
I'm trying to set up proper IP forwarding within a DHCP subnet generated through a host with two different network adapters.

My current situation is the following:

  1. First node with two network adapters, the first one connected to a WAN, the second one responsible for generating a subnet through DHCP. Here is the DHCP configuration (the host identified as master should be the gateway):

    subnet 10.142.0.0 netmask 255.255.255.0 {
        interface                       enp0s31f6;
        option routers                  10.142.0.1;
        option subnet-mask              255.255.255.0;
        option domain-search            "net.local";
        option broadcast-address        10.142.0.255;
        option domain-name-servers      8.8.8.8;
        range 10.142.0.20       10.142.0.100;
    }
    host master {
        hardware ethernet d4:5d:df:1a:26:40;
        fixed-address 10.142.0.1;
    }
    host node01 {
        hardware ethernet d4:5d:df:13:69:42;
        fixed-address 10.142.0.2;
    }
    host node02 {
        hardware ethernet d4:5d:df:13:69:45;
        fixed-address 10.142.0.3;
    }

  2. Added iptables rules following the answer provided here

The nodes get the IP correctly and I can ssh to them. Ping to external hosts works fine, but when I try to resolve a host name I get a "name or service unknown" error. Is it possible that I have to set up iptables rules even for DNS lookup?

Thanks in advance!

EDIT: Trying to curl a Google IP directly I got "No route to host" anyway:

    curl http://216.58.205.131
    curl: (7) Failed connect to 216.58.205.131:80; No route to host

while if I ping it everything works as expected:

    ping 216.58.205.131
    PING 216.58.205.131 (216.58.205.131) 56(84) bytes of data.
    64 bytes from 216.58.205.131: icmp_seq=1 ttl=54 time=23.7 ms
    64 bytes from 216.58.205.131: icmp_seq=2 ttl=54 time=20.0 ms
    64 bytes from 216.58.205.131: icmp_seq=3 ttl=54 time=19.9 ms

luke035
    The `.local` domain name is a bit special. Are you using mDNS? Is [this question/answer](https://unix.stackexchange.com/questions/92441/whats-the-difference-between-local-home-and-lan) relevant to you? – Kusalananda Aug 10 '18 at 10:13
  • Hi @Kusalananda thanks for the answer! I'm not using mDNS but I've tried anyway to remove the `domain-search` but, unfortunately, the problem remains. I'm wondering if the problem can be due to the fact that the gateway IP is provided statically by the DHCP server and not taken statically by the node itself – luke035 Aug 10 '18 at 10:20
  • If pinging 8.8.8.8 works from wherever you do the DNS lookup, then IP addresses or routing can't be the problem. Instead, debug the DNS lookup (check `resolv.conf`, use host/dig to contact the nameserver directly, etc.) – dirkt Aug 10 '18 at 12:02
  • Hi @dirkt pinging 8.8.8.8 works and `/etc/resolve.conf` shows 8.8.8.8 as domain server but lookup doesn't work. I also tried to resolve Google's IP and tried to curl the IP (`curl http://216.58.205.131`) in order to overcome the DNS resolution and I got `Failed connect to 216.58.205.131:80; No route to host` – luke035 Aug 10 '18 at 12:42
  • (1) Use `host` / `dig` to do a direct DNS lookup without the resolver, using 8.8.8.8 as NS. (2) Check `nsswitch.conf`. (3) If 8.8.8.8 works, but 216.58.205.131 doesn't, check routes with `ip route`, `ip route get 8.8.8.8`, `ip route get 216.58.205.131`; possibly on upstream routers as well. – dirkt Aug 10 '18 at 12:50
  • (1) digging specifying the NS (`dig google.it @8.8.8.8`) results in a `no servers could be reached` error (2) nsswitch.conf appears to be empty (3) `ip route` works for both IPs passing through the gateway (10.142.0.1): `ip route get 216.58.205.131` gives `216.58.205.131 via 10.142.0.1 dev enp0s31f6 src 10.142.0.3`. Is it possible that firewalld is blocking connections with port 80? – luke035 Aug 10 '18 at 13:19

1 Answer


After some digging in Google I managed to find the problem: firewalld (10.142.0.1) on the gateway was blocking requests ignoring the forward rule (probably there was another rule that was overcoming the forward rule).

Inserting the rule at the beginning did the trick:

    iptables -I FORWARD -i <LAN_ETH> -o <WAN_ETH> -j ACCEPT

luke035
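The failure mode in this thread, as an added example that is not code from the question or the answer: a script that reads `iptables -S FORWARD` output and reports whether the LAN-to-WAN ACCEPT sits ahead of or behind firewalld's catch-all REJECT, plus the rule set that fixes it. The interface names (`enp0s31f6`, `eth0`) and the sample chain output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or answer). It reproduces the thread's
# diagnosis: a FORWARD ACCEPT appended with -A sits behind firewalld's catch-all
# REJECT and never matches. Interface names are assumptions; override via env.
LAN_ETH="${LAN_ETH:-enp0s31f6}"
WAN_ETH="${WAN_ETH:-eth0}"
# Constructed `iptables -S FORWARD` output from a firewalld host; in SAMPLE_BAD
# the LAN->WAN rule was appended (-A) after the REJECT, in SAMPLE_GOOD inserted (-I).
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i enp0s31f6 -o eth0 -j ACCEPT'
SAMPLE_GOOD='-P FORWARD ACCEPT
-A FORWARD -i enp0s31f6 -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
# forward_rule_position: read `iptables -S FORWARD` on stdin; print "ok" when an
# ACCEPT for LAN_ETH->WAN_ETH precedes the first catch-all REJECT/DROP (a rule
# with no -i/-o/-m/-p/-s/-d match), "shadowed" when it follows it, else "missing".
forward_rule_position() {
  awk -v lan="$LAN_ETH" -v wan="$WAN_ETH" '
    /^-A FORWARD/ {
      n++
      if (!acc && $0 ~ ("-i " lan " ") && $0 ~ ("-o " wan " ") && /-j ACCEPT/) acc = n
      if (!blk && /-j (REJECT|DROP)/ && $0 !~ /( -i | -o | -m | -p | -s | -d )/) blk = n
    }
    END {
      if (!acc) print "missing"
      else if (blk && blk < acc) print "shadowed"
      else print "ok"
    }'
}
# gateway_rules: commands that make the gateway forward LAN->WAN. -I puts the rule
# ahead of the REJECT; the WAN->LAN return path is limited to established flows.
gateway_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD 1 -i $LAN_ETH -o $WAN_ETH -j ACCEPT
iptables -I FORWARD 2 -i $WAN_ETH -o $LAN_ETH -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_ETH -j MASQUERADE
EOF
}
printf 'appended: %s  inserted: %s\n' "$(printf '%s\n' "$SAMPLE_BAD" | forward_rule_position)" "$(printf '%s\n' "$SAMPLE_GOOD" | forward_rule_position)"
```

On a live gateway, pipe the real chain into the checker with `iptables -S FORWARD | forward_rule_position`; rules added with plain `iptables` do not survive a firewalld reload, so make them persistent with firewalld's own direct-rule or masquerade settings once they are confirmed to work.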