Hmm, I seem to be the only person with lots of free time here :).
Well, I will put Sanjeev out of his misery (temporarily ???).
To summarize he has the following configuration:
1. Ethernet card connected to the local network 192.168.200.0 (A valid class C
network to be used only within a local network with no direct connection to the
internet).
2. Ethernet card connected to the "outer network" 12.10.198.0 (whatever network
that is - it doesn't seem to be reachable from the general network - DNS root
server says ATT.NET might be more knowledgeable in this issue - I wonder about
that !!).
3. Some kind of NIC (defined as ets0) giving internet access. [Gateway is
defined as 12.10.199.61 - this doesn't seem to be reachable from the internet
either - might be a private network who knows ]
His routing table says
1. Any packet for the gateway 12.10.199.61 goes to the ets0 NIC.
2. Any packet for the machine 12.10.198.112 goes to the eth1 NIC [Hmm only one
machine in the whole of "other network" - sounds fishy to me].
3. Any packet for the local intranet 192.168.200.0 goes to the eth0 NIC [seems
reasonable enough].
4. Any packet for the localhost (120.0.0.0) goes to the lo device.
5. Any packet with other destinations is sent off to the gateway 12.10.199.61
via the ets0 NIC [this one seems to be fine too].
[Snipped off all the blurb about RedHat vs Debian, and running IPFWADM with IP
Forwarding enabled]
Now here comes the fun part. We are trying to ping the ISP (unless this ISP has
some real weird network configuration the machine will be part of the internet)
- from 12.10.198.112 [the machine earth doesn't know/will not acknowledge the
existence of any other machine in the 12.10.198.0 network courtesy of the routing
table]. The problem lies with the "other network" - from the internet point of
view this network doesn't exist at all - I tried a traceroute from three
different domains and the packets went to lala land so unless Sanjeev got the
ISP to modify its routing table [highly unlikely] he won't hear anything back
from them.
Now what happens when he enables Firewall? Well, I am assuming he tried
masquerading - in which case all the packets from 12.10.198.112 will be
processed by the machine "earth" and for all practical purposes the internet
will think that the packets are arriving from "earth". If you use a proxy server
the method is different but the final outcome is the same: all packets seem to
arrive from "earth".
The conclusion: nothing from the 192.168.200.0 and 12.10.198.0 networks is going
to be able to connect to the internet [unless of course somebody bought the
whole set of Class C IP addresses 12.10.198.0 - or at least 12.10.198.112]
directly.
The solution - stick to using IP Masquerading [unless you have lots of money to
spare :)]
Now finally we come to the other questions.
1. Yes it was in RedHat - that variable is used to decide the IP Forwarding for
the box when the system is booted.
2. TCPDUMP will dump the traffic on any/all ethernet cards - you were supposed
to do a TCPDUMP on ets0 and watch whether anything from 12.10.198.0 network to
your ISP was going out or not.
Hope this clarifies most if not all your questions.
Regards
Mithun
-
On Fri, 22 Oct 1999, Mithun Bhattacharya wrote:
If possible mail the routing table (don't need the exact IP addresses
- can mask it). Also do a ifconfig and see whether it is giving any errors for
any of the devices (highly unlikely).
eth0  Local (192.168.x.y) card
eth1  "valid" IP card (12.10.198.112/29) card, for mail servers, etc
ets0  Card to talk to RF Modem, runs PPP
[ghane@earth:~ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS  Window irtt Iface
12.10.199.61    0.0.0.0         255.255.255.255 UH    1500 0      0    ets0
12.10.198.112   0.0.0.0         255.255.255.248 U     1500 0      0    eth1
192.168.200.0   0.0.0.0         255.255.255.0   U     1500 0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     3584 0      0    lo
0.0.0.0         12.10.199.61    0.0.0.0         UG    1500 0      0    ets0
Check /etc/sysconfig/network for the value of FORWARD_IPV4 - it should be
"yes" or "true".
I think that is RedHat, I use Debian. What does this parameter do in the
script?
Also when we use Masquerading and proxy we usually disable IP forwarding - but
/proc/sys/net/ipv4/ip_forward seems to say something different who knows..
Yes. However, I/sbin/ipfwadm -F -e -p accept
What are the IP addresses of each card and how did you set up the routing
table ??? How did you test whether IP forwarding is working or not ???
I have a machine on the "outer" network (12.10.198.x), through which I am
pinging my ISP. In case forwarding works, I will get a beep. That setup
is OK, as I get a beep when I masq it.
Mithun
-
Is your routing OK? What do netstat and tcpdump say
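
Added example, not part of the thread: a longest-prefix-match lookup over the routing table posted above, showing which interface and gateway the kernel would pick for a given destination. The table rows are the ones from the thread with the fused columns separated; the function names and the sample destinations are constructed for illustration.

```python
import ipaddress

# Routing table as posted in the thread (netstat -rn), fused columns split.
NETSTAT = """\
12.10.199.61    0.0.0.0         255.255.255.255 UH  1500 0 0 ets0
12.10.198.112   0.0.0.0         255.255.255.248 U   1500 0 0 eth1
192.168.200.0   0.0.0.0         255.255.255.0   U   1500 0 0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U   3584 0 0 lo
0.0.0.0         12.10.199.61    0.0.0.0         UG  1500 0 0 ets0
"""

def parse_routes(text):
    """Return a list of (network, gateway, iface) from netstat -rn rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:          # skip headers or malformed rows
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        # Convert the dotted Genmask to a prefix length by counting set bits.
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        gateway = None if gw == "0.0.0.0" else gw   # 0.0.0.0 = directly attached
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway, str(net)

ROUTES = parse_routes(NETSTAT)

if __name__ == "__main__":
    # Constructed destinations: the gateway, two hosts near the eth1 route,
    # a LAN host, and an arbitrary outside address (documentation range).
    for dst in ["12.10.199.61", "12.10.198.113", "12.10.198.120",
                "192.168.200.5", "198.51.100.7"]:
        print(f"{dst:15} -> {lookup(ROUTES, dst)}")
```

The lookup only says where a packet leaves the box; whether a reply ever comes back depends on the far side having a route to the source address, which is what masquerading on ets0 works around.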