Re: Help with firewall/masquerading problem
From: Alex Meov (alex_me_ov_at_yahoo.com)
Date: Sat, 05 Jun 2004 15:15:17 -0400
On Mon, 31 May 2004 13:32:04 -0500, Clifford Kite wrote:
> Alex Meov <firstname.lastname@example.org> wrote:
>> My mini-network consists of a Linux firewall (Debian,
>> 2.4.22 kernel, masquerading with iptables) and the main
>> workstation (Linux/Windows). The firewall has 2 NICs:
>> one (eth0, 10.11.1.119) connected to the ISP's network through
>> a cable modem; another NIC (eth1, 192.168.0.1) is connected to
>> the workstation. The workstation has one NIC (192.168.0.2).
>> The firewall seems to be working, i.e. one cannot connect
>> to 192.168.0.2 or ping it from the outside. However, one CAN see
>> and ping 192.168.0.1 from the ISP's 10.11.X.X network. This,
>> understandably, makes the ISP unhappy (they did check that they
>> are pinging my box and not someone else's 192.168.0.1 by looking
>> at MAC addresses).
> I think the only way that a ping echo-request, sent from an ISP host
> on 10.11.0.0/16 (?), can elicit an echo-reply from 192.168.0.1 is for
> your Internet connection host to respond with the MAC address of eth1
> in an ARP reply to an ARP who-has 192.168.0.1 request by the ISP host.
Thank you!! That was a perfect diagnosis. Logging all traffic
on eth0 (external interface) for a few days found no mention
of 192.168.0.X except
ISP: arp who-has 192.168.0.1 tell ISP's.router.IP
my firewall: arp reply 192.168.0.1 is-at my:mac:address
I am now using arptables to block unwanted outgoing ARP packets
on eth0 and have heard from the ISP that the problem went away:
# arptables -L -v
Chain INPUT (policy ACCEPT 79779 packets, 2234K bytes)
Chain OUTPUT (policy DROP 10 packets, 280 bytes)
-j ACCEPT -i any -o eth1 , pcnt=290 -- bcnt=8120
-j ACCEPT -i any -o eth0 -s 10.0.0.0/8 , pcnt=329 -- bcnt=9212
> You can try this:
> /sbin/ifconfig eth0 -arp
> No guarantee, I'm not really certain this will work but certainly
> would like to know whether or not it does.
It did not provide an easy solution -- just running
"/sbin/ifconfig eth0 -arp" stopped all traffic to/from the ISP,
since when ISP's gateway information expired from my firewall's cache
it did not know where to send data. I started thinking of the
workarounds that do not require hard-coding ISP host's MAC, but then
found arptables and decided not to reinvent the wheel.
Again, thanks for the help!
-- Best regards, Alex
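To make the diagnosis and the fix from this thread reproducible, here is an added example (not code from Alex, Clifford, or the arptables project). It does two things: it scans tcpdump-style ARP lines captured on the external interface for replies in which the firewall advertises an address that does not belong to that interface's network (exactly the who-has/is-at exchange quoted above), and it models the arptables OUTPUT chain shown in the `arptables -L -v` listing (policy DROP, accept on eth1, accept on eth0 only for 10.0.0.0/8 senders) so you can check which ARP packets it would let out. The /24 prefix on eth0, the MAC address, the timestamps and the first-match rule evaluation are assumptions; the log lines are constructed.

```python
"""Detect the ARP leak described in the thread and model the arptables fix.

Added example, not from the mailing list thread. Interface prefixes, the
MAC address and the sample log lines are constructed for illustration.
"""
import ipaddress
import re

# Interfaces as described in the thread: eth0 external, eth1 internal.
# The /24 prefix lengths are an assumption (the thread gives addresses only).
IFACES = {
    "eth0": ipaddress.ip_interface("10.11.1.119/24"),
    "eth1": ipaddress.ip_interface("192.168.0.1/24"),
}

ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def leaked_arp_replies(lines, iface="eth0"):
    """Return (ip, mac) for every ARP reply seen on `iface` whose advertised
    IP is outside that interface's own network, i.e. the host is answering
    on the wrong interface for an address it serves elsewhere."""
    net = IFACES[iface].network
    leaks = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if ip not in net:
            leaks.append((str(ip), m.group(2)))
    return leaks


# Model of the arptables OUTPUT chain from the thread's listing:
#   Chain OUTPUT (policy DROP)
#   -j ACCEPT -i any -o eth1
#   -j ACCEPT -i any -o eth0 -s 10.0.0.0/8
# Rules are evaluated first-match, as arptables does (assumption stated
# in the lead-in); -s matches the ARP sender protocol address.
OUTPUT_RULES = [
    {"out": "eth1", "src": None, "target": "ACCEPT"},
    {"out": "eth0", "src": ipaddress.ip_network("10.0.0.0/8"), "target": "ACCEPT"},
]
OUTPUT_POLICY = "DROP"


def arp_output_verdict(out_iface, sender_ip):
    """Verdict for an outgoing ARP packet with the given out-interface and
    sender IP: the target of the first matching rule, else the chain policy."""
    ip = ipaddress.ip_address(sender_ip)
    for rule in OUTPUT_RULES:
        if rule["out"] != out_iface:
            continue
        if rule["src"] is not None and ip not in rule["src"]:
            continue
        return rule["target"]
    return OUTPUT_POLICY


# Constructed tcpdump-style capture on eth0, mirroring the exchange Alex saw:
# the ISP router asks for 192.168.0.1 and the firewall answers with eth1's IP.
SAMPLE_LOG = [
    "12:00:01.000000 arp who-has 192.168.0.1 tell 10.11.1.1",
    "12:00:01.000200 arp reply 192.168.0.1 is-at 00:11:22:33:44:55",
    "12:00:05.000000 arp who-has 10.11.1.119 tell 10.11.1.1",
    "12:00:05.000100 arp reply 10.11.1.119 is-at 00:11:22:33:44:55",
]

if __name__ == "__main__":
    for ip, mac in leaked_arp_replies(SAMPLE_LOG):
        print(f"leak on eth0: {ip} advertised as {mac}")
    for iface, ip in [("eth0", "192.168.0.1"), ("eth0", "10.11.1.119"),
                      ("eth1", "192.168.0.1")]:
        print(f"ARP out {iface} from {ip}: {arp_output_verdict(iface, ip)}")
```

Run it against a real capture by feeding `tcpdump -i eth0 -n arp` output to `leaked_arp_replies`; any hit means the external interface is still answering for an internal address. The modelled chain shows why the thread's ruleset works: the reply for 192.168.0.1 going out eth0 matches no ACCEPT rule and falls through to the DROP policy, while replies for the firewall's own 10.11.1.119 and all ARP on eth1 are still accepted, so the ISP gateway can keep resolving eth0 (which is what `ifconfig eth0 -arp` broke).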