Linux second NIC: Linux can ping XP but XP can't ping Linux

I have set up a Linux box with two NICs:

eth0 192.168.0.2 connected to ADSL router 192.168.0.1
eth1 192.168.1.1 connected to Netgear FS108 switch and onto Win XP m/c 192.168.1.2

I can ping 192.168.0.1 from Linux
I can't ping 192.168.0.2 from Linux (not sure if this is possible)
I can ping 192.168.1.2 (XP) from Linux
I can't ping 192.168.1.1 from XP (192.168.1.2)

Any help would be appreciated.

Many thanks

Andy
Donoss Asked:
paranoidcookie Commented:
What is your subnet mask? It should be something like 255.255.248.0 or even 255.255.0.0

Is IP forwarding turned on? cat /proc/sys/net/ipv4/ip_forward should give 1; if not, echo 1 > /proc/sys/net/ipv4/ip_forward

0
reketnet Commented:
Hi
To me this sounds like there is some iptables rule that is blocking pings. Execute iptables -L and show us.

regards,
0
Donoss (Author) Commented:
Hi,

Below is the ifconfig, iptables, and route output (is the subnet mask the same as the netmask?)

Many thanks


eth0      Link encap:Ethernet  HWaddr 00:0B:CD:E7:7B:3F
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:cdff:fee7:7b3f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1095 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:919110 (897.5 Kb)  TX bytes:155375 (151.7 Kb)
          Interrupt:17 Memory:e8200000-e8210000

eth1      Link encap:Ethernet  HWaddr 00:10:A7:0A:ED:0B
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::210:a7ff:fe0a:ed0b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5602 (5.4 Kb)  TX bytes:5909 (5.7 Kb)
          Interrupt:21 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:359008 (350.5 Kb)  TX bytes:359008 (350.5 Kb)

[root@sambaserver1 root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

0
Donoss (Author) Commented:
And ......

cat /proc/sys/net/ipv4/ip_forward
1
0
paranoidcookie Commented:
Change your subnet masks to 255.255.0.0
0
Donoss (Author) Commented:
Is that on all interfaces, i.e. eth0, 1 and on the XP machine?
0
paranoidcookie Commented:
Well, as you effectively have one network I see no reason to stop the PCs communicating. Alternatively you could use the same subnet throughout 192.168.0.x
0
Donoss (Author) Commented:
I've changed the netmask and still the XP machine can't ping the Linux box. For reference my ultimate aim is to have another NIC eth2 and use the Linux box as a router for two subnets, 192.168.1.0 and 192.168.2.0 routed through eth0 to a cable modem. However I thought I would start simple and just get one PC talking to the Linux box!

Regards

Andy
0
paranoidcookie Commented:
Can you ping beyond the Linux box?

Check the proc settings by using cat

 /proc/sys/net/ipv4/icmp_echo_ignore_all

When enabled, ignore all ICMP ECHO REQUEST (ping) packets. Does nothing to actually increase security, but can hide you from ping sweeps, which may prevent you from being port scanned. Nmap, for example, will not scan unpingable hosts unless -P0 is specified. This will prevent normal network connectivity tests, however.

 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

When enabled, ignore broadcast and multicast pings. It's a good idea to ignore these to prevent you from becoming an inadvertent participant in a distributed denial of service attack, such as Smurf.

 /proc/sys/net/ipv4/conf/*/accept_source_route

When source routed packets are allowed, an attacker can forge the source IP address of connections by explicitly saying how a packet should be routed across the Internet. This could enable them to abuse trust relationships or get around TCP Wrapper-style access lists. There's no need for source routing on today's Internet.

 /proc/sys/net/ipv4/conf/*/rp_filter

When enabled, if a packet comes in on one interface, but our response would go out a different interface, drop the packet. Unnecessary on hosts with only one interface, but remember, PPP and VPN connections usually have their own interface, so it's a good idea to enable it anyway. Can be a problem for routers on a network that has dynamically changing routes. However on firewall/routers that are the single connection between networks, this automatically provides spoofing protection without network ACLs.

 /proc/sys/net/ipv4/conf/*/accept_redirects

When you send a packet destined to a remote machine you usually send it to a default router. If this machine sends an ICMP redirect, it lets you know that there is a different router to which you should address the packet for a better route, and your machine will send the packet there instead. A cracker can use ICMP redirects to trick you into sending your packets through a machine it controls to perform man-in-the-middle attacks. This should certainly never be enabled on a well configured router.

 /proc/sys/net/ipv4/conf/*/secure_redirects

Honor ICMP redirects only when they come from a router that is currently set up as a default gateway. Should only be enabled if you have multiple routers on your network. If your network is fairly static and stable, it's better to leave this disabled.

 /proc/sys/net/ipv4/conf/*/send_redirects

If you're a router and there are alternate routes of which you should inform your clients (you have multiple routers on your networks), you'll want to enable this. If you have a stable network where hosts already have the correct routes set up, this should not be necessary, and it's never needed for non-routing hosts.
0

wesly_chen Commented:
Hi,

   Could you check /etc/sysctl.conf
and comment out all the ipv6 stuff and reboot?

Wesly
0
Donoss (Author) Commented:
Hi,

Results as follows, do any need changing and how do I do it?

/proc/sys/net/ipv4/icmp_echo_ignore_all
1

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
1

/proc/sys/net/ipv4/conf/*/accept_source_route
0, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/rp_filter
1, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/accept_redirects
0, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/secure_redirects
1, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/send_redirects

1, 1, 1, 1, 1
0
Donoss (Author) Commented:
/etc/sysctl.conf looks like this, I can't see any ipv6 stuff:

net.ipv4.ip_forward=1
net.ipv4.tcp_ecn=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.ip_dynaddr=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.sysrq=1
dev.cdrom.autoclose=0
dev.cdrom.lock=0
net.ipv4.icmp_ignore_bogus_error_responses=1
kernel.core_uses_pid=1
0
paranoidcookie Commented:
If net.ipv4.icmp_echo_ignore_all=1 then your Linux box is ignoring all ICMP (read: ping, traceroute)

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

and try again.
0
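An added example, not part of the thread or any participant's reply: writing to /proc changes only the running kernel, while /etc/sysctl.conf is reapplied at boot, so the file needs checking as well. The function names and the expected values (a box that should route and answer ping) are assumptions of this sketch; the sample input is the net.ipv4 part of the file posted above.

```shell
# Added example: check sysctl.conf text against the settings discussed in this
# thread. SAMPLE_CONF holds the net.ipv4 lines of the file posted above.
SAMPLE_CONF='net.ipv4.ip_forward=1
net.ipv4.tcp_ecn=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.ip_dynaddr=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1'

# get_setting KEY: print the last value assigned to KEY in the text on stdin
# (later lines override earlier ones); comments and blank lines are skipped.
get_setting() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }'
}

# check_key CONF KEY WANTED NOTE: print one finding line for KEY.
check_key() {
    got=$(printf '%s\n' "$1" | get_setting "$2")
    if [ -z "$got" ]; then
        echo "UNSET $2 (not set in this file)"
    elif [ "$got" = "$3" ]; then
        echo "OK    $2=$got"
    else
        echo "CHECK $2=$got, expected $3: $4"
    fi
}

# audit_conf CONF: findings for a box meant to route and to answer ping.
audit_conf() {
    check_key "$1" net.ipv4.ip_forward 1 "needed to route between NICs"
    check_key "$1" net.ipv4.icmp_echo_ignore_all 0 "ping is ignored again after boot"
    check_key "$1" net.ipv4.icmp_echo_ignore_broadcasts 1 "answers broadcast pings"
    check_key "$1" net.ipv4.conf.all.rp_filter 1 "no reverse-path check"
    check_key "$1" net.ipv4.conf.all.accept_source_route 0 "source routing accepted"
    check_key "$1" net.ipv4.conf.all.accept_redirects 0 "ICMP redirects accepted"
}

audit_conf "$SAMPLE_CONF"
```

On a live system the same function can be fed the real file with audit_conf "$(cat /etc/sysctl.conf)"; keys reported as UNSET are the ones whose running value has to be read from /proc instead.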
Donoss (Author) Commented:
Hi,

I changed the netmask on the Linux m/c to 255.255.255.0 and 255.255.0.0 on the XP and all works OK. Is this correct, why should it now work?

Andy
0
paranoidcookie Commented:
Because subnet masks restrict traffic from crossing networks except via a gateway.

So if you have 192.168.0.0/255.255.255.0 it can talk directly to any clients on the last 254 bits of the address, so 192.168.0.1 - 192.168.0.254

Whereas by changing the subnet mask to 255.255.0.0 you are explicitly saying the last two octets are connected.

Not sure if what I've said makes sense, so read this if not
http://xtronics.com/reference/ip-subnetmasks.htm
or
http://ask-leo.com/c000084.html
Might help
0
Donoss (Author) Commented:
Have set icmp_echo_ignore_all to 0 and all is fine.

On the XP m/c, should the default gateway be 192.168.1.1 (my Linux box) or 192.168.0.1 (my gateway router to the internet)? What do I need to add to the Linux m/c router table to enable it to route subnet 192.168.1.0 to 192.168.0.0? Or should I raise this as another question?

Many thanks for your help thus far.

Andy
0
paranoidcookie Commented:
The gateway should be set to the IP which gives access to other networks, which I guess is your ADSL router (which I assume runs some sort of NAT system).
0
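An added example, not part of the thread or any participant's reply, covering the subnet mask and default gateway exchanges above: it computes, for the XP address and the two masks tried in the thread, whether a destination is delivered directly or handed to a gateway. The function names are assumptions of this sketch; the addresses are the ones quoted in the thread.

```shell
# Added example: how a host chooses between direct delivery and its gateway,
# using the addresses quoted in this thread.

# ip_to_int A.B.C.D: print the address as an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of IP MASK: print the network address (IP AND MASK) as a dotted quad.
network_of() {
    n=$(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
    echo "$(( ($n >> 24) & 255 )).$(( ($n >> 16) & 255 )).$(( ($n >> 8) & 255 )).$(( $n & 255 ))"
}

# on_link SRC MASK DST: succeed if DST is inside SRC's own subnet.
on_link() {
    [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$2")" ]
}

# next_hop SRC MASK DST GW: print how SRC would send a packet to DST.
next_hop() {
    if on_link "$1" "$2" "$3"; then
        echo "direct"
    elif on_link "$1" "$2" "$4"; then
        echo "via $4"
    else
        echo "unreachable: gateway $4 is not on-link"
    fi
}

XP=192.168.1.2   # the XP machine from the thread
for mask in 255.255.255.0 255.255.0.0; do
    for dst in 192.168.1.1 192.168.0.1; do
        for gw in 192.168.1.1 192.168.0.1; do
            echo "mask=$mask dst=$dst gw=$gw -> $(next_hop "$XP" "$mask" "$dst" "$gw")"
        done
    done
done
```

Here "direct" means the host resolves the destination with ARP on its own segment instead of handing the packet to a router.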
Question has a verified solution.