help, linode with Private IP acting as gateway fails!!

first linode:

iface eth0 inet static
    address 207.192..
    netmask 255.255.255.0
    gateway 207.192.72.1

iface eth1 inet static
    address 192.168.133.*
    netmask 255.255.128.0

echo 1 >/proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
result is 1

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j SNAT --to-source 207.192..(first public ip)

second linode:

iface eth0 inet static
    address 207.192..
    netmask 255.255.255.0
    gateway 207.192.72.1

iface eth1 inet static
    address 192.168.133.*
    netmask 255.255.128.0

route add -net 192.168.128.0/17 gw 192.168.133.*(first private ip)

Below is the route table:

Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref  Use Iface
207.192.73.0    *                255.255.255.0    U     0      0      0 eth0
192.168.128.0   192.168.133.*    255.255.128.0    UG    0      0      0 eth1
192.168.128.0   *                255.255.128.0    U     0      0      0 eth1
default         gateway37.linod  0.0.0.0          UG    0      0      0 eth0

This shows that the route and gateway are right.

ping first-private-ip is ok
ping 207.192.72.1 -I eth1 is ok
traceroute 207.192.72.1 ok
traceroute -i eth0 207.192.72.1 ok
traceroute -i eth1 207.192.72.1 fail

This shows that a Private IP acting as gateway for another Private IP has failed!!

can anybody help me?

11 Replies

in the first linode:

iptables --list -t nat

Chain PREROUTING (policy ACCEPT)
target      prot opt source            destination
nat_in      0    --  anywhere          anywhere

Chain POSTROUTING (policy ACCEPT)
target      prot opt source            destination
nat_out     0    --  anywhere          anywhere
eth0_masq   0    --  anywhere          anywhere
SNAT        0    --  192.168.128.0/17  anywhere          to:207.192.72.*(my ip)
MASQUERADE  0    --  192.168.128.0/17  anywhere

Chain OUTPUT (policy ACCEPT)
target      prot opt source            destination

Chain eth0_masq (1 references)
target      prot opt source            destination
MASQUERADE  0    --  192.168.128.0/17  anywhere          policy match dir out pol none

Chain nat_in (1 references)
target      prot opt source            destination
DNAT        0    --  anywhere          li36-35.members.linode.com  policy match dir in pol none to:192.168.133.*

Chain nat_out (1 references)
target      prot opt source            destination
SNAT        0    --  192.168.133.*     anywhere          policy match dir out pol none to:207.192.72.*

It might help if you explain what you are trying to do with this configuration. And what does your failed traceroute actually output?

My guess is that right now traceroute just fails because it can't find a route in your routing table. When you specify -i eth1 that limits you to:

192.168.128.0   192.168.133.*    255.255.128.0    UG    0      0      0 eth1
192.168.128.0   *                255.255.128.0    U     0      0      0 eth1

Since your destination address is not in the 192.168 subnet it will fail. My guess is you want to specify a secondary default gateway using eth1 and your 192.168 gateway address.
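The interface-restricted lookup this reply describes, as an added example (it is not code from the thread or from Linode): it parses the `route -n` style table the original post shows and performs the same longest-prefix match the kernel does, optionally restricted to one interface, which is what `traceroute -i eth1` asks for. The table is a constructed copy of the one posted: the `*` placeholders and the resolved hostname are replaced by example addresses (192.168.133.20 is the first linode's private IP given later in the thread, 207.192.72.1 the public gateway from the interfaces file).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the routing table posted in the thread with the
# placeholders filled in (see the lead-in above).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
207.192.73.0    *               255.255.255.0   U     0      0        0 eth0
192.168.128.0   192.168.133.20  255.255.128.0   UG    0      0        0 eth1
192.168.128.0   *               255.255.128.0   U     0      0        0 eth1
default         207.192.72.1    0.0.0.0         UG    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected ("*")
    metric: int
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse net-tools `route -n` output into Route objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line or column header
        dest, gw, genmask, _flags, metric, _ref, _use, iface = fields
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        gateway = None if gw == "*" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def lookup(routes: List[Route], dst: str, oif: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, optionally restricted to routes on one interface.
    Ties go to the lowest metric, then table order (max() keeps the first
    of equal candidates), which is assumed here to mirror the kernel."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes
                  if addr in r.network and (oif is None or r.iface == oif)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def explain(routes: List[Route], dst: str, oif: Optional[str] = None) -> str:
    """Human-readable result of a lookup."""
    r = lookup(routes, dst, oif)
    where = f" out {oif}" if oif else ""
    if r is None:
        return f"{dst}{where}: no route"
    via = "directly connected" if r.gateway is None else f"via {r.gateway}"
    return f"{dst}{where}: {r.network} {via} dev {r.iface}"


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    for dst, oif in [("207.192.72.1", None), ("207.192.72.1", "eth0"),
                     ("207.192.72.1", "eth1"), ("192.168.130.5", "eth1")]:
        print(explain(table, dst, oif))
```

With the posted table, 207.192.72.1 resolves to the default route on eth0 but has no route at all when the lookup is pinned to eth1, which is the failure the reply predicts. On a live host, `ip route get 207.192.72.1 oif eth1` performs the same restricted lookup against the real table.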

I have disabled the public IP on the second linode's eth0; the default gateway is the first linode's private IP, but I cannot ping, and traceroute fails too.

Can you give us a routing table update then?

Destination     Gateway          Genmask          Flags Metric Ref  Use Iface
192.168.128.0   *                255.255.128.0    U     0      0      0 eth1
default         192.168.133.20   0.0.0.0          UG    0      0      0 eth1

I ssh to the second linode through the first linode.

I made it work very easily on my PC; that only needs "apt-get install ipmasq".

I studied the iptables -L result carefully. I believe my linode's iptables configuration is correct.

I have brought eth0 down with ifconfig; only eth1 is up.

The tcpdump record only displays "arp who has .., reply to …".

Is something about ARP disabled on linode's private network?

I just use a one-liner when I do NAT, you might want to try just this to start:

iptables --table nat --append POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE

Also you should probably try turning off all of your iptables NAT stuff and see if you can do a normal ping between linodes. If that doesn't work, NAT won't work for sure.

I have given up.

This is an easy thing on a Linux server, but on Linode it cannot be done.

I am sure there is something disabled in Linode's private network.

For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.

If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to.
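What this answer implies for the return path, and the tunnel it recommends, as an added example that is not from the thread or from Linode. It models the per-interface source filter described here, shows the outer IP header the gateway's eth1 would emit for a reply with and without encapsulation, and generates the iproute2/iptables commands for both tunnel ends. The private addresses (192.168.133.20 appears in the thread, 192.168.133.21 is assumed for the second linode), the 10.0.0.0/30 tunnel subnet and the 198.51.100.7 remote host are constructed, and the filter model is a simplification of the behaviour the answer describes, not Linode's implementation.

```python
import ipaddress
from typing import List, Tuple

# The thread's private range (192.168.128.0/17, netmask 255.255.128.0).
PRIVATE_NET = ipaddress.IPv4Network("192.168.128.0/17")

# Constructed sample addresses: the thread only shows 192.168.133.* for eth1.
GATEWAY_PRIV = "192.168.133.20"  # first linode, eth1 (from the thread)
CLIENT_PRIV = "192.168.133.21"   # second linode, eth1 (assumed)
TUNNEL_NET = ipaddress.IPv4Network("10.0.0.0/30")  # assumed inner link net
GATEWAY_TUN, CLIENT_TUN = "10.0.0.1", "10.0.0.2"


def egress_allowed(iface_own_ip: str, outer_src: str) -> bool:
    """Simplified model of the filter bdonlan describes: a packet may leave an
    interface only if its (outer) IP source is that interface's own address."""
    return ipaddress.IPv4Address(outer_src) == ipaddress.IPv4Address(iface_own_ip)


def reply_outer_header(internet_host: str, tunneled: bool) -> Tuple[str, str]:
    """(src, dst) of the outermost IP header the gateway's eth1 emits when it
    forwards a reply from internet_host back to the client. Plain routing keeps
    the remote host's source address, which the filter rejects; IP-in-IP wraps
    it in a header sourced from the gateway's own eth1 address."""
    if tunneled:
        return GATEWAY_PRIV, CLIENT_PRIV
    return internet_host, CLIENT_PRIV


def ipip_commands(role: str, local: str, remote: str,
                  dev: str = "tun0", public_iface: str = "eth0") -> List[str]:
    """Commands for one end of the tunnel, to be run as root on that host."""
    for ip in (local, remote):
        if ipaddress.IPv4Address(ip) not in PRIVATE_NET:
            raise ValueError(f"{ip} is not inside {PRIVATE_NET}")
    if role == "gateway":
        own_tun, peer_tun = GATEWAY_TUN, CLIENT_TUN
    elif role == "client":
        own_tun, peer_tun = CLIENT_TUN, GATEWAY_TUN
    else:
        raise ValueError(f"unknown role {role!r}")
    cmds = [
        # outer source = this host's own eth1 address, so encapsulated packets pass the filter
        f"ip tunnel add {dev} mode ipip local {local} remote {remote} ttl 64",
        f"ip addr add {own_tun}/{TUNNEL_NET.prefixlen} dev {dev}",
        f"ip link set {dev} up",
    ]
    if role == "gateway":
        cmds += [
            "sysctl -w net.ipv4.ip_forward=1",
            # NAT only what arrives through the tunnel, and only on the public side
            f"iptables -t nat -A POSTROUTING -s {TUNNEL_NET} -o {public_iface} -j MASQUERADE",
        ]
    else:
        # send everything through the tunnel; the /17 stays directly connected on
        # eth1, so the tunnel's own outer packets to the gateway are not looped into it
        cmds.append(f"ip route add default via {peer_tun} dev {dev}")
    return cmds


if __name__ == "__main__":
    for tunneled in (False, True):
        src, dst = reply_outer_header("198.51.100.7", tunneled)
        verdict = "passes" if egress_allowed(GATEWAY_PRIV, src) else "DROPPED"
        print(f"tunneled={tunneled}: eth1 emits {src} -> {dst}: {verdict}")
    for role, local, remote in (("gateway", GATEWAY_PRIV, CLIENT_PRIV),
                                ("client", CLIENT_PRIV, GATEWAY_PRIV)):
        print(f"\n# on the {role} ({local}):")
        print("\n".join(ipip_commands(role, local, remote)))
```

The script only prints the commands; each list is run as root on the host named in its heading. If the client still has a default route through a live eth0, use `ip route replace` for the last client command instead of `ip route add`. Separately, the `iptables --list -t nat` output earlier in the thread shows several overlapping NAT rules (nat_out, eth0_masq, SNAT, MASQUERADE) for the same source range; SNAT, DNAT and MASQUERADE are terminating targets, so only the first match in POSTROUTING ever takes effect and the rest are dead rules worth removing while debugging.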

@bdonlan:

> For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.
>
> If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to.

This is the reason, but I have removed the second linode from my account.
