make 2nd NIC visible to rest of network

2

I have a plain vanilla wireless network where the router has a 192.168.xxx.xxx address.

Now, I physically hooked up a Windows machine that doesn't have wireless to one of the Linux machines in the existing network with an Ethernet cable (also, added a 'shareable' interface in Network Manager). It automatically received a 10.42.xxx.xxx address, and I can see a corresponding 10.42 network interface on the Linux machine, in addition to the 192.168 one.

As a result, I can access the internet from the Windows machine.

So far, so good, but I have no idea how to access the Windows machine other than from the computer it is physically connected to.

My ultimate goal is to be able to access the Windows machine from outside the network in a controlled way. I mean, I don't want it to be sitting out there in the open, but there must be a way to, say, SSH to it, right?

I do understand that this is a routing problem, but unfortunately, my understanding stops right there. I did try to set a 'static routing' rule through the wireless router's interface, but it doesn't seem to work.

It probably matters that the Linux machine in question has a static address on the 192.168 network.

vanhemt

Posted 2018-06-07T15:47:18.550

Reputation: 21

Please provide information about what static route you were trying to add, exactly. Also please provide the actual netmasks or prefix lengths that both interfaces use – there's no way to guess that from "192.168.xxx.xxx". Also please make sure that your iptables isn't already blocking the incoming traffic. – user1686 – 2018-06-08T04:40:42.617

What I have is a 2-NIC Linux machine (L), an Ethernet-connected Windows machine (W), a stock wifi router (R), and another Linux machine (A). W: 10.42.0.84 + 255.255.255.0 + 10.42.0.1. L: 192.168.0.2 on wlan0 and 10.42.0.1 on eth0. Enabled routing on L via # echo 1 > /proc/sys/net/ipv4/ip_forward

R is at 192.168.0.1. I added this: Destination Network: 10.42.0.0 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.0.2

  • pinging 10.42.0.84 from A:

From 192.168.0.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.0.2) ---nothing---

  • pinging A from W:

Destination host unreachable – vanhemt – 2018-06-08T07:27:06.457

For the sake of the experiment, got iptables out of the way. Also, I understand that I'll have to set the routing on W, as well, but I'm stuck at the other parts of the network. Please note my ultimate goal as stated above. – vanhemt – 2018-06-08T07:28:52.087

Routes look correct, I'd investigate whether L actually is 1) receiving and 2) forwarding the traffic. – user1686 – 2018-06-08T07:43:22.093

What would be the way to do that, please? – vanhemt – 2018-06-08T07:51:25.997

tcpdump, Wireshark. – user1686 – 2018-06-08T08:57:18.130

Thanks. From what I see, packets do get to L. I know, as I can ping its "other NIC" alright from A: *** PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data. 64 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=2.42 ms. *** What fails is traceroute to W, as it goes into an endless loop: *** traceroute to 10.42.0.84 (10.42.0.84), 30 hops max, 60 byte packets 1 192.168.0.2 (192.168.0.2) 9.987 ms 10.119 ms 10.110 ms 2 192.168.0.2 (192.168.0.2) 10.448 ms 10.449 ms 10.397 ms *** There is a route to 10.42.0.0/24 dev eth0 on L. – vanhemt – 2018-06-08T09:21:18.173

Just ran tcpdump on L's eth0. No activity when I'm pinging W from A. Just some background UDP exchange. But please note, W is somehow able to access the internet through the two NICs in the other direction. – vanhemt – 2018-06-08T09:46:10.680

Sounds to me like L still has a stateful (conntrack-based) firewall active... – user1686 – 2018-06-08T11:01:38.127

Is there a way to check that apart from the iptables command? Speaking of the latter, I have explicitly flushed all rules and enabled all policies. – vanhemt – 2018-06-08T13:55:21.877
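An added example, not code from anyone in the thread, that turns user1686's three checks (is forwarding on, is there a route, is a stateful firewall in the way) into a script. It assumes the names used above (wlan0 on 192.168.0.0/24, eth0 on 10.42.0.0/24) and, rather than reading the live system, takes the output of `cat /proc/sys/net/ipv4/ip_forward`, `ip -4 route` and `iptables -S FORWARD` as arguments, so it can be run against captured text. The sample state at the bottom is constructed, modelled on the kind of rules a NAT-sharing setup installs; it is not a capture from the machine in question. The FORWARD check walks the chain in order the way a new connection is evaluated and skips rules limited to RELATED,ESTABLISHED, which is exactly how a stateful ruleset can let W reach the internet (and receive the replies) while rejecting every new connection from A towards W.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checklist for the question
# "is L actually forwarding between its two NICs?". Every check takes the
# relevant command output as an argument, so it can be run against captured
# text; the comment at the end shows the live commands. Names follow the thread:
# wlan0 carries 192.168.0.0/24, eth0 carries 10.42.0.0/24 (the shared/NAT side).

# Check 1: kernel forwarding switch. Arg: contents of /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Check 2: a route for the far subnet on the expected interface.
# Args: output of `ip -4 route`, subnet in CIDR form, interface name.
route_present() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" \
        '$1 == s && $2 == "dev" && $3 == d { found = 1 } END { exit !found }'
}

# Check 3: would a NEW connection arriving on in_if and leaving via out_if pass
# the filter FORWARD chain? Walks `iptables -S FORWARD` output top to bottom the
# way the kernel does: rules limited to RELATED,ESTABLISHED never match a new
# connection and are skipped; the first rule whose -i/-o match decides; with no
# match the chain policy decides. Source/destination matches are ignored here.
forward_allowed() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
        /^-P FORWARD / { policy = $3 }
        /^-A FORWARD / {
            i = ""; o = ""; j = ""; established_only = 0
            for (k = 3; k <= NF; k++) {
                if ($k == "-i") i = $(k + 1)
                else if ($k == "-o") o = $(k + 1)
                else if ($k == "-j") j = $(k + 1)
                else if ($k == "--state" || $k == "--ctstate") established_only = ($(k + 1) !~ /NEW/)
            }
            if (established_only) next
            if ((i == "" || i == in_if) && (o == "" || o == out_if)) {
                if (j == "ACCEPT") { decided = 1; verdict = 0; exit }
                if (j == "DROP" || j == "REJECT") { decided = 1; verdict = 1; exit }
            }
        }
        END { if (!decided) verdict = (policy == "ACCEPT") ? 0 : 1; exit verdict }'
}

# Combine the checks for traffic from A (wlan0 side) towards W (eth0 side).
# Prints one diagnostic line; exit status 0 only when all three pass.
diagnose_forwarding() {
    if ! ip_forward_enabled "$1"; then
        echo "ip_forward is 0: L discards packets not addressed to itself"; return 1
    fi
    if ! route_present "$2" 10.42.0.0/24 eth0; then
        echo "no route to 10.42.0.0/24 via eth0 on L"; return 1
    fi
    if ! forward_allowed "$3" wlan0 eth0; then
        echo "FORWARD chain rejects new wlan0->eth0 connections (see iptables -S FORWARD / nft list ruleset)"; return 1
    fi
    echo "forwarding path looks open; capture on L with: tcpdump -ni eth0 icmp"
}

# Constructed sample state (not captured from the thread's machine), modelled on
# a NAT-sharing ruleset: W's side may open connections, new connections towards
# W are rejected.
SAMPLE_IP_FORWARD="1"
SAMPLE_ROUTES="default via 192.168.0.1 dev wlan0
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.2"
SAMPLE_RULES="-P FORWARD ACCEPT
-A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable"

# Run against the constructed sample: ./forward_check.sh --demo
# Live use on L (root needed for iptables):
#   diagnose_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip -4 route)" "$(iptables -S FORWARD)"
if [ "${1:-}" = "--demo" ]; then
    diagnose_forwarding "$SAMPLE_IP_FORWARD" "$SAMPLE_ROUTES" "$SAMPLE_RULES"
fi
```

With `--demo` the constructed sample yields the "FORWARD chain rejects" verdict even though ip_forward is 1 and the route exists, which matches the symptom of replies from L but nothing on eth0. On a machine where `iptables -S` is empty yet forwarding still fails, `nft list ruleset` shows rules installed directly through nftables, which the iptables tool does not list.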

Answers

3

Do away with the network sharing interface, and instead “bridge” the two interfaces together on the Linux machine.

This will be like taking the Windows machine and connecting it directly to the rest of the network. At this point, the Windows machine will get a 192.168.x.x address from your router and not a 10.42.x.x address from the Linux machine. Then you can port forward to the Windows machine the same way you would any other machine on your network.

What you currently have is a NAT interface that basically segregates the Windows machine from the rest of your network. While it is doable, it is much less desirable to operate this way and more difficult to do what you are asking.

Appleoddity

Posted 2018-06-07T15:47:18.550

Reputation: 9 360

Ah, but I was hoping to use the Linux machine to control traffic to/from the Windows one with iptables. We're talking WinXP here. So, the setup is intentional. – vanhemt – 2018-06-08T01:15:26.790

You trust your router to protect the rest of your machines, why not the XP machine? For the sake of simplicity you should be able to block inbound and outbound traffic on your router the same as IPTables. The fact that your machines are NAT’d behind your router makes them untouchable unless you deliberately forward a port. Your question stated you wanted to access the system from “outside the network.” I take that to mean from the internet. So even if you figure out your routing issues you’ll have to also figure out port forwarding twice. It’s just not optimal and not useful to do it your way. – Appleoddity – 2018-06-08T14:12:08.603

Well, I don't trust the router at all aside from the NAT feature. Since I'm forced to use an XP machine, I'm looking for a way to prevent it from becoming the weakest point of the setup. I was thinking that could be done by keeping tabs on all of its traffic. You are right, indeed, that I need to be able to access that machine from the internet. If I can't figure out the routing issues, I'll have to switch to the router side of the equation. – vanhemt – 2018-06-08T14:30:26.553

@vanhemt, dude... Don't expose Windows XP to the wild. It's a bad idea; it's extremely exploitable at this point. If you have programs that you want to run from the Windows XP era, why not use Ubuntu with Wine? I'm sure there are other options, but Metasploit shows lots and lots of vulnerabilities for just about any port you open for XP. – Tim_Stewart – 2018-06-08T15:57:39.167