Re: ip forwarding woes



On Sat, Mar 08, 2008 at 03:37:54PM -0500, David Zelinsky wrote:
I'm trying to set up a firewall/gateway, and I can't seem to get
ip forwarding to work. I'm using linux kernel 2.6.23 with iptables
enabled. Here's what happens.

The firewall machine has two interfaces (both on private networks, for
testing purposes):

IF     IP           Netmask
eth0   192.168.0.1  255.255.255.0
eth1   10.0.0.1     255.255.255.0

Can you do an `ip r` on the firewall machine and on the machine at 192.168.0.2?

On 192.168.0.2, can you also do a

ip r g 10.0.0.2

If that all looks okay, then try tcpdump on the firewall while doing
something like traceroute 10.0.0.2 from the 192.168.0.2 machine.


This is the routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

I enable IP forwarding, with 'echo 1 >/proc/sys/net/ipv4/ip_forward'

I have the iptables_* modules loaded (* = forward,nat,mangle,raw).
There are no rules in any of the tables, but all have ACCEPT as the
default policy.

I have two other machines, one at 192.168.0.2 (connected to the same
hub as firewall's eth0) and one at 10.0.0.2 (connected via crossover
to firewall's eth1).

From the firewall, I can ping both the other hosts.
From either host, I can ping the firewall at both 192.160.0.1 and 10.0.0.1.

With this setup, I expect to be able to ping 10.0.0.2 from 192.168.0.2
(and vice versa), with packets routed through the firewall, but it
doesn't work.

What am I overlooking?

I did try putting explicit iptables rules in the FILTER chain of the
forward table, but it didn't make any difference.

Any suggestions would be much appreciated.

--
David Zelinsky



--
"We need to apply 21st-century information technology to the health care field. We need to have our medical records put on the I.T."

- George W. Bush
01/05/2005
Collinsville, IL
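The `ip r` / `ip r g 10.0.0.2` checks the reply asks for, worked offline as an added example (not code from this thread): it does a longest-prefix lookup over constructed route tables and confirms that traffic from 192.168.0.2 to 10.0.0.2, and the replies, both go through the firewall. The tables for the two end hosts are assumptions; the firewall's table is the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Route tables are CONSTRUCTED strings,
# one "dest/prefix gateway" entry per line; gateway 0.0.0.0 = directly connected.
ip2int() {                       # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
mask() {                         # prefix length -> netmask as integer
  [ "$1" -eq 0 ] && echo 0 || echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}
# next_hop DEST ROUTES: longest-prefix match. Prints the gateway of the best
# route (0.0.0.0 for a connected one) or "none" when nothing matches, which
# is the situation a failing 'ip r g DEST' reports.
next_hop() {
  dst=$(ip2int "$1"); best=-1; gw=none
  while read -r net via; do
    [ -z "$net" ] && continue
    pfx=${net#*/}; m=$(mask "$pfx")
    if [ $(( dst & m )) -eq $(( $(ip2int "${net%/*}") & m )) ] && [ "$pfx" -gt "$best" ]; then
      best=$pfx; gw=$via
    fi
  done <<EOF
$2
EOF
  echo "$gw"
}
# forward_path SRC DST SRC_ROUTES FW_ROUTES DST_ROUTES FW_SRC_IP FW_DST_IP
# succeeds only when SRC hands DST traffic to the firewall, the firewall has
# a connected route to DST, and DST's replies return through the firewall.
forward_path() {
  [ "$(next_hop "$2" "$3")" = "$6" ]      || { echo "$1 has no route to $2 via $6"; return 1; }
  [ "$(next_hop "$2" "$4")" = "0.0.0.0" ] || { echo "firewall has no connected route to $2"; return 1; }
  [ "$(next_hop "$1" "$5")" = "$7" ]      || { echo "$2 has no return route to $1 via $7"; return 1; }
  echo "$1 -> $2 and back are both routed through the firewall"
}
FW_ROUTES="192.168.0.0/24 0.0.0.0
10.0.0.0/24 0.0.0.0"
# Assumed: host 192.168.0.2 knowing only its own subnet ('ip r g 10.0.0.2' fails)
HOST_A_ONLY_LOCAL="192.168.0.0/24 0.0.0.0"
# Assumed: the same hosts once each has a default route pointing at the firewall
HOST_A_FIXED="$HOST_A_ONLY_LOCAL
0.0.0.0/0 192.168.0.1"
HOST_B_FIXED="10.0.0.0/24 0.0.0.0
0.0.0.0/0 10.0.0.1"
forward_path 192.168.0.2 10.0.0.2 "$HOST_A_ONLY_LOCAL" "$FW_ROUTES" "$HOST_B_FIXED" 192.168.0.1 10.0.0.1 || true
forward_path 192.168.0.2 10.0.0.2 "$HOST_A_FIXED" "$FW_ROUTES" "$HOST_B_FIXED" 192.168.0.1 10.0.0.1
```

With ip_forward set to 1 and an ACCEPT FORWARD policy, as posted, a failing check here points at the end hosts' routes rather than the firewall.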
