Despite
21-01-2005 08:39:16
or possibly both? let me tell you my story...
I wanted to give Debian a try on a server, because I'm tired of the version churn with Fedora. so I put Sarge on a machine whose only duty is to serve as a web proxy server. I get Sarge installed and updated, get squid and winbind installed, all that. now, the thing is, this machine is going to have 2 ethernet interfaces. 1 with a public IP address, through which all communication with the outside world will take place, and one with a private IP address, on which the web proxy and the ssh daemon will listen. everything was working fine with one interface. but then when it came time to put the other ethernet card in, well, that's when the fun started!
first thing I realize is that I don't know squat about how Debian sets up networking stuff. a little basic poking about leads me to /etc/network/interfaces, which at first glance seems so simple that even I couldn't screw it up. so I put in another stanza there for the new card; I just cut and pasted the one for eth0, and then changed the name to eth1 and all the IP info to what it should be for the new card. first mistake! on reboot, for some reason, it hangs at "starting MTA" for a few seconds, but then goes on and continues to boot. everything seems cool, until I try to ssh to the private address from my workstation with a public address. doesn't work, just times out. however, I can ssh in there just fine from a machine on the same private subnet.
okay, it's a routing issue. so, I do a `route`, and again there's an odd few second long pause, and when it finally comes back, I see that there are 2 default gateways. yeah, that's probably not right. so I go back and look in /etc/network/interfaces, and take out the "gateway" line on the second interface. after a reboot, that annoying pause at "starting MTA" is gone (looks promising), and a `route` shows the gateway I specified. unfortunately, I still can't ssh to the private address on the box from my public addressed box.
it is at this point that I have the disheartening realization that maybe I don't know as much about networking as I like to believe. my theory here is that while the ssh daemon is listening on the private addressed interface, since the default gateway I've set is the one for the publicly addressed interface, it's trying to reply back to my ssh initiation packets on the *wrong* interface (well, I mean that it's probably replying on the correct interface, but it's trying to send to the wrong gateway from that interface, which will go precisely nowhere). I have yet to verify this with tcpdump but I will do so soon. however, the fact that adding in a static route for my workstation (which has a public address) through the correct gateway for the private network makes ssh magically work supports this theory. anyway as I said I realize that I've never had to really futz with this stuff before, so I actually had to... read the manual! which it turns out is absolutely no help. the online docs, btw, are positively ancient.
at any rate, it seems to me what I need here is just a way to tell the kernel that the gateway for eth0 is X, AND the gateway for eth1 is Y. but I have no idea how to do this. well, that's not entirely true; I could "fake it" by adding routes in for all of my internal subnets, but that's incredibly kludgy and ugly. surely there's a more elegant way of fixing this? but if so, I haven't found it, and none of the people I've asked know off the tops of their heads, either.
the odd thing is, I've done this same setup (proxy servers with 1 private and 1 public interface) many times before using RedHat and Fedora, and in all of those cases, it "just works", without any hoop-jumping at all. and in fact, on those RH and Fedora based proxies, the routing table looks exactly like it does on this Debian box. it just doesn't work on Debian, for whatever reason. can one of you Debian gurus tell me what it is that I am missing?
*edit*
I guess I should mention that there's no NATing involved. sorry I didn't make that clear.
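One way to give each interface its own gateway, as an added example that is not part of the original post or any reply in the thread: Linux policy routing with iproute2 (`ip route ... table N` plus `ip rule add from ADDR table N`), which picks the routing table by source address so replies to connections that arrived on eth1 leave via eth1's gateway while locally originated traffic still uses the single default via eth0. Interface names match the post; the addresses, gateways and table numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Source-based policy
# routing for a two-homed proxy: one routing table per interface, each with
# its own default gateway, selected by the source address of outgoing packets.
set -e

# Constructed placeholder addressing; replace with the real values.
PUB_IF=eth0;  PUB_NET=198.51.100.0/24; PUB_ADDR=198.51.100.10; PUB_GW=198.51.100.1
PRIV_IF=eth1; PRIV_NET=10.0.0.0/24;    PRIV_ADDR=10.0.0.10;    PRIV_GW=10.0.0.1

# Emit the ip(8) commands that give one interface a private routing table:
# the connected subnet, a default route via that interface's gateway, and a
# rule sending packets sourced from that interface's address to the table.
# $1=interface  $2=subnet  $3=local address  $4=gateway  $5=table number
policy_route_cmds() {
    printf 'ip route add %s dev %s src %s table %s\n' "$2" "$1" "$3" "$5"
    printf 'ip route add default via %s dev %s table %s\n' "$4" "$1" "$5"
    printf 'ip rule add from %s table %s\n' "$3" "$5"
}

# "print" shows the commands for review; "apply" executes them (as root).
# The main table is left alone, so the box keeps its one default gateway
# via eth0 for traffic it originates itself, e.g. the proxy's upstream fetches.
apply_or_print() {
    cmds=$(
        policy_route_cmds "$PUB_IF"  "$PUB_NET"  "$PUB_ADDR"  "$PUB_GW"  100
        policy_route_cmds "$PRIV_IF" "$PRIV_NET" "$PRIV_ADDR" "$PRIV_GW" 200
    )
    if [ "$1" = print ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while read -r line; do $line; done
    fi
}

# Nothing runs unless an action is given, so sourcing the file is harmless.
case "$1" in
    print|apply) apply_or_print "$1" ;;
esac
```

To make this survive a reboot, the same commands belong on `up` lines in the eth1 stanza of /etc/network/interfaces. Also check `sysctl net.ipv4.conf.all.rp_filter`: strict reverse-path filtering drops an inbound packet when the main table would not route its source back out the arrival interface, and the per-source rules above satisfy that check as well.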