Solved

Routing ADSL traffic through a Linux box

Posted on 2001-07-04
498 Views
Last Modified: 2010-03-18
Hello all,

I currently have an ADSL line (with NAT) connected directly into a hub, off which there are about twenty PCs.

The address of the ADSL gateway is 192.168.254.254 and each of the twenty PCs has a static IP address of 192.168.254.1 - 20.

I would like to route external traffic through one Linux box and then on to the ADSL gateway (eventually I would like to be able to control/remove the availability of certain services on the network).

I have set up a multihomed Linux box with the following parameters:

eth0: 192.168.254.252 / 255.255.255.0
eth1: 192.168.254.253 / 255.255.255.0

I have connected eth0 to the hub and eth1 to the ADSL.

Now I am stuck !!!

I have enabled IP forwarding and I am hoping all I need to do is make a few changes to the routing table.

I would greatly appreciate any further help.

cheers.
Question by:t4p
20 Comments
 
LVL 5

Accepted Solution

by:
vsamtani earned 150 total points
ID: 6253319
If you want to route through the linux box, then the linux box really needs to be multihomed on two separate ip networks. Currently, it has two interfaces on one network (the 192.168.254.0/255.255.255.0 network). It therefore won't route, since routing is all about getting packets from one network to another.

You have several options:

1. If you can reconfigure your adsl box so that it's on a different ip network (eg, by changing its address to 192.168.253.x), this is the simplest solution. Change the ip address of eth0 (connected to the hub) to 192.168.254.254 (the same as what the adsl box was), and change eth1 to 192.168.253.y (ie, on the same ip network as the adsl box's new ip address). You won't have to touch your pcs - their default gateway is still 192.168.254.254, except that now it's the linux box instead of the adsl box.

2. If you can't reconfigure your adsl box, then you can reconfigure your pcs. Change eth0 on the linux box to 192.168.253.254/255.255.255.0. Change the ip addresses of your pcs to be in the same block (192.168.253.1-20) and change the default gateway on the pcs to be 192.168.253.254 (which is the address of eth0). This will achieve the same effect as solution 1, except that you will have done it by reconfiguring the "internal" network, rather than the "external" part of the network. It obviously involves reconfiguring more devices, since you have to go to all of your pcs, rather than just your adsl box and the linux box.

3. You could use the linux box as a filtering bridge, so that it sits invisibly (on Layer 2) between your pcs and your adsl box. This would require no reconfiguration of either adsl box or pcs, but it would require recompiling the linux kernel and more configuration and testing of the linux box. It's not worth doing if either of the above two methods is open to you, but if you can't do the above two, then this will work.

Vijay
LVL 10

Expert Comment

by:rbr
ID: 6254473
I agree with vsamtani. The easiest way is to split the network. eth0 and ADSL in one net range (e.g. 192.168.254.x) and eth1 and the PCs in another network. To route the packets through without any filtering use

ipchains -A forward -j MASK -i eth0

Default gateway in linux must be the ADSL modem
Default gateway on the PCs must be the IP of eth1

LVL 16

Expert Comment

by:The--Captain
ID: 6254492
BTW, putting your linux box outside the network probably is not feasible unless you have a DSL media card for your linux box, and if that was the case then you could just chuck the DSL 'router', so I'm guessing this is not the case (yeah, I know I mangled the crap out of the tenses in that last sentence)

So, you will need to put the linux box internal - Vijay's suggestions all seem correct/feasible (and seem to agree with my suggestion to put the linux box internal), but I'd like to offer a 4th suggestion...

Simply slice the 192.168.254.0/24 network into two /25 networks (since you appear to be able to use the entire 254 ips judging by the original config you presented) - to do this you just need to adjust the netmasks of both your linux interfaces to be 255.255.255.128, and change the IP of the interface connected to the client machines to be within the address range .1-.126 (i.e. 192.168.254.30).  The beauty of this solution is that as long as you have IP forwarding turned on, this should work no problem (and requires the least reconfiguration), since your DSL router is presumably NATing the entire address range (.1-.254).

Cheers,
-Jon
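
The following is an added illustration, not code from anyone in this thread, of Vijay's point that the two interfaces must sit on different IP networks before the kernel has anything to route between, and of Jon's /25 split. It feeds the addresses quoted in the question and the replies through Python's `ipaddress` module; the plan names (`original`, `vijay_2`, `jon_25`) are labels chosen here.

```python
"""Which of the addressing plans in this thread gives the Linux box two
distinct IP networks to route between?  Added example (not from the thread);
the addresses are the ones quoted in the question and the replies."""
import ipaddress

# (eth0 towards the hub/PCs, eth1 towards the ADSL box), written in the
# 'address/netmask' form used in the question.  Plan names are labels
# chosen for this example.
PLANS = {
    "original": ("192.168.254.252/255.255.255.0", "192.168.254.253/255.255.255.0"),
    "vijay_2":  ("192.168.253.254/255.255.255.0", "192.168.254.253/255.255.255.0"),
    "jon_25":   ("192.168.254.30/255.255.255.128", "192.168.254.253/255.255.255.128"),
}


def networks(plan):
    """Return (eth0 network, eth1 network) as strings like '192.168.254.0/25'."""
    eth0, eth1 = plan
    return (str(ipaddress.ip_interface(eth0).network),
            str(ipaddress.ip_interface(eth1).network))


def can_route(plan):
    """A router needs its interfaces on different networks; two addresses on
    the same network give the kernel nothing to route between."""
    n0, n1 = networks(plan)
    return n0 != n1


def side_of(plan, host):
    """Which interface network a bare host address falls in ('eth0', 'eth1'
    or None).  Under the original plan every LAN host answers 'eth0' because
    both interface networks are identical, which is exactly the problem."""
    eth0, eth1 = plan
    ip = ipaddress.ip_address(host)
    if ip in ipaddress.ip_interface(eth0).network:
        return "eth0"
    if ip in ipaddress.ip_interface(eth1).network:
        return "eth1"
    return None


if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(name, networks(plan), "routes" if can_route(plan) else "does NOT route")
    # Under the /25 split the PCs (.1-.20) and the ADSL box (.254) land on
    # opposite sides of the Linux box without renumbering either of them.
    print(side_of(PLANS["jon_25"], "192.168.254.15"),
          side_of(PLANS["jon_25"], "192.168.254.254"))
```

Run it as a script to see each plan judged; `side_of` is the check worth keeping around, since it answers "which interface does this host live behind?" for any host you care to test before you touch the real configuration.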
LVL 5

Expert Comment

by:vsamtani
ID: 6254792
One thing that we've all forgotten to say is this: if you go for two ip networks (either of my first two suggestions, or Jon's eminently sensible suggestion), then you'll probably need to have a static route in your adsl box pointing to the internal network on the "internal" side of the linux box. For example, in my suggestion (1), you'd need a route:

destination: 192.168.254.0/255.255.255.0, gateway: <ip address of eth1>

for suggestion (2)

destination: 192.168.253.0/255.255.255.0, gateway: <ip address of eth1>

for Jon's suggestion

destination: 192.168.254.0/255.255.255.0, gateway: <ip address of eth1>


The reason I said "probably" above is that you could avoid having to put a static route in by making the linux box do NAT (ip masquerading) as well as forwarding. That way, your adsl box won't need to know any routes back to the "internal" network, since the linux box will be masquerading that network. I'm not sure what I think of multiple layers of NAT - by gut instinct I'm not keen, but I haven't really heard arguments one way or the other.

Vijay

Author Comment

by:t4p
ID: 6254838
cheers guys,

Unfortunately I am unable to change the ADSL box and I would like to try to keep 253 usable IPs, so I am going to try Vijay's second solution.

But humour me for a second (I'm new to this and I'm getting my interfaces in a muddle!!)

I am going to set up the Linux box as follows

eth0: 192.168.253.254 / 255.255.255.0 (and change the IP of all my internal PCs)
eth1: 192.168.254.253 / 255.255.255.0

I will then make eth1 the default gateway on the Linux box (I think this is the opposite way around to rbr's suggestion), so to turn off filtering I use:
ipchains -A forward -j MASK -i eth1

I have added the following lines to /etc/sysconfig/network:
GATEWAY="192.168.254.254"
GATEWAYDEV="eth1"
FORWARD_IPV4="yes"

Am I missing anything ??

Once again thanks very much for your help.

cheers
LVL 16

Expert Comment

by:The--Captain
ID: 6254896
"am i missing anything ??"

Yup - I'd use a line like:

ipchains -A forward -s 192.168.253.0/255.255.255.0 -j MASQ

rather than:

ipchains -A forward -j MASK -i eth1

Note the use of MASQ instead of MASK, as well as the explicit specification of your MASQ'ed IPs, rather than relying on the interface number (which could change over time, not to mention the fact that you are using the wrong interface number within the ipchains ruleset).

I still think adjusting your netmasks is an easier solution than using two distinct subnets (for one of which your router will not do NAT), but in any case, you can ask Customer Service to split points on your question simply by posting a zero-point question in the CS forum that details how many points you wish to delegate to each expert in this question...

Cheers,
-Jon


LVL 5

Expert Comment

by:vsamtani
ID: 6254915
Small change:

ipchains -A forward -j MASQ -i eth1

(MASQ is short for MASQUERADE, hence MASQ not MASK)

This command doesn't turn off filtering in itself. What it does is enable masquerading, or NAT, for packets which are being forwarded and sent out on eth1. You will get two layers of NAT (your linux box, and then the ADSL box), and this will alleviate the need for a static route on the ADSL box. On the down side, you will find that some software is not happy when NAT is enabled - ftp and icq are two notable exceptions. I would read the HOWTO document on the subject:

http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

Thanks for the grade :)

Vijay
LVL 16

Expert Comment

by:The--Captain
ID: 6254974
Indeed - Vijay is correct - my criticism of the interface number was unwarranted (I've been awake too long - I seemed to be transposing .253.254 with .254.253)...

In any case, we await your response.

Cheers,
-Jon

LVL 5

Expert Comment

by:vsamtani
ID: 6255008
By the way, glad to see you back Jon - it's been a while since I've seen you post. How's life?

Vijay

Author Comment

by:t4p
ID: 6255160
Right, I don't fancy two layers of NAT, however I don't think I can add a static route to the ADSL box as Vijay suggests. Is there any other way around this apart from enabling masquerading on the Linux box?

At present the setup does not work; here is a dump of my routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.253.0   *               255.255.255.0   U     0      0        0 eth0
192.168.254.0   *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.254.254 0.0.0.0         UG    0      0        0 eth1

Jon, sorry, didn't realise that I could split the points and I sort of awarded them on a first come first served basis, however I did quite like Vijay's answer !! You are quite welcome to the rest of my points tho :)

Cheers

pat

LVL 5

Expert Comment

by:vsamtani
ID: 6257002
Have you changed the default gateway on your pcs to be the ip address of the linux box eth0? Can you ping the linux box from a pc and vice versa? Can you ping the adsl box from the linux box? Have you enabled ip masquerading?

Can you post the output of ipchains -L here once you've checked the above, please.

Vijay

LVL 16

Expert Comment

by:The--Captain
ID: 6257672
(Advance apologies for sounding like a broken record)

Pat - If you don't like double NAT, then just adjust the netmasks as I previously described, and adjust the gateway of your PCs to point to the new linux IP, i.e.:

ifconfig eth1 192.168.254.253 netmask 255.255.255.128 up
ifconfig eth0 192.168.254.30 netmask 255.255.255.128 up
echo 1 > /proc/sys/net/ipv4/ip_forward

and then adjust your PC 'gateway' setting to point to 192.168.254.30 (If you feel like adjusting the netmasks on the PCs, go for it, but it will still probably work with the old settings)

Isn't this exactly what you want?

Vijay - yeah, been super-busy with a new project.  I'm still lurking about, tho ;-)

-Jon

LVL 5

Expert Comment

by:vsamtani
ID: 6259180
Jon -

I'm just a bit confused: if Pat can't put in a static route on the adsl box, specifying the linux box as a gateway back to the internal (192.168.254.0/25, or 192.168.253.0/24) network, how are packets going to make it back from the adsl box to the pcs, eg 192.168.254.15 or 192.168.253.x? The adsl box would simply pump the packet out on the local wire, because it wouldn't know that it needed to send it to eth1 on the linux box for onward routing...Surely two layers of NAT are required to solve the routing problem?

Vijay
LVL 16

Expert Comment

by:The--Captain
ID: 6259242
I think proxy arp would solve that (well, at least in my config it would), but you are correct, I had forgotten that element of the config (been awake too long).  

While proxy arp would make this unnecessary, I find the inability to add a static route on the DSL box strange - is this an equipment limitation (the box simply won't do it), or an access limitation (doesn't know the password to the box, or maybe doesn't have the right console cable)?  What make/model of DSL box do you have?

-Jon

LVL 5

Expert Comment

by:vsamtani
ID: 6259305
Yes that's very true - proxy arp ought to do the trick. If enabling proxy arp requires recompiling the kernel, though, then I'd be tempted to go for the filtering bridge solution. Not sure though - don't know enough about the pros and cons of proxy arp to feel certain either way.

But best of all is, as you say, to get into the adsl box and put the static route in. Pat, is there any way you can get into the adsl box?

Vijay
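
Added example, not from anyone in this thread, of the return-path problem Vijay raises and the two ways out of it that were discussed: a static route on the ADSL box pointing the inner network at eth1, or masquerading on the Linux box (Jon's `-s 192.168.253.0/255.255.255.0 -j MASQ` rule) so that replies are addressed to eth1 in the first place. It simulates the ADSL box's route lookup on a reply packet with a minimal longest-prefix-match table. The upstream gateway label `isp-upstream-gateway` is a constructed placeholder; the other addresses are the ones used in the thread, and the proxy ARP variant is not modelled.

```python
"""Why the ADSL box needs either a static route back to the inner network or
a masquerading Linux box in front of it.  Added example, not from the thread:
it simulates the ADSL box's route lookup on a reply packet with a minimal
longest-prefix-match table."""
import ipaddress

LINUX_ETH1 = "192.168.254.253"                         # Linux box, ADSL-facing side
INNER_NET = ipaddress.ip_network("192.168.253.0/24")   # PCs under Vijay's plan (2)
UPSTREAM = "isp-upstream-gateway"                      # constructed placeholder


class RouteTable:
    """A tiny 'route -n' lookalike: (prefix, gateway-or-None, iface) entries."""

    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(p), gw, ifc) for p, gw, ifc in entries]

    def next_hop(self, dst):
        """Longest-prefix match.  On-link routes (gateway None) deliver to the
        destination itself; returns None when nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, gw, ifc in self.entries:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifc)
        if best is None:
            return None
        return best[1] if best[1] is not None else dst


def adsl_box(with_static_route):
    """The ADSL box's table: its own LAN, a default route towards the ISP and,
    optionally, the static route Vijay asked for (gateway = eth1 of the Linux box)."""
    entries = [("192.168.254.0/24", None, "lan"), ("0.0.0.0/0", UPSTREAM, "wan")]
    if with_static_route:
        entries.append(("192.168.253.0/24", LINUX_ETH1, "lan"))
    return RouteTable(entries)


def masquerade(src):
    """Effect of 'ipchains -A forward -s 192.168.253.0/255.255.255.0 -j MASQ':
    packets from the inner network leave with eth1's address as their source,
    so the reply is addressed to the Linux box rather than to a PC the ADSL
    box has no route to."""
    if ipaddress.ip_address(src) in INNER_NET:
        return LINUX_ETH1
    return src


def reply_reaches_linux_box(adsl, pc_src, nat):
    """Where does the ADSL box send the reply to a packet from pc_src?
    True when its next hop is eth1 of the Linux box, i.e. the PC is reachable."""
    reply_dst = masquerade(pc_src) if nat else pc_src
    return adsl.next_hop(reply_dst) == LINUX_ETH1


if __name__ == "__main__":
    pc = "192.168.253.15"
    # No static route, no NAT: the reply follows the default route and is lost.
    print("no route, no NAT :", reply_reaches_linux_box(adsl_box(False), pc, nat=False))
    # Static route on the ADSL box: one NAT layer, reply comes back via eth1.
    print("static route     :", reply_reaches_linux_box(adsl_box(True), pc, nat=False))
    # Masquerade on the Linux box: two NAT layers, but no route needed.
    print("masquerade       :", reply_reaches_linux_box(adsl_box(False), pc, nat=True))
```

The three printed cases are the three positions taken in the thread: Pat's current table (unreachable), Vijay's static route, and the double-NAT setup that makes the route unnecessary at the cost of the helper-module issues discussed below.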


Author Comment

by:t4p
ID: 6264319
Sorry guys, been out of the office for a couple of days.

I have been playing with the setup I detailed before; this works when I issue: ipchains -A forward -j MASQ -i eth1

The box will route traffic, however as Vijay rightly says irc and ftp don't work with two layers of NAT (I'm getting 'port operation' errors). irc I can live without but I really need ftp!!

I'll give you a little background on the ADSL box: it's nothing more than a glorified hub (a sort of out-of-the-box pre-configured job); there is no way to get access to it. All the configuration is done at the exchange end.

I have spoken to my ISP and they said I can't add a static route to the box. What they can do however is remove the NAT on the ADSL and give me a couple of static IPs. There is an extortionate admin charge involved with this and I would have to set up a firewall.

If you could think of any way to get ftp working with my current setup it would save me loads of hassle.

cheers

pat
LVL 5

Expert Comment

by:vsamtani
ID: 6265508
Well, you plan to set up a firewall anyway with your linux box, so that's not a problem. I suppose it's possible that you could simply replace their adsl box with one of your own, but that might not be possible, either technically or because it might violate an agreement you've signed with them.

If they turn off NAT, you only need one public ip address - static/dynamic is neither here nor there, unless you are planning to run publicly accessible services on your end of the adsl box. The only one it would be sensible to run on your end would be a mail receiver, and for that you'd need a static ip address so that you can publish it on the DNS as a mail exchanger for any domains you own or manage email for.

Regarding ftp: It's not that two layers of NAT break ftp, it's that ftp (at least when the server is in "active" mode) tries to open connections from the server to your client pc, and both layers of NAT software have to be able to handle this. First of all, be aware that ftp should work through NAT if you use the "passive" mode. Look for such an option in your ftp client configuration. If you're using a command-line ftp client, just use the command PASV to put the server in passive mode. If you want to make ftp usable with active mode as well, read on. Did it work through the adsl box before you put the linux box in? If so, its current failure is clearly down to the linux box, and can easily be fixed by carrying out the steps detailed in the masquerading howto (I put the url in one of my earlier comments), and in the links therein. Try executing:

modprobe -l | grep 'ip_masq'

and you should see a list of modules (*.o) that are available, such as ip_masq_ftp.o, ip_masq_irc.o, etc. To enable support for ftp, for example, just issue:

/sbin/insmod ip_masq_ftp

And then try ftp through the linux box.

If ftp didn't work pre-linux, then the adsl box is contributing to the problem, and you probably should shout at your ISP.

Vijay
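
Added example, not code from the thread or from the ip_masq_ftp module itself, showing the mechanism behind Vijay's explanation: in active mode the client's PORT command carries its own (private) address, which the server cannot reach through NAT, so a helper on the masquerading box has to rewrite that command and remember the mapping; in passive mode the 227 reply carries the server's address and the client connects outward, which NAT handles like any other connection. The parsing follows RFC 959's h1,h2,h3,h4,p1,p2 encoding; the addresses, ports and the `masq_rewrite_port` / `active_mode_breaks_behind_nat` helper names are constructed for this example.

```python
"""Why active-mode ftp breaks behind NAT and what a helper such as
ip_masq_ftp has to do about it.  Added example, not from the thread: a parser
for the PORT command and the 227 passive reply, plus the rewrite a
masquerading helper performs.  Addresses and ports are constructed."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (dotted host, port); port = p1*256 + p2 (RFC 959)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def parse_port(cmd):
    """Client -> server.  'PORT 192,168,253,15,4,1' means 'connect back to
    192.168.253.15:1025 for the data transfer' (active mode)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode(m.groups())


def parse_pasv(reply):
    """Server -> client.  '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The client opens the data connection outward, so NAT needs no helper."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode(m.groups())


def format_port(host, port):
    """Inverse of parse_port, as a helper would re-emit the command."""
    return "PORT %s,%d,%d\r\n" % (host.replace(".", ","), port // 256, port % 256)


def active_mode_breaks_behind_nat(cmd, private_net):
    """True when the client advertises an address the server cannot reach: a
    private address that NAT hides.  Two NAT layers hide it twice, so both
    boxes must carry a helper for active mode to work."""
    host, _ = parse_port(cmd)
    return ipaddress.ip_address(host) in ipaddress.ip_network(private_net)


def masq_rewrite_port(cmd, public_addr, reserved_port):
    """What the ftp masquerading helper does on the control connection:
    substitute the NAT box's own address and a port it has reserved, and
    keep the mapping so the server's incoming data connection can be
    forwarded to the real client."""
    client = parse_port(cmd)
    rewritten = format_port(public_addr, reserved_port)
    return rewritten, {(public_addr, reserved_port): client}


if __name__ == "__main__":
    cmd = "PORT 192,168,253,15,4,1\r\n"          # constructed: PC behind the Linux box
    print(parse_port(cmd))                        # ('192.168.253.15', 1025)
    print(active_mode_breaks_behind_nat(cmd, "192.168.253.0/24"))   # True
    print(masq_rewrite_port(cmd, "192.168.254.253", 2000))
    print(parse_pasv("227 Entering Passive Mode (10,0,0,5,195,80)\r\n"))
```

On Pat's setup the rewrite would have to happen twice, once on the Linux box (hence `insmod ip_masq_ftp`) and once in the ADSL box, which is why passive mode is the quick fix when the second NAT layer cannot be touched.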

Author Comment

by:t4p
ID: 6265539
Thanks Vijay

ftp worked fine before so I'll give your suggestion a try!!
LVL 5

Expert Comment

by:vsamtani
ID: 6297586
Some points should go to The--Captain for his contribution - they are on:

http://www.experts-exchange.com/jsp/qShow.jsp?qid=20153402

Vijay