packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1307 1855K ACCEPT     0    --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED
  872 50323 ACCEPT     0    --  eth1   eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1468K packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination
debianserver64:/etc/dhcp3# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 964 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 412 packets, 91415 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  3947 MASQUERADE  0    --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 731 packets, 111K bytes)
 pkts bytes target     prot opt in     out     source               destination


My Johnson wrote:
What's the gateway and DNS on a host on the 100 network? It should be 192.168.100.1 for both. Just checking...


That made some sense to me, so I checked it in dhcpd.conf:
subnet 192.168.100.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.100.40 192.168.100.240;
  option broadcast-address 192.168.100.255;
  option routers 192.168.100.254;
  option domain-name-servers  205.69.188.185, 205.69.188.186;
  next-server 192.168.100.1;
  filename "PXEClient/pxelinux.0";
  use-host-decl-names on;
}

So I changed the option routers to 192.168.100.1, and then I could ping machines on the 192.168.0.xxx subnet for the first time, but still I could not get a machine on the 192.168.100.xxx subnet to resolve a DNS lookup. Then it dawned on me from looking at the setup....

subnet 192.168.100.0 netmask 255.255.255.0 {
range dynamic-bootp 192.168.100.40 192.168.100.240;
option broadcast-address 192.168.100.255;
option routers 192.168.100.1;
option domain-name-servers 192.168.0.254, 205.69.188.185, 205.69.188.186;
next-server 192.168.100.1;
filename "PXEClient/pxelinux.0";
use-host-decl-names on;
}


Once I added that (the 192.168.0.254 entry in domain-name-servers, shown in red in the original post) it fired right up and works.... well, it booted a diskless folding node and was able to wget.

My Johnson wrote:
UPDATE:

Your network mask is also borked or I'm retarded. :p

Change it to... 1+2+4+8+16+32+64... 255.255.128.0.


It works with the 255.255.255.0, but I don't think that is a reflection of your mental acuity. :-)

Thanks for the help BTW.
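The two things the thread converged on (notfred's "make sure routers is 192.168.100.1" and the advice to drop the gateway line from the eth1 stanza) turned into a small audit script. This is an added example, not code from the thread; the sample file contents are constructed from what cass posted, and the function names (ip2int, in_subnet, iface_has_gateway, check_routers) are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two files the fix came down
# to. "option routers" in dhcpd.conf must be the NAT box's own eth1 address
# (192.168.100.1), not an address nothing answers on (192.168.100.254), and
# the eth1 stanza in /etc/network/interfaces should carry no "gateway" line.
# Sample texts below are constructed from the "before" state cass posted.

INTERFACES_BEFORE='iface eth0 inet dhcp
iface eth1 inet static
             address 192.168.100.1
             netmask 255.255.255.0
             gateway 192.168.100.254'

DHCPD_BEFORE='subnet 192.168.100.0 netmask 255.255.255.0 {
  option routers 192.168.100.254;
  option domain-name-servers 205.69.188.185, 205.69.188.186;
}'

# dotted quad -> integer, so subnet membership is plain arithmetic
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }
}

# in_subnet ADDR NET MASK -> 0 if ADDR lies inside NET/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# iface_has_gateway INTERFACES_TEXT IFNAME -> 0 if that stanza sets a gateway
iface_has_gateway() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^iface /                         { cur = $2 }
        /^[ \t]*gateway/ && cur == want   { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_routers DHCPD_TEXT ETH1_ADDR -> 0 ok, 1 wrong router, 2 no/odd subnet
check_routers() {
    set -- "$1" "$2" $(printf '%s\n' "$1" |
        sed -n 's/^subnet \([0-9.]*\) netmask \([0-9.]*\).*/\1 \2/p')
    [ -n "$4" ] || { echo "no subnet line found"; return 2; }
    r=$(printf '%s\n' "$1" | sed -n 's/.*option routers[[:space:]]*\([0-9.]*\);.*/\1/p')
    if [ -z "$r" ] || ! in_subnet "$r" "$3" "$4"; then
        echo "option routers '$r' is missing or outside $3/$4"; return 2
    elif [ "$r" != "$2" ]; then
        echo "option routers $r but the NAT box's eth1 is $2"; return 1
    fi
    echo "option routers $r matches eth1"; return 0
}

check_routers "$DHCPD_BEFORE" 192.168.100.1 || :
if iface_has_gateway "$INTERFACES_BEFORE" eth1; then echo "eth1 stanza sets a gateway; drop it"; fi
```

Run it against the real files with `check_routers "$(cat /etc/dhcp3/dhcpd.conf)" 192.168.100.1` and `iface_has_gateway "$(cat /etc/network/interfaces)" eth1`.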
 
cass
Minister of Gerbil Affairs
Topic Author
Posts: 2269
Joined: Mon Feb 10, 2003 9:12 am
Contact:

Tue Aug 21, 2007 11:40 pm

cheesyking wrote:
Wouldn't it just be easier to use something like Shorewall?


Damn right, but where is the fun in that? I'm trying to get a handle on where things are and how they work, so I googled, nano'd and tried to transplant my working arrangement in.... Needless to say I flamed out. But now I have another setup that works, thanks to the helpful TR folks.
 
My Johnson
Gerbil Elite
Posts: 679
Joined: Fri Jan 24, 2003 3:00 pm
Location: Dystopia, AZ

Wed Aug 22, 2007 12:03 am

I didn't know that you were running a DHCP server on eth1. I missed that.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
Contact:

Wed Aug 22, 2007 8:52 am

cass wrote:
cheesyking wrote:
Wouldn't it just be easier to use something like Shorewall?


Damn right, but where is the fun in that? I'm trying to get a handle on where things are and how they work, so I googled, nano'd and tried to transplant my working arrangement in.... Needless to say I flamed out. But now I have another setup that works, thanks to the helpful TR folks.



Yeah, I suppose I should be so lazy, but it comes so naturally to me.
Fernando!

Your mother ate my dog!
