Hi All,
This is my second attempt at Internet-sharing a device, and I'm almost there.
I've followed https://wiki.archlinux.org/index.php/Internet_sharing to the letter and my setup is 90% there. The problem is that when I establish the DHCP connection, the IP and/or hostname addresses are sometimes valid, but it is not reachable across the entire network. These symptoms exist elsewhere, but I can't seem to find the answer I'm looking for.
Server
My device is connected to the Internet with eth0 (192.168.1.9) via my router (192.168.1.1). It has a second interface, eth1 (192.168.123.100), that is connected via a crossover cable to the client.
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.9 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::d7:8ff:fe82:a7bf prefixlen 64 scopeid 0x20<link>
ether 02:d7:08:82:a7:bf txqueuelen 1000 (Ethernet)
RX packets 548229 bytes 295038117 (281.3 MiB)
RX errors 0 dropped 12 overruns 0 frame 0
TX packets 255462 bytes 38800965 (37.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 43
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.123.100 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::2e0:4cff:fe68:2e6 prefixlen 64 scopeid 0x20<link>
ether 00:e0:4c:68:02:e6 txqueuelen 1000 (Ethernet)
RX packets 2817 bytes 430372 (420.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2739 bytes 246529 (240.7 KiB)
TX errors 0 dropped 7 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1665 bytes 183308 (179.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1665 bytes 183308 (179.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
/etc/dhcpd.conf on server
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option routers 192.168.123.1;
subnet 192.168.123.0 netmask 255.255.255.0 {
range 192.168.123.1 192.168.123.254;
}
iptables -nvL
Chain INPUT (policy ACCEPT 534K packets, 286M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
71 11924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
55 3596 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 249K packets, 34M bytes)
pkts bytes target prot opt in out source destination
Client.
dhcpcd out-of-the-box connection from its eth0 to the server via the crossover. It connects to 192.168.123.1 happily and can ping Google. I want to avoid touching this client because it is nice and hot-swappable at the moment.
I can ping and SSH to the client hostname from the server (192.168.1.9) via the IP address 192.168.123.1, but I cannot reach it from anywhere on 192.168.1.1/24.
I cannot ping the hostname from the client to the server, but I am able to ping the IP 192.168.1.9.
I'm not sure if this is a forwarding, DNS or dhcpd issue that I've created for myself. Ultimately, I want to be able to host a web page from the client (192.168.123.1) to anywhere on 192.168.1.1 and 192.168.123.1 using hostnames and DHCP.
Clues?
tx
You need an iptables MASQUERADE rule on the server, to let the client get to the Internet via the server, for starters.
And a "default" route on the client, for the client to route its Internet traffic *via* the server.
Hi Brebs, thanks for the reply.
You need an iptables MASQUERADE rule on the server, to let the client get to the Internet via the server, for starters.
By this, do you mean
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
because I already have this set.
Also,
And a "default" route on the client, for the client to route its Internet traffic *via* the server.
Is there a simple way to do this without touching the client? I would prefer not to need to alter the client if possible.
Looks like your DHCP "routers" line should be:
option routers 192.168.123.100;
That being the IP address of your Internet-providing server, which is on the same subnet as the client.
Thanks Brebs,
option routers 192.168.123.100;
That seems not to have helped. After changing it and restarting the services, I'm not sure what that has changed, and I'm not sure what to test to notice the difference. Excuse my confusion.
Also, can anyone explain this?
When I try to ping the client from my Mac over at 192.168.1.18, I get this:
$ ping 192.168.123.1
PING 192.168.123.1 (192.168.123.1): 56 data bytes
36 bytes from lns20.mel4.on.ii.net (150.***.***.44): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 a22f 0 0000 3e 01 dd15 192.168.1.18 192.168.123.1
but as the client, I can ping from 192.168.123.1 to 192.168.1.18 with no problems.
New problem
What's even more confusing is that when I SSH from the server to the client using
root@server# ssh user@clienthostname
it asks for a password, accepts it as all OK and passes me back to
root@server#
whereas if I do
root@server# ssh user@192.168.123.1
I get access to my client with no problems. ????
Your mac needs to know that the route to 192.168.123.0/24 is via 192.168.123.100
Your mac needs to know that the route to 192.168.123.0/24 is via 192.168.123.100
If I understand correctly, we're masquerading here, so instead of messing with static routes, all we need on 192.168.1.9 are some NAT rules. In addition to what the mentioned guide says, you need to add an iptables rule for every service on 192.168.123.1 that you wish to reach from outside. That, and you might want to add a static DHCP entry for 192.168.123.1 to make sure those NAT rules keep working. Try this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.123.1
iptables -A FORWARD -d 192.168.123.1 -p tcp --dport 22 -j ACCEPT
See also the nice guide on stateful firewalling.
Then, you can test inbound traffic with
ssh user@192.168.123.1
As for your new problem, could you double-check that 192.168.123.100 uses its own DHCP server to resolve 192.168.123.1's hostname? Also, do you have any SSH keys on 192.168.123.100 configured to be used for outgoing SSH sessions (be it for 192.168.123.1 or other hosts)? If correcting any resolving issues doesn't help, could you post the output of the following?
ssh -vv user@192.168.123.1
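As an added example covering both suggestions above (the `routers` option and a fixed lease in the DHCP config, and one DNAT rule per published service), not code from the thread or from the Arch wiki: a POSIX shell script that prints the dhcpd.conf fragment and the iptables rules, and only applies them when DRY_RUN=0. It assumes eth0 is the Internet-facing interface and eth1 the crossover link, that the server's LAN address is 192.168.123.100, that the client is fixed at 192.168.123.1, and that the client MAC address is a placeholder to replace. Two details worth checking against the earlier posts: the MASQUERADE rule must leave via the Internet-facing interface (`-o eth0`), whereas the rule quoted earlier uses `-o eth1` and so rewrites traffic heading toward the client instead; and the DHCP range must not overlap the server's own 192.168.123.100 or the client's fixed address. With the DNAT in place, a host on 192.168.1.0/24 reaches the client through the server's address (`ssh user@192.168.1.9`), so the Mac needs no route for 192.168.123.0/24, which is why its direct pings to 192.168.123.1 were leaving via the router and being rejected upstream.

```shell
#!/bin/sh
# Added example: Internet sharing with one published service per port.
# Assumptions (replace to match your hosts):
WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # crossover link to the client
GW="${GW:-192.168.123.100}"              # server's address on the LAN side
CLIENT="${CLIENT:-192.168.123.1}"        # client's fixed address
CLIENT_MAC="${CLIENT_MAC:-00:11:22:33:44:55}"  # placeholder MAC, not real

# dhcpd.conf fragment: routers is the server's LAN address, the client gets a
# fixed lease so the DNAT target never drifts, and the dynamic range excludes
# both the server's address and the fixed address.
dhcpd_conf() {
  cat <<EOF
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option routers ${GW};
subnet 192.168.123.0 netmask 255.255.255.0 {
    range 192.168.123.10 192.168.123.99;
    host client {
        hardware ethernet ${CLIENT_MAC};
        fixed-address ${CLIENT};
    }
}
EOF
}

# iptables commands: outbound masquerade on the WAN side, a default-deny
# FORWARD chain that allows replies and LAN->WAN, then one DNAT plus one
# matching FORWARD accept per TCP port given as an argument.
nat_rules() {
  echo "iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT"
  for port in "$@"; do
    echo "iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport ${port} -j DNAT --to-destination ${CLIENT}:${port}"
    echo "iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${CLIENT} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Dry run (default) prints the rules; DRY_RUN=0 enables forwarding and
# executes them, which requires root.
apply() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    nat_rules "$@"
  else
    sysctl -w net.ipv4.ip_forward=1
    nat_rules "$@" | sh -e
  fi
}

# Publish SSH and HTTP from the client; from 192.168.1.0/24 they are then
# reached at the server's WAN address, e.g. ssh user@192.168.1.9
dhcpd_conf
apply 22 80
```

Running the script as-is only prints; review the output, then run it with DRY_RUN=0 as root and restart dhcpd after installing the printed fragment. The FORWARD policy of DROP follows the stateful-firewalling guide mentioned above and differs from the ACCEPT policy shown in the earlier `iptables -nvL` output, so any other forwarding the server does needs its own accept rule.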