# [Solved thanks to Hu and Mokia] Simple routing question.

## ispano

I recently set up a linux router running on an Mini-ITX Atom Board, took some time figuring out iptables and such, but everything works fine.

Well except for one thing. Prior to this I was using a Linksys router with DD-WRT, and a Motorolla SB6120 Cable Modem. As i'm sure some

of you know, the SB6120 has an ip of 192.168.100.1, which I was able to access thru the Linksys without issue. However, with my gentoo box

in between instead, that no longer works. I was just curious if I had to add a route or whatnot, currently trying to google the answer as well.

The Setup is like so:

```
Internet
  |
SB6120 - Config IP of 192.168.100.1 <-- Cannot access this through the router.
  |
eth0 - DHCP
Gentoo Box
eth1 - 192.168.0.1
  |
LAN
```

Hopefully that makes some semblance of sense

Thanks for any advice you can provide.

Last edited by ispano on Sun Jul 18, 2010 8:34 pm; edited 1 time in total

----------

## dmpogo

What is your DHCP server? One would think one wants to have your computer on the same subnet as the internal interface of your router, i.e. on 192.168.100.something.

----------

## ispano

Err, the modem itself has an IP of 192.168.100.1; this is used to view signal levels and the like. Then that's connected to eth0 on my router, which has DHCP running to pull an IP from Comcast. Then the router has a DHCP server running on eth1, which itself has an IP of 192.168.0.1, and gives out addresses from 192.168.0.100 to 192.168.0.150.

This is the same setup I had with DD-WRT on the Linksys; however, I was able to access the web interface on 192.168.100.1 with the Linksys, not so with my current setup.

Maybe I'm missing a route, or maybe my iptables setup is blocking it, I don't really know. But trying to figure it out.

----------

## dmpogo

 *ispano wrote:*   

> Err, the modem itself has an IP of 192.168.100.1, this is used to view signal levels and the like, then that's connected to eth0 on my router, which has dhcp running to pull an ip from comcast. Then the router has a dhcp server running on eth1, which itself has an ip of 192.168.0.1, and gives out address from 192.168.0.100 to 192.168.0.150.
> 
> This is the same setup I had with DD-WRT on the Linksys, however, I was able to access the web interface on 192.168.100.1 with the linksys, not so with my current setup.
> 
> Maybe i'm missing a route, or maybe my iptables setup is blocking it, I don't really know. But trying to figure it out.

 

OK, got it. Can you access 192.168.100.1 from your router? Could you also print the output of "route -n"?

----------

## ispano

Yes I can, but since there's no GUI (haven't tried webmin or anything), all I can use is links, in which I can't change sections and such.

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
75.70.160.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         75.70.160.1     0.0.0.0         UG    0      0        0 eth0
```

Edit: Ugh that looks like crap, lemme see if I can clean it up some

----------

## dmpogo

 *ispano wrote:*   

> Yes I can, but since there's no gui(haven't tried webmin or anything), all I can use is links in which I can't change sections and such.
> 
> Kernel IP routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> ...

 

Yep, what's your eth0 IP, BTW?

----------

## ispano

75.70.165.155

----------

## dmpogo

 *ispano wrote:*   

> 75.70.165.155

 

Where did that come from? Shouldn't it be one of 192.168.100.xxx, since it is on the same subnet as the modem?

Oh, sorry, your modem is not a router! I am getting confused what the 192.168.100.1 device is; how many interfaces does your modem have?

Last edited by dmpogo on Sun Jul 18, 2010 3:20 am; edited 1 time in total

----------

## ispano

You know, the first time I dealt with cable here, I thought the same thing. The modem acts as a bridge pretty much; that IP is only to check signal levels and logs. The modem itself does not have a DHCP server or anything of the like, that's all done on Comcast's end, and as a bridge, it well, bridges? If it was all on the same subnet already, I don't think I'd have this issue.

----------

## ispano

Ok, sorry for the confusion, let's see if I can detail this a bit better.

```
Comcast - The ISP and assholes mind you
 |
Motorola SB6120 - This has a coax connection for the connection to Comcast and 1 Ethernet port, it basically bridges the two connections. It also has the 192.168.100.1 IP, used to check levels/etc
 |
Gentoo Router Box - eth0 connects to the ethernet port of the modem, while eth1 connects to the switch on my LAN. eth0 is set to DHCP, and is pulling 75.70.165.155 at this time. eth1 is set statically to 192.168.0.1 and gives out IPs from 192.168.0.100 - 192.168.0.150. It also has an IP of 192.168.1.1 which I use for other purposes, and shouldn't matter here.
```

Think of the modem kind of like a wireless access point, where they have an IP for themselves, but traffic just passes through unobstructed, so the IP can be on a different subnet and not affect the functionality of the device.

Maybe that will help understand  :Surprised: 

----------

## dmpogo

Yep, I got it, need to think  :Smile: 

----------

## mokia

You need iptables prerouting:

```
iptables -t nat -A PREROUTING -d [IP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
```

and you can access the modem from every computer on your subnet (except the router) by typing IP in the web browser.

IP cannot be a part of your subnet.

For example, with subnet 192.168.1.0:

- IP 192.168.1.100 will not work
- IP 10.0.1.1 will work
- IP some public IP address will work too

----------

## Hu

 *mokia wrote:*   

> You need Iptables prerouting.
> 
> iptables -t nat -A PREROUTING -d [IP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
> 
> and you can access the modem from every computer from your subnet (except the router) by typing IP in the webbrowser 
> ...

This feels like a bad idea. Home routers are often not set up to handle malicious users, and your rule does not appear to prevent someone on the outside from leveraging this rule to reflect their connection back to the router.

OP: what do you mean that you cannot connect from internal hosts to the router?  What is the error code from connect?  Is the connection reaching the router and then being refused, or is it not reaching the router at all?

----------

## mokia

It is not a router, it is a modem, and you cannot edit anything on the site.

It displays information about the physical layer of the connection (not even details about your traffic).

----------

## ispano

>.< Whee

Ok, my router is this: http://www.newegg.com/Product/Product.aspx?Item=N82E16813182233 running Gentoo set up with iptables. I will admit I'm no master at iptables, it's something new I'm delving into.

The modem is a Motorola SB6120, which like mokia says, has a page to view signal levels and logs, not much else. It has an IP of 192.168.100.1 to access said page. If I'm directly connected to the modem, it works fine. When I was using my Linksys WRT-310N with DD-WRT it allowed me to access this IP from inside the router, so working there as well. Now my current setup has eth0 of the board listed above as the WAN, set to whatever IP Comcast gives it, routing to eth1 which has two IPs, 192.168.0.1 and 192.168.1.1, which I use for internal network file transfers (I can explain this if need be). However, I now cannot access 192.168.100.1 from inside the router, like I could with the Linksys. I'm thinking it's an iptables setting I have that's blocking it, but again I'm unsure.

These are all the commands I have run for iptables:

```
# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy and paste these examples ...
export WAN=eth0
export LAN=eth1

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# Allow access to our ssh/www server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport www -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

# Port Forwarding
#  uTorrent
iptables -t nat -A PREROUTING -p tcp --dport 49240 -i ${WAN} -j DNAT --to 192.168.0.12
iptables -t nat -A PREROUTING -p udp --dport 49240 -i ${WAN} -j DNAT --to 192.168.0.12
#  VNC
iptables -t nat -A PREROUTING -p tcp --dport 5900 -i ${WAN} -j DNAT --to 192.168.0.12

# This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save
```

You can probably tell, most of this is from the Gentoo Home Router Guide.

Sorry to bother you all! But thanks for the help.

Oh right, I tried that command with a few different ips, mokia. Didn't work for me, but I do appreciate the help.

----------

## gentoo_ram

On the Linux box try:

```
route add -host 192.168.100.1 eth0
```

----------

## ispano

No good, would it help to toss a second IP onto the WAN interface? Something on the same subnet as the modem? Like 192.168.100.100 for example.

----------

## dmpogo

I did not play with iptables for a while, but I remember them having a 'verbose' or 'debug' mode, where it will log all the actions, so that you can see if it drops any packets destined to 192.168.1.100.

----------

## mokia

What have you inserted, and did it show up in the iptables-save output in the nat table?

Like this:

```
host mokia # iptables-save
# Generated by iptables-save v1.4.6 on Sun Jul 18 20:08:36 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport xxxx -j DNAT --to-destination 127.0.0.1:80
-A PREROUTING -d 10.0.1.100/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80   <- this line
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
```

----------

## ispano

This is before using the command:

```
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*nat
:PREROUTING ACCEPT [10329:876380]
:POSTROUTING ACCEPT [8249:956756]
:OUTPUT ACCEPT [74:11634]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p udp -m udp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.12
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*mangle
:PREROUTING ACCEPT [161595311:112689267679]
:INPUT ACCEPT [1257335:303683850]
:FORWARD ACCEPT [160283041:112376610940]
:OUTPUT ACCEPT [794822:130549793]
:POSTROUTING ACCEPT [161102470:112508807474]
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*filter
:INPUT ACCEPT [326:42359]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1999:139715]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH --rsource -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
```

This is after:

```
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*nat
:PREROUTING ACCEPT [3:154]
:POSTROUTING ACCEPT [4:439]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p udp -m udp --dport 49240 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.0.12
-A PREROUTING -d 10.0.1.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.1:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Jul 18 07:05:14 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*mangle
:PREROUTING ACCEPT [161731831:112783335588]
:INPUT ACCEPT [1257839:303738986]
:FORWARD ACCEPT [160419057:112470623713]
:OUTPUT ACCEPT [795058:130577011]
:POSTROUTING ACCEPT [161238373:112602550425]
COMMIT
# Completed on Sun Jul 18 07:05:14 2010
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:05:14 2010
*filter
:INPUT ACCEPT [5:409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9729]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT ! -i eth1 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth1 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT ! -i eth1 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH --rsource -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:05:14 2010
```

----------

## Hu

 *ispano wrote:*   

> 
> 
> # Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
> 
> *filter
> ...

Perhaps you should not drop traffic that you want to work?  :Wink:   You said the modem is at a 192.168.x.x address, yet your first rule in the FORWARD chain is to drop any internal traffic going to 192.168.x.x addresses.

----------

## mokia

In addition to the previous rules, insert:

```
iptables -A FORWARD -d 192.168.100.1/32 -i eth2 -j ACCEPT
```

Edit.

Looks like I wasted too much time with testing. XD

Edit again!

Sorry, not -A! And not eth2. The rule is:

```
iptables -I FORWARD -d 192.168.100.1/32 -i eth1 -j ACCEPT
```

----------

## ispano

 *Hu wrote:*   

>  *ispano wrote:*   
> 
> # Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
> 
> *filter
> ...

 

That was the one. Taking that out lets it get through fine. Just one question, is there a reason you'd normally use a rule like that? I haven't had a lot of free time to tweak the settings and learn iptables more in depth; for the most part I just used what was in the Gentoo Home Router Guide. http://www.gentoo.org/doc/en/home-router-howto.xml

This is the part of the guide I got most of the chains from.

Code Listing 5.2: Setting up iptables

```
First we flush our current rules
# iptables -F
# iptables -t nat -F

Setup default policies to handle unmatched traffic
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD DROP

Copy and paste these examples ...
# export LAN=eth0
# export WAN=eth1

Then we lock our services so they only work from the LAN
# iptables -I INPUT 1 -i ${LAN} -j ACCEPT
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
# iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN
# iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT
# iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
# iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

Tell the kernel that ip forwarding is OK
# echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

This is so when we boot we don't have to run the rules by hand
# /etc/init.d/iptables save
# rc-update add iptables default
# nano /etc/sysctl.conf

Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

If you have a dynamic internet address you probably want to enable this:
net.ipv4.ip_dynaddr = 1
```

Thanks for the help. *bows*

----------

## mokia

You did not delete this rule, right?

```
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
```

"is there a reason you'd normally use a rule like that?"

YES

----------

## ispano

I took it out to see if it was the reason I was having an issue. But until I know it's safe to completely remove it, I'll just disable it when I need access to the modem.

----------

## ispano

And seeing as the command you posted last bypasses the rule for that ip, I think I'll use that.

----------

## mokia

Use this:

```
-I FORWARD -d 192.168.100.1/32 -i eth1 -j ACCEPT
```

It allows the modem connection, but doesn't open your whole internal network to crackers.

After this rule, iptables-save looks like this:

```
# Generated by iptables-save v1.4.6 on Sun Jul 18 07:03:12 2010
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.100.1/32 -i eth1 -j ACCEPT  <- this must be on top
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 07:03:12 2010
```

EDIT

Sorry for the forward

----------
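As an added illustration that is not part of the thread, the following walks the FORWARD chain from the posts above with iptables' first-match semantics, showing why mokia's `-A` attempt left the modem blocked while the `-I` version works and still drops other LAN-to-192.168.x.x forwarding. Interface names and rules come from the thread; the sample packets and the 198.51.100.7 public address are constructed.

```python
"""First-match walk of the thread's FORWARD chain (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: target plus optional -i / -s / -d matches."""
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None   # CIDR as printed by iptables-save
    dst: Optional[str] = None

    def matches(self, in_iface: str, src: str, dst: str) -> bool:
        if self.in_iface is not None and self.in_iface != in_iface:
            return False
        if self.src is not None and \
                ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


def verdict(chain: List[Rule], policy: str, in_iface: str, src: str, dst: str) -> str:
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(in_iface, src, dst):
            return rule.target
    return policy


# The FORWARD chain exactly as the Gentoo guide builds it (policy DROP).
GUIDE_FORWARD = [
    Rule("DROP", in_iface="eth1", dst="192.168.0.0/16"),    # also covers the modem
    Rule("ACCEPT", in_iface="eth1", src="192.168.0.0/16"),
    Rule("ACCEPT", in_iface="eth0", dst="192.168.0.0/16"),
]
MODEM_ACCEPT = Rule("ACCEPT", in_iface="eth1", dst="192.168.100.1/32")
# -I inserts at position 1, ahead of the DROP: this is the working fix.
FIXED_FORWARD = [MODEM_ACCEPT] + GUIDE_FORWARD
# -A appends after the DROP, so the new rule is never reached.
APPENDED_FORWARD = GUIDE_FORWARD + [MODEM_ACCEPT]

LAN_HOST = "192.168.0.100"   # a lease from the DHCP range in the thread
PUBLIC = "198.51.100.7"      # constructed public address (TEST-NET-2)


def lan_to_modem(chain: List[Rule]) -> str:
    return verdict(chain, "DROP", "eth1", LAN_HOST, "192.168.100.1")


def lan_to_other_private(chain: List[Rule]) -> str:
    return verdict(chain, "DROP", "eth1", LAN_HOST, "192.168.50.5")


if __name__ == "__main__":
    for name, chain in (("guide", GUIDE_FORWARD), ("-A", APPENDED_FORWARD), ("-I", FIXED_FORWARD)):
        print(f"{name:>6}: LAN->modem {lan_to_modem(chain)}, "
              f"LAN->192.168.50.5 {lan_to_other_private(chain)}")
```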

## ispano

Yeah I did use it, and it works fine. Looked at it after temporarily disabling "-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP" and it clicked what it did, so I re-enabled "-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP" and used your command.

Looks like this now:

```
-A FORWARD -d 192.168.100.1/32 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth1 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i eth0 -j ACCEPT
COMMIT
# Completed on Sun Jul 18 08:37:37 2010
```

I learn something new everyday with Gentoo, always a good thing.

Thanks again.

----------

## Hu

Normally, you would use that rule.  Normally, it would work fine.  Unfortunately, someone had the bright idea of putting an RFC1918 reserved address on a device designed to be on the Internet side of your router.

----------

## mokia

I think this is the solution for the RFC standard problem:

```
-I FORWARD -s 10.0.1.1/32 -i eth0 -j DROP
-I FORWARD -d 10.0.1.1/32 -i eth0 -j DROP
```

----------

