#1
linux routing issue
I have configured eth0 with static IP address 172.16.1.2/255.255.255.0 and set a DHCP server to listen on that network for requests, which it does (my computers on the 172.16.1.x network all receive their IP addresses with no problems).
eth1 is configured with a static IP address 192.168.1.2/255.255.255.0 and connects to a Linksys router at 192.168.1.1. The router box can connect to the internet, but boxes on the private network cannot. IP forwarding is on ( Code:
cat /proc/sys/net/ipv4/ip_forward

#2
Did you add a route to the router for the 172.16.1.x network? If not, it does not know how to get back to your PCs.

#3
I configured each interface manually with "ifconfig". The commands I used were:
$ ifconfig eth1 192.168.1.2
$ ifconfig eth0 172.16.1.2
Then I used the after which my routing table looked like:
Destination     Gateway         Genmask         Flags Metric ... Iface
192.168.1.0     *               255.255.255.0   U     0          eth1
172.16.1.0      *               255.255.255.0   U     0          eth0
127.0.0.0       *               255.0.0.0       U     0          lo
default         192.168.1.1     0.0.0.0         UG    0          eth1
I hope that this helps. I enabled IP forwarding in the kernel, but I cannot seem to make the router route. On the clients I have set the default route's gateway to 172.16.1.2; if I try to set the gateway to 192.168.1.2, "route" returns a network unreachable error. This makes sense to me, as the clients should only need to be able to reach the 172.16.1.2 address, at which point the router should perform the forward to 192.168.1.2 and from there to 192.168.1.1. So I am still at a loss. Thank you in advance for your help, though.
Nodine

#4
I meant: did you add a route in your Linksys router to the 172.16.1.x network? You should have a static route saying send 172.16.1.x traffic to 192.168.1.2 (the Linux interface).

#5
may not be explaining myself well
I am in a situation where my ISP is letting me put a server in the DMZ behind their firewall, and I am allowed only 1 private IP address: 192.168.1.2/24. I would eventually like to have 1 router box (the box I am working on configuring) 'feeding' 1 mail server and 2 webservers. To illustrate (via poorly done text graphics):

                  **************
                  **"Internet"**
                  **************
                        ||
                        V
(ISP's Firewall, allowing me the private address 192.168.1.2)
                        ||
                        V
***************************************************
**My Router, with eth1 configured as 192.168.1.2**
**ROUTER INTERNALS                               **
**eth0 configured as 172.16.1.2/24               **
***************************************************
                        ||
                        V
                   ************
                   **SWITCH**
                   ************
                        ||
                        V
                 ****************
                 **X Web Servers**
                 ****************

So there you have it, my entire scheme. So far I can get the webservers on my end to ping 172.16.1.2 and the router's 'far side' interface @ 192.168.1.2, but I cannot ping the 192.168.1.1 address from the webservers. I CAN ping the 192.168.1.1 address from the router, though, so I know that the firewall machine does respond to pings. The router has /proc/sys/net/ipv4/ip_forward set to "1" in the rc.local script, and this is working after each reboot. The router's routing table I believe is correct, with:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

The webservers' routing table looks like:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.1.0      *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         172.16.1.2      0.0.0.0         UG    0      0        0 eth0

So, what do you think? Any help at all would be greatly appreciated. I know that the webservers can ping the router's eth0 and eth1 addresses, but they cannot seem to 'get out' of the routing box. I am reading Tony Mancill's Linux Routers, but he does not seem to offer me a great deal of help in this area. Thank you again for your help. I apologize in advance for whatever bone-headed thing I have done to mess up what should probably be an easy configuration.

#6
more clarification
So if at all possible, I need to masquerade behind my router as a single machine (eventually using IPMASQ, I assume). My ISP will only allow me the one private address, which he will point all of the traffic bound for my domains at.
Am I going about this situation in the wrong way? Is there a better way to go about doing what I am trying to accomplish?

#7
BINGO!!!! I think you got it. Your ISP router at 192.168.1.1 does not have a route back to the 172.16.1.x network, so when you ping it from 172.16.1.x it gets routed through the Linux box to the 192.168.1.1 router; when it tries to reply, it has no route back to 172.16.1.x and drops the packet. (I thought the 192.168.1.1 was your Linksys, sorry for that.)
Doing masquerading (NAT/PAT) will fix that problem, as all requests from your 172.16.1.x network will get an IP address of 192.168.1.2 when sending out, so the 192.168.1.1 router will know to send back. What you need to do, since you can't add routes to your ISP router, is just that: masquerade the servers in your network for outgoing and then port forward SMTP and HTTP to the appropriate internal servers incoming, so that the ISP router will never know that 172.16.1.x even exists.
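
The masquerade-plus-port-forward setup recommended in post #7, as an added example that is not part of the thread: the script only prints the iptables commands for the eth0/eth1 layout described above, so they can be reviewed before being applied. The internal server addresses (172.16.1.10 for web, 172.16.1.20 for mail) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emits, without applying, the iptables
# rules for the router described above. Interface names and the LAN subnet come
# from the thread; WEB_IP and MAIL_IP are assumed addresses for illustration.
WAN_IF=eth1            # 192.168.1.2, faces the ISP firewall at 192.168.1.1
LAN_IF=eth0            # 172.16.1.2, faces the switch
LAN_NET=172.16.1.0/24
WEB_IP=172.16.1.10     # assumption: internal web server
MAIL_IP=172.16.1.20    # assumption: internal mail server

# Outbound: rewrite the source of LAN traffic to the router's WAN address so
# 192.168.1.1 only ever sees 192.168.1.2 and needs no route to 172.16.1.0/24.
outbound_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
}

# Inbound: one DNAT rule plus one FORWARD accept per published service.
# DNAT alone is not enough when the FORWARD policy is DROP.
# usage: forward_rules <tcp-port> <internal-ip>
forward_rules() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$1"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $2 --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Full ruleset: default-deny forwarding, allow replies, then the two cases.
build_ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    outbound_rules
    forward_rules 80 "$WEB_IP"     # HTTP
    forward_rules 25 "$MAIL_IP"    # SMTP
}

build_ruleset   # review the output, then pipe it to "sh" as root to apply
```

Inbound forwarding only works once the ISP firewall actually delivers ports 80 and 25 to 192.168.1.2.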
#8
exactly
I have gotten a little farther with just what you recommended: masquerading the servers behind my router.
The servers can reach the internet through the routers now, but the internet cannot reach back to ask them to serve pages. I set up masquerading using the Mandrake 9.1 GUIs, and they worked. Mandrake automatically uses the shoreline firewall to configure iptables rules, and after some messing around I discovered the 'firestarter' rpm, which provides a GUI to configure shorewall. I added a rule that forwards port 80 traffic to one of my webservers, but the internet still cannot reach the webserver. I know the webserver in question is serving pages if it receives requests, though, b/c when I use a machine on the same subnet to send a request the page is served back. Unfortunately, only machines on the subnet receive replies. So I think the problem lies in shorewall or in my router's name resolution. After an entire afternoon of dealing with this, though, I still cannot seem to make any progress.

#9
Is your linux box in DMZ already? If not, even 192.168.1.2 is not visible to the internet.
#10
mandrake 9s rpm of shorewall = strange
I am currently reworking the zones in the shoreline firewall that Mandrake automatically configures when you enable connection sharing with its GUI. I was trying to make sense of the manual from shoreline.net (v1.3, btw) but then I realized that the zones are different from the default, so I think I am going to remove RPM and install from source per the instructions at the shoreline site.
This has turned out to be quite an adventure. I had no idea that it would be this difficult, but I am learning a LOT about networking. As for 192.168.1.2 being visible, it is not (yet). Maybe by tomorrow morning, though... Thanks for all of the help.
| Viewing: Dev Shed Forums > System Administration > Networking Help > linux routing issue |