...making Linux just a little more fun!
Peter [petercmx at gmail.com]
I have been following "Serving Your Home Network on a Silver Platter with Ubuntu" which is an August article. Just what I needed One problem is that I cannot access the Internet from a client. Not sure why and do not know where to look. Any ideas please? There are two NIC's, eth0 which connects only to the router and eth1 which is the local network connected to a hub. This is the route from the server and it appears to work - I can ping and download
> routeKernel IP routing tableDestination Gateway Genmask > Flags Metric Ref Use Iface10.0.0.0 * > 255.255.255.0 U 0 0 0 eth1192.168.1.0 * > 255.255.255.0 U 0 0 0 eth0default > 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
This is the route from a client. I can access the server by putty but I cannot reach the Internet.
Kernel IP routeing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0 link-local * 255.255.0.0 U 1000 0 0 eth0This is the hosts file on the server
$ cat /etc/hosts127.0.0.1 localhost127.0.1.1 spider # The following lines are desirable for IPv6 capable hosts::1 ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allroutersff02::3 ip6-allhostsThis is the hosts file on the client (at present I need to switch the cable to get the Internet which is why there are two entries for spider)
127.0.0.1 localhost 127.0.1.1 client-1 10.0.0.88 spider 192.168.1.70 spider # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhostsAnd this is a trace from the client
tracert google.com google.com: Name or service not known Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)So I know not .... where should I look?
Peter
Kapil Hari Paranjape [kapil at imsc.res.in]
HEllo,
On Wed, 09 Jan 2008, Peter wrote:
> One problem is that I cannot access the Internet from a client.
Did you remember to turn on IP forwarding on the server?
> google.com: Name or service not known > > Cannot handle "host" cmdline arg `google.com' on position 1 (argc 1)
Second thing is the "/etc/resolv.conf" on the client. It should point to the server where your DNS caching service is running.
Regards,
Kapil. --
Peter [petercmx at gmail.com]
Thanks for the response. You may well be on target here ....
> "Did you remember to turn on IP forwarding on the server?"
Remember to .... no not at all .... how do I do that?
Well the resolv.conf points to opendns as follows
cat /etc/resolv.conf nameserver 208.67.222.222 nameserver 208.67.220.220you say that this may not be correct. What is the syntax of what I need to write please? Is it simply a matter of making it
nameserver 10.0.0.88Peter
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Hi,
On Wed, 9 Jan 2008 21:31:07 +0700 Peter <petercmx@gmail.com> wrote:
> "Did you remember to turn on IP forwarding on the server?" > Remember to .... no not at all .... how do I do that? > > Well the resolv.conf points to opendns as follows > > cat /etc/resolv.conf > nameserver 208.67.222.222 > nameserver 208.67.220.220 > > you say that this may not be correct. What is the syntax of what I > need to write please? Is it simply a matter of making it
by default a linux-"server" will not accept and resend packages which were not intended for itself. It will drop them silently.
You need to do two things to get ip-forwarding for clients on a private network:
1) tell the network module to do ANY forwarding at all 2) masq(erade) private IPs when sent out in the WWWorldThe following script does both. The echo switches on forwarding, i.e. if the server gets an ip-packet which is intended for somewhere else, it will now forward them according to the routing table.
Then the firewall rules are completely wiped out and replaced by the three allow everything rules followed by the masqerade rule which will send ip-packets from clients on the private network (192,168.*.*) with the real IP of the server and remembers where to send answers back to.
#!/bin/bash # einschalten des IP Forwarding echo 1 >/proc/sys/net/ipv4/ip_forward # Leeren und loeschen aller evtl. existierenden Regeln /sbin/iptables -F # Wir erlauben einfach alles /sbin/iptables -A INPUT -j ACCEPT /sbin/iptables -A OUTPUT -j ACCEPT /sbin/iptables -A FORWARD -j ACCEPT # Wir schalten nur noch masquerading an iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADEIf you would like somewhat less open firewall rules you could set up a few iptable rules yourself or you might want to look into firestarter, which is a gui for firewall configuration. It even has a checkbox for "ip forwarding" doing the above.
K.-H.
Peter [petercmx at gmail.com]
I am struggling on this .... I have been trying to understand for the last three hours. Guess I must be real stupid though ...
I can change the resolv.conf simply through the network settings of the nic. Easy
For the firewall .... I really think that the rules I followed in the tutorial are properly entered. They do seem to be following what you have set out.
Taking one step back, is it possible that I have made a mess with the IP addresses or at least the netmask ... ? The reason for asking is that I saw an error SIOCADDRT: No such process. There is lots of information on google but it is all over the place. Generally google responses seem to suggest that the address range is wrong but this seems a bit wild to me .... the ip calculators no doubt work but were written by people who really know. Clueless me then has to try and work out what all the information means .... Since I have also seen an error of Network is unreachable I really wonder if this is not a fundamental error of mine in setting up the NIC's
Peter
Peter [petercmx at gmail.com]
I have just completed playing with the IP settings ...... I changed everything, got the same result and changed them back again. Tried both with Webmin and manually.
