Interface-specific firewall rules with interface aliases


Post by Albert K T H » Sun, 07 Sep 1997 04:00:00

It seems that ipfwadm and aliasing don't work very well together.
I've set up my masq box following the configuration given in the
IP-Masquerading mini HOWTO.  When doing a telnet through the masq box
I've got the following entries in the log:

    Sep  6 18:59:53 asgard kernel: IP fw-fwd deny eth0 TCP
    192.168.2.168:2210 143.89.40.159:23 L=44 S=0x10 I=6055 F=0x0040 T=63

Packets from 192.168.2.168 should have come from eth0:0 but it seems
that the kernel can't tell (after all eth0 and eth0:0 are the same
network card physically!).

The masq box is running pre-2.0.31-8.  Could anyone please give me a
clue?

--
Albert K T Hui

Interface-specific firewall rules with interface aliases

Post by Jaska Kive » Sun, 07 Sep 1997 04:00:00

> Sep  6 18:59:53 asgard kernel: IP fw-fwd deny eth0 TCP
> 192.168.2.168:2210 143.89.40.159:23 L=44 S=0x10 I=6055 F=0x0040 T=63

> Packets from 192.168.2.168 should have come from eth0:0 but it seems
> that the kernel can't tell (after all eth0 and eth0:0 are the same
> network card physically!).

This seems to be quite a common misunderstanding of the forwarding
firewall. The packets in the forwarding firewall are seen on the
interface they are forwarded TO, not the one they came FROM.
See, I have a setup with two ethernet cards, one for the intranet
(192.168.2.*) and one for the outside world (193.166.90.*). This
is how the packets coming from the intranet to the outside world
behave (stripped the irrelevant parts):

IP fw-in acc eth0 TCP 192.168.2.2:1595 130.230.10.20:23
IP fw-fwd acc/masq eth1 TCP 192.168.2.2:1595 130.230.10.20:23
IP fw-out acc eth1 TCP 193.166.90.184:64440 130.230.10.20:23

See, in from eth0, then fwd on eth1 and out to eth1.

> The masq box is running pre-2.0.31-8.  Could anyone please give me a
> clue?

Mine is 2.0.30

--
Insinöörinkatu 60 C 202 * http://www.cs.tut.fi/~jaska/ *  03-318 3711
33720 TAMPERE           * IRC: jaska                   *
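
Added example (not code from either poster): the kernel log lines quoted in
this thread follow one format, "IP fw-<chain> <verdict> <iface> <proto>
<src>:<sport> <dst>:<dport> [L= S= I= F= T=]", and the interface field is
exactly what ipfwadm's -W (interface name; -V takes an interface address) was
compared against in that chain: the arrival interface for fw-in, the interface
the packet is forwarded TO for fw-fwd and fw-out. The script below parses
Jaska's three lines and Albert's deny line (both embedded as constructed
sample input, the wrapped deny line joined back together), prints the
per-chain interface for the masqueraded telnet flow, and then models a
forward-chain masquerade rule with -W eth0:0 beside one with -W eth0 to show
which of them would have matched Albert's packet. The rule model and the
as_ipfwadm() renderer are hypothetical helpers written for this example.

```python
"""Added example, not code from the thread: parse the ipfwadm kernel log format
quoted above and show which interface each chain (in/fwd/out) reported for one
masqueraded flow, then match ipfwadm-style rules against those entries."""
import ipaddress
import re

# Kernel 2.0 ip_fw log line: IP fw-<chain> <verdict> <iface> <proto>
# <src>:<sport> <dst>:<dport> [L=<len> S=<tos> I=<id> F=<frag> T=<ttl>]
# Any syslog prefix ("Sep  6 18:59:53 asgard kernel: ") is skipped by re.search.
LOG_RE = re.compile(
    r"IP fw-(?P<chain>in|fwd|out) (?P<verdict>[\w/]+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+)"
    r" F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+))?"
)

# Constructed sample: Jaska's three stripped lines (one telnet flow through all
# three chains) plus Albert's deny line with its wrapped halves joined.
SAMPLE_LOG = """\
IP fw-in acc eth0 TCP 192.168.2.2:1595 130.230.10.20:23
IP fw-fwd acc/masq eth1 TCP 192.168.2.2:1595 130.230.10.20:23
IP fw-out acc eth1 TCP 193.166.90.184:64440 130.230.10.20:23
Sep  6 18:59:53 asgard kernel: IP fw-fwd deny eth0 TCP 192.168.2.168:2210 143.89.40.159:23 L=44 S=0x10 I=6055 F=0x0040 T=63
"""


def parse_log(text):
    """Return one dict per recognised ipfwadm log line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def chain_interfaces(entries, dst, dport):
    """Map chain -> interface for every entry towards dst:dport.  The flow is
    keyed on the destination because masquerading rewrites the source address
    and port before the fw-out entry is logged."""
    return {e["chain"]: e["iface"] for e in entries
            if e["dst"] == dst and e["dport"] == dport}


def rule_matches(rule, entry):
    """Match a minimal ipfwadm-style rule against a log entry (hypothetical model).

    rule = {"chain": "in"|"fwd"|"out", "iface": "<-W name>" or None,
            "src": "<-S network>"}.  The interface the kernel logged is the one
    it compared against -W in that chain: the arrival interface for fw-in, the
    interface the packet is forwarded TO for fw-fwd and fw-out."""
    if rule["chain"] != entry["chain"]:
        return False
    if rule.get("iface") and rule["iface"] != entry["iface"]:
        return False
    return ipaddress.ip_address(entry["src"]) in ipaddress.ip_network(rule["src"])


def as_ipfwadm(rule, policy):
    """Render the rule as the ipfwadm command it models (hypothetical helper)."""
    chain = {"in": "-I", "fwd": "-F", "out": "-O"}[rule["chain"]]
    iface = f" -W {rule['iface']}" if rule.get("iface") else ""
    return f"ipfwadm {chain} -a {policy}{iface} -S {rule['src']} -D 0.0.0.0/0"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Jaska's flow: in on eth0, forwarded and out on eth1.
    print(chain_interfaces(entries, "130.230.10.20", 23))
    # Albert's denied packet was logged by fw-fwd on eth0, so a forward rule
    # naming the alias eth0:0 never sees it; naming eth0 does.
    deny = entries[-1]
    for iface in ("eth0:0", "eth0"):
        rule = {"chain": "fwd", "iface": iface, "src": "192.168.2.0/24"}
        verdict = "matches" if rule_matches(rule, deny) else "no match"
        print(as_ipfwadm(rule, "m"), "->", verdict)
```

Run it as-is to reproduce the thread's observation: the fw-fwd entry for a
packet leaving through eth0 carries eth0, never eth0:0, so the -W in a
forwarding/masquerade rule must name the outbound interface (or be omitted),
while the -W in an input rule names the interface the packet arrived on.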

Interface-specific firewall rules with interface aliases

Post by Albert K T H » Tue, 09 Sep 1997 04:00:00


> This seems to be quite a common misunderstanding of the forwarding
> firewall. The packets in the forwarding firewall are seen on the
> interface they are forwarded TO, not the one they came FROM.

Oh, I see!  So the semantics of -V/-W are different in the input and
forwarding firewalls.  Thanks!

--
Albert K T Hui

Interface problem with multiple alias interfaces in same subnet

Hi,

I have a Red Hat 7.3 Linux box (Red Hat kernel 2.4.18-10 compiled with my own
settings) which for reasons I will not list here has 6 consecutive IPs in a
/28 range on one interface. They are set up like this (real IPs
removed/changed):

eth0: 10.0.0.1 (Local Lan) (3com 3c980)

eth1: x.x.x.1 (3com 3c905b-tx)
eth1:0:x.x.x.2
eth1:1:x.x.x.3
eth1:2:x.x.x.4
eth1:3:x.x.x.5
eth1:4:x.x.x.6

The subnet mask on each interface is 255.255.255.240

The interfaces (and aliases) are configured on bootup; they were set up using
Red Hat's network config tool.

I have noticed that the scripts set a default route for each interface, so I
have lines in rc.local which remove the unnecessary duplicate default
routes.

First question: does this all seem OK so far? It might seem a bit crazy to
want so many IPs on the same box, but I have my reasons, and they are
reasonable. I see no reason why this configuration should not work provided
all the daemons etc. I want to run can be bound to specific IPs/interfaces,
which they can.

My problem is that single IPs (so far always aliases on eth1) randomly stop
working. For example, if I try to ping a known good host using
ping <goodhost> -I x.x.x.3, I get no response. I have used tcpdump to watch
what is happening and I think that on at least one occasion an echo is sent
and a reply is received, yet it seems the kernel does not parse the
responses. I see no errors in dmesg or anywhere else.

Getting the alias interfaces to work again usually requires downing them all
and bringing them back up again.

The alias interface which is the most troublesome seems to be the one which
is getting the most connections, the interface that I run sendmail on.

I usually have an extensive iptables firewall in place, but I have run the
system without this and the problem persists.

Is there an issue regarding multiple alias interfaces? I have used shell
systems which have far more than I have (for IRC BNCs), so I think it
should work.

Perhaps I should try a different network card?

Any suggestions appreciated, this seems rather strange and hard to debug to
me.

Andy
