iptables port forwarding fails when adding third NIC (r8169) Kernel: 2.6.17-1.2174_FC5



Greetings,

I am experiencing a problem that defies all logic, and I'm hoping you
all can, perhaps, shed some light on the issue.

BACKGROUND:

I have a fairly standard data center setup: I have a FC5 Linux box
running iptables that acts as my firewall (responding to multiple IP
addresses) that masquerades for a number of services on multiple
machines in the private network. It also accepts local HTTP traffic
which an instance of Apache (running on the firewall) responds to and
then load balances by forwarding on to multiple servers in the private
network.

The internal interface is eth0 (marked as LAN1 on the box) and the
external is eth1 (marked as LAN2), and it works -- it's in production
now and everything is peachy.

THE PROBLEM:

I want to add a dmz. I purchased a network card (r8169), brought the
server down, installed the card, and started it back up. When it
booted, the r8169 claimed itself to be eth0, the LAN1 port claimed
eth1, and the LAN2 port claimed eth2.

No problem. I changed the cabling to accommodate. I plugged the LAN1
(eth2) into my dmz. I verified connectivity. I can ping my machines
in my dmz. I can ping my machines in my private network. I can ping
my upstream router. I can log in to a machine on my dmz and access the
Internet (so I know my masquerading rules are correct, and the firewall
is routing properly).

HOWEVER, as soon as I added the r8169, all my INCOMING iptables
forwarding rules stopped working. I can still hit my web site (which
is being handled by a local process on the firewall), but I cannot hit
ANY services which are handled by the iptables FORWARD rule.

Keep in mind that I did not change any firewall rules. All I did was
put in a third NIC and changed the cabling. Like I said, I verified
connectivity by pinging several machines from each interface. But, all
my FORWARD rules ceased.

Additionally, my firewall is set up to log all dropped packets, and
although some packets are dropped, they are NOT the services I am
trying to access (they were legitimately dropped).

I cannot access ANY service that requires a port-forward.

I bring the server down, take out the card, start the server, put the
cabling back into its original position, and everything works great
(sans dmz).

uname -a reports:
Linux xxx.com 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55 EDT 2006 i686
i686 i386 GNU/Linux

Any thoughts? Anyone?

Paul
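As an added example (not part of Paul's post or of any reply in the thread), the script below shows the check a firewall admin would want to run before and after a NIC is added: iptables matches `-i`/`-o` by interface *name* at packet time, so when the kernel renumbers the ports the rules keep loading without error but each `-i eth1` / `-o eth0` now applies to whichever physical port inherited that name. The `iptables-save` dump, the `ip -o link` output, the MAC addresses and the role tables are all constructed for the example; the assumption that the rules are keyed on interface names, and that this is what broke on the poster's box, is an assumption and is not established by the thread. The second function renders `HWADDR=` stanzas for `ifcfg-ethN` files, which is the Fedora/RHEL initscripts mechanism for binding a device name to a MAC so enumeration order cannot reshuffle it.

```python
"""Audit iptables rules whose interface names no longer mean what they did.

Added example, not code from the original post. Everything below (the
iptables-save dump, the `ip -o link` output, the MACs, the role tables)
is constructed to mimic a two-NIC firewall whose on-board ports were
renumbered after a third card was inserted.
"""
import re
from typing import Dict, List

# Constructed `iptables-save` output. The rules were written when eth0
# was the LAN port and eth1 the uplink (assumed, not from the post).
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.10:25
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -d 192.168.1.10 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "DROP "
COMMIT
"""

# Constructed `ip -o link` output before the change (two on-board ports) ...
IP_LINK_BEFORE = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue \\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
"""
# ... and after: the new card took eth0 and pushed the others up by one.
IP_LINK_AFTER = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue \\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:e0:4c:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000\\    link/ether 00:11:22:33:44:02 brd ff:ff:ff:ff:ff:ff
"""

# Role each *name* had when the rules were written (assumed) ...
ROLE_WHEN_WRITTEN = {"eth0": "lan", "eth1": "wan"}
# ... and the role each physical port (identified by MAC) is cabled to now.
ROLE_BY_MAC = {
    "00:e0:4c:aa:bb:cc": "dmz",   # the added card (constructed MAC)
    "00:11:22:33:44:01": "lan",   # on-board port 1 (constructed MAC)
    "00:11:22:33:44:02": "wan",   # on-board port 2 (constructed MAC)
}


def parse_ip_link(text: str) -> Dict[str, str]:
    """Map interface name -> MAC from `ip -o link` output (lo included)."""
    macs: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+):.*link/\S+\s+([0-9a-f:]{17})", line)
        if m:
            macs[m.group(1)] = m.group(2)
    return macs


def audit(save: str, ip_link: str,
          written: Dict[str, str], by_mac: Dict[str, str]) -> List[str]:
    """One finding per -i/-o reference whose port no longer plays the role the
    rule author assumed. An empty list means names and roles still agree."""
    name_to_mac = parse_ip_link(ip_link)
    findings: List[str] = []
    for rule in save.splitlines():
        if not rule.startswith("-A "):
            continue
        # Only the interface match options; --dport, -d, -j etc. do not match.
        for flag, name in re.findall(r"(?:^|\s)(-[io])\s+(\S+)", rule):
            assumed = written.get(name)
            actual = by_mac.get(name_to_mac.get(name, ""), "unknown")
            if assumed is not None and assumed != actual:
                findings.append(f"{flag} {name}: rule assumes {assumed}, "
                                f"port is now {actual}: {rule}")
    return findings


def ifcfg_hwaddr(by_mac: Dict[str, str], names: Dict[str, str]) -> Dict[str, str]:
    """Render ifcfg-<dev> stanzas binding each role's MAC to a fixed device
    name via HWADDR= (Fedora/RHEL initscripts), so that rules written
    against eth0/eth1 keep pointing at the same physical ports after a
    reboot. `names` maps role -> wanted device name."""
    mac_for_role = {role: mac for mac, role in by_mac.items()}
    return {f"ifcfg-{dev}": f"DEVICE={dev}\nHWADDR={mac_for_role[role].upper()}\nONBOOT=yes\n"
            for role, dev in names.items()}


if __name__ == "__main__":
    print("before:", audit(IPTABLES_SAVE, IP_LINK_BEFORE, ROLE_WHEN_WRITTEN, ROLE_BY_MAC))
    for f in audit(IPTABLES_SAVE, IP_LINK_AFTER, ROLE_WHEN_WRITTEN, ROLE_BY_MAC):
        print("after: ", f)
    pins = ifcfg_hwaddr(ROLE_BY_MAC, {"lan": "eth0", "wan": "eth1", "dmz": "eth2"})
    for fname, body in pins.items():
        print(f"--- {fname}\n{body}")
```

On a real box, feed `audit()` the output of `iptables-save` and `ip -o link` instead of the constructed strings; the "before" inventory yields no findings, the "after" inventory flags every `-i eth1` / `-o eth0` reference, which is why a DNAT in PREROUTING and its matching FORWARD ACCEPT can stop applying to inbound traffic while a service answered locally on the firewall (INPUT path, no interface match) keeps working. Once the names are pinned by MAC the rules themselves need no change, since iptables only ever compares the name string.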
