Routing between subinterfaces on piCore7

[mulletman87]

Hi all,

I have been fighting with this for a good 10 hours or so now and I would appreciate some help.

I want to route between two subnets but since the Pi only has a single NIC, I have created a subinterface and have the following IP addresses set using ifconfig:

Eth0:0 - 192.168.10.1 /24 (same range as my DSL router, which is on 192.168.10.2 /24)
Eth0: 10.0.0.177 /24 (this is the default GW for my client PCs)

1) I have create a static route on my DSL router that makes traffic destined for the 10.0.0.0 /24 range, next hop through 192.168.10.1 (for when the traffic comes back)
2) I have added a default route (on the Rpi) as follows "sudo route add default gw 192.168.10.2"
3) I have added the following IPtables rules (I am almost certain they are needed, they were when this project was running ubuntu on a pcduino):

Code: [Select]

sudo iptables --table nat --append POSTROUTING --out-interface eth0:0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT
4) I have disabled ICMP redirects, ipv6 and made sure that ip_forwarding is set to 1 (on) by putting the following into /opt/bootsync.sh.

Code: [Select]

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/lo/disable_ipv6"

The reason why i have done this is because I cannot find the /etc/sysctl.conf and while this isnt a biggie (since I just echo'd it as shown above), this might actually be the reason why it is not working because if the original config is loaded into the kernel (e.g. send_redirects = 1) and then it is changed to 0 afterwards (send_redirects = 0), it won't actually do anything (unless I reboot or reload the sysctl (used to use "sysctl -p" on ubuntu). If I reboot, I am back to square one so maybe this is the issue. I tried to solve this by putting the following into the /opt/.filetool.lst but it didn't seem to do anything (i.e. I saved that, echo'd all the new config, rebooted and then everything was back to what it was before)

Code: [Select]

proc/sys/net/ipv4/ip_forward
proc/sys/net/ipv4/conf/default/accept_redirects
proc/sys/net/ipv4/conf/all/accept_redirects
proc/sys/net/ipv4/conf/eth0/accept_redirects
proc/sys/net/ipv4/conf/default/send_redirects
proc/sys/net/ipv4/conf/all/send_redirects
proc/sys/net/ipv4/conf/eth0/send_redirects
proc/sys/net/ipv6/conf/default/disable_ipv6
proc/sys/net/ipv6/conf/all/disable_ipv6
proc/sys/net/ipv6/conf/eth0/disable_ipv6
proc/sys/net/ipv6/conf/lo/disable_ipv6
The results are as follows:

1) If I putty into my Rpi, I can ping all local interfaces, my DSL router (192.168.10.2 /24) and any internet address
2) I can ping 192.168.10.1 and 192.168.10.2 from any desktop PC on the 10.0.0.0 /24 range
3) I CANNOT ping any internet address/

Please can someone help me, I am seriously battling here and have really tried my best to overcome this issue.

P.S: I will keep studying the tinycorelinux OS, sorry that I am not 100% with it yet. Understanding how it all works is a HIGH priority for me and I will do it properly.

[curaga]

Using sysctl just does the same writing/echoes under the hood, it doesn't matter if you use the tool or do it yourself. Backing up /proc files is not possible, please remove those from your filetool.lst, having them there may prevent backup.

Your commands should be enough in theory, but I've only done similar with two physical interfaces, not with a virtual subinterface. Try logging things on your pi? (-j LOG instead of -j ACCEPT in the FORWARD rule)

[Paul_123]

if you want to add a 2nd NIC or wireless, bridging works great.

[mulletman87]

I will try the LOG option, thanks for that suggestion.

As for bridging, I don't think it will work for my specific requirements, really need internal routing between the subinterfaces.

Question, does IP tables (provided IP_forward is enabled) automatically allow inbound traffic that has a destination layer 3 address that is not directly connected to pass?

I am starting to think that my issue lies purely with either my iptables or with those ICMP redirects.

Is there a way to literally allow all for everything on pre/post/etc to allow everything (forwarding, etc.). Maybe I could try that and start trying to narrow down the root cause.

Thanks

[mulletman87]

Well, this is very weird.

I redid everything from scratch (for like the 20th time lol) but didn't add the following iptables rules:

Code: [Select]

sudo iptables --table nat --append POSTROUTING --out-interface eth0:0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0 -j ACCEPT
.. and it works out the box.

Which makes me believe that there is something wrong with my IP tables.