Also experimented in a similar way on the client.
I think that the router is kicking in and allocating the IP addresses - I powered off the router and there were error messages and problems getting an IP on the client. I edited the router to act as a bridge but I could not see any effect.
So I get the idea that this problem is all to do with how traffic is routed which seems to support the error messages.
Peter
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Hi again,
On Wed, 9 Jan 2008 17:02:05 +0700 Peter <petercmx@gmail.com> wrote:
since you replied you think the routnig is at fault I tried to go over this again....
> > routeKernel IP routing tableDestination Gateway > > Genmask Flags Metric Ref Use Iface10.0.0.0 > > * 255.255.255.0 U 0 0 0 > > eth1192.168.1.0 * 255.255.255.0 U 0 > > 0 0 eth0default 192.168.1.1 0.0.0.0 UG > > 100 0 0 eth0
But I find this extremely difficult to read. Hm... why do you have TWO private networks? Or is the one assigned from the router?
Do you want the router to the NAT masquerading or do you want the linux box to do the maquerading?
I guess from the "G" above that 192.168.1.1 is your router ?
Then your client would have 10.*.*.* IPs?
> This is the route from a client. I can access the server by putty but > I cannot reach the Internet. > > Kernel IP routeing table > > Destination Gateway Genmask Flags Metric Ref Use Iface > > 10.0.0.0 * 255.255.255.0 U 0 0 0 eth0 > > link-local * 255.255.0.0 U 1000 0 0 eth0
Where is the default route on the client?
> 127.0.0.1 localhost > > 127.0.1.1 client-1 > > 10.0.0.88 spider > > 192.168.1.70 spider
You should not have the same box twice with different IPs on the same interface I think. You should decide if you have one private network between your server and your router and another for the clients -- or if you put your clients in the same subnet. If your router can do NAT properly for more than one client (DSL router should, even if it has only one eth-connector), I would give all clients a 10.*.*.* IP and then you can switch off all firewalling on the server and activate the forwarding (that echo line in the script, IMPORTANT!).
Right now I guess your clients go to the router (you siad that works) but have another private IP the router doesn't know about so the router does its job and drops them. Or the server already is not forwarding them.
K.-h.
Peter [petercmx at gmail.com]
Sorry that the information did not appear very well ..... sounds like I have really made a mess. What I was trying to do was to set up eth0 only for connection to the router and to set up eth1 only for the local network. I would like to stay away from the router and get the server to do the NAT. Think I have this set up correctly as part of the shorewall configuration.Accessing the Webmin front end has now really slowed down ..... perhaps this is a reflection of my having confused the network traffic.... What should I now delete? (presumably the static and active route to eth0 since it is already stated as a gateway)eth0 uses 192.168.x.x and eth1 uses 10.0.x.x and yes, 192.168.1.1 is the router.I have restated the routing table in a column form to try and make it easier to read the information.
Destination 10.0.0.0Gateway *Genmask 255.255.255.0Flags UMetrics 0Ref 0Use 0iface eth1 Destination 192.168.1.0 Gateway * Genmask 255.255.255.0 Flags U Metrics 0 Ref 0 Use 0 iface eth0 Destination default Gateway 192.168.1.1Genmask 0.0.0.0Flags UGMetrics 100Ref 0Use 0iface eth0
Peter [petercmx at gmail.com]
Just a follow up from my last message ......
I googled the webmin slow down and fixed it by deleting the static and active route. Nothing else changed though but webmin is back to fast. I restarted the network connections on the server and noticed that the IP for eth0 may be coming from the router which is not what was intended. I looked at the leases in dhcp on the server and can only see the eth1 leases.
So it looks like if I can work out how to get eth0 to get its lease from the server then perhaps it may then be identified and work ..... (perhaps is probably the right word)...
Peter [petercmx at gmail.com]
Sorry to be boring but another update ....
I am able to now browse websites, so squid is working and somehow finding the gateway. I have killed dhcp on the router and taken eth0 out of the server dhcp settings since it has nothing to do (fixed nic and fixed router)
Email and skype do not work at all though.
If I ping server eth0 from a client I get Network is not reachable.
Peter [petercmx at gmail.com]
Sorry to be boring but another update ....
I am able to now browse websites, so squid is working and somehow finding the gateway. I have killed dhcp on the router and taken eth0 out of the server dhcp settings since it has nothing to do (fixed nic and fixed router)
Email and skype do not work at all though.
If I ping server eth0 from a client I get Network is not reachable.
