routes are killing me - how to?

Bil yellowdog-general@lists.terrasoftsolutions.com
Thu Nov 7 10:29:01 2002


No problem about spoon fed. I spit in IPTABLES eye. I hate it for being the
clunky <snip>

well, so long as that machine can ping the outside world, your relationship
with that machine is done.

now set all the machines on the 192.168.0.0 subnet to use it's IP as their
default gateway.

check that you can ping 192.168.0.1.

now try to ping an external IP, 195.8.69.8, if you can? you're done.

here's my sample rc.firewall:

#!/bin/sh
###                   Flushing existing chains/tables
### making sure you have an empty table before you start.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

###                 flushes previously defined chains.
### i.e. another cleaning procedure before putting in any IPTABLES rules
iptables -X

### the kernel has to be allowed to forward packets between interfaces,
### otherwise the MASQUERADE rule below never sees any traffic to rewrite.
echo 1 > /proc/sys/net/ipv4/ip_forward

### another essential line i believe that makes sure some form of NAT
### is used, this is the basic setup (eth1 = external facing interface)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

###                   Setting default policy ACCEPT
### sets the firewall to accept all incoming, outgoing and forwarding
### requests by default.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#### Refuse any connection from problem sites
#### place a file called rc.firewall.blocked at /etc/rc.d/ with
#### a list of blocked sites, and it should block those out.
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
  . /etc/rc.d/rc.firewall.blocked
fi

<end>

it clears all previous rules first, and has a totally open policy, and
passes packets. i ripped it direct from a machine that's currently doing
that exact job.

should work. eth1 being the external facing interface.

bil
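
Bil's script leaves every chain at ACCEPT, so once forwarding is on the box passes anything in either direction. The script below is an added example written for this thread, not Bil's script or anything from the list: it keeps his flush-then-masquerade sequence but drops INPUT and FORWARD by default, only lets replies back in toward the LAN, and refuses packets that arrive from outside claiming a 192.168.0.0 source. It assumes the interfaces from the diagram (eth1 external, eth0 internal, 192.168.0.0/24 behind it) and the Linux ip_forward sysctl path.

```shell
#!/bin/sh
# Added example: a closed-by-default version of the rc.firewall posted above.
# Interface names and the 192.168.0.0/24 subnet come from the thread; change
# them to match your box. Not Bil's script; written for this thread.
EXT_IF=${EXT_IF:-eth1}       # external (DSL) side
INT_IF=${INT_IF:-eth0}       # private LAN side
LAN=${LAN:-192.168.0.0/24}   # private subnet being masqueraded
IPT=${IPT:-iptables}         # command used to emit rules (swap in a printer to dry-run)

emit() { "$IPT" "$@"; }

firewall_rules() {
    # Clean slate, exactly as in the original script.
    emit -F INPUT
    emit -F OUTPUT
    emit -F FORWARD
    emit -t nat -F
    emit -X
    # Default policy: nothing comes in or through unless a rule says so.
    emit -P INPUT DROP
    emit -P OUTPUT ACCEPT
    emit -P FORWARD DROP
    # Drop packets that claim a LAN source address but arrive from outside.
    emit -A INPUT -i "$EXT_IF" -s "$LAN" -j DROP
    emit -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    # The box itself: loopback, the LAN, and replies to its own connections.
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Forwarding: LAN may start connections outward; only replies come back.
    emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    emit -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT only traffic that really came from the LAN, out the external side.
    emit -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j MASQUERADE
}

enable_forwarding() {
    # Without this the kernel never passes packets between eth0 and eth1,
    # however permissive the FORWARD chain is.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when invoked as "sh rc.firewall start"; sourcing the file just
# defines the functions so the rule set can be inspected first.
if [ "${1:-}" = start ]; then
    enable_forwarding
    firewall_rules
fi
```

Setting IPT to a shell function that prints its arguments lets you review the generated rule list before it touches a live box.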


----- Original Message -----
From: "Stefan Jeglinski" <jeglin@4pi.com>
To: <yellowdog-general@lists.terrasoftsolutions.com>
Sent: Thursday, November 07, 2002 4:29 PM
Subject: Re: routes are killing me - how to?


> Thanks Bil for your comments. Also, Keary says:
>
> >Just from what you have provided, it seems to me that the private
> >network router is simply redundant. It would be simpler to remove it from
> >the network entirely. (Now, you do mean *router* vs hub or switch?)
>
> OK, let me restate the picture, and I will clarify an item or two
> that I know I had not described well due to the lateness of my
> evening yesterday. Here again is a picture of what I am trying to do:
>
>               hub  +-----------------------+
>               | |  |                       |
> 192.168.0.0 -+ +--+ eth0 (192.168.0.1)    |
>                    |                       |   hub--dslmodem (63.220.231.129)
>                    |                       |   | |
>                    | (63.220.231.132) eth1 +---+ +
>                    |                       |     |
>                    +-----------------------+     |
>                                                  |
>                  other 63.220.231.128/26 IPs ----+
>
>
> Yes I used the term router before and this was completely incorrect;
> I apologize profusely for the confusion that this may have caused. In
> the above diagram I use "hub" and this could be replaced with
> "switch."
>
> For the moment leaving aside security issues, it was my original
> thought that to get the private 192.168.0.0 network to exchange
> packets with the outside world, I had to correctly set up the routing
> table on the Linux box. At boot, the routing table created from
> information from ifcfg-eth0, ifcfg-eth1, and network files is:
>
>   Destination     Gateway         Genmask        Flags Iface
> 63.220.231.128  0.0.0.0         255.255.255.192 U     eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     lo
> 0.0.0.0         63.220.231.129  0.0.0.0         UG    eth1
>
> My first question was/is: is this routing table sufficient to allow
> the packets to be exchanged? AFAICT, the answer was it didn't matter
> because using iptables would magically fix it for me. And I was
> admonished to "just do iptables."
>
> I'm still not sure I'm doing iptables right anyway, but the issue is
> more fundamental than that. The hosts on 192.168.0.0 have the gateway
> device listed as 192.168.0.1, but they cannot ping 192.168.0.1, and
> vice versa. I believe this is a problem with the routing table. Am I
> wrong on this?
>
> Believe me, I'm not trying to just be spoon fed. But I do want to
> understand why what I'm doing works (or not).
>
> I submit that all the equipment is working, because this config works:
>
>                +--------------------------------+
>                |                                |
>                +                                |
>               hub  +-----------------------+    |
>               |    |                       |    |
> 63.220.231.x-+   -+ eth0 (192.168.0.1)    |    |
>                    |                       |   hub--dslmodem (63.220.231.129)
>                    |                       |   | |
>                    | (63.220.231.132) eth1 +---+ +
>                    |                       |     |
>                    +-----------------------+     |
>                                                  |
>                  other 63.220.231.128/26 IPs ----+
>
>
> There seems to be disagreement as to whether I should do iptables,
> nat, masquerading, or [software] routing with the Linux box. I know
> surely this is a common config, at this point I'll take a blind
> recipe and analyze why it works after. Keary, I'm working on the
> script link you sent me.
>
>
> Stefan Jeglinski