
Re: routing



Hi, Sthu:

On Thursday 04 November 2010 08:11:04 Sthu Deus wrote:
> Thank You for Your time and answer, Jesús, again:
> > Let's try again:
> > 1) What are the exact iptables rules you are trying?
> > I'd suggest trying this and only this (just for testing; once it's
> > working you can tie up them as needed):
> >         /sbin/iptables -F
> >         /sbin/iptables -t nat -F
> >         /sbin/iptables -t mangle -F
> >
> >         /sbin/iptables -X
> >         /sbin/iptables -t nat -X
> >         /sbin/iptables -t mangle -X
> >
> >         /sbin/iptables -P INPUT ACCEPT
> >         /sbin/iptables -P OUTPUT ACCEPT
> >         /sbin/iptables -P FORWARD ACCEPT
> >
> >         echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > Now, let's test it:
> > 2) Can you ping 10.10.10.10 from host2?
>
> Well. As I have shown already - the reason was in masquerading - as
> Peter E. has suggested. And this answers the question why opening
> total access (all chain policies to ACCEPT) did not work in my case.

First you test, then you diagnose, then you make corrections, then you retest.  
That's the way to enlightenment (sounds kinda "The Sysadmin Zen", uh?)

I told:

> > > Now, my bet:
> > > Does whatever sit on the far end of your ppp link holding IP address
> > > 10.10.10.10 know how to return packets to 192.168.0.0/24?
> >
> > Sorry, I do not know.
>
> You'll need to know.  What does sit at 10.10.10.10?

That was my bet.  If whatever sat at 10.10.10.10 was not under your control 
and was a public Internet device (like the other end of your ISP 
connection), as it now seems to be, it wouldn't know about private networks as 
per RFC-1918.  So the answer to my question "Does whatever sit on the far end 
of your ppp link holding IP address 10.10.10.10 know how to return packets to 
192.168.0.0/24?" is "no, it doesn't".

Once this answer is reached, the (at least partial) solution follows: you will 
need to either instruct it about 192.168.0.0/24 (you usually do it by 
configuring a static route on the device) or hide it from its scope (which 
you usually do by adding masquerading at the proper place).

In other words: in "usual" Internet connections, you have just one network on 
your local side; your router/cable modem/whatever will know about it and will 
act as needed (usually masquerading it).  But now, you have *two* hops on 
your local side; your Internet connection knows about the nearest to it (from 
its perspective), which is 20.20.20.20, but it doesn't know about the second 
hop, the one that goes from 20.20.20.20 to 192.168.0.0/24, so you need to 
manage that part yourself (depending on your environment, by adding static 
routes or masquerading).

PS: Please note that I'm just using my crystal ball here.  You didn't 
explicitly answer my questions, so I can't know it for certain; I'm just 
speculating.

Cheers.
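The two fixes Jesús outlines above (hide the LAN behind the ppp address, or teach the far end a static route back to it), as an added example that is not part of the thread. It assumes names the thread never states: the LAN is 192.168.0.0/24 on eth0, the ppp link is ppp0 with local address 20.20.20.20, and the far end at 10.10.10.10 is something you can log in to for option B. By default every function only prints the commands it would run; set APPLY=1 and run as root to execute them. Note that the diagnostic script quoted earlier flushes the nat table (`iptables -t nat -F`), so any MASQUERADE rule has to be re-added after it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed topology:
#   LAN 192.168.0.0/24 on eth0  <->  Debian box (20.20.20.20 on ppp0)  <->  10.10.10.10
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_IF=${LAN_IF:-eth0}
PPP_IF=${PPP_IF:-ppp0}
PPP_LOCAL=${PPP_LOCAL:-20.20.20.20}

# run: print the command (default) or execute it when APPLY is set.
run() {
    if [ -n "${APPLY:-}" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Option A: hide the LAN from the far end by masquerading it on the Debian box.
# The rewrite happens in the nat POSTROUTING chain for LAN traffic leaving ppp0;
# the FORWARD chain must also pass the packets in both directions, and
# forwarding must be switched on. Return traffic is matched by conntrack state.
setup_masquerade() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$PPP_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$PPP_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Option B: teach the device at 10.10.10.10 where 192.168.0.0/24 lives.
# This is typed on the far-end device, not on the Debian box, and only helps
# if you administer that device (an ISP router will not take this route).
setup_far_end_route() {
    run ip route add "$LAN_NET" via "$PPP_LOCAL"
}

# check_masquerade: on the Debian box, confirm the nat rule survived (needs root).
# Exit status 0 means the rule is present in the live nat table.
check_masquerade() {
    iptables -t nat -S POSTROUTING 2>/dev/null \
        | grep -q -- "-s $LAN_NET -o $PPP_IF -j MASQUERADE"
}

# Stand-alone run: print the plan for option A (APPLY=1 executes it instead).
[ -n "${NO_MAIN:-}" ] || setup_masquerade
```

To see which of the two you need, watch the ppp link while pinging from a LAN host: `tcpdump -ni ppp0 icmp`. If the outgoing echo requests still carry a 192.168.0.x source, the masquerade rule is not in effect (option A is missing or was flushed); if they carry 20.20.20.20 and no replies come back, the problem is elsewhere.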

