#1
29th January 2009, 07:48
tech.gsr
Sub: cannot ping internal network

Hello
I am a new user to Linux, but in the last couple of months I have gained some idea about it.

I am trying to set up a small network in my office having 3 Windows XP PCs and two Fedora 10 PCs.

I have an ADSL router with a 4-port hub connecting to the internet.

One switch (say sw1) and one Linux PC (say linux1) are connected directly to the router; the three Win XP PCs are connected to switch sw1.

All of the above is working fine: I am able to connect to the internet on all the systems, and able to network among all the above four.

Now I want to make linux1 a proxy server, hence I added another network card to it and connected it to another switch, sw2, which is connected to another Linux PC (say linux2).

I have tried a hundred things, and googled an equal number, and am finally posting it here.

In order to reduce confusion I have disabled DHCP on all machines, and given static IPs instead.
NetworkManager was not happy about it, hence to fix my static IP I disabled NetworkManager ('chkconfig NetworkManager off').

                   /--winxp3
                  /---winxp2
                 /---winxp1
              sw1
             /
internet---router--(eth0)linux1(eth1)--sw2--(eth0)linux2


The above is a schematic of my network; sw1 and sw2 are 8-port switches.

All is well except there is no visibility between the two Linux systems, linux1 and linux2.


this is the /etc/sysconfig/network-scripts/ifcfg-eth0, of linux1

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:e0:27:21:01:17
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
GATEWAY=192.168.1.1
TYPE=Ethernet
NM_CONTROLLED=no
USERCTL=no
PEERDNS=yes
MII_NOT_SUPPORTED=yes
DNS1=192.168.1.1 # where i found in /etc/resolv.conf


this is the -------/etc/sysconfig/network-scripts/ifcfg-eth1, of linux1-------

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:1f:d0:32:29:a7
IPADDR=192.168.1.31
NETMASK=255.255.255.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=192.168.1.0
BROADCAST=192.168.1.255


------------this is the ifconfig of linux1--------------

eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8021 errors:0 dropped:0 overruns:0 frame:0
TX packets:9165 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4855236 (4.6 MiB) TX bytes:1716932 (1.6 MiB)
Interrupt:16 Memory:fa000000-fa0000ff

eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.1.31 Bcast:192.168.1.255 Mask:255.255.255.0

--------------- do------------------

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:95 errors:0 dropped:0 overruns:0 frame:0
TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18290 (17.8 KiB) TX bytes:18290 (17.8 KiB)

--------- this is interface from linux1 ---------

auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.255.255.0

auto eth0
iface eth0 inet static
address 192.168.1.3
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

auto eth1
iface eth1 inet static
address 192.168.1.31
netmask 255.255.255.0
broadcast 192.168.1.255

----------this is iptables -L from linux1--------

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

----------this is the /etc/sysconfig/network-scripts/ifcfg-eth0, of linux2-------

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:IF0:42:0D:90
IPADDR=192.168.1.7
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
GATEWAY=192.168.1.31
TYPE=Ethernet
NM_CONTROLLED=no
USERCTL=no
PEERDNS=yes
MII_NOT_SUPPORTED=yes
DNS1=192.168.1.1

-------this is interface from linux2--------

auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.255.255.0

auto eth0
iface eth0 inet static
address 192.168.1.7
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.31

------this is the "nmap -sP 192.168.1.0-255" from linux1 I can see all the systems except linux2

Host 192.168.1.1 appears to be up.
MAC Address: xyz (Semindia Systems Private Limited)
Host localhost.server1 (192.168.1.3) appears to be up.
Host 192.168.1.9 appears to be up.
MAC Address: xyz (Giga-byte Technology Co.)
Host 192.168.1.12 appears to be up.
MAC Address: wyz (Giga-byte Technology Co.)
Host 192.168.1.55 appears to be up.
MAC Address: xyz (Giga-byte Technology Co.)
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.920 seconds



This is to inform you that I have disabled the firewall through the GUI "Administration----Firewall-----disabled".



I tried ping from linux1 to linux2 and vice versa with no success.


Setting up this proxy server is key to me; once this works I want to set up a firewall on linux1 and transfer all the Win XP systems from sw1 to sw2.


I WOULD BE VERY GLAD IF SOMEONE CAN GUIDE ME WITH THIS.

Best Regards

G S Reddy

#2
30th January 2009, 03:07
jeff_k

Hi, you show that
iptables -L
on Linux1 is set up to allow all. But what about Linux 2? Is it set up in the same manner? It will need to allow the pings. Maybe it is already set up, I didn't see your output for iptables -L for Linux 2 (maybe I didn't look hard enough).

Here is a link that might help, it seems relevant:
http://www.cyberciti.biz/tips/linux-...icmp-ping.html

#3
30th January 2009, 07:39
tech.gsr

Quote:
Originally Posted by jeff_k View Post
Hi, you show that
iptables -L
on Linux1 is set up to allow all. But what about Linux 2? Is it set up in the same manner? It will need to allow the pings. Maybe it is already set up, I didn't see your output for iptables -L for Linux 2 (maybe I didn't look hard enough).

Here is a link that might help, it seems relevant:
http://www.cyberciti.biz/tips/linux-...icmp-ping.html

Hey Jeff, thanks for the link...
I tried with the link, but still there is no success, but I am confident I will reach my goal with your help.....

----------now my Linux1 iptables -L is

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and

--------my Linux2 iptables -L is

chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

chain OUTPUT (policy ACCEPT)
target prot opt source destination

Let me know what could be the reason that I still can't see Linux 2 and vice versa; it is still host unreachable.

waiting for your reply

#4
30th January 2009, 21:24
jeff_k

Hey tech.gsr, this is sort of a cop-out...
but rather than debugging this step by step, here's another thought.

I'd recommend, particularly for someone fairly new to linux, installing a gui firewall package (if you have a desktop linux setup, such as gnome or kde). In that case, I can guarantee you will be able to not only get the boxes to ping each other, but you will be able to enable and disable pings at the check of a box. My preference is firestarter, although it has not had any active development for awhile, it works fine for me. Here is a link to install it on fedora:

http://www.techotopia.com/index.php/...Linux_Firewall

Install it (on both linux boxes), and there is a checkbox for allowing/disallowing pings in the menus. You can also open up any ports you want, etc. Also, if you don't like using the package, you can use it to produce your iptables rules, and then you can set up a startup script for iptables, and not need the gui frontend. That way, you can see what is actually needed to enable pings.

Will a gui firewall frontend to iptables work for you? This is what firestarter is. It also has some nice features -- you can monitor all active connections to the box, etc.

If you are purposely avoiding a gnome/kde desktop, or a gui firewall interface, then back to the drawing board.
Cheers...

#5
2nd February 2009, 05:57
tech.gsr

Quote:
Originally Posted by jeff_k View Post
Hey tech.gsr, this is sort of a cop-out...
but rather than debugging this step by step, here's another thought.

I'd recommend, particularly for someone fairly new to linux, installing a gui firewall package (if you have a desktop linux setup, such as gnome or kde). In that case, I can guarantee you will be able to not only get the boxes to ping each other, but you will be able to enable and disable pings at the check of a box. My preference is firestarter, although it has not had any active development for awhile, it works fine for me. Here is a link to install it on fedora:

http://www.techotopia.com/index.php/...Linux_Firewall

Install it (on both linux boxes), and there is a checkbox for allowing/disallowing pings in the menus. You can also open up any ports you want, etc. Also, if you don't like using the package, you can use it to produce your iptables rules, and then you can set up a startup script for iptables, and not need the gui frontend. That way, you can see what is actually needed to enable pings.

Will a gui firewall frontend to iptables work for you? This is what firestarter is. It also has some nice features -- you can monitor all active connections to the box, etc.

If you are purposely avoiding a gnome/kde desktop, or a gui firewall interface, then back to the drawing board.
Cheers...

Hey Jeff,

As per your opinion, I have installed firestarter on both PCs (Linux1 and Linux2). I already configured firestarter on both, but I am not sure whether I did it correctly.

On Linux2, when I tell firestarter to start, the error encountered is "Failed to start the Firewall..... The device pan0 is not ready".

I think I did not set the proper device setting, and that is the reason why I am not able to connect my Linux2, as I am using Firestarter for the first time.

#6
2nd February 2009, 21:26
jeff_k

tech.gsr, on Linux2, you can check the output of the command:
ifconfig
that should tell you what interfaces you have on Linux2.
You only need to configure firestarter for eth0, it sounds like you are also configuring it for a bluetooth device. There is a wizard in firestarter, did you use that to set up Linux2?
Also, if I understand your setup correctly, you do not need to set up IP forwarding or NAT on Linux2. The more complicated setup is on Linux1; is it set up OK now?

Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? Firestarter should work fine for this, it is how I have my home network configured.

#7
3rd February 2009, 11:49
tech.gsr
cannot ping internal network

Quote:
Originally Posted by jeff_k View Post
tech.gsr, on Linux2, you can check the output of the command:
ifconfig
that should tell you what interfaces you have on Linux2.
You only need to configure firestarter for eth0, it sounds like you are also configuring it for a bluetooth device. There is a wizard in firestarter, did you use that to set up Linux2?
Also, if I understand your setup correctly, you do not need to set up IP forwarding or NAT on Linux2. The more complicated setup is on Linux1; is it set up OK now?

Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? Firestarter should work fine for this, it is how I have my home network configured.


Hey Jeff,

-------------------------------------
internet--->Router----> |eth0(DHCP)----Linux1----eth1 |--------> eth0 Linux2
--------------------------------------
For the external device (usually eth0):

* Enable dynamic IP configuration (DHCP)

The internal device (usually eth1):

* Disable dynamic IP configuration
* IP address: 192.168.2.3
* Netmask: 255.255.255.0

----------#ifconfig-------------

eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:27ff:fe21:117/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7417 errors:0 dropped:0 overruns:0 frame:0
TX packets:9756 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5027831 (4.7 MiB) TX bytes:1574260 (1.5 MiB)
Interrupt:16 Memory:fa000000-fa0000ff

eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.2.3 Bcast:192.168.2.3 Mask:255.255.255.255
inet6 addr: fe80::21f:d0ff:fe32:29a7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:881 errors:0 dropped:0 overruns:0 frame:0
TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:99105 (96.7 KiB) TX bytes:6897 (6.7 KiB)
Interrupt:20

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:976 (976.0 b) TX bytes:976 (976.0 b)

Now Configuring the clients------

If I configure Linux 2 eth0 as DHCP, I am unable to do so, even though the status of "dhcpd" is running on Linux1. On Linux2 I get the error "Determining IP information for eth0 is failed......"

If I configure a static IP on Linux 2, the wired connection will establish, but there will be no networking, no internet, no ping for 192.168.1.1, 192.168.1.4 etc....

Can you tell me what the problem could be? Either I did not configure Linux eth1 properly, or is there any other problem??

Even when I started with Firestarter, there is nowhere to configure any bluetooth device, but still pan0 is activated, and I tried with the link "http://www.techotopia.com/index.php/...Linux_Firewall" with still no success. I really apologise for my lack of knowledge of networking, but I need to solve this issue......

Regards

slims.

Last edited by tech.gsr; 3rd February 2009 at 11:56.

#8
3rd February 2009, 21:20
jeff_k

tech.gsr, there are a few things to sort out...

Right now, it appears that you have Linux1 running DHCP for clients on the eth0 interface. This means any boxes that are connected to a switch connected to eth0 that are set up to allow their IP address to be assigned by a DHCP server will get assigned an IP address. Right now, according to ifconfig, you do not have DHCP running on the eth1 interface. This is why Linux2 is not able to get an IP address. dhcpd in linux runs on the interface or interfaces that you define in the config file, and right now it is only set up to run on eth0 of Linux1. You should be able to have it run on eth1 as well as eth0, or you could set it up to only run on eth1, if it is not serving up IP addresses to clients on eth0.

I believe that you have Linux2 configured to get its IP address from a DHCP server. However, eth0 of Linux2 is connected to eth1 of Linux1, and this interface needs to be providing DHCP if you want Linux2 to get an IP address in this manner. The thing to consider is that networking is set up to work on only one interface at a time, until you set up routes to bridge the interfaces. If you are planning on having more than one machine connected to eth1 of Linux1, then set up dhcpd to serve eth1 for the 192.168.2.x subnet. When this is set up, when you run ifconfig on Linux1, you will see that the broadcast address will be 192.168.2.255, with a subnet mask of 255.255.255.0 (this means it can talk to any IP address in the 192.168.2.x subnet). Once your DHCP server is set up for that subnet, then Linux2 (or any other box connected to eth1) will be able to get an IP address assigned.

In the firestarter menus, I believe you should be able to check whether you want it to enable the DHCP server for a given address (I am not where I can confirm this at the moment). Also, in the menus, you have the ability to identify which interfaces you want it to manage, and you want to make sure that you do not enable "pan0" as one to manage, or else firestarter may not start (since it cannot configure the firewall rules for this interface properly).

I think that your configuration is a bit unusual; you could set up a small network to use a Linux box as the router and NAT (network address translation). You appear to be trying to do this twice (perhaps, I am not sure your exact goal). Here is my setup:
internet (cable modem)<-->eth1--Linux1--eth2<-->switch<-->multiple PCs

Linux1 is set up to provide NAT and DHCP services (among other things). I get a single IP address to the outside world from my ISP: to the internet, I appear as 1.2.3.4 (for example). My internal network is 192.168.0.x. Each PC has an IP address, assigned by Linux1 via eth2. Linux1 has an IP address on that subnet of 192.168.0.101.
If I try to ping a machine outside my network, for example if 192.168.0.102 tries to ping www.google.com, my NAT routes the ping request from eth2 to eth1 and outward, but it appears as if it is coming from 1.2.3.4. It does this because the firewall is performing a NAT of 192.168.0.102 to 1.2.3.4, and when (if) the ping comes back from google, then it will go to the eth1 interface toward 1.2.3.4, and the firewall will know to translate and route that back to 192.168.0.102.

In order for your ping to work, you will need to add routes for your various subnets, to make sure that you can actually traverse the path you are intending to traverse. You do this with the 'route add' command, but before going there, I go back to my previous question:
Is your plan to use Linux1 as your firewall/router and move your Win XP boxes to the subnet connected to eth1? That would become much simpler than what you have set up, because right now you have a router which is performing NAT, and you could get rid of that entirely and not have that extra layer in your network path to the internet.
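
Added example, not part of the thread or written by either poster: a small Python check run over linux1's ifconfig address lines from posts #1 and #7. It flags two NICs that claim the same subnet (post #1) and the 255.255.255.255 mask on eth1 (post #7) that the 255.255.255.0 mask described in post #8 replaces. The address 192.168.2.7 for linux2 and the FIXED sample are assumptions constructed for illustration.

```python
import ipaddress
import re

# Address lines excerpted from linux1's ifconfig output as quoted in the thread.
POST1 = """\
eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.1.31 Bcast:192.168.1.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
"""
POST7 = """\
eth0 Link encap:Ethernet HWaddr 00:E0:27:21:01:17
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:1F:D0:32:29:A7
inet addr:192.168.2.3 Bcast:192.168.2.3 Mask:255.255.255.255
"""
# Constructed: POST7 with eth1 set to the mask and broadcast named in post #8.
FIXED = POST7.replace("Bcast:192.168.2.3 Mask:255.255.255.255",
                      "Bcast:192.168.2.255 Mask:255.255.255.0")

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
INET_RE = re.compile(r"inet addr:(\S+).*\bMask:(\S+)")

def parse_ifconfig(text):
    """Map interface name -> IPv4Interface from net-tools style ifconfig output."""
    found, current = {}, None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        inet = INET_RE.search(line)
        if inet and current:
            found[current] = ipaddress.ip_interface("/".join(inet.groups()))
    return found

def diagnose(text, peer):
    """Return (code, detail) findings explaining why `peer` may be unreachable."""
    nics = {n: i for n, i in parse_ifconfig(text).items() if not i.ip.is_loopback}
    names = sorted(nics)
    findings = []
    for name in names:
        if nics[name].network.prefixlen == 32:
            findings.append(("host-mask", f"{name} has a /32 mask: nothing is on-link"))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nics[a].network.overlaps(nics[b].network):
                findings.append(("overlap", f"{a} and {b} both claim {nics[a].network}"))
    target = ipaddress.ip_address(peer)
    onlink = [n for n in names
              if nics[n].network.prefixlen < 32 and target in nics[n].network]
    if len(onlink) > 1:
        findings.append(("ambiguous", f"{peer} is on-link via {', '.join(onlink)}"))
    elif not onlink:
        findings.append(("off-link", f"{peer} is on no connected subnet"))
    return findings

if __name__ == "__main__":
    # 192.168.2.7 is an assumed post-#7 address for linux2 (not given in the thread).
    for text, peer in ((POST1, "192.168.1.7"), (POST7, "192.168.2.7"), (FIXED, "192.168.2.7")):
        print(peer, diagnose(text, peer) or "no addressing problem found")
```

An empty result only means the addressing is consistent; firewall rules and cabling still have to be checked separately.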

#9
5th February 2009, 06:29
jeff_k

I checked, firestarter is only set up to configure as a DHCP server on one interface.

tech.gsr, my recommendation to try, it should solve your problems:
- dump your router.
- at least temporarily, if pan0 represents a removable bluetooth device, remove it or power it off, so that it does not interfere with firestarter configuration.
- connect network as follows:
---internet<--> eth0--Linux1--eth1<---->sw1<--->eth0--Linux2
you can also connect other PCs to sw1.

Configure firestarter on Linux1:
- eth0 is configured for ip address assigned with DHCP (assuming you get assigned an IP address dynamically from your ISP).
Configure firestarter for internet connection sharing on eth1, and also as a DHCP server. You can follow
this link: http://www.fs-security.com/docs/wizard.php
All of your devices connected to sw1 will get their IP address from Linux1, and access the internet through NAT through Linux1. Make sure you are careful to keep ports closed on eth0, since this is your firewall to the internet. Firestarter will allow you to control which (if any) ports are open on eth0.
Allow pings via the pulldown menu if you want.

Configure firestarter on Linux2:
-eth0 ip address is assigned via DHCP. Make sure to allow pings. Open any ports you want. You should be done... try to open a web browser and access the internet.

Cheers