Hello,
A long winded problem!
I have been trying for 2-3weeks to put in place a
simple IP router or more exactly a packet filter firewall
without IP masquarading but to no avail.
Unfortunately this `should be' simple setup
has been harder than a satellite fed usenet server to setup!
I have tried various redhat 6's with kernel's 2.2.14 / 2.2.8 / 2.2.12
Topology is simple.
(Due to problems i setup the following)
-------- ----------- --------
| | SWITCH | FW/ | HUB | |
| HOST1| ---- | ROUTER | ---- |HOST2 |
| NIC|----| |--------|NIC1 NIC2|-----| | ----|NIC |
-------- ---- ----------- ---- --------
Firewall/router & hosts have correctly setup NICs and
IP forwarding is enabled on FW/router by sysctl method
or ~sysconfig/network
Forgetting IP masquarading - I think this uses a different method/code
for picking up/transforming then forwards it.
Interestingly i think IP masquarading will work fine (even though it's
tacked on to IP forwarding) but the problems with straight
unmodified IP forwarding/routing.
I am absolutely certain configuration is correct but something's
preventing/trapping/picking up on straight IP forwarding to occur.
/proc/sys/net/ipv4/ip_forward is set to 1 on boot up on FW/router
host1 has FW as gateway (address of NIC1) and so does host2 (address
of NIC2)
Admittedly a hub or switch can introduce another destination for
packets. On the hub theirs is only two connections - one for host2
and one for NIC2 of router. I think this is OK.
I have also tried a crossover cable directly between NIC2 of FW
and NIC of HOST2 but this didn't work. I would probably have to
use `Fast switching' in kernel for direct NIC-NIC for tulip
based cards. This was to try eliminate the hub from being a problem.
I presume a Cisco router would use a crossover cable to a NIC
instead of normal lead to hub/switch.
When running a suffuciently bland ipchains script like this
it should forward everything between hosts or at least ping.
Note the absence of a default deny policy
ipchains -F
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s $HOST1 -j ACCEPT
ipchains -A output -i eth0 -d $HOST1 -j ACCEPT
ipchains -A input -i eth1 -s $HOST2 -j ACCEPT
ipchains -A output -i eth1 -d $HOST2 -j ACCEPT
ipchains -A forward -i eth1 -s $HOST1 -d $HOST2 -j ACCEPT
ipchains -A forward -i eth0 -s $HOST2 -d $HOST1 -j ACCEPT
I have ruled out ipchains as source of trouble.
I have tried pinging on all NICs on router/fw the following
observed. (this was with/without ipchains script.)
I can ping from fw/router to host1 NIC2
I can ping from host1 to fw/router
I can ping from fw/router to host2 NIC1
I can't ping from host2 to fw/router (it freezes - no ICMP replys)
but i could be pinging from fw/router to host2 simultanously (replying)
Conversely if i switch eth0 & eth1 over it does it again using hub
instead of switch.
Nothings faulty - wiring,NICs,computers etc i've checked.
I need help delving further. It's like as soon as you have
individual nic's going to seperate hubs/switches instead of all
going to same hub/switch something screws up.
Help appreciatted
Kevin.D
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Aug 15 2000 - 21:00:20 EST