simple connection bridging

simple connection bridging

[Peter Boughton]

Hello.

I have a Linux machine sitting between two WinXP machines, and I'm
trying to figure out how to use iptables to allow the two WinXP
machines to communicate with each other as if directly connected (a
bridge?) whilst still allowing both machines to access the Linux one
directly.

ie:
1 = Linux ( eth3 192.168.1.1 , eth0 192.168.0.1 )
2 = WinXP notebook ( 192.168.1.2 )
3 = WinXP desktop ( 192.168.0.3 )

So both 2 and 3 can currently connect to 1, but 2 cannot connect to 3,
nor vica versa.


Is anyone here able to provide a simple example of how to do this?


Thanks,

Peter

Re: simple connection bridging

[Jan Engelhardt]

On Saturday 2008-04-12 23:39, Peter Boughton wrote:

>Hello.
>
>I have a Linux machine sitting between two WinXP machines, and I'm
>trying to figure out how to use iptables to allow the two WinXP
>machines to communicate with each other as if directly connected (a
>bridge?) whilst still allowing both machines to access the Linux one
>directly.
>
>ie:
>1 = Linux ( eth3 192.168.1.1 , eth0 192.168.0.1 )
>2 = WinXP notebook ( 192.168.1.2 )
>3 = WinXP desktop ( 192.168.0.3 )

In that case you do not need a bridge, but routing routes.

Re: simple connection bridging

[Peter Boughton]

On Sun, Apr 13, 2008 at 2:30 AM, whiplash <whiplash@bofhland.org> wrote:
>  You don't need iptables at all.
>  Just enable packet forwarding on the linux box:
>
>  echo "1">/proc/sys/net/ipv4/ip_forward
>
>  and add appropriate routing rules on both Xp machines:
>
>  on 192.168.1.2
>  route add 192.168.0.0 mask 255.255.255.0 192.168.1.1
>
>  on 192.168.0.3
>  route add 192.168.1.0 mask 255.255.255.0 192.168.0.1
>
>  (I'm assuming both networks are /24)
>

Thanks! :)

Re: simple connection bridging

[Jan Engelhardt]

On Sunday 2008-04-13 13:10, Peter Boughton wrote:
>On Sun, Apr 13, 2008 at 2:30 AM, whiplash <whiplash@bofhland.org> wrote:
>>  You don't need iptables at all.
>>  Just enable packet forwarding on the linux box:
>>
>>  echo "1">/proc/sys/net/ipv4/ip_forward
>>
>>  and add appropriate routing rules on both Xp machines:
>>
>>  on 192.168.1.2
>>  route add 192.168.0.0 mask 255.255.255.0 192.168.1.1
>>
>>  on 192.168.0.3
>>  route add 192.168.1.0 mask 255.255.255.0 192.168.0.1
>>
>>  (I'm assuming both networks are /24)

No need. If you add the interface address, rules for the subnet
will automatically be added, in other words:

	ip addr add 192.168.1.2/24 dev eth0

will cause 192.168.1.0/24 to show up in `ip route` (preferred over `route`)
with a 'proto kernel', which says the kernel created this one automatically.

Re: simple connection bridging

[whiplash]

Jan Engelhardt ha scritto:

> No need. If you add the interface address, rules for the subnet
> will automatically be added, in other words:
> 
> 	ip addr add 192.168.1.2/24 dev eth0
> 
> will cause 192.168.1.0/24 to show up in `ip route` (preferred over `route`)
> with a 'proto kernel', which says the kernel created this one automatically.

Uhm, yes, this is correct.
But I was not talking about adding routing on linux box, but on *XP* boxes.

Re: simple connection bridging

[Jan Engelhardt]

On Monday 2008-04-14 09:52, whiplash wrote:
> Jan Engelhardt ha scritto:
>
>> No need. If you add the interface address, rules for the subnet
>> will automatically be added, in other words:
>> 
>>  ip addr add 192.168.1.2/24 dev eth0
>> 
>> will cause 192.168.1.0/24 to show up in `ip route` (preferred over `route`)
>> with a 'proto kernel', which says the kernel created this one automatically.
>
> Uhm, yes, this is correct.
> But I was not talking about adding routing on linux box, but on *XP* boxes.
>
Right, I already wondered about the strange trailing argument.
Then again, why not just use the default route [if it fits]?-
still needs no extra routes :)

Re: simple connection bridging

[whiplash]

Jan Engelhardt ha scritto:

>>> No need. If you add the interface address, rules for the subnet
>>> will automatically be added, in other words:
>>>
>>>  ip addr add 192.168.1.2/24 dev eth0
>>>
>>> will cause 192.168.1.0/24 to show up in `ip route` (preferred over `route`)
>>> with a 'proto kernel', which says the kernel created this one automatically.
>> Uhm, yes, this is correct.
>> But I was not talking about adding routing on linux box, but on *XP* boxes.
>>
> Right, I already wondered about the strange trailing argument.

