Linux Routing Setup

402blownstroker

Routing/networking is not my strong suit, so I need some help.

I have a linux box that has two NICs installed. NIC 1 has a static IP of 192.168.3.1 and NIC 2 has a static IP of 192.168.100.1. Each NIC is connected to a switch where other computers are also connected. I would like to set up the box to allow computers on the 192.168.3.x subnet to talk to computers on the 192.168.100.x subnet through this box.

Is there any way to do this?
 
Yes, this is pretty easy on the linux side; if you don't have any firewall rules, it's as simple as
echo 1 > /proc/sys/net/ipv4/ip_forward

For the computers on either side, you'll need to configure them with a route through the linux box. If the linux box is already the default route, you're set, otherwise something like

# for 192.168.3.0/24 clients
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.3.1

# for 192.168.100.0/24 clients
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.100.1

(or whatever, for the client platform; you might be able to push this through dhcp too, but i dunno)
 
You can set up a static route, which can be googled but this looks helpful, or use a routing protocol. For your needs you probably only need a static route.

The wiki article mentions a number of open source programs that allow for routing. You can perform some research on which protocol would be best for you and your needs if you'd rather not go with a static route.
 
Finally got a chance to play around with this.

On the server I enabled ip forwarding by:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward && systemctl restart network

On one client I added the route:
Code:
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.3.1
ping 192.168.100.156
PING 192.168.100.156 (192.168.100.156) 56(84) bytes of data.
^C
--- 192.168.100.156 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

I looked in dmesg and /var/log/messages and did not see anything obvious. How does the server know to route traffic from eth0 to eth1 and eth1 to eth0? Seems like there should be more to configure than just enabling ip_forwarding.
 
(or whatever, for the client platform; you might be able to push this through dhcp too, but i dunno)


You can push static routes via DHCP, and that would be the recommended way of handling this for more than a handful of machines.
 
Finally got a chance to play around with this.

On the server I enabled ip forwarding by:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward && systemctl restart network
You only need to do the first part of that command. Restarting the network will set ip_forward back to whatever its default value is.

Of course, that means popping 1 into proc's ip_forward is a temporary setting. You need to find the network control file on your distro and set it there if you want it to last across reboots/restarts.

Also, I didn't see mention of it, but what kind of rules are in your router's iptables? For testing purposes, I'd flush them all out and make sure the default policy is "accept".

If you have that all set already, then try running tcpdump -i <nic> host 192.168.100.156 on the router to see if the traffic is at least arriving correctly, then run it down from there.
 
Add/Edit 'net.ipv4.ip_forward = 1' in /etc/sysctl.conf
Then run 'sysctl -p' in a root shell to load it.

Networking does not need to be restarted.
 
Also, I didn't see mention of it, but what kind of rules are in your router's iptables? For testing purposes, I'd flush them all out and make sure the default policy is "accept".

If you have that all set already, then try running tcpdump -i <nic> host 192.168.100.156 on the router to see if the traffic is at least arriving correctly, then run it down from there.

OK, when I run the tcpdump command on the server I get:
Code:
11:20:40.701144 IP 192.168.3.23 > 192.168.100.156: ICMP echo request, id 2685, seq 89, length 64

Not sure what that means, but the ping request does not seem to get to 192.168.100.156.

When I run route -n I get:
Code:
Kernel IP routing table
Destination       Gateway      Genmask       Flags   Metric  Ref     Use  Iface
192.168.100.0     0.0.0.0      255.255.255.0 U       0       0       0    ib0
192.168.3.0       0.0.0.0      255.255.255.0 U       1       0       0    ens32

Not sure how to set the default policy to 'accept'.
 
OK, I think I see the problem. Running iptables -L FORWARD I get:
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

I think the last line is the issue since the tcpdump result was showing an 'ICMP echo request'. How do I change that from REJECT to ACCEPT?
 
reject is always the last line...

you're accepting everything above that...

that looks fine, i would make sure you have that box/network listed as a route from whichever box you're trying to test from....
 
Let's take this one step at a time, because there's a lot of confusion here I think. In order to route packets from box A on network N to box B on network X via router H, you need to...

1) Tell router H to forward packets
2) Ensure there are no firewall rules on router H blocking traffic
3) Tell A and B how to reach one another ( routes to each other's networks on the respective boxes )

1)
Enter this command:
Code:
cat /proc/sys/net/ipv4/ip_forward
It should echo `1`. Does it? If not, then forwarding is not enabled. See earlier in this thread for the various methods to enable forwarding, but the quick and dirty way is
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
( note: this will not last past a restart of the network or a reboot of the router. )

2)

Do you have direct console access? Or at least local subnet access? If so, then stop the firewall. This should clear out all of the chains and leave everything in a default "OPEN" state, allowing all traffic to freely flow. Mind you, that's *should*. I don't really know how you have your system configured, but if you lock yourself out you should be able to reboot the system and have it come up with the firewall back to its previous state, so I wouldn't worry too much about it.

If this is a production box and you can't modify the firewall "on the fly", then we'll just have to muddle through it. Try entering this command:
Code:
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.100.0/24 -j ACCEPT
( note: same warning as before, this is transitory. A restart of the firewall or a reboot of the router will clear it )

3)
It sounds as though each client ( Boxes A & B from above ) has a different default gateway than this router. If that's so, then you'll need to add respective routes to these systems so they can talk to one another. See above for command syntax.

Wireshark would be your friend here, or tcpdump ( depending on the OS ). Fire it up on each side, send a ping, and see what traffic hits the remote target, and what the remote target tries to send back.

This should get traffic flowing from box A on network N to box B on network X via router H. From here it's just a matter of modifying the appropriate configuration files to make it permanent.
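The three-step checklist above (forwarding on, FORWARD chain permits the pair, client has a route) can be checked mechanically. The script below is an added example, not code from anyone in the thread; the rule and route text it uses is constructed, and the function names are mine. It reads `iptables -S FORWARD` rather than the `-L` listing shown earlier because `-L` without `-v` hides interface matches (the bare `ACCEPT all -- anywhere anywhere` line above is almost certainly firewalld's `-i lo -j ACCEPT`, not a real accept-everything rule).

```shell
#!/bin/sh
# Added checker for the three-step checklist above (forwarding on, FORWARD chain
# permits the pair, client has a route). Not from the thread: the rule and route
# text is constructed and the function names are mine.

# Step 1: the forwarding sysctl reads "1". Takes an optional path for testing.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Step 2: read `iptables -S FORWARD` rule specs on stdin, in chain order, and
# succeed only if an ACCEPT for exactly SRC -> DST comes before the first
# unconditional REJECT/DROP. Jumps into other chains (firewalld's FORWARD_direct
# etc.) are not followed, so failure means "not provably allowed here".
forward_chain_allows() {
    awk -v s="$1" -v d="$2" '
        /^-A FORWARD / {
            if (index($0, "-s " s " ") && index($0, "-d " d " ") && $0 ~ /-j ACCEPT$/) { ok = 1; exit }
            if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/) exit   # catch-all deny reached first
        }
        END { exit ok ? 0 : 1 }'
}

# Step 3: read `ip route` output on stdin and succeed if NET (or the default
# route) points at gateway GW.
client_has_route() {
    awk -v n="$1" -v gw="$2" '
        ($1 == n || $1 == "default") && $2 == "via" && $3 == gw { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed `iptables -S FORWARD` output shaped like the firewalld chain in
# the thread, i.e. before the step-2 rule is inserted.
CHAIN_BEFORE='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
# Constructed route table of a 192.168.3.x client after the route was added.
CLIENT_ROUTES='default via 192.168.3.254 dev eth0
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.23
192.168.100.0/24 via 192.168.3.1 dev eth0'

# Demo on the constructed data; a live run pipes real `iptables -S FORWARD`
# and `ip route` output into the same functions.
printf '%s\n' "$CHAIN_BEFORE" | forward_chain_allows 192.168.3.0/24 192.168.100.0/24 \
    && echo "FORWARD: pair allowed" || echo "FORWARD: pair not provably allowed (insert the step-2 rule)"
printf '%s\n' "$CLIENT_ROUTES" | client_has_route 192.168.100.0/24 192.168.3.1 \
    && echo "client route: ok" || echo "client route: missing"
```

Because the chain is walked in order, the checker also shows why step 2 uses `iptables -I` (insert at the top) rather than `-A`: an accept appended after the catch-all REJECT is never reached.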
 