Problem DSL Router <-> Firewall Router <-> Clients

Post by Thomas Olschewsk » Thu, 04 Aug 2005 07:47:16

Hello,

I would like to set up the following network configuration.

DSL Router <-> Firewall Router <-> Clients

I use static IPs, DHCP is disabled everywhere.

DSL Router
----------
- IP: 192.168.1.2
- does all NAT stuff, integrated DNS Server
- Route for network 192.168.0.0 set to 192.168.1.1

Firewall Router
---------------
- Linux machine with iptables firewall
- NIC connected with DSL Router: 192.168.1.1
- NIC connected with Clients   : 192.168.0.20

Clients
-------
All in the 192.168.0.0 network
Default Gateway: 192.168.0.20
DNS entry: 192.168.1.2 and other

I can't establish a connection, for instance for HTTP. Currently the
firewall has no rules which drop packets, so this should not cause the
error:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

I logged traffic with tcpdump at eth0 and eth1 in the firewall router.
Perhaps somebody can find out the problem. Traffic was logged while trying
to access the URL www.spiegel.de.

eth0:
21:56:13.217316 192.168.1.2.53 > 192.168.0.2.1026: 2702 4/0/0 CNAME[|domain]
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.205192 arp who-has 192.168.0.2 tell 192.168.0.20
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.355293 arp reply 192.168.0.2 is-at <mac>
21:56:21.355341 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:22.245295 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:27.245343 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:35.245363 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:38.245367 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)

eth1:
21:55:18.658322 192.168.1.2.53 > 192.168.0.2.1026: 63104 4/0/0 CNAME[|domain]
21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1
21:55:24.585590 arp reply 192.168.1.2 is-at <mac>

Do I have an MTU problem? I integrated this line for iptables:

TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

No success.

I also tried to vary the MTU of the firewall NICs (1500 / 1472 / 1432): no
success.

What else could be the reason?

Thomas
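As an added example, not part of Thomas's post: a small script that compares the two tcpdump captures the way one would read them by hand. It re-joins the mail-wrapped lines, counts client SYNs per flow on the client-side NIC (a count above 1 means the SYN was retransmitted because no SYN-ACK ever came back), and lists flows whose SYN was seen on eth0 but never on eth1, i.e. packets the firewall router did not forward. ETH0 is taken from the post's capture; ETH1_OK is a constructed trace of what a working forward would look like, and the "ack" detection assumes tcpdump 3.x output as quoted in the post.

```python
import re
from collections import Counter

# tcpdump 3.x style TCP line, as quoted in the post (mail wrapping re-joined by unwrap()).
TCP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) ?(?P<rest>.*)$"
)

def unwrap(text):
    """Re-join wrapped capture lines: a continuation line carries no timestamp."""
    out = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if out and not re.match(r"\d\d:\d\d:\d\d\.\d+ ", line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def syn_flows(text):
    """Count initial SYNs (no ack) per (src, sport, dst, dport).
    A count above 1 means the client retransmitted: no SYN-ACK came back."""
    flows = Counter()
    for line in unwrap(text):
        m = TCP_RE.match(line)
        if m and "S" in m["flags"] and "ack" not in m["rest"].split():
            flows[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return flows

def unforwarded(inside_text, outside_text):
    """SYN flows captured on the client-side NIC but never on the DSL-side NIC.
    The firewall router does no NAT, so the 4-tuple is identical on both NICs."""
    outside = syn_flows(outside_text)
    return {f: n for f, n in syn_flows(inside_text).items() if f not in outside}

# Samples: ETH0 follows the post's capture; ETH1_OK is a constructed healthy trace.
ETH0 = """
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
"""
ETH1_BROKEN = "21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1\n"
ETH1_OK = """
21:56:13.225400 192.168.0.2.1161 > 213.200.97.168.80: S 3917602455:3917602455(0) win 16384 (DF)
21:56:13.260100 213.200.97.168.80 > 192.168.0.2.1161: S 100:100(0) ack 3917602456 win 5840 (DF)
"""
```

Calling `unforwarded(ETH0, ETH1_BROKEN)` reports both client flows with their SYN counts, which is the symptom in the post: the SYNs reach the firewall router's inside NIC and are retransmitted, but nothing with those 4-tuples ever leaves on the DSL side.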