Please can you confirm that I did this part right:

1) tce-load -iw iproute2
2) sudo modprobe ip_tables (I ran this because when I added an iptables rule that targeted the NAT table it said that it didn't exist) - After this the table was there, not 100% sure?

Maybe my IP tables are a little broken, that would make so much damn sense why I was not having any luck hehe.

UPDATE: I just run the following rules and it adds absolutely nothing to iptables (ran sudo iptables -L)

sudo iptables -t nat -I PREROUTING -s 192.168.50.0/24 -p udp --dport 53 -j DNAT --to 208.67.222.222:53
sudo iptables -t nat -I PREROUTING -s 192.168.50.0/24 -p tcp --dport 53 -j DNAT --to 208.67.222.222:53

Please can someone help me troubleshoot this?

Thanks!

[Paul_123]

Sorry, I missed you were trying to route. 

I assume you made a typo, as iptables is in extension iptables.tcz, not iproute2.tcz

after you run commands......run lsmod to see of all of the modules are loaded.  Just running sudo iptables -L should result in being loaded.

Code: [Select]

Module                  Size  Used by    Tainted: G
iptable_filter          1260  0
ip_tables              11511  1 iptable_filter
x_tables               13634  2 iptable_filter,ip_tables

after running .   

sudo iptables -t nat -I PREROUTING -s 192.168.50.0/24 -p udp --dport 53 -j DNAT --to 208.67.222.222:53

you should see

Code: [Select]

Module                  Size  Used by    Tainted: G
xt_nat                  1692  1
xt_tcpudp               2124  1
iptable_nat             1787  1
nf_conntrack_ipv4      13381  1
nf_defrag_ipv4          1287  1 nf_conntrack_ipv4
nf_nat_ipv4             4887  1 iptable_nat
nf_nat                 12698  2 xt_nat,nf_nat_ipv4
nf_conntrack           78291  3 nf_conntrack_ipv4,nf_nat_ipv4,nf_nat
iptable_filter          1260  0
ip_tables              11511  2 iptable_nat,iptable_filter
x_tables               13634  4 xt_nat,xt_tcpudp,iptable_filter,ip_tables

to see the nat table, you need to do this.

Code: [Select]

sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  192.168.0.0/24       anywhere             udp dpt:domain to:208.67.222.222:53

works just fine.

please run df, and post the output, so we can see what extensions you have loaded.

[mulletman87]

@Paul_123, thank you so much! Only read your response now, for some reason I didn't see the notification that a reply had been made, such a great guide, really appreciate it.

I will do this first thing tomorrow, in this order:

Add my static IP addresses and test

Code: [Select]

sudo ifconfig eth0:1 192.168.50.1 netmask 255.255.255.0 broadcast 192.168.50.255
sudo ifconfig eth0 10.0.0.88 netmask 255.255.255.0 broadcast 10.0.0.255
Make sure that forwarding and ICMP redirect is set correctly

Code: [Select]

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6"
sudo sh -c "echo 1 > /proc/sys/net/ipv6/conf/lo/disable_ipv6"
Install iptables and test if net still works

Code: [Select]

tce-load -iw iptables.tcz
lsmod (to check the modules loaded)---> TEST THEN

Code: [Select]

sudo /usr/local/sbin/basic-firewall---> TEST THEN

Code: [Select]

sudo iptables -L
sudo iptables -t nat -L
sudo iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface eth0:1 -j ACCEPT
sudo iptables -L
sudo iptables -t nat -L

If net is still working, redirect DNS

Code: [Select]

sudo iptables -t nat -I PREROUTING -s 192.168.50.0/24 -p udp --dport 53 -j DNAT --to 208.67.222.222:53
sudo iptables -t nat -I PREROUTING -s 192.168.50.0/24 -p tcp --dport 53 -j DNAT --to 208.67.222.222:53
Question, is it necessary to start the firewall after installing it (sudo /usr/local/sbin/basic-firewall) as the wiki states? Also, is it necessary to run sudo modprobe ip_tables? I actually didn't make a typo with "iproute2", that was actually a mistake that I made since I thought it contained iptables (might be the root cause of my issues lol)

Once I nail down setting the RPi as a router and having it redirect 53, I will lock things down a bit more and set up persistence, etc.

[curaga]

You're setting your own iptables rules, so the shipped ones in basic-firewall aren't needed (they might conflict). Modprobe isn't needed, it will be done automatically.