I'm trying to learn iproute2 by building a router/firewall for my home Internet access. But things are not working as expected. I'm running a distribution called PakSecured (kernel 2.4.0) on a box with 3 Ethernet interfaces. One is connected to the Internet, the other two are connected to 2 different private IP segments. At this point, all I want to do is route between these interfaces.

So far all I can do is ping the linux-router from the devices on the various segments. But I cannot reach devices on the other side of the linux-router. I.e., from a host on the inside-net, I can ping every interface on the linux-router. But I cannot ping a host on the other side of the linux-router. And if sourcing from the linux-router, I am able to ping everything.

The routes appear to be correct as far as I can tell. I've even turned off the firewalling (iptables) to see if that was the problem, but it was not. What am I missing? Why can't I get packets through the linux-router? Is there a way to 'debug' like in a Cisco router?

I've created an ASCII topo of the network, and I've included output from:

- ip addr
- ip route
- ip rules
- iptables -L
- cat /proc/sys/net/ipv4/ip_forward

--- *** Topo Map *** ---

[inside-net] eth0>-----<eth2 [linux-router] eth1>-----<eth0 [other-net]
              .1        .150       |        .150        .1
             192.168.1.0/24        |        192.168.2.0/24
                                   |
                                   | eth0 123.4.5.6/22
                                   |
                                   |
                                   |
                              [Internet]

--- *** ---

[prompt]# ip addr
1: lo: <LOOPBACK,UP> mtu 3840 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
    inet6 ::1/128 scope host
2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:1a:00:9c brd ff:ff:ff:ff:ff:ff
    inet 123.4.5.6/22 brd 123.4.8.255 scope global eth0
    inet6 fe80::2c0:f0ff:fe1a:9c/10 scope link
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:09:d3:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.150/24 brd 192.168.2.255 scope global eth1
    inet6 fe80::2c0:f0ff:fe09:d3b8/10 scope link
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:80:c8:39:b4:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.150/24 brd 192.168.1.255 scope global eth2
    inet6 fe80::280:c8ff:fe39:b408/10 scope link

--- *** ---

[prompt]# ip ro
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.150
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.150
123.4.5.0/22 dev eth0 proto kernel scope link src 123.4.5.6
default via 192.168.1.1 dev eth2 proto static src 192.168.1.150

--- *** ---

[prompt]# ip ru
0: from all lookup local
16000: from 192.168.2.0/24 to 192.168.1.0/24 lookup main
16010: from 192.168.1.0/24 to 192.168.2.0/24 lookup main
32766: from all lookup main
32767: from all lookup 253

--- *** ---

[prompt]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

--- *** ---

[prompt]# cat /proc/sys/net/ipv4/ip_forward
1