Yes, "mask" keyword does not definitively apply to route in Linux. :)

> Then again, why not just use the default route [if it fits]?-
> still needs no extra routes :)

Because I didn't know if the mentioned linux box was the default gateway 
for the two XP boxes...:)

Regards.

Re: simple connection bridging

[Grant Taylor]

On 04/14/08 06:01, whiplash wrote:
> Because I didn't know if the mentioned linux box was the default gateway 
> for the two XP boxes...:)

Regardless whether or not the Windows XP systems have routes to each 
others subnets or they use the default route, the Linux system has to be 
set up to allow IP Forwarding.  (I not recall having seen any thing 
indicating that the Linux box was indeed presently doing this.)

In other words, it is entirely possible for each XP system to get to the 
Linux system with out allowing routing between the two subnets / XP systems.



Grant. . . .

Re: simple connection bridging

[Peter Boughton]

> > Then again, why not just use the default route [if it fits]?-
> > still needs no extra routes :)
> >
>
>  Because I didn't know if the mentioned linux box was the default gateway
> for the two XP boxes...:)
It is for one, but not the other - can change that if necessary?


I've had to fiddle the IPs to try and get Internet Connection Sharing
(Windows requires 192.168.0.1 be the internet machine), so I've
currently got this:

 - main machine -
ip=192.168.1.2
gateway=192.168.0.1
route add 192.168.0.0 mask 255.255.255.0 192.168.1.10

- internet machine -
ip=192.168.0.1
gateway=192.168.0.10
route add 192.168.1.0 mask 255.255.255.0 192.168.0.10

 - linux machine -
eth0 = 192.168.0.10
eth1 = 192.168.1.10
packet filtering enabled

pinging, ssh, remote desktop all work, but I can't get internet from
the main machine, only the other two.


Aha! I changed the default gateway of my main machine to the linux one
and now I can get online with it again!

Not really sure what it means to change the gateway though - why that
allows it to work online when going direct to the other machine
doesn't?

Re: simple connection bridging

[Grant Taylor]

On 04/14/08 14:39, Peter Boughton wrote:
> It is for one, but not the other - can change that if necessary?

You don't have to have the Linux box be the default gateway for both XP 
boxen, but the one(s) that do not do so will have to have a route in 
place to the other subnet via the Linux box.

> I've had to fiddle the IPs to try and get Internet Connection Sharing 
> (Windows requires 192.168.0.1 be the internet machine), so I've 
> currently got this:

Ugh?  How big of a role is Internet Connection Sharing (a.k.a. ICS) 
playing in this network?  Are you aware of the problems that ICS will 
introduce in to this mix?

>  - main machine -
> ip=192.168.1.2
> gateway=192.168.0.1
> route add 192.168.0.0 mask 255.255.255.0 192.168.1.10

Um, this machine (as it is above) probably does not have internet access 
as it's default gateway (192.168.0.1) is not on its network (192.168.1.x).

> - internet machine -
> ip=192.168.0.1
> gateway=192.168.0.10
> route add 192.168.1.0 mask 255.255.255.0 192.168.0.10

So this is one of the XP boxen and it is the one that is connected to 
the internet?  I.e. the other XP box will have to pass through the Linux 
box to get to this box to go out to the internet?

>  - linux machine -
> eth0 = 192.168.0.10
> eth1 = 192.168.1.10
> packet filtering enabled

*nod*  Simple enough.

> pinging, ssh, remote desktop all work, but I can't get internet from
> the main machine, only the other two.

*nod*  (See my above note about the default gateway.)

> Aha! I changed the default gateway of my main machine to the linux 
> one and now I can get online with it again!

This is as I would expect.

> Not really sure what it means to change the gateway though - why that 
> allows it to work online when going direct to the other machine 
> doesn't?

I'm guessing by this statement that you are not overly familiar with 
subneting and routing.  In a nut shell, the netmask in combination with 
your IP address define what addresses are considered local and can be 
gotten to directly.  Any address that is not local has to be gotten 
through via a route or the special route better known as the default 
gateway.

So I'm guessing your set up is something like this:

                (I Net)
                   |
+---+   +---+   +-+-+
| M +---+ L +---+ I |
+---+   +---+   +---+

Where M is your main system, L is the Linux system, and I is the 
internet system.

(Presuming that the above is correct.)

Your main system will be able to talk to any systems with in the same 
subnet that it is on, namely L.  Likewise, L is able to talk to any 
systems with in the same subnets that it is on, namely M and I. 
Similarly I is able to talk to any systems with in the same subnets that 
it is on, namely L and the ISP.

For M to talk to any thing other than L it will need a default gateway 
(L) or at least a route to get to I.  Likewise L will need a default 
gateway (I) to get to the internet.  Similarly I will use the ISP as 
it's default gateway to get to the internet.

