Ip forwarding - Networking


Thread: Ip forwarding

  1. Ip forwarding

    Hi,
    I know there's much out there about this topic but I'd like you to
    clarify this to me.
    I've got 2 network interfaces:
    a) 192.168.0.1 mask 255.255.255.0
    b) 192.168.1.1 mask 255.255.255.0

    and I would like packets incoming on interface (a) to be forwarded to
    (b) and vice versa.

    I tried with
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
    echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding

    but still nothing good.. I guess I have to use the iptables tools but
    I don't know much about their usage...
    Could you lend me a hand?

    Thank you guys
    Riccardo

  2. Re: Ip forwarding

    On 2007-12-27, InuY4sha wrote:
    > I've got 2 network interfaces:
    > a) 192.168.0.1 mask 255.255.255.0
    > b) 192.168.1.1 mask 255.255.255.0
    >
    > and I would like packets incoming on interface (a) to be forwarded to
    > (b) and vice versa.
    >
    > I tried with
    > echo 1 > /proc/sys/net/ipv4/ip_forward


    That's enough. Of course, machines from network a) need to know that
    they have to send the packets for b) to the gateway machine, and the
    other way around.

    Davide

    --
    Some drink from the Fountain of Knowledge. Others just gargle. -- Dave Aronson
    And some pee in it. -- moc.oohay

  3. Re: Ip forwarding


    > > I tried with
    > > echo 1 > /proc/sys/net/ipv4/ip_forward

    >
    > That's enough. Of course, machines from network a) need to know that
    > they have to send the packets for b) to the gateway machine, and the
    > other way around.


    Thank you very much; as a proof that you are correct I'm right now
    trying tcpdump this way

    Machine1ping -----> Machine2[tcpdump]---------->router-->outerworld.

    What I get is that the request is forwarded to the router but I get no
    reply from that.
    Gonna investigate a bit more... (if I ping the router from Machine2 it
    works fine)


  4. Re: Ip forwarding

    InuY4sha wrote:

    > Hi,
    > I know there's much out there about this topic but I'd like you to
    > clarify this to me.
    > I've got 2 network interfaces:
    > a) 192.168.0.1 mask 255.255.255.0
    > b) 192.168.1.1 mask 255.255.255.0
    >
    > and I would like packets incoming on interface (a) to be forwarded to
    > (b) and vice versa.
    >


    Ja, so would I, glad you beat me to stirring this subject up, since I
    decided not to send the message I wrote couple weeks ago because it was too long.
    ..
    > I tried with
    > echo 1 > /proc/sys/net/ipv4/ip_forward
    > echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
    > echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
    >

    The first (at least) is done at boot on my SLACKware 12
    but all the other files in that directory have 1 anyway.
    I have tried same subnets, different but nothing.
    The message saying "forwarding enabled" starts giving me stomach cramps.

    I have
    comp 1                eth1        comp2    eth0             comp3
    win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 --- 192.168.67.9 slack 12
    currently mask 255.255.0.0 everywhere.

    I have even added explicit "host routes"
    route add 192.168.0.1 eth1
    route add 192.168.67.8 eth0

    When I ping from comp3 to 1 tcpdump -i eth1 on comp2 shows no traffic
    and tcpdump on comp3 shows 'only' 'arp where are you: 192.168.0.1'

    So is this forwarding part of the basic kernel or does this "networking/forwarding
    kernel" just mean capable,??
    While I was looking for where 'route add 192.168.0.1 eth1' is set (not in rc.local with the other one), I opened rc.ip_forward , which mentions rp_filter and therefore
    ip_tables ( which is not exactly what I would consider part of kernel even if it is compiled with it).
    When I type ip_tables -L 2 modules get loaded, is it just the 'user interface'
    and what is the situation till then (if it is not just interface) , is it supposed to forward?
    Few days ago I got into serioulish reading about iptables which said somewhere that packets are matched against only one chain so I tried the following without any luck.

    iptables -A FORWARD -s 192.168.67.8 -d 192.168.0.1 -i eth0 -o eth1

    and probably backwards too.

    Thought I had it couple of times, but because I prefer to interact with comp2
    over telnet , it is possible I forgot to switch to local console when trying both mounting and the other time ping.

    After about 5 years of christmas messing around with this I am desperate enough
    that I installed the kernel source tree few days ago.
    Oh and high speed is on the way, but I am only trying it.
    LOL.

    cheers.



  5. Re: Ip forwarding

    On Dec 27 2007, 4:30 am, InuY4sha wrote:
    > > > I tried with
    > > > echo 1 > /proc/sys/net/ipv4/ip_forward

    >
    > > That's enough. Of course, machines from network a) need to know that
    > > they have to send the packets for b) to the gateway machine, and the
    > > other way around.

    >
    > Thank you very much; as a proof that you are correct I'm right now
    > trying tcpdump this way
    >
    > Machine1ping -----> Machine2[tcpdump]---------->router-->outerworld.
    >
    > What I get is that the request is forwarded to the router but I get no
    > reply from that.
    > Gonna investigate a bit more... (if I ping the router from Machine2 it
    > works fine)


    Does the router know how to send packets back to machine1? from your
    description it does not. I would hazard this is your typical linksys
    or other
    type dsl/cable router, in which you would have to tell it about a new
    static
    route which says "machine2 is the gateway to machine1"

  6. Re: Ip forwarding

    Hello,

    Sambo wrote:
    >
    >> I tried with
    >> echo 1 > /proc/sys/net/ipv4/ip_forward
    >> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
    >> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
    >>

    > The first (at least) is done at boot on my SLACKware 12
    > but all the other files in that directory have 1 anyway.


    Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.

    > I have tried same subnets, different but nothing.


    Same IP subnets on different links is a bad idea. Keep the subnets
    different on each link. That's what IP subnets are for: tell what's on
    the same link and what's not.

    > The message saying "forwarding enabled" starts giving me stomach cramps.
    > I have comp 1 eth1 comp2 eth0 comp3
    > win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 --- 192.168.67.9 slack 12
    > currently mask 255.255.0.0 everywhere.


    That's wrong, because it means that the same subnet 192.168.0.0/16 is
    used on both links. Use 255.255.255.0 everywhere instead, so you'll have
    192.168.0/24 and 192.168.67.0/24.

    > I have even added explicit "host routes"
    > route add 192.168.0.1 eth1
    > route add 192.168.67.8 eth0


    This is useless when you have the right mask, and insufficient to get
    things working when you have the wrong mask.

    > When I ping from comp3 to 1 tcpdump -i eth1 on comp2 shows no traffic
    > and tcpdump on comp3 shows 'only' 'arp where are you: 192.168.0.1'


    Because of the wrong mask, comp3 thinks that comp1 is on the same link.

    > So is this forwarding part of the basic kernel or does this
    > "networking/forwarding kernel" just mean capable,??


    Forwarding is not responsible for the failure. Wrong subnet setup is.

    > and what is the situation till then (if it is not just interface) , is
    > it supposed to forward?


    The router is supposed to forward packets that are sent to it. But here
    no packets are sent to it as comp1 expects comp3 to be on the same link.

    > Few days ago I got into serioulish reading about iptables [...]


    Please don't involve iptables yet. Just accept everything, which is the
    default when iptables is not loaded.

    First, you need to set different subnet on each link.
    Second, you need to tell comp1 and comp3 how to reach the other subnet.
    This can be done by using the router's address in the same subnet as the
    default gateway, or by adding a network route to the other subnet via
    the router :

    comp1(windows) : route add 192.168.67.0 mask 255.255.255.0 192.168.0.8
    comp3(linux) : route add -net 192.168.0.0/24 gw 192.168.67.1

  7. Re: Ip forwarding

    Pascal Hambourg wrote:

    > Hello,
    >
    > Sambo wrote:
    >
    >>
    >>> I tried with
    >>> echo 1 > /proc/sys/net/ipv4/ip_forward
    >>> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
    >>> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
    >>>

    >> The first (at least) is done at boot on my SLACKware 12
    >> but all the other files in that directory have 1 anyway.

    >
    >
    > Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.
    >


    little correction to this ??filter files contain 0.

    >> I have tried same subnets, different but nothing.

    >
    >
    > Same IP subnets on different links is a bad idea. Keep the subnets
    > different on each link. That's what IP subnets are for: tell what's on
    > the same link and what's not.
    >
    >> The message saying "forwarding enabled" starts giving me stomach cramps.
    >> I have comp 1 eth1 comp2
    >> eth0 comp3
    >> win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 ---
    >> 192.168.67.9 slack 12
    >> currently mask 255.255.0.0 everywhere.

    >
    >
    > That's wrong, because it means that the same subnet 192.168.0.0/16 is
    > used on both links. Use 255.255.255.0 everywhere instead, so you'll have
    > 192.168.0/24 and 192.168.67.0/24.
    >



    Ok I have changed back to 255.255.255.0 and restarted.


    > The router is supposed to forward packets that are sent to it. But here
    > no packets are sent to it as comp1 expects comp3 to be on the same link.
    >

    I hope by "sent to it" you mean "reaching it" as opposed to "addressed to it",
    or is packet wrapping involved here.

    [on windows/ comp1]
    Somehow I managed to enter route badly and ended up with the following table

    C:\WINNT\SYSTEM32>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 01 02 43 e8 32 ...... 3Com EtherLink PCI
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway      Interface    Metric
    127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
    192.168.0.0          255.255.255.0    192.168.0.1  192.168.0.1  1
    192.168.0.1          255.255.255.255  127.0.0.1    127.0.0.1    1
    192.168.0.255        255.255.255.255  192.168.0.1  192.168.0.1  1
    192.168.67.8         255.255.255.255  192.168.0.9  192.168.0.1  1
    224.0.0.0            224.0.0.0        192.168.0.1  192.168.0.1  1
    255.255.255.255      255.255.255.255  192.168.0.1  192.168.0.1  1
    ===========================================================================
    Persistent Routes:
    None

    Since ping complained "network unreachable"
    I deleted it and after many unsuccessful attempts to enter host route I had to settle
    for network route.

    C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 192.168.0.9

    C:\WINNT\SYSTEM32>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 01 02 43 e8 32 ...... 3Com EtherLink PCI
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway      Interface    Metric
    127.0.0.0            255.0.0.0        127.0.0.1    127.0.0.1    1
    192.168.0.0          255.255.255.0    192.168.0.1  192.168.0.1  1
    192.168.0.1          255.255.255.255  127.0.0.1    127.0.0.1    1
    192.168.0.255        255.255.255.255  192.168.0.1  192.168.0.1  1
    192.168.67.0         255.255.255.0    192.168.0.9  192.168.0.1  1
    224.0.0.0            224.0.0.0        192.168.0.1  192.168.0.1  1
    255.255.255.255      255.255.255.255  192.168.0.1  192.168.0.1  1
    ===========================================================================
    Persistent Routes:
    None

    C:\WINNT\SYSTEM32>

    But when I tried the following :
    C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 interface 10000003
    ROUTE: bad gateway address interface

    So is the gateway address really needed to address the packets to the gateway?
    Did I read about packet wrapping in masquerading. Hmmm.

    So here is the routing table for comp2

    root@LNX-A350:/home/sambo# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    LNX-P800        *               255.255.255.255 UH    0      0        0 eth0
    192.168.67.0    *               255.255.255.0   U     0      0        0 eth0
    localnet        *               255.255.255.0   U     0      0        0 eth1
    loopback        *               255.0.0.0       U     0      0        0 lo
    default         sambo-main      0.0.0.0         UG    1      0        0 eth1
    root@LNX-A350:/home/sambo#

    Well the explicit route from (the one I was not sure of where it was coming from),
    I may have to remove the LNX-P800 to eth0 from my rc.local

    STRANGE thing is that localnet is now on eth1 not eth0???


    Well off to comp3
    SACREBLE it's working, was it the windows route?
    windows dialed out

    tcpdump -i eth1
    where are you 192.168.0.1
    at aa:bb:cc:dd:ee:ff
    ICMP echo request
    ICMp reply
    a.iana-severs.net.domain ------------ AAAA?
    [lau]
    ptr <-- I think
    ^c

    200 packets captured
    2000+ received by filter
    3000+ dropped by kernel

    and similarly strange packets to about 100 other computers(nameservers?)
    whose list I have seen somewhere.

    Heh, hope I can get this to happen on comp2.

    From slack 9 , 10, 10.2 and 12, thinking 192.168.0.x only had 256 addresses and trying to subnet with 255.255.255.224, ( address 192.168.0.33 and 34 ), I couldn't get this right?....


    One more thing I was wondering about for the last few days is
    the difference between gateway and IFace column in the Linux
    route listing. Since my understanding always was that this is only
    to indicate which interface to send a packet addressed to given address on.

    In any case.

    Thanks a lot.



  8. Re: Ip forwarding

    Sambo wrote:
    >>>
    >>>> echo 1 > /proc/sys/net/ipv4/ip_forward
    >>>> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
    >>>> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
    >>>>
    >>> The first (at least) is done at boot on my SLACKware 12
    >>> but all the other files in that directory have 1 anyway.

    >>
    >> Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.

    >
    > little correction to this ??filter files contain 0.


    Filter files ? What do you mean ?

    >> The router is supposed to forward packets that are sent to it. But
    >> here no packets are sent to it as comp1 expects comp3 to be on the
    >> same link.
    >>

    > I hope by "sent to it" you mean "reaching it" as opposed to "addressed
    > to it", or is packet wrapping involved here.


    I mean "addressed to it" at link layer (MAC address). Packets that are
    meant to be forwarded by a router must be sent to its MAC address on the
    link. This MAC address is obtained by doing an ARP query to the router's
    local IP address, which is the gateway address in the routing table.

    > [on windows/ comp1]

    [...]
    > C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 192.168.0.9


    Why 192.168.0.9 ? According to your diagram, comp2's eth1 address is
    192.168.0.8.

    > But when I tried the following :
    > C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0
    > interface 10000003
    > ROUTE: bad gateway address interface


    According to route help, the correct keyword to specify an interface is
    "IF", not "INTERFACE". Anyway you don't want to create a direct route,
    so you must specify a gateway, not just an interface.

    > So is the gateway address really needed to address the packets to the
    > gateway?


    Yes it is.

    > Did I read about packet wrapping in masqrading. Hmmm.


    What are you talking about ? No masquerading is involved here, just
    plain IP forwarding.

    > So here is the routing table for comp2


    Please use "route -n" (or even better "ip route") so numeric IP
    addresses are not resolved into obscure names.

    > Well off to comp3
    > SACREBLE it's working, was it the windows route?
    > windows dialed out
    > tcpdump -i eth1 where are you 192.168.0.1


    Same here, please use option -n so numeric addresses are not resolved
    into names.

    > Heh, hope I can get this to happen on comp2.


    Get *what* to happen ?
    Please try to be clearer and more precise in describing your settings,
    tests and results.

    > From slack 9 , 10, 10.2 and 12, thinking 192.168.0.x only had 256
    > addresses


    And only 254 usable host addresses, .0 and .255 being reserved as
    network and broadcast addresses. So what ?

    > and trying to subnet with 255.255.255.224, ( address
    > 192.168.0.33 and 34 ), I couldn't get this right?....


    Get *what* right ?
    Why the hell would you want to subnet 192.168.0.0/24 ?

    > One more thing I was wondering about for the last few days is the
    > difference between gateway and IFace column in the Linux route listing.
    > Since my understanding always was that this is only to indicate which
    > interface to send a packet addressed to given address on.


    The interface column contains the output interface for a given
    destination. The gateway column optionally contains the address of the
    next hop router if the destination is not directly reachable on the
    network attached to the output interface. The gateway address must be
    directly reachable on the network attached to the output interface.

    "*" or 0.0.0.0 as the gateway means that the destination is directly
    reachable on the network attached to the output interface. In this case
    you can consider that the next hop address is equal to the destination
    address.

    In both cases the packet is sent on the link to the next hop MAC address.

  9. Re: Ip forwarding

    Pascal Hambourg wrote:
    > Sambo wrote:
    >
    >>>
    >>> Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.

    >>
    >>
    >> little correction to this ??filter files contain 0.

    >
    >
    > Filter files ? What do you mean ?
    >


    /proc/sys/net/ipv4/conf/eth0/rpfilter
    /proc/sys/net/ipv4/conf/eth1/rpfilter

    >>>

    >> I hope by "sent to it" you mean "reaching it" as opposed to "addressed
    >> to it", or is packet wrapping involved here.

    >
    >
    > I mean "addressed to it" at link layer (MAC address). Packets that are
    > meant to be forwarded by a router must be sent to its MAC address on the
    > link. This MAC address is obtained by doing an ARP query to the router's
    > local IP address, which is the gateway address in the routing table.
    >

    Oh , sorry, that makes sense.

    >
    >
    > Why 192.168.0.9 ? According to your diagram, comp2's eth1 address is
    > 192.168.0.8.
    >


    Yes, interchanged the 8 and 9 the first time.

    > The interface column contains the output interface for a given
    > destination. The gateway column optionally contains the address of the
    > next hop router if the destination is not directly reachable on the
    > network attached to the output interface. The gateway address must be
    > directly reachable on the network attached to the output interface.
    >
    > "*" or 0.0.0.0 as the gateway means that the destination is directly
    > reachable on the network attached to the output interface. In this case
    > you can consider that the next hop address is equal to the destination
    > address.
    >
    > In both cases the packet is sent on the link to the next hop MAC address.


    Yes, must be MAC addressed to somebody in the neighbourhood, carrying any INET
    destination address, GOT IT.

  10. Re: Ip forwarding

    Sambo wrote:
    >
    >>> little correction to this ??filter files contain 0.

    >>
    >> Filter files ? What do you mean ?

    >
    > /proc/sys/net/ipv4/conf/eth0/rpfilter
    > /proc/sys/net/ipv4/conf/eth1/rpfilter


    I guess you mean rp_filter. This parameter is not involved in forwarding.

    ip-sysctl.txt :

    rp_filter - BOOLEAN
    1 - do source validation by reversed path, as specified in RFC1812
    Recommended option for single homed hosts and stub network
    routers. Could cause troubles for complicated (not loop free)
    networks running a slow unreliable protocol (sort of RIP),
    or using static routes.

    0 - No source validation.

    conf/all/rp_filter must also be set to TRUE to do source validation
    on the interface

    Default value is 0. Note that some distributions enable it
    in startup scripts.
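
Added example, not part of any post in the thread: a small Python model of the next-hop decision explained in posts 6 and 8 and of the reverse-path check quoted from ip-sysctl.txt in post 10. Addresses and masks are the thread's; the function names and comp3's interface name (eth0) are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None is "*" / 0.0.0.0: on-link
    iface: str


def connected(addr, mask, iface):
    """Direct route created when addr/mask is configured on iface."""
    return Route(ipaddress.IPv4Interface(f"{addr}/{mask}").network, None, iface)


def via(dest, gateway, iface):
    """Static network route through a gateway (route add -net ... gw ...)."""
    return Route(ipaddress.IPv4Network(dest), ipaddress.IPv4Address(gateway), iface)


def lookup(table, dst):
    """Longest-prefix match. Returns (output iface, IP whose MAC is ARPed for),
    or None when no route matches ("network unreachable")."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.dest]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.dest.prefixlen)
    next_hop = best.gateway if best.gateway is not None else dst
    return best.iface, str(next_hop)


def rp_filter_accepts(table, src, in_iface):
    """rp_filter=1 check: the route back to src must use the arrival iface."""
    hop = lookup(table, src)
    return hop is not None and hop[0] == in_iface


# comp3 as first described: mask 255.255.0.0, so comp1 looks on-link.
# The interface name eth0 on comp3 is an assumption.
COMP3_WRONG_MASK = [connected("192.168.67.9", "255.255.0.0", "eth0")]
# comp3 with mask 255.255.255.0 but no route to the other subnet yet.
COMP3_NO_ROUTE = [connected("192.168.67.9", "255.255.255.0", "eth0")]
# comp3 after: route add -net 192.168.0.0/24 gw 192.168.67.1
COMP3_FIXED = COMP3_NO_ROUTE + [via("192.168.0.0/24", "192.168.67.1", "eth0")]
# comp2, the forwarding host: eth1 faces comp1, eth0 faces comp3.
COMP2 = [connected("192.168.0.8", "255.255.255.0", "eth1"),
         connected("192.168.67.1", "255.255.255.0", "eth0")]

if __name__ == "__main__":
    for name, table in [("wrong mask", COMP3_WRONG_MASK),
                        ("no route", COMP3_NO_ROUTE),
                        ("fixed", COMP3_FIXED)]:
        print(f"comp3 ({name}) -> 192.168.0.1:", lookup(table, "192.168.0.1"))
    print("comp2 accepts src 192.168.67.9 on eth0:",
          rp_filter_accepts(COMP2, "192.168.67.9", "eth0"))
    print("comp2 accepts src 192.168.0.1 on eth0:",
          rp_filter_accepts(COMP2, "192.168.0.1", "eth0"))
```

With the 255.255.0.0 mask comp3 ARPs for 192.168.0.1 itself, which matches the tcpdump observation in post 4; with the corrected mask and the network route it ARPs for 192.168.67.1 instead.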
