RE: Routing Problem

DEMERRE DIETER (EXT.Dieter.Demerre@siemens.be)
Thu, 30 Dec 1999 07:45:48 +0100


> -----Original Message-----
> From: Sergio A. Carvalho [mailto:XSeRgIo@brasirc.net]
...
> The internet signal comes from eth1 (wavelan) and needs to be distributed
> to eth0, so the internal network can have internet access. The wavelan
> board uses a gateway to receive the signal, that has the ip
> 200.241.128.225. When I add a route as default route to the gateway, I can
> ping the gateway ip only, but only this.
>
> i did : route add default gw 200.241.128.225 dev eth1
> and the route printed this :
> 0.0.0.0 200.241.128.225 0.0.0.0 eth1

That's a bit short on information. I suppose you're administering the
Linux server.
If the gateway's address is 200.241.128.225, then what's the
ip-address of eth1 ?
(result of `/sbin/ifconfig eth1`).
I now assume you're working in the following configuration (adding the
gateway's picture)
So your eth1 (on the linux srv) should look sth like 200.241.128.<n>
since the gateway will only be reachable if eth1 is configured on the
same subnet.

                 ...
                  |
                  |
   |-----|        |        |-----|
   |     |--------------------|     |
   |-----|        |        |-----|
                  |
                  |
                  | eth0(local network)
            |===========|
            | linux srv |
            |           |
            |===========|
                  | eth1(external network)
                  |
                  |
                  | 200.241.128.225
            |===========|
            |  gateway  |
            |           |
         Connected to the Internet

Then the internal (local) network. Is it necessary that these
machines are directly accessible from the Internet, or do you only
want to reach the internet from these machines ?

A. Internet reachable machines

In the first case, you'll have to assign them legal Internet
addresses, and have to configure your Linux box to forward these
IP-addresses (sth. that's done by default).

B. machines reach Internet

But in the latter case (you only want to set-up connections initiated
from the inside), you could assign them private-network ip-addresses
(like 10.* or 172.18.* or 192.168.*).
In any case your Linux box needs some more route-lines.

e.g.

suppose eth1 has IP-address 200.241.128.101

# /sbin/route add -net 200.241.128.0 netmask 255.255.255.0 eth1
# /sbin/route add default gw 200.241.128.225

Then now suppose your Internal network is in the range 192.168.12.*
and we configure eth0 as 192.168.12.254
# /sbin/ifconfig eth0 192.168.12.254 netmask 255.255.255.0 \
      broadcast 192.168.12.255

then we also need to add the route to that internal network:

# /sbin/route add -net 192.168.12.0 netmask 255.255.255.0 eth0

Now you'll have to configure all internal hosts to use 192.168.12.254
as gateway. In linux:
# /sbin/route add default gw 192.168.12.254
In Win9x:
#Start# -> #Settings# -> #Control Panel# -> #Network# -> \
#TCP/IP -> ...#-Properties -> #Gateway# -> \
#New gateway = 192.168.12.254# -> #Add# -> #ok# -> #ok# -> reboot :(

While Winslow is rebooting on these hosts, you can continue to
configure your linux server by administering the forwarding rules:

# /sbin/ipchains -P forward MASQ
# /sbin/ipchains -P input ACCEPT
# /sbin/ipchains -P output ACCEPT

These rules are rather insecure, but should do the trick...
Better configurations could of course be composed:

# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -i eth1 -s 192.168.12.0/24 -j MASQ

Then to allow ftp-access from inside to the outside, you'd also have
to load the ip_masq_ftp module.

# /sbin/insmod ip_masq_ftp

For other services, you'd possibly have to load other modules. Note
that some services still can't be forwarded through this
masquerading-forwarding server.

--------------

Voilà, hope this helps you a bit.

Good luck !!!

Merry Greetings from - Z'ge Groetjes vanwege
*** Dieter Demerre ----- ddemerre@acm.org **
http://www.angelfire.com/de/ddemerre/
********************************************
Wanna get rid of idle Processor cycles ?
distributed.net ? Try synchronising outlook.
********************************************
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
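
The two checks the reply relies on, as an added example that is not part of the original message: whether the default gateway lies in eth1's subnet, and whether the masqueraded inside range is private (case B only). The function names are hypothetical, the addresses are the example values used in the reply, and the script only prints the route and ipchains commands; it never runs them.

```shell
# Added example (not from the original post). Nothing here touches the
# routing table: plan_masq_gateway only prints the commands it would run.

# Dotted quad -> integer; rejects malformed octets and leading zeros (octal).
ip2int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of IP NETMASK -> network address as dotted quad.
network_of() {
    n_ip=$(ip2int "$1") && n_mask=$(ip2int "$2") || return 1
    n=$(( n_ip & n_mask ))
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))"
}

# on_link IFACE_IP NETMASK GATEWAY: true when the gateway is in the
# interface's subnet, i.e. reachable without any other route.
on_link() {
    a=$(network_of "$1" "$2") && b=$(network_of "$3" "$2") && [ "$a" = "$b" ]
}

# is_private IP: true for 10/8, 172.16/12 and 192.168/16 (RFC 1918).
is_private() {
    p=$(ip2int "$1") || return 1
    [ $(( p >> 24 )) -eq 10 ] || [ $(( p >> 20 )) -eq 2753 ] ||
        [ $(( p >> 16 )) -eq 49320 ]
}

# plan_masq_gateway EXT_IF EXT_IP EXT_MASK GATEWAY INT_IP INT_MASK
# Returns 2 if the gateway is off-link, 3 if the inside range is not private.
plan_masq_gateway() {
    on_link "$2" "$3" "$4" || { echo "gateway $4 not on $1 subnet" >&2; return 2; }
    is_private "$5" || { echo "$5 is not an RFC 1918 address" >&2; return 3; }
    inside=$(network_of "$5" "$6") || return 1
    echo "/sbin/route add default gw $4 dev $1"
    echo "/sbin/ipchains -P forward DENY"
    echo "/sbin/ipchains -A forward -i $1 -s $inside/$6 -j MASQ"
}

# Constructed call using the example addresses from the post.
plan_masq_gateway eth1 200.241.128.101 255.255.255.0 200.241.128.225 192.168.12.254 255.255.255.0
```

A return code of 2 corresponds to the symptom in the quoted question: a default route whose gateway is not in eth1's subnet cannot be reached through that interface.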