Now, word to the wise about Internet Connection Sharing (a.k.a. ICS). 
ICS runs on the system that shares its (usually internet) connection. 
This system has to be fully functional and in charge of the networks 
that it is sharing its connection to.

Any system that is a client of ICS will very likely have to be 
configured as a DHCP client, or ICS *MAY* not share its connection to it 
properly.

Also, if you want, you can tweak the registry of the ICS system to 
change the network config that it hands out to clients.



Grant. . . .

Re: simple connection bridging

[Peter Boughton]

Thanks Grant.


>  Ugh?  How big of a role is Internet Connection Sharing (a.k.a. ICS) playing
> in this network?  Are you aware of the problems that ICS will introduce in
> to this mix?

As little as I can get away with - I know it's a problematic entity,
but (afaik) it's the only way to share the connection. (It's a 3G
connection, and appears as dialup)


>  I'm guessing by this statement that you are not overly familiar with
> subneting and routing.

Yeah, I have a vague grasp of concepts, but with lots of holes, and
not much practical knowedge.

Your explanations are helping me to make sense of it though, so thanks. :)


>  So I'm guessing your set up is something like this:
>
>                (I Net)
>                   |
>  +---+   +---+   +-+-+
>  | M +---+ L +---+ I |
>  +---+   +---+   +---+

Yep, that's correct.
I've got an image that shows the same with pretty pictures here:
http://hybridchill.com/misc/network_setup_small.png




>  Now, word to the wise about Internet Connection Sharing (a.k.a. ICS). ICS
> runs on the system that shares its (usually internet) connection. This
> system has to be fully functional and in charge of the networks that it is
> sharing its connection to.
>
>  Any system that is a client of ICS will very likely have to be configured
> as a DHCP client, or ICS *MAY* not share its connection to it properly.

So far it appears that I've got it working with static IPs. Someone
has said DHCP is possibly a better way on the Puppy Linux forum, but
given that it's working at the moment I'm okay with leaving it on
static, unless there's any specific advantages to doing otherwise?


Thanks,

Peter

Re: simple connection bridging

[Grant Taylor]

On 4/14/2008 5:26 PM, Peter Boughton wrote:
> Thanks Grant.

You are welcome.

> As little as I can get away with - I know it's a problematic entity, 
> but (afaik) it's the only way to share the connection. (It's a 3G 
> connection, and appears as dialup)

Ah, there is the missing piece of the puzzle.  I can see how you are 
tied to where you can get the card to work.

> Yeah, I have a vague grasp of concepts, but with lots of holes, and 
> not much practical knowedge.

That's ok.  Knowing what you do and don't know and trying to learn more 
is a lot better than incorrectly thinking that you know it all.

> Your explanations are helping me to make sense of it though, so 
> thanks. :)

You are welcome.

> Yep, that's correct. I've got an image that shows the same with 
> pretty pictures here: 
> http://hybridchill.com/misc/network_setup_small.png

*nod*

Do you have any plans to remove Midnight (I) from the network down the 
road?  In other words is Midnight (I) just in the picture long enough 
for you to move the 3G internet connection to Photon (L)?

> So far it appears that I've got it working with static IPs. Someone 
> has said DHCP is possibly a better way on the Puppy Linux forum, but 
> given that it's working at the moment I'm okay with leaving it on 
> static, unless there's any specific advantages to doing otherwise?

I'm glad that you got ICS working.  The last time I messed with ICS 
(Windows 98) I had to have the clients DHCP.

Honestly, the static will work out better.  Midnight (I) will have to 
route through Photon (L) to be able to get to Silver (M).  I'm not aware 
of any way to dynamically augment the routing table on Midnight (I) with 
out doing some *VERY* *NASTY* scripting / hacking.  With Photon (L) 
having a static IP, you can put a persistent static route on Midnight 
(I) to be able to get to the network that Silver (M) is on via Photon 
(L).  I.e.:

route -p ADD 192.168.1.0 MASK 255.255.255.0 192.168.0.10 METRIC 1

Will add your persistent route on Midnight (I).

> Thanks,

You are welcome.



Grant. . . .

Re: simple connection bridging

[Peter Boughton]

>  Do you have any plans to remove Midnight (I) from the network down the
> road?  In other words is Midnight (I) just in the picture long enough for
> you to move the 3G internet connection to Photon (L)?

Yep, hopefully in six-eight months time I'll be moving into my own
place, so can get a regular phoneline and cut 3G out of the picture.
At that point I can take Midnight (I) out of the picture... keep it as
a backup machine or perhaps a place to experiment/fiddle with things
(I'd love to learn how to do stuff with X/window managers, so I can
create my own interface, but don't have time/spare machine at the
moment)



>   Honestly, the static will work out better.

Thanks for confirming that :)