[LARTC] help: routing and ipchains

Linux Advanced Routing and Traffic Control


I find myself going around in circles, so I am looking for some help.  I
think I am probably up against some weird ipchains/masq problem at this
point.  I am simplifying to try to get things working one step at a time,
so forget about security and the almighty question of why I would want
to do such a thing.  Here we go:

The goal:
Be able to ping from the win32 box (192...2) through the LRP machine
(doing ip masq) to router1 (240...57) and out to the internet.

The Problem:
It works when I use the "main" table, i.e. when I remove my custom rule.  With
the rule to match internal traffic coming in on eth2 added, I get
"request timed out".  The interesting thing is that the ping seems to be
getting to router1 (240...57), as I can see traffic lights
corresponding to the pings, but it doesn't get back.  Please see the full
setup below to understand what I'm trying to do.

Base config (stolen ASCII art, modified for my needs :-):

 
                                                   (240...57)
                                                  +---------+
                                  +---------------+ Router1 +
                                  |               +---------+
                                  |                     |     
                                  |(240...61)           |
                                  |eth1                 |
         _/\__/\_             +---+----+            _/\__/\_
        /        \     (63...)| LRP    |           /        \
       ( Internet )-----------+ Eiger2 +          ( Internet )
        \_  __  _/        eth0|        |           \_  __  _/
          \/  \/              +----+---+             \/  \/   
                               eth2|192...24
                                   |
                                   |
          --+---------------+----------+--  <---single physical net
            |                          |        (i.e. one hub)
            |                          |
        +---+---+ 192...1          +---+---+ 192...2
        | Linux |                  | Win32 | 
        +-------+                  +-------+ 
                                                    
I start with everything clean.  ip ru ls yields (normal stuff):
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Then I execute something like this to set things up.

#!/bin/sh
#
##############################################################################
# Define routing rules
##############################################################################

# rules for packets coming in eth2 (LAN)
        ip rule add from 192...0/24 dev eth2 pref 200 table lantable


##############################################################################
# Create routing tables referenced by rules above
#       Note: the table names used below must exist in the 
#             /etc/iproute2/rt_tables file
##############################################################################

# lantable table routes
        ip ro add to 192...0/24 dev eth2 proto kernel scope \
                link src 192...24 table lantable
        ip route add 240...0/29 via 240...1 table lantable
        ip ro add default via 240...2 table lantable

# Make rules/routes active
ip route flush cache

# Enable IP forwarding since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable automatic IP defragmenting since it is disabled by default
echo "1" > /proc/sys/net/ipv4/ip_always_defrag

##############################################################################
# ipchains and masquerade stuff
##############################################################################

# flush all ipchains to be sure what we have
ipchains -F

# open everything wide open (remember, I said forget about security for
# now)
ipchains -P forward ACCEPT
ipchains -P input ACCEPT
ipchains -P output ACCEPT

# forward stuff through external interface eth1 (is this right?)
ipchains -A forward -i eth1

# setup MASQ for the internal network
ipchains -A forward -j MASQ -s 192...0/0 -d 0.0.0.0/0

#---------end script


After all this, the routing rules look like:
0:	from all lookup local
200:	from 192...0/24 iif eth2 lookup lantable
32766:	from all lookup main
32767:	from all lookup default

The "lantable" custom routing table looks like this:

192...0/24 dev eth2  proto kernel  scope link  src 192.168.20.24
240...56/29 via 240...61 dev eth1
default via 240...57 dev eth1

The "main" table looks like (not that it matters):

240...56/29 dev eth1  proto kernel  scope link  src 240...61 
192...0/24 dev eth2  proto kernel  scope link  src 192...24 
63...0/24 dev eth0  proto kernel  scope link  src 63...1 
default via 240...57 dev eth2



Thanks a bunch,
Scott
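
As an added example, not code from Scott's post or from the LARTC project: the Python model below walks the routing policy database (RPDB) the way the kernel does, rules in priority order, longest-prefix match inside the selected table, and fall-through to the next rule when a matching rule's table has no route for the destination. It is loaded with the rule and the two tables shown in the post, so the outbound echo request (arriving on eth2 from the LAN) and the de-masqueraded reply (arriving on eth1 from the Internet) can each be traced to the table and route that decide them. The 192.168.20.x addresses are the ones visible in the post; the 240.x, 63.x and 198.51.100.x values are constructed stand-ins for the redacted ones, and the kernel's "local" table is left out because neither packet is addressed to the LRP box itself.

```python
"""Model of the Linux RPDB lookup for the rule/table layout in the post.
Added example; 240.x, 63.x and 198.51.100.x addresses are constructed
stand-ins for the values the post redacts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix, "0.0.0.0/0" for default
    dev: str                    # output interface
    via: Optional[str] = None   # next hop; None = directly connected (scope link)


@dataclass(frozen=True)
class Rule:
    pref: int                   # priority; lower values are consulted first
    table: str                  # table to consult when the selectors match
    src: Optional[str] = None   # "from" selector; None matches any source
    iif: Optional[str] = None   # incoming-interface selector; None matches any


def route_lookup(table, dst):
    """Longest-prefix match within one table; None if no route covers dst."""
    dst_addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if dst_addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def rpdb_lookup(rules, tables, src, dst, iif=None):
    """Return (table, route) from the first matching rule whose table holds a
    route for dst.  A rule that matches but whose table has no such route
    does not end the lookup; the walk continues with the next rule, so a
    custom table without a default route silently falls back to "main".
    iif=None models a locally generated packet (no incoming interface)."""
    src_addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.src is not None and src_addr not in ipaddress.ip_network(rule.src):
            continue
        if rule.iif is not None and iif != rule.iif:
            continue
        route = route_lookup(tables[rule.table], dst)
        if route is not None:
            return rule.table, route
    return None  # no table had a route: the kernel reports "Network is unreachable"


# Topology from the post; constructed addresses where the post redacts them.
LAN, LRP_ETH2 = "192.168.20.0/24", "192.168.20.24"                      # shown in post
ROUTER_NET, ROUTER1, LRP_ETH1 = "240.0.0.56/29", "240.0.0.57", "240.0.0.61"  # constructed
UPSTREAM_NET = "63.0.0.0/24"                                             # constructed
WIN32_BOX, INTERNET_HOST = "192.168.20.2", "198.51.100.10"               # host constructed

RULES = [
    Rule(pref=200, table="lantable", src=LAN, iif="eth2"),
    Rule(pref=32766, table="main"),
    Rule(pref=32767, table="default"),
]

TABLES = {
    # "lantable" as listed in the post
    "lantable": [
        Route(LAN, "eth2"),
        Route(ROUTER_NET, "eth1", via=LRP_ETH1),
        Route("0.0.0.0/0", "eth1", via=ROUTER1),
    ],
    # "main" as listed in the post (its default route points out eth2 there)
    "main": [
        Route(ROUTER_NET, "eth1"),
        Route(LAN, "eth2"),
        Route(UPSTREAM_NET, "eth0"),
        Route("0.0.0.0/0", "eth2", via=ROUTER1),
    ],
    "default": [],
}


def trace_ping():
    """Echo request from the Win32 box arriving on eth2, the echo reply
    (destination already rewritten back by MASQ) arriving on eth1, and a
    packet the LRP box originates itself."""
    request = rpdb_lookup(RULES, TABLES, src=WIN32_BOX, dst=INTERNET_HOST, iif="eth2")
    reply = rpdb_lookup(RULES, TABLES, src=INTERNET_HOST, dst=WIN32_BOX, iif="eth1")
    local = rpdb_lookup(RULES, TABLES, src=LRP_ETH2, dst=INTERNET_HOST)
    return request, reply, local


def fallthrough_demo():
    """Same echo request against a lantable without its default route: rule
    200 still matches, but its table has no route, so "main" decides."""
    tables = dict(TABLES)
    tables["lantable"] = [r for r in TABLES["lantable"] if r.prefix != "0.0.0.0/0"]
    return rpdb_lookup(RULES, tables, src=WIN32_BOX, dst=INTERNET_HOST, iif="eth2")


if __name__ == "__main__":
    for label, (table, route) in zip(("request", "reply", "local"), trace_ping()):
        print(f"{label:8s} -> table {table}: {route}")
    print(f"no-default -> table {fallthrough_demo()[0]}")
```

The model shows what the "iif eth2" qualifier on rule 200 does: only traffic that enters on eth2 from the LAN is steered into lantable, while the replies coming back in on eth1 and anything the LRP box sends itself are routed by main, so main has to carry correct routes for those directions too. On the box itself the same question is answered without a model by "ip route get <dst> from <src> iif eth2", which prints the route and table the kernel actually selects for that triple, and by "ip rule show".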


