Hello David,
Found the cause of the single ping return.
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 172.16.231.57-172.16.231.59
If I leave the -s 10.1.1.0/24 out, the routing box and the outside box
stop being able to ping the ISP or the Internet (just the first one
returns; the rest time out).
So now for the routing box and the outside box I can ping anywhere
and get all responses back. The routing box is also able to ping
the inside boxes.
The inside boxes can ping the router box and the outside box without
problem but cannot ping the ISP or an Internet site. I have also
tried the FTP and HTTP protocols from the inside boxes with the same
results.
With a sniffer on the outside box I can see all the translated ping
requests from an inside box and the returning responses. But the
responses are not getting translated back and sent to the inside box.
Is there another iptables command I am supposed to set that causes
it to translate back and send it out the inside interface?
                   --------------------
                   |       ISP        |
                   |(172.16.231.62/29)|
                   --------------------
                             |
                             |(ADSL line)                 outside for testing
                           -----                          ---------------
                           |HUB|--------------------------|172.16.231.60|
                           -----                          ---------------
                             |                            default route set to
                             |                            172.16.231.61
          --------------------------------------
          | LinuxBox (router)                  |  I need the inside addresses
          | (eth0 - 172.16.231.61/29,          |  translated as needed when the
          |  eth1 - 10.1.1.1/24                |  inside boxes need to go out to
          |  Default route 172.16.231.62       |  the internet. There are more
          |  Addresses to translate to         |  inside boxes than translation
          |172.16.231.57/29 - 172.16.231.59/29)|  IP addresses
          --------------------------------------
                             |
                             |
                    -------------------
                    |Cisco 2900 Switch|
                    -------------------
                        | | | | | |
                        | | | | | |
                 ------------------------
                 |      InsideBoxes     |
                 |(10.1.1.2 - 10.1.1.10)|
                 |default route 10.1.1.1|
                 ------------------------
Saturday, October 20, 2001, 9:27:43 PM, you wrote:
D> Robin Cook wrote:
D> 1) I added some lines here that describe what you say. * indicates the end point of
D> where it is going to (not from). It seems weird that you can ping one
D> time from two of them to the ISP and then time out, and none to the ISP
D> from internally past the router (from what I understand the router is
D> supposed to ignore addresses like 10.1.1.2 and just pass them on). Are
D> you sure that your ISP gave you the correct number of IP addresses? /29
D> corresponds to 8 addresses, 6 of which are usable. I wonder if they have
D> actually activated the other addresses? Maybe try disconnecting the
D> LinuxBox from the HUB and just have 216.62.231.60 connected and try
D> different IP addresses that they say they gave you.
D> --------------------
D> | ISP |
D> |(172.16.231.62/29)|
D> -------------------- *----
D> * | | 1x
D> | |(ADSL line) |--------------\
D> | ----- ---------------
D> 1x | |HUB|--------------------------|172.16.231.60|
D> | ----- ----* ---------------
D> | | | * Outside for testing
D> | | | |
D> -------------------------------------- | |
D> | LinuxBox | | | I need the inside addresses
D> | (eth0 - 172.16.231.61/29, | | | translated as needed when the
D> | eth1 - 10.1.1.1/24 | | | inside boxes need to go out to
D> | Default Gateway 172.16.231.62 | | | the internet. There are more
D> | Addresses to translate to | | | inside boxes than translation
D> |172.16.231.57/29 - 172.16.231.59/29)| | | IP addresses
D> -------------------------------------- | |
D> | | |
D> | | |
D> ---------------------------------- |
D> |Cisco 2900 Switch (Router) | |
D> ---------------------------------- |
D> | | | | | | | |
D> | | | | | | * |
D> ------------------------ |
D> | InsideBoxes |---------------
D> |(10.1.1.2 - 10.1.1.10)|
D> | Gateway 10.1.1.1 |
D> ------------------------
--
Best regards,
Robin mailto:[EMAIL PROTECTED]