HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Sub: cannot ping internal network (http://www.howtoforge.com/forums/showthread.php?t=30735)

tech.gsr 29th January 2009 07:48

Sub: cannot ping internal network
 
Hello
I am a new user to Linux, but in the last couple of months I have gained some idea about it.

I am trying to set up a small network in my office with 3 Windows XP PCs and two Fedora 10 PCs.

I have an ADSL router with a 4-port hub connecting to the internet.

One switch (say sw1) and one Linux PC (say linux1) are connected directly to the router; the three Win XP PCs are connected to switch sw1.

All of the above is working fine: I am able to connect to the Internet from all the systems, and able to network among all the above four.

Now I want to make linux1 a proxy server, hence I added another network card to it and connected it to another switch sw2, which is connected to another Linux PC (say linux2).

I have tried a hundred things, and googled an equal number, and finally I am posting it here.

In order to reduce confusion I have disabled DHCP on all machines and given static IPs instead.
NetworkManager was not happy about it, hence to fix my static IP I disabled NetworkManager ('chkconfig NetworkManager off').

                 /--winxp3
                /---winxp2
               /---winxp1
             sw1
            /
internet---router--(eth0)linux1(eth1)--sw2--(eth0)linux2


The above is a schematic of my network; sw1 and sw2 are 8-port switches.

All is well except there is no visibility between the two Linux systems linux1 and linux2.


This is the /etc/sysconfig/network-scripts/ifcfg-eth0 of linux1:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:e0:27:21:01:17
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
NM_CONTROLLED=no
USERCTL=no
PEERDNS=yes
MII_NOT_SUPPORTED=yes
DNS1=192.168.1.1 # where i found in /etc/resolv.conf


---------- This is the /etc/sysconfig/network-scripts/ifcfg-eth1 of linux1 ----------

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:1f:d0:32:29:a7
IPADDR=192.168.1.31
NETMASK=255.255.255.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=192.168.1.0
BROADCAST=192.168.1.255


---------- This is the ifconfig of linux1 ----------

eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8021 errors:0 dropped:0 overruns:0 frame:0
TX packets:9165 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4855236 (4.6 MiB) TX bytes:1716932 (1.6 MiB)
Interrupt:16 Memory:fa000000-fa0000ff

eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.1.31 Bcast:192.168.1.255 Mask:255.255.255.0

---------- (ditto) ----------

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18290 (17.8 KiB) TX bytes:18290 (17.8 KiB)

---------- This is the interfaces file from linux1 ----------

auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.255.255.0

auto eth0
iface eth0 inet static
address 192.168.1.3
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

auto eth1
iface eth1 inet static
address 192.168.1.31
netmask 255.255.255.0
broadcast 192.168.1.255

---------- This is iptables -L from linux1 ----------

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

---------- This is the /etc/sysconfig/network-scripts/ifcfg-eth0 of linux2 ----------

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:IF:D0:42:0D:90
IPADDR=192.168.1.7
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
GATEWAY=192.168.1.31
TYPE=Ethernet
NM_CONTROLLED=no
USERCTL=no
PEERDNS=yes
MII_NOT_SUPPORTED=yes
DNS1=192.168.1.1

---------- This is the interfaces file from linux2 ----------

auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.255.255.0

auto eth0
iface eth0 inet static
address 192.168.1.7
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.31

---------- This is the "nmap -sP 192.168.1.0-255" from linux1; I can see all the systems except linux2 ----------

Host 192.168.1.1 appears to be up.
MAC Address: xyz (Semindia Systems Private Limited)
Host localhost.server1 (192.168.1.3) appears to be up.
Host 192.168.1.9 appears to be up.
MAC Address: xyz (Giga-byte Technology Co.)
Host 192.168.1.12 appears to be up.
MAC Address: wyz (Giga-byte Technology Co.)
Host 192.168.1.55 appears to be up.
MAC Address: xyz (Giga-byte Technology Co.)
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.920 seconds



This is to inform you that I have disabled the firewall through the GUI ("Administration -> Firewall -> disabled").

I tried ping from linux1 to linux2 and vice versa with no success.

Setting up this proxy server is key to me; once this works I want to set up a firewall on linux1 and transfer all Win XP systems from sw1 to sw2.

I would be very glad if someone can guide me with this.

Best Regards

G S Reddy
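As an added sanity check on the ifcfg values quoted in the post above (example code, not from the thread): linux1 has eth0 at 192.168.1.3/24 and eth1 at 192.168.1.31/24, so both interfaces claim the same subnet. The script parses ifcfg-style KEY=VALUE files (contents constructed from the post) and flags interfaces on one host whose subnets overlap, plus gateways that are not on-link.

```python
import ipaddress

# ifcfg-* contents constructed from the values quoted in the post above
# (linux1 eth0, linux1 eth1, linux2 eth0); trailing '#' comments are stripped.
IFCFG_FILES = {
    "linux1/ifcfg-eth0": "DEVICE=eth0\nIPADDR=192.168.1.3\nNETMASK=255.255.255.0\nGATEWAY=192.168.1.1\n",
    "linux1/ifcfg-eth1": "DEVICE=eth1\nIPADDR=192.168.1.31\nNETMASK=255.255.255.0\n",
    "linux2/ifcfg-eth0": "DEVICE=eth0\nIPADDR=192.168.1.7\nNETMASK=255.255.255.0\nGATEWAY=192.168.1.31\n",
}

def parse_ifcfg(text):
    """Parse KEY=VALUE lines of a sysconfig ifcfg file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments like the DNS1 line
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def interface_of(cfg):
    """Address plus mask as an IPv4Interface, e.g. 192.168.1.3/24."""
    return ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")

def find_same_subnet(files):
    """Pairs of interfaces on one host whose subnets overlap.
    The kernel adds a connected route for each, but a lookup only ever
    uses the first match, so hosts behind the second interface are
    unreachable, which matches the symptom in this thread."""
    by_host = {}
    for path, text in files.items():
        host = path.split("/")[0]
        by_host.setdefault(host, []).append((path, interface_of(parse_ifcfg(text))))
    findings = []
    for host, ifaces in by_host.items():
        for i, (pa, ia) in enumerate(ifaces):
            for pb, ib in ifaces[i + 1:]:
                if ia.network.overlaps(ib.network):
                    findings.append((host, pa, pb, str(ia.network)))
    return findings

def gateway_on_link(cfg):
    """True if GATEWAY lies in the interface's own subnet; None if no GATEWAY."""
    if "GATEWAY" not in cfg:
        return None
    return ipaddress.IPv4Address(cfg["GATEWAY"]) in interface_of(cfg).network

if __name__ == "__main__":
    for host, a, b, net in find_same_subnet(IFCFG_FILES):
        print(f"{host}: {a} and {b} both sit in {net}")
```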

jeff_k 30th January 2009 03:07

Hi, you show that
iptables -L
on Linux1 is set up to allow all. But what about Linux 2? Is it set up in the same manner? It will need to allow the pings. Maybe it is already set up, I didn't see your output for iptables -L for Linux 2 (maybe I didn't look hard enough).

Here is a link that might help, it seems relevant:
http://www.cyberciti.biz/tips/linux-...icmp-ping.html

tech.gsr 30th January 2009 07:39

Quote:

Originally Posted by jeff_k (Post 166963)
Hi, you show that
iptables -L
on Linux1 is set up to allow all. But what about Linux 2? Is it set up in the same manner? It will need to allow the pings. Maybe it is already set up, I didn't see your output for iptables -L for Linux 2 (maybe I didn't look hard enough).

Here is a link that might help, it seems relevant:
http://www.cyberciti.biz/tips/linux-...icmp-ping.html

Hey Jeff, thanks for the link...
I tried with the link, but still there is no success, but I am confident I will reach my goal with your help.....

---------- Now my Linux1 iptables -L is ----------

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and

---------- My Linux2 iptables -L is ----------

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Let me know what could be the reason that I still can't see Linux2 and vice versa; still host unreachable.

Waiting for your reply.

jeff_k 30th January 2009 21:24

Hey tech.gsr, this is sort of a cop-out...
but rather than debugging this step by step, here's another thought.

I'd recommend, particularly for someone fairly new to linux, installing a gui firewall package (if you have a desktop linux setup, such as gnome or kde). In that case, I can guarantee you will be able to not only get the boxes to ping each other, but you will be able to enable and disable pings at the check of a box. My preference is firestarter; although it has not had any active development for a while, it works fine for me. Here is a link to install it on fedora:

http://www.techotopia.com/index.php/...Linux_Firewall

Install it (on both linux boxes), and there is a checkbox for allowing/disallowing pings in the menus. You can also open up any ports you want, etc. Also, if you don't like using the package, you can use it to produce your iptables rules, and then you can set up a startup script for iptables, and not need the gui frontend. That way, you can see what is actually needed to enable pings.

Will a gui firewall frontend to iptables work for you? This is what firestarter is. It also has some nice features -- you can monitor all active connections to the box, etc.

If you are purposely avoiding a gnome/kde desktop, or a gui firewall interface, then back to the drawing board.
Cheers...

tech.gsr 2nd February 2009 05:57

Quote:

Originally Posted by jeff_k (Post 167123)
Hey tech.gsr, this is sort of a cop-out...
but rather than debugging this step by step, here's another thought.

I'd recommend, particularly for someone fairly new to linux, installing a gui firewall package (if you have a desktop linux setup, such as gnome or kde). In that case, I can guarantee you will be able to not only get the boxes to ping each other, but you will be able to enable and disable pings at the check of a box. My preference is firestarter, although it has not had any active development for awhile, it works fine for me. Here is a link to install it on fedora:

http://www.techotopia.com/index.php/...Linux_Firewall

Install it (on both linux boxes), and there is a checkbox for allowing/disallowing pings in the menus. You can also open up any ports you want, etc. Also, if you don't like using the package, you can use it to produce your iptables rules, and then you can set up a startup script for iptables, and not need the gui frontend. That way, you can see what is actually needed to enable pings.

Will a gui firewall frontend to iptables work for you? This is what firestarter is. It also has some nice features -- you can monitor all active connections to the box, etc.

If you are purposely avoiding a gnome/kde desktop, or a gui firewall interface, then back to the drawing board.
Cheers...


Hey Jeff,

As per your opinion I installed firestarter on both PCs (Linux1 and Linux2); I already configured firestarter on both, but I am not sure whether I did it correctly.

On Linux2, when I tell firestarter to start, the error encountered is "Failed to start the Firewall..... The device pan0 is not ready".

I think I did not set the proper device setting, and that is the reason why I am not able to connect my Linux2, as I am using Firestarter for the first time.

jeff_k 2nd February 2009 21:26

tech.gsr, on Linux2, you can check the output of the command:
ifconfig
that should tell you what interfaces you have on Linux2.
You only need to configure firestarter for eth0, it sounds like you are also configuring it for a bluetooth device. There is a wizard in firestarter, did you use that to set up Linux2?
Also, if I understand your setup correctly, you do not need to set up IP forwarding or NAT on Linux2. The more complicated setup is on Linux1; is it set up OK now?

Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? Firestarter should work fine for this, it is how I have my home network configured.

tech.gsr 3rd February 2009 11:49

cannot ping internal network
 
Quote:

Originally Posted by jeff_k (Post 167457)
tech.gsr, on Linux2, you can check the output of the command:
ifconfig
that should tell you what interfaces you have on Linux2.
You only need to configure firestarter for eth0, it sounds like you are also configuring it for a bluetooth device. There is a wizard in firestarter, did you use that to set up Linux2?
Also, if I understand your setup correctly, you do not need to set up IP forwarding or NAT on Linux2. The more complicated setup is on Linux1; is it set up OK now?

Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? Firestarter should work fine for this, it is how I have my home network configured.



Hey Jeff,

-------------------------------------
internet--->Router----> |eth0(DHCP)----Linux1----eth1 |--------> eth0 Linux2
--------------------------------------
For the external device (usually eth0):

* Enable dynamic IP configuration (DHCP)

The internal device (usually eth1):

* Disable dynamic IP configuration
* IP address: 192.168.2.3
* Netmask: 255.255.255.0

---------- # ifconfig ----------

eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7417 errors:0 dropped:0 overruns:0 frame:0
TX packets:9756 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5027831 (4.7 MiB) TX bytes:1574260 (1.5 MiB)
Interrupt:16 Memory:fa000000-fa0000ff

eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.2.3 Bcast:192.168.2.3 Mask:255.255.255.255
inet6 addr: fe80::21f:d0ff:fe32:29a7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:881 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:99105 (96.7 KiB) TX bytes:6897 (6.7 KiB)
Interrupt:20

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:976 (976.0 b) TX bytes:976 (976.0 b)

---------- Now configuring the clients ----------

If I configure Linux2 eth0 as DHCP it is unable to get an address, even though the status of "dhcpd" is running on Linux1; on Linux2 I keep getting the error "Determining IP information for eth0 is failed......"

If I configure a static IP on Linux2 the wired connection is established, but there is no networking, no internet, no ping to 192.168.1.1, 192.168.1.4 etc....

Can you tell me what the problem is? Either I did not configure Linux1 eth1 properly, or is there some other problem??

Even though I started with Firestarter, there is nowhere to configure any bluetooth device, but still pan0 is activated; I also tried the link "http://www.techotopia.com/index.php/...Linux_Firewall" with still no success. I really apologise for my limited knowledge of networking, but I need to solve this issue......

Regards

slims.
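As an added check on the ifconfig output quoted above (example code, not from the thread): eth1 on Linux1 shows Mask:255.255.255.255 with Bcast:192.168.2.3, a host-only /32, so no client on that wire is on-link and a Linux2 pointing its gateway at 192.168.2.3 cannot reach it. The parser below reads the old-style ifconfig format (sample constructed from the quoted lines) and reports what a LAN-facing interface should look like instead; the expected /24 prefix is an assumption taken from the netmask entered in the wizard.

```python
import ipaddress
import re

# ifconfig output constructed from the lines quoted in the post above (Linux1).
IFCONFIG_OUTPUT = """\
eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.2.3 Bcast:192.168.2.3 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
"""

# "inet addr:A Bcast:B Mask:M" (Bcast is absent on loopback)
INET_RE = re.compile(r"inet addr:(\S+)(?:\s+Bcast:(\S+))?\s+Mask:(\S+)")

def parse_ifconfig(text):
    """Return {name: IPv4Interface} for every block that carries an IPv4 address."""
    result = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        name = lines[0].split()[0]          # interface name starts the block
        for line in lines[1:]:
            m = INET_RE.search(line)
            if m:
                result[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(3)}")
    return result

def check_lan_interface(ifaces, name, expected_prefix=24):
    """List what is wrong with an interface meant to serve a LAN.
    A /32 covers only the host's own address: no neighbour is on-link,
    so clients using this address as their gateway get no answer."""
    iface = ifaces[name]
    problems = []
    if iface.network.prefixlen == 32:
        problems.append("host-only mask 255.255.255.255: no other host is on-link")
    if iface.network.prefixlen != expected_prefix:
        fixed = ipaddress.IPv4Interface(f"{iface.ip}/{expected_prefix}")
        problems.append(f"expected {fixed.with_netmask} with broadcast "
                        f"{fixed.network.broadcast_address}")
    return problems

if __name__ == "__main__":
    ifaces = parse_ifconfig(IFCONFIG_OUTPUT)
    for name, iface in ifaces.items():
        print(name, iface.with_netmask)
    print("eth1:", check_lan_interface(ifaces, "eth1"))
```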

jeff_k 3rd February 2009 21:20

tech.gsr, there are a few things to sort out...

Right now, it appears that you have Linux1 running DHCP for clients on the eth0 interface. This means any boxes that are connected to a switch connected to eth0 that are set up to allow their IP address to be assigned by a DHCP server will get assigned an IP address. Right now, according to ifconfig, you do not have DHCP running on the eth1 interface. This is why Linux2 is not able to get an IP address. dhcpd in linux runs on the interface or interfaces that you define in the config file, and right now it is only set up to run on eth0 of Linux1. You should be able to have it run on eth1 as well as eth0, or you could set it up to only run on eth1, if it is not serving up IP addresses to clients on eth0.

I believe that you have Linux2 configured to get its IP address from a DHCP server. However, eth0 of Linux2 is connected to eth1 of Linux1, and this interface needs to be providing DHCP if you want Linux2 to get an IP address in this manner. The thing to consider is that networking is set up to work on only one interface at a time, until you set up routes to bridge the interfaces. If you are planning on having more than one machine connected to eth1 of Linux1, then set up dhcpd to serve eth1 for the 192.168.2.x subnet. When this is set up, when you run ifconfig on Linux1, you will see that the broadcast address will be 192.168.2.255, with a subnet mask of 255.255.255.0 (this means it can talk to any IP address in the 192.168.2.x subnet). Once your DHCP server is set up for that subnet, then Linux2 (or any other box connected to eth1) will be able to get an IP address assigned.

In the firestarter menus, I believe you should be able to check whether you want it to enable the DHCP server for a given address (I am not where I can confirm this at the moment). Also, in the menus, you have the ability to identify which interfaces you want it to manage, and you want to make sure that you do not enable "pan0" as one to manage, or else firestarter may not start (since it cannot configure the firewall rules for this interface properly).

I think that your configuration is a bit unusual; you could set up a small network to use a Linux box as the router and NAT (network address translation). You appear to be trying to do this twice (perhaps, I am not sure your exact goal). Here is my setup:
internet (cable modem)<-->eth1--Linux1--eth2<-->switch<-->multiple PCs

Linux1 is set up to provide NAT and DHCP services (among other things). I get a single IP address to the outside world from my ISP: to the internet, I appear as 1.2.3.4 (for example). My internal network is 192.168.0.x. Each PC has an IP address, assigned by Linux1 via eth2. Linux1 has an IP address on that subnet of 192.168.0.101.
If I try to ping a machine outside my network, for example if 192.168.0.102 tries to ping www.google.com, my NAT routes the ping request from eth2 to eth1 and outward, but it appears as if it is coming from 1.2.3.4. It does this because the firewall is performing a NAT of 192.168.0.102 to 1.2.3.4, and when (if) the ping comes back from google, then it will go to the eth1 interface toward 1.2.3.4, and the firewall will know to translate and route that back to 192.168.0.102.

In order for your ping to work, you will need to add routes for your various subnets, to make sure that you can actually traverse the path you are intending to traverse. You do this with the 'route add' command, but before going there, I go back to my previous question:
Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? That would become much simpler than what you have set up, because right now you have a router which is performing NAT, and you could get rid of that entirely and not have that extra layer in your network path to the internet.
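As an added model of the NAT behaviour described above (example code, not from the thread): a minimal source-NAT table for ICMP echo that rewrites an internal (source, id) pair to the public address on the way out and reverses it for the reply, using the addresses from the explanation (192.168.0.x inside, 1.2.3.4 outside); 203.0.113.5 is a constructed stand-in for the external host being pinged.

```python
import ipaddress

# Constructed to match the explanation above: internal 192.168.0.0/24 behind
# public address 1.2.3.4; 203.0.113.5 stands in for the external host.
PUBLIC_IP = "1.2.3.4"
INTERNAL_NET = ipaddress.IPv4Network("192.168.0.0/24")

class IcmpNat:
    """Source-NAT table for ICMP echo, as the firewall does for eth2 -> eth1."""

    def __init__(self, public_ip, internal_net):
        self.public_ip = public_ip
        self.internal_net = internal_net
        self.table = {}     # external id -> (internal src, internal id, dst)
        self.next_id = 1

    def outbound(self, src, icmp_id, dst):
        """Echo request leaving the LAN: return (public ip, external id)."""
        if ipaddress.IPv4Address(src) not in self.internal_net:
            raise ValueError(f"{src} is not on the internal subnet")
        for ext_id, entry in self.table.items():   # reuse an existing mapping
            if entry == (src, icmp_id, dst):
                return self.public_ip, ext_id
        ext_id = self.next_id                       # unique even if two hosts pick the same id
        self.next_id += 1
        self.table[ext_id] = (src, icmp_id, dst)
        return self.public_ip, ext_id

    def inbound(self, reply_src, icmp_id):
        """Echo reply arriving for PUBLIC_IP: translate back to the internal
        (src, id), or return None (drop) when nobody inside asked for it."""
        entry = self.table.get(icmp_id)
        if entry is None or entry[2] != reply_src:
            return None
        src, inner_id, _ = entry
        return src, inner_id

def demo():
    """Two LAN hosts pinging with the same ICMP id, then three replies."""
    nat = IcmpNat(PUBLIC_IP, INTERNAL_NET)
    a = nat.outbound("192.168.0.102", 7, "203.0.113.5")
    b = nat.outbound("192.168.0.103", 7, "203.0.113.5")
    return (a, b,
            nat.inbound("203.0.113.5", 1),
            nat.inbound("203.0.113.5", 2),
            nat.inbound("203.0.113.5", 99))       # unsolicited: dropped

if __name__ == "__main__":
    for step in demo():
        print(step)
```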

jeff_k 5th February 2009 06:29

I checked, firestarter is only set up to configure as a DHCP server on one interface.

tech.gsr, my recommendation to try, it should solve your problems:
- dump your router.
- at least temporarily, if pan0 represents a removable bluetooth device, remove it or power it off, so that it does not interfere with firestarter configuration.
- connect network as follows:
---internet<--> eth0--Linux1--eth1<---->sw1<--->eth0--Linux2
you can also connect other PCs to sw1.

Configure firestarter on Linux1:
- eth0 is configured for ip address assigned with DHCP (assuming you get assigned an IP address dynamically from your ISP).
Configure firestarter for internet connection sharing on eth1, and also as a DHCP server. You can follow
this link: http://www.fs-security.com/docs/wizard.php
All of your devices connected to sw1 will get their IP address from Linux1, and access the internet through NAT through Linux1. Make sure you are careful to keep ports closed on eth0, since this is your firewall to the internet. Firestarter will allow you to control which (if any) ports are open on eth0.
Allow pings via the pulldown menu if you want.

Configure firestarter on Linux2:
- eth0 ip address is assigned via DHCP. Make sure to allow pings. Open any ports you want. You should be done... try to open a web browser and access the internet.

Cheers