Ben Okopnik [ben at linuxgazette.net]
On Thu, Jan 10, 2008 at 05:32:37PM +0700, Peter wrote:
> Sorry that the information did not appear very well ..... sounds > like I have really made a mess. > > What I was trying to do was to set up eth0 only for connection to the > router and to set up eth1 only for the local network. I would like > to stay away from the router and get the server to do the NAT. Think > I have this set up correctly as part of the shorewall configuration. > Accessing the Webmin front end has now really slowed down ..... > perhaps this is a reflection of my having confused the network > traffic.... What should I now delete? (presumably the static and > active route to eth0 since it is already stated as a gateway) > eth0 uses 192.168.x.x and eth1 uses 10.0.x.x and yes, 192.168.1.1 is > the router. > I have restated the routing table in a column form to try and make it > easier to read the information.
I've always found that when things get this confusing, the best bet is to go back to a "known state" and build up from there. I also suggest making the changes - e.g., in your /etc/resolv.conf - by hand rather than via some interface such as Webmin; that way, you know, 100%, that those changes have happened, and happened corectly.
Step 1: Get your router connected to your ISP; make sure you can ping your upstream host from it. Note its IP range for the local network. (For ease of explanation, I'm going to assume that you're using a Linux box as your router, that the router is called 'Tyr' and that the NATted host is 'Fenrir' - because that's what mine are actually called.
Example of a connected router:
ben@Tyr:~$ ifconfig lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:745 errors:0 dropped:0 overruns:0 frame:0 TX packets:745 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:805084 (786.2 KiB) TX bytes:805084 (786.2 KiB) ppp0 Link encap:Point-to-Point Protocol inet addr:75.203.129.78 P-t-P:66.174.36.13 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:623 errors:0 dropped:0 overruns:0 frame:0 TX packets:787 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:456969 (446.2 KiB) TX bytes:66302 (64.7 KiB) eth0 Link encap:Ethernet HWaddr 00:0F:B0:74:76:35 inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:50 Base address:0x8400'ppp0' is the "outside" interface, connecting to the ISP; 'eth0' is the inside one, facing the LAN.
Step 2: Connect the host for which you're going to do NAT to the router, give it an IP (whether via a DHCP request - i.e., "pump", "dhclient", or something similar - or manually, e.g. "sudo ifconfig eth0 192.168.0.101") and make sure that you can ping the router from that host.
ben@Fenrir:~$ ping -c 3 192.168.0.100 PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data. 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.042 ms 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.059 ms 64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.041 ms --- 192.168.0.100 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2008ms rtt min/avg/max/mdev = 0.041/0.047/0.059/0.010 msStep 3: Configure and enable forwarding on the router. Here's the script that I use; note that I enable forwarding for anything except the ports used by Spamassassin (it was a fix for an old problem, perhaps no longer necessary, but - like dead yeast in beer - it does me no harm):
#!/bin/bash # Created by Ben Okopnik on Wed Mar 16 11:36:35 EST 2005 # Optional IP spec ip=$1 [ -z "$ip" ] && ip=192.168.0.101 # Flush iptables iptables -F # Masquerade any packets that go our from the specified address iptables -t nat -I POSTROUTING -j MASQUERADE -s $ip/32 # Forward any packets for host (except spamassassin) iptables -I FORWARD -s $ip/32 --protocol tcp --sport ! 783 -j ACCEPT iptables -I FORWARD -s $ip/32 --protocol udp --sport ! 783 -j ACCEPT # Forward any packets from host (except spamassassin) iptables -I FORWARD -d $ip/32 --protocol tcp --dport ! 783 -j ACCEPT iptables -I FORWARD -d $ip/32 --protocol udp --dport ! 783 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forwardStep 4: Make sure that the routing and the DNS services are properly configured on the local host. This means that the "route" command should report the router as the gateway, and that 'cat /etc/resolv.conf' should show the appropriate entries for your DNS server (either your router, if it's configured to do that, or some other upstream DNS host.)
Note: the 'ping' and the 'host' commands are your friends in any troubleshooting you do. The first will show you whether you have a connection, at least locally (many Internet-connected hosts turn off UDP to that port to prevent ping-flood attacks); the second will show you if you're actually resolving host names.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *
Peter [petercmx at gmail.com]
Thanks for the response. This information is very good ..... and it will help me
I have been thinking about what to do and I really do appreciate the assistance that has been given to me .... but I do not want to drive anyone crazy.
I started this process with the server working but also not working in that the network was not performing. Then I surfed around and found the tutorial in the August issue which is very good.
So the decision I have just made is that I am going to get out the install CD and start again from scratch. Having now been to hell and back again means that I have at least some idea now. What I am going to do is to follow the tutorial from the very beginning and see what happens.....
thanks for all the input and I will post soon when I have the system back up again ....
Peter
Peter [petercmx at gmail.com]
Final response ...... just in the last few stages of setting up the server from scratch. All went reasonably well. The biggest problem was the ISP loosing the Internet just when I was updating ... did not realize it was their headache at the time .....
Quite why I had the initial problems I really do not understand since I cannot see anything different in the process but things are now working
Thanks to everyone who added comments.
Peter