
Routing problem (I think)

  • 14-07-2009 1:59pm
    #1
    Registered Users, Registered Users 2 Posts: 23,212 ✭✭✭✭


    Hi All,

    this is related to a thread I had in the Unix forum regarding a proxy server I have set up

    Briefly, I have a Linux machine in a DMZ. It has two network cards, one public (dynamic, for incoming connections) and one private (static, to connect to the local internal network). It basically passes incoming connections from the outside world to an App server and vice versa. It's a reverse proxy.

    Incoming connections are now working fine (I can see them in the Apache logs), however going from the Linux box to a server on the internal network is not working.

    Routing table as follows:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    192.168.3.0     0.0.0.0         255.255.255.252 U     0   0      0    eth1
    87.X.X.X        0.0.0.0         255.255.255.248 U     0   0      0    eth0
    0.0.0.0         87.X.X.Y        0.0.0.0         UG    0   0      0    eth0
    0.0.0.0         192.168.3.1     0.0.0.0         UG    0   0      0    eth1

    The 192.168.3.1 (eth1) is the default gateway to the internal network, via a hardware firewall. I can ping the internal network router (192.168.139.1) plus one or two other internal IP addresses (i.e. 192.168.139.X), but I can't ping the one that I want - 192.168.139.12.

    So I think I need to add a route either to 192.168.139.0 or 192.168.139.12 via 192.168.3.1 - or do I? If not, what do I need to do?

    As a side note, when I do a tracert 192.168.139.12, the first address it lists is the external address (i.e. 87.X.X.X), which of course times out because my ISP doesn't know where to find my database server. :)


Comments

  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    Try adding a route to the host you want. Command is something like this:

    route add -host 192.168.3.12 gw 192.168.3.1

    If I remember correctly. I don't have a Linux box here right now to test it with, and the only one I can get access to is two flights of stairs and a long corridor away, so damned if I'm walking :P


  • Registered Users, Registered Users 2 Posts: 23,212 ✭✭✭✭Tom Dunne


    rmacm wrote: »
    Try adding a route to the host you want. Command is something like this:

    route add -host 192.168.3.12 gw 192.168.3.1

    I have tried every permutation of that command and not gotten it to work.

    BTW, the gw is 192.168.3.1, but the server I am trying to connect to is 192.168.139.12.

    I've used:

    ip route add 192.168.139.12 gw 192.168.3.1

    and

    ip route add 192.168.139.0 gw 192.168.3.1

    I've also tried the internal network's own default gateway (seeing as I can ping it no problem):

    ip route add 192.168.139.12 gw 192.168.139.1

    Plus, when I add in a netmask, I get an error telling me that "either the 'to' address invalid, or the netmask is garbage".

    e.g. ip route add 192.168.139.12 netmask 255.255.255.0 gw 192.168.3.1

    I'm way in over my head here. :o
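To see why packets for 192.168.139.12 were leaving through the public interface despite the second default route, and why a route "via 192.168.139.1" is refused while one via 192.168.3.1 is accepted, here is an added example that is not code from anyone in this thread. It replays the routing table from the first post through a small longest-prefix-match lookup in Python. The ISP addresses 87.X.X.X and 87.X.X.Y are replaced with the documentation addresses 198.51.100.2 and 198.51.100.1 so the table parses (an assumption), and `add_route` is a model of what `ip route add DEST via GATEWAY` checks, not a wrapper around the real command.

```python
"""Longest-prefix-match route lookup over a `route -n` style table.

Added example for this thread, not code from any poster: it models how the
Linux kernel chooses a next hop so the posted routing table can be reasoned
about offline.  The table is the one from the first post; the ISP addresses
(87.X.X.X / 87.X.X.Y) are replaced with documentation addresses
198.51.100.2 / 198.51.100.1, which is an assumption made so they parse.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the `route -n` output in the first post (ISP prefix assumed).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.3.0     0.0.0.0         255.255.255.252 U     0 0      0 eth1
198.51.100.0    0.0.0.0         255.255.255.248 U     0 0      0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG    0 0      0 eth0
0.0.0.0         192.168.3.1     0.0.0.0         UG    0 0      0 eth1
"""


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str


def parse_route_n(text: str) -> list[Route]:
    """Parse the body of `route -n`: Destination Gateway Genmask ... Iface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # skip the title line and the column header
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(net, gateway, iface))
    return routes


def lookup(routes: list[Route], dst) -> Optional[Route]:
    """Pick the most specific matching route.  On a tie (the two default
    routes in the posted table) the entry listed first wins, which matches
    the order the kernel keeps equal-metric entries in, so 192.168.139.12
    goes out via eth0 until a more specific route exists."""
    addr = ipaddress.IPv4Address(str(dst))
    best = None
    for r in routes:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def add_route(routes: list[Route], dest: str, gateway: str) -> Route:
    """Model of `ip route add DEST via GATEWAY` (net-tools equivalent:
    `route add -net NET netmask MASK gw GATEWAY`).  The kernel only accepts
    a gateway reachable through a directly connected route; otherwise the
    add fails, which net-tools reports as `SIOCADDRT: No such process`."""
    gw = ipaddress.IPv4Address(gateway)
    via = lookup(routes, gw)
    if via is None or via.gateway is not None:
        raise ValueError(f"gateway {gw} is not on a directly connected network")
    route = Route(ipaddress.IPv4Network(dest, strict=False), gw, via.iface)
    routes.append(route)
    return route


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    print("before:", lookup(table, "192.168.139.12"))
    try:
        add_route(table, "192.168.139.12/32", "192.168.139.1")  # gateway not on-link
    except ValueError as exc:
        print("rejected:", exc)
    add_route(table, "192.168.139.0/24", "192.168.3.1")  # the route that helps
    print("after: ", lookup(table, "192.168.139.12"))
```

On the real box the equivalent of the accepted call is `ip route add 192.168.139.0/24 via 192.168.3.1` (or `route add -net 192.168.139.0 netmask 255.255.255.0 gw 192.168.3.1`); `gw` and `netmask` are net-tools `route` keywords, while `ip route` takes `via` and a `/prefix` on the destination, which is why mixing the two produces the "netmask is garbage" error quoted above.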


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Tom Dunne wrote: »
    I have tried every permutation of that command and not gotten it to work.

    BTW, the gw is 192.168.3.1, but the server I am trying to connect to is 192.168.139.12.

    I've used:

    ip route add 192.168.139.12 gw 192.168.3.1

    and

    ip route add 192.168.139.0 gw 192.168.3.1

    I've also tried the internal network's own default gateway (seeing as I can ping it no problem):

    ip route add 192.168.139.12 gw 192.168.139.1

    Plus, when I add in a netmask, I get an error telling me that "either the 'to' address invalid, or the netmask is garbage".

    e.g. ip route add 192.168.139.12 netmask 255.255.255.0 gw 192.168.3.1

    I'm way in over my head here. :o

    If you can give me a user account on the box I'll sort it out.


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    Tom Dunne wrote: »

    <snip>

    e.g. ip route add 192.168.139.12 netmask 255.255.255.0 gw 192.168.3.1

    I'm way in over my head here. :o

    Ok am I right in saying that you can ping 192.168.139.1 from your Linux box?

    Can you ping 192.168.139.12 from the router at 192.168.139.1?

    try this

    route add -host 192.168.139.12 gw 192.168.139.1

    The syntax you have for the route command looks wrong for a Linux box. man route for more information on using the command. I did something similar recently here at work. Had a setup like this.


    <Linux Box>----<Switch>
    <Router>
    <Blade system>

    Wanted to be able to ping the management address of the blade system so because the router and blade system were in the same rack the router knew how to get traffic to the blade (router is preconfigured to do this). So on the Linux box I did the following

    route add -host 10.0.160.3 gw 10.0.158.27

    The Linux box knew how to get to 10.0.158.27 anyway so once the packet got to there the router was able to take care of getting it to the blade. Which is similar enough to what you want to do.


  • Registered Users, Registered Users 2 Posts: 23,212 ✭✭✭✭Tom Dunne


    ntlbell wrote: »
    If you can give me a user account on the box I'll sort it out.

    I would if I could. :o

    It's behind a firewall, on a VLAN, with only port 443 open. Given the nature of this thread, I am sure you will understand if I am not quite able to set up incoming ssh access.

    Thanks for the offer, though.
    rmacm wrote: »
    Ok am I right in saying that you can ping 192.168.139.1 from your Linux box?

    Yes.
    rmacm wrote: »
    Can you ping 192.168.139.12 from the router at 192.168.139.1?

    Not sure. I can't log into it (it's a Cisco 500 Unified unit, I don't have a login to it yet). However, 139.1 is the default gateway for 139.12 (and all the other nodes on the network), so I'd say it is most likely.
    rmacm wrote: »
    try this

    route add -host 192.168.139.12 gw 192.168.139.1

    It doesn't like the syntax. I'm on Ubuntu 9.04.

    If I drop the -host bit, I get an error (SIOCADDRT: No such process). If, however, I try it with gw 192.168.3.1, it works. Still can't ping 139.12, though.
    rmacm wrote: »
    The syntax you have for the route command looks wrong for a Linux box. man route for more information on using the command. I did something similar recently here at work. Had a setup like this.


    <Linux Box>----<Switch>
    <Router>
    <Blade system>

    Wanted to be able to ping the management address of the blade system so because the router and blade system were in the same rack the router knew how to get traffic to the blade (router is preconfigured to do this). So on the Linux box I did the following

    route add -host 10.0.160.3 gw 10.0.158.27

    The Linux box knew how to get to 10.0.158.27 anyway so once the packet got to there the router was able to take care of getting it to the blade. Which is similar enough to what you want to do.

    The config I have is:

    <Internet>----<DSL Modem>--<Cisco Unit>--<Linux in DMZ>---<Firewall>--<internal network>

    So in theory what you are suggesting should work.

    It's giving "Destination unreachable" and in the Apache logs it is giving "No route to host", so it certainly sounds like a routing problem.

    Or does it?


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    Tom Dunne wrote: »
    so it certainly sounds like a routing problem.

    Or does it?

    Does to me anyway, home from work now so when I get in tomorrow I can check out the config on the machine I have there....not much else to be doing at the moment anyway.


  • Registered Users, Registered Users 2 Posts: 23,212 ✭✭✭✭Tom Dunne


    All sorted.

    Thanks to ntlbell for going above and beyond the call of duty in helping with this. And to rmacm also.

    It looks like there were a number of problems, including mis-typed IP address, netmasks and a supposed idiot-proof network manager called WICD that in the end seemed to do more harm than good.

