Problem with IP FORWARDING

Post by Toivo R?i » Wed, 20 May 1998 04:00:00



Hi.

I'm setting up a linux box as a firewall, but I can't get any packages
through it, even if I disable all security and try to make the box
simply a router.

the network setup is:

INET ROUTER   xxx.xxx.xxx.225
                    |
                    |  xxx.xxx.xxx.224/28   DMZ
                    |
FIREWALL      xxx.xxx.xxx.226    (this is the machine I am in trouble with)
              xxx.xxx.xxx.241
                    |
                    |  SNET   (the network, where internet servers are)
                    |
MASQUERADE    xxx.xxx.xxx.254    (that machine works fine)
              192.168.1.1
                    |
                    |  LAN   (workstations)
        ----------------------------

I compiled the kernel (tried 2.0.33 and 2.0.24) with IP_FORWARDING and
IP_FIREWALLS both enabled, then 'ipfwadm -F -p accept'.

another try was 2.0.33 only with IP_FIREWALLS and
ipfwadm -F -p deny
ipfwadm -F -b -a accept SNET/28 -D any/0
Then machines in SNET should be able to use INET, but they aren't.
Firewall can reach inet, snet and lan can reach firewall, but not inet.

and tried only with IP_FORWARDING and ..... there were some more
configurations...

The only way the firewall machine forwards packages is if IP_FIREWALLS +
IP_MASQUERADE are in the kernel and

ipfwadm -F -p deny
ipfwadm -F -b -m -a accept -S SNET/28 -D any/0

The firewall machine uses TopLink (NE2000 compatible ethernet cards).
Linux is RedHat 5.0

Can anyone help?

lauri

 
 
 

Problem with IP FORWARDING

Post by Kevin Becke » Wed, 20 May 1998 04:00:00


I'm not real clear on your setup... your chart or whatever wasn't
formatted right in my newsreader.  Anyway, if you're trying to test by
just forwarding packets from your 192.168.x.x machines without
masquerading them then it won't work.  I believe most Internet routers
will simply drop those packets because they aren't valid addresses.

Also, you've only mentioned forwarding policies here.  You need to set
your ipfwadm policies to accept incoming packets too.  Otherwise your
responses from the net will be ignored.  To test a no security setup,
flush all your policies and then set the default to accept for -I and -O
and accept/masquerade for -F.  If that works then you can go back and
come up with a more secure setup.

 
 
 

Problem with IP FORWARDING

Post by Lauri Post » Wed, 20 May 1998 04:00:00



> I'm not real clear on your setup... your chart or whatever wasn't
> formatted right in my newsreader.  Anyway, if you're trying to test by
> just forwarding packets from your 192.168.x.x machines without

No, I'm not trying to do that. The 192.168.x.x network was simply drawn
to give a complete picture of the LAN. That net is behind another
masquerading router, which is behind the 'buggy' machine.

inet <--'buggy router'--> legal ip lan <--masq router--> 192.168.x.x lan

> masquerading them then it won't work.  I believe most Internet routers
> will simply drop those packets because they aren't valid addresses.

Sorry about the chart. The machine that I am in trouble with is
between 193.40.96.224/28 and 193.40.96.240/28 (gateway to inet is
193.40.96.225).
The machine should be only a firewall and not masquerade. But masquerading
is the only forwarding that works. If the box is configured to be a usual
router, nothing goes through.

config that works:
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p deny
ipfwadm -F -m -b -a accept -S 193.40.96.240/28
(Masquerading in kernel is enabled)
193.40.96.240/28 can reach inet.

config that doesn't work:
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p accept
(Masquerading off, ip_forwarding on, firewalls on)
and:
ipfwadm -F -p deny
ipfwadm -F -b -a accept -S 193.40.96.240/28

also doesn't help - 193.40.96.240/28 cannot reach internet.

> Also, you've only mentioned forwarding policies here.  You need to set
> your ipfwadm policies to accept incoming packets too.  Otherwise your
> responses from the net will be ignored.  To test a no security setup,
> flush all your policies and then set the default to accept for -I and -O
> and accept/masquerade for -F.  If that works then you can go back and
> come up with a more secure setup.

 
 
 
