[Novalug] I don't understand basic routing
larkoc at iges.org
Thu Feb 18 10:41:39 EST 2010
Peter Larsen wrote:
Thank you everyone for your helpful suggestions.
I do have forwarding set-up persistently in sysctl on Box A (the dual-homed, dnsmasq, etc box).
Truthfully, forwarding from private IP on Box B did work while I had iptables running. Only in the
last week did the organization get a new firewall appliance. I was told (not "requested", "asked")
to shut off any iptables that were running and use the appliance for the filtering. Personally I
disagreed because I prefer lines of security (belt and suspenders as some say). So, the ability of
Box B to reach other boxes not on the same private IP network went away when iptables was stopped.
That was why I was trying to get it via "route" and perhaps dnsmasq.
I will try a couple of test mods to my /etc/dnsmasq.conf file. If I cannot get that to work I will
return to management and say the service from Box B (and other private boxes) to other company boxes
with public IP numbers other than Box A is no longer available to our users.
Again, thanks for all of the useful info---especially about the separation of gateway name resolving
compared with path to a box.
> I think Bryan touched on the most central part of your question. Because
> you're using non-routable (private) addresses internally, anything
> leaving your system must use a "public" address - hence the need for
> Masqerading (MASQ). There are some tools to help you setup IPTABLES with
> MASQ for you - a basic MASQ isn't that hard to do. Just remember to
> setup your forwarding rules.
> Just setting the kernel parameter will not help you if your IPTABLES
> setup by default denies forwarding. In essense, your MASQ and routing
> issues comes down to telling the kernel what to do when a package from
> your internal network comes into the network - and what to do when the
> reply comes back from the outside network.
> There's a Fedora package called system-config-firewall that'll help you
> setup a basic firewall with MASQ without knowing too much about
> iptables. You simply need to define a masq over your internal address
> space telling iptables that packages being forwarded from your internal
> network needs to go through your masq changes. What that will do is
> "tamper" with the IP package, and give your package an external IP and
> port number. When the outside system replies to that, MASQ reverses and
> puts the original local private host back into the IP package and
> forwards it back to the client.
> This may be a great topic for a NOVALug meeting one day?
> Peter Larsen
> On Wed, 2010-02-17 at 14:10 -0500, Megan Larko wrote:
>> Greetings Fellow LUGgers!
>> I am not understanding some basic TCP/IP routing concepts here.
>> I have two linux CentOS 5.3 boxes. Box A is dual-homed with both a public IP and a non-routable
>> private IP set-up. Box B has a non-routable IP only for net access.
>> Box A seems to be completely fine and behaves as expected (ping, traceroute, route, netstat all
>> show expected parameters).
>> Box B is puzzling me. It is directed to Box A as its UG (universal gateway). It communicates fine
>> with the local private network. But now I get confused. Box B uses private interface (if) on Box
>> A in /etc/resolv.conf as a nameserver after /etc/hosts. The ifcfg-eth0 sets Box A private (if) as
>> the gw IP and a netmask of 255.255.0.0. On Box B I am able to resolve hostnames not in my Box B
>> /etc/hosts, nor on Box A /etc/hosts, but hostnames that are registered in the "wild". From Box B I
>> can initiate a ping to such an hostname and the correct IP number is resolved/found. I cannot ping
>> or traceroute these "wild" hostnames because the Destination Host is unreachable. These same
>> resolved hostnames can be successfully pinged or tracerouted from Box A. This is okay. I don't
>> understand it fully, but it is okay.
>> The dual-homed Box A can get to other public IPs in our company's local network. Box A can ping,
>> traceroute (one hop) and ssh to a public IP in our company namespace. Box B cannot ping, traceroute
>> nor ssh to any IP other than the similar IPs in the private, non-routable IP range. So Box B can
>> resolve and lookup, but not access boxes not in its own IP range.
>> I don't understand how the Box A gateway configured on Box B can resolve even "wild" IPs and
>> hostnames and yet have no route/network access to those names it can successfully resolve. I would
>> like to allow Box B to have limited access to other boxes in our companies network (probably via
>> public interface as the private ones are very different---10.0.x.y compared with 172.16.x.y) to
>> place files (outgoing activity from Box B) onto our company boxes with public registered IP numbers.
>> Is this possible? I'm thinking of MASQUERADE or FORWARD in iptables on Box A, but I was
>> wondering if a "route add -net..." on Box B might be a better choice.
>> Reading through "man route" has not cleared this up for me. Other recommended search strings to
>> learn about this would be appreciated.
>> Novalug mailing list
>> Novalug at calypso.tux.org <mailto:Novalug at calypso.tux.org>
> Best Regards
> Peter Larsen
> Wise words of the day:
> "Who is General Failure and why is he reading my hard disk?"
> Microsoft spel chekar vor sail, worgs grate !!
> -- Felix von Leitner, leitner at inf.fu-berlin.de
> Novalug mailing list
> Novalug at calypso.tux.org
I will now bring you up to speed on the situation.
We know nothing!
There, you are now up to speed.
---Steve Martin as Inspector Clouseau
Pink Panther 2
More information about the Novalug