| Author |
Message |
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Mon Jul 21, 2008 11:45 am Post subject: help, linode with Private IP act as gateway fail!! |
|
|
first linode:
iface eth0 inet static
address 207.192.*.*
netmask 255.255.255.0
gateway 207.192.72.1
iface eth1 inet static
address 192.168.133.*
netmask 255.255.128.0
echo 1 >/proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
result is 1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j SNAT --to-source 207.192.*.*(first public ip)
secenod linode:
iface eth0 inet static
address 207.192.*.*
netmask 255.255.255.0
gateway 207.192.72.1
iface eth1 inet static
address 192.168.133.*
netmask 255.255.128.0
route add -net 192.168.128.0/17 gw 192.168.133.*(first private ip)
Below is the route table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
207.192.73.0 * 255.255.255.0 U 0 0 0 eth0
192.168.128.0 192.168.133.* 255.255.128.0 UG 0 0 0 eth1
192.168.128.0 * 255.255.128.0 U 0 0 0 eth1
default gateway37.linod 0.0.0.0 UG 0 0 0 eth0
>>>>This explains that route and gateway is right
ping first-private-ip is ok
ping 207.192.72.1 -I eth1 is ok
traceroute 207.192.72.1 ok
traceroute -i eth0 207.192.72.1 ok
traceroute -i eth1 207.192.72.1 fail
>>>>This explains that Private IP act as gateway for another Private ip has fail!!
>>>>can anybody help me? |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Mon Jul 21, 2008 11:58 am Post subject: iptables --list -t nat |
|
|
in first lindo
iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
nat_in 0 -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nat_out 0 -- anywhere anywhere
eth0_masq 0 -- anywhere anywhere
SNAT 0 -- 192.168.128.0/17 anywhere to:207.192.72.*(my ip)
MASQUERADE 0 -- 192.168.128.0/17 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain eth0_masq (1 references)
target prot opt source destination
MASQUERADE 0 -- 192.168.128.0/17 anywhere policy match dir out pol none
Chain nat_in (1 references)
target prot opt source destination
DNAT 0 -- anywhere li36-35.members.linode.com policy match dir in pol none to:192.168.133.*
Chain nat_out (1 references)
target prot opt source destination
SNAT 0 -- 192.168.133.* anywhere policy match dir out pol none to:207.192.72.* |
|
| Back to top |
|
nabber00
Joined: 02 Dec 2007
Posts: 24
|
| Posted: Wed Jul 23, 2008 1:45 pm Post subject: |
|
|
It might help if you explain what you are trying to do with this configuration. And what does your failed traceroute actually output?
My guess is that right now traceroute just fails because it can't find a route in your routing table. When you specify -i eth1 that limits you to:
192.168.128.0 192.168.133.* 255.255.128.0 UG 0 0 0 eth1
192.168.128.0 * 255.255.128.0 U 0 0 0 eth1
Since your destination address is not in the 192.168 subnet it will fail. My guess is you want to specify a secondary default gateway using eth1 and your 192.168 gateway address. |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Wed Jul 23, 2008 1:54 pm Post subject: |
|
|
| i have disable public ip on second lindo's eth0,defaulu gateway is first linode's private ip,but cant not ping ,traceroute is fail too. |
|
| Back to top |
|
nabber00
Joined: 02 Dec 2007
Posts: 24
|
| Posted: Wed Jul 23, 2008 3:20 pm Post subject: |
|
|
| Can you give us a routing table update then? |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Wed Jul 23, 2008 3:26 pm Post subject: |
|
|
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.128.0 * 255.255.128.0 U 0 0 0 eth1
default 192.168.133.20 0.0.0.0 UG 0 0 0 eth1 |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Wed Jul 23, 2008 3:27 pm Post subject: |
|
|
| I ssh to second lindo through first lindo. |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Wed Jul 23, 2008 3:29 pm Post subject: |
|
|
i make it success very easy on my pc.that only need "apt get install ipmasq" ,
i study the iptables -L result careful? i believe my lindo's iptables'configure is correct.
i have ifconfig down eth0 ,only eth1 is up.
tcpdump record only dispay "arp who has..,reply to...",
is lindo's private network something about arp is disabled? |
|
| Back to top |
|
nabber00
Joined: 02 Dec 2007
Posts: 24
|
| Posted: Wed Jul 23, 2008 10:10 pm Post subject: |
|
|
I just use a one-liner when I do NAT, you might want to try just this to start:
iptables --table nat --append POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
Also you should probably trying turning off all of your iptables NAT stuff and see if you can to a normal ping between linodes. If that doesn't work, NAT won't work for sure. |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Fri Jul 25, 2008 9:38 am Post subject: |
|
|
i have give up.
this is a easy thing in a linux server,but in linode ,it can not.
i ensure there is something is disabled in lindo's private network. |
|
| Back to top |
|
bdonlan
Joined: 22 Jan 2008
Posts: 67
|
| Posted: Fri Jul 25, 2008 12:12 pm Post subject: |
|
|
For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.
If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to. |
|
| Back to top |
|
kotter
Joined: 21 Jul 2008
Posts: 8
|
| Posted: Fri Jul 25, 2008 12:21 pm Post subject: |
|
|
bdonlan wrote: For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.
If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to.
this is the reason,
but i have remove the second lindo form my account |
|
| Back to top |
|
| |
