I can't make routing work

[yasinaydin]

Hello everyone.

First, I'm no linux expert. I know some basics of networking and windows servers mostly. And now I want to use a Linux distro (Centos 5.4) to build up a firewall for my servers on my hosting company.


What I want to / have to configure is:
- A linux router
- Which works on transparent routing mode (I guess its opposite to NAT mode)
- Which has Proxy-ARP feature.


My expected network plan is as follows:

Internet
|
|
Internet Gateway
ip = 10.0.0.1/24
|
|
Linux Firewall > Which I'm configuring
eth0 = 10.0.0.2/24, gw=10.0.0.1 , eth1 = 10.0.0.3/24
|
|
A server
ip= 10.0.0.5/24, gw=10.0.0.1


I guess I managed to enable Proxy-ARP and iptables, but I guess I couldn't configure routing.


My config is below:

cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.eth1.proxy_arp = 1

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0

iptables -L -v
Chain INPUT (policy ACCEPT 7983 packets, 737K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 31809 packets, 3221K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9930 packets, 1218K bytes)
pkts bytes target prot opt in out source destination


On the Linux Firewall, I can successfully ping 8.8.8.8 (or an external IP), 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.5.

But on the server (10.0.0.5), I can ping 10.0.0.2 only, I can't ping an external IP, 10.0.0.1 or 10.0.0.3.


Could you please help me to find out where the problem is.

As I said in the introduction, I'm not a network or linux guy

Thanks in advance.

[kaushalpatel1982]

You need to do NATting on Linux server using IPTables. Just use following command :

# iptables -t nat -I POSTROUTING -i <LAN Interface - eth0> -o <WAN Interface - eth1> -j MASQUERADE

change <LAN Interface -eth0> and <LAN Interface -eth0> with respective network interfaces eg. eth0 or eth1.

check you are able to access internet. If you succeeded just save configuration of IPTables using following command:

#service iptables save

One more thing, Kindly try the same after changing your WAN interface IP address as both LAN and WAN interface have same Network range. This may create problem.

best of luck

[yasinaydin]

Hello,

Thank you for your reply.

But I think that I don't need NAT, because I want the server ip (10.0.0.5  for instance but its actually a real internet IP address) to remain as it goes through the firewall, so that it will be globally accessible.

Does NAT and/or the commands u gave me provide that?

Thanks.

[kaushalpatel1982]

As per my understanding, You have servers with Live IP address inside to the firewall. And your requirement is to provide their access to the external world.

Internet >>>> ISP >>>> LiveIP >>>> Firewall >>>> LiveIP >>>> Servers with LiveIP

If you have above scenario, You need to configure reverse route on ISP router to reach to the server.

[yasinaydin]

Hello,

Thank you for your reply.
How do I configure a reverse routing? I checked the internet as I know but couldnt find a proper info.

Thanks.

[kaushalpatel1982]

This will be done but you ISP.  You just have to provide information regarding routes to the ISP

[yasinaydin]

Thanks all for trying to help.
I solved my problem with pfSense (www.pfsense.org).

What I did exactly:
- In the prev. conf., I enabled ARPproxy but didn't create any Virtual IP. I also created an Advanced Outbound NAT (AON). With this 3 things, the servers behind the firewall went through the firewall without knowing it. And btw doing those in pfsense was too easy.

Thanks again,
Yasin.