On 1/13/06, Manish Kathuria <manish@xxxxxxxxxxxx> wrote:
> Janne Raatikainen wrote:
> > I configured multiple isp (actually only multiple gw) according to
> > http://lartc.org/howto/lartc.rpdb.multiple-links.html.
> >
> > Now NAT (Internet) seems to work, both external interfaces work (I
> > didn't configure load balancing because I don't need it). However I have
> > a problem that I can not ping from NAT to the public ip of my Linux box.
> > The problem is that I can not connect from the 192.168.1.0/24 network to
> > services listening on 84.248.213.195, but I can connect to the Internet from
> > NAT through that interface's gateway (84.248.192.0). Connecting with the
> > public ip worked fine when I had simple NAT, with a single
> > Internet connection.
>
> Have you used any firewall rules which prevent INPUT from the LAN ?
>

I have, but according to my logging no iptables dropping rule rejects packets. I have also tried disabling all those droppings, but it still doesn't work. Like I said, I have used the same kind of rules which I used with normal NAT, where there is only 1 external nic and one internal nic. I just added a new nic there, to have multiple ip's.

Here you can see which connections work and which don't:
http://www.raatikainen.org/extra/multigw/router3.png

(Some fix to that photo: I can connect from under nat to computers in the Internet, web pages work, but I can not connect from the Internet to my NAT even if I use portforwarding (same rules which work fine with only a single external nic).)

So the problem is that I can not connect from 192.168.1.0/24 to 84.248.213.195 (Linux-server), but I have to use the internal ip 192.168.1.50 of that same Linux server.
If I go to the Linux-server and do the following, pinging from the inside interface (eth1) goes fine to the Internet:

# ping -I 192.168.1.50 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=240 time=139.8 ms

but:

# traceroute -i eth1 google.com
traceroute: Warning: google.com has multiple addresses; using 72.14.207.99
traceroute to google.com (72.14.207.99), 30 hops max, 38 byte packets
traceroute: sendto: Operation not permitted
 1 traceroute: wrote google.com 38 chars, ret=-1

Even traceroute -I -i eth1 google.com (using icmp packets instead of udp) gives the same error.

The next thing is that I try to ping from NAT to the external ip of my Linux-server and see from the Linux logs where the packet disappears. I get the following lines:

Jan 7 01:43:28 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:28 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346

Like you see, there is no icmp reply from 84.248.213.195 -> 192.168.1.79. Why? If I ping from 192.168.1.79 -> 192.168.1.50 it gets an icmp reply back.

> > I also notice that portforwarding from the Linux-box (public ip) to a computer
> > under nat doesn't work either. Anyone has an idea what the problem is?
>
> You will have to accept the traffic in the FORWARD chain in addition to
> the port forwarding rule for the system which is being accessed.
>
> I think it will be better if you list your firewall rules here to make
> the things clear. It will make it easier to identify the reason.
You can see the iptables rules and routes in:
http://www.raatikainen.org/extra/multigw/verkkoongelma.txt

Janne

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
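A small log-correlation script, added here as an example and not part of the thread: it parses netfilter LOG lines in the format shown above (one LOG prefix per chain), pairs each ICMP echo request with its reply by ICMP id and sequence number, and reports the last chain that saw a request which never got a reply. The sample log is constructed; the two mangleprerouting/natprerouting lines mirror the ones in the mail, while the filterinput/filteroutput prefixes and the second ping to 192.168.1.50 are assumed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines in the mail: the echo request
# to the public address is logged in two PREROUTING chains and never answered;
# a second request, to the internal address, reaches INPUT and gets a reply.
SAMPLE_LOG = """\
Jan 7 01:43:28 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:28 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=84.248.213.195 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65178 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25346
Jan 7 01:43:30 raatikainen kernel: mangleprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: natprerouting IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: filterinput IN=eth1 OUT= MAC=00:04:75:cb:66:00:00:13:8f:3f:8f:05:08:00 SRC=192.168.1.79 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=65179 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=25347
Jan 7 01:43:30 raatikainen kernel: filteroutput IN= OUT=eth1 SRC=192.168.1.50 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=ICMP TYPE=0 CODE=0 ID=768 SEQ=25347
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<fields>IN=.*)$")

def parse_line(line):
    """Return (LOG prefix, fields) for one netfilter LOG line, or None.
    IP and ICMP headers both log ID=; the second one is kept as ICMP_ID."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        if key == "ID" and "PROTO" in fields:
            key = "ICMP_ID"
        fields[key] = val
    return m.group("prefix"), fields

def trace_echo(log_text):
    """Map (client, server, icmp id, seq) -> chains that saw each direction."""
    flows = defaultdict(lambda: {"request": [], "reply": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1].get("PROTO") != "ICMP":
            continue
        prefix, f = parsed
        if f["TYPE"] == "8":    # echo request travels client -> server
            flows[(f["SRC"], f["DST"], f["ICMP_ID"], f["SEQ"])]["request"].append(prefix)
        elif f["TYPE"] == "0":  # echo reply travels server -> client
            flows[(f["DST"], f["SRC"], f["ICMP_ID"], f["SEQ"])]["reply"].append(prefix)
    return dict(flows)

def unanswered(log_text):
    """Echo requests with no logged reply, plus the last chain that saw them."""
    return [(k[0], k[1], v["request"][-1])
            for k, v in trace_echo(log_text).items()
            if v["request"] and not v["reply"]]
```

Feeding it the real kernel log (with a LOG rule at the head of every chain the packet could traverse) shows which chain the request reached last, which is the hop after which to look for a missing rule or a policy-routing lookup that sends the packet the wrong way.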