
Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)



Hi Again,

> 1) Is the routing ok ?
How can I check the routing ?
The SuSEfirewall-Script generates more rules than G.W. bushisms.

> 2) Are there any firewall log entries ?
Nothing critical for the 'dead' Interface. But I have to retry with logging
everything.

> 3) Are you sure you don't masq your webserver's reply packets with the wrong
> IP ? (I understand that you now have 2 external IPs)
I am completely unsure about everything!
I guess everything should be clear by understanding the IP rules.
Is there a debugging tool for this ?

Thanks so far

    Peter

___________________________________________________________

   Dr. Peter Münstermann
   
                              mobile: +49 (0)173/2309398
   Schützenstr. 11             tel.: +49 (0)7531/919122
   D-78462 Konstanz            fax: +49 (0)7531/914370
___________________________________________________________


> From: Andreas Baetz <lac01@xxxxxx>
> Date: Mon, 5 Jan 2004 09:01:10 +0100
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] another 3-interface firewall problem (two
> external, no DMZ)
> 
> You could check the following:
> 1) Is the routing ok ?
> 2) Are there any firewall log entries ?
> 3) Are you sure you don't masq your webserver's reply packets with the wrong
> IP ? (I understand that you now have 2 external IPs)
> 
> You could get more info by tcpdumping your interfaces.
> 
> Andreas
> 
> 
> On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
>> Hi,
>> 
>> I am running a small enterprise server under Suse 9.0.
>> The main tasks are: Masquerading an internal network, SMTP, POP3 and web
>> serving.
>> 
>> Everything works nice with two interfaces:
>> eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
>> eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
>> with default route 1.2.3.3
>> Web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only at
>> the internal interface
>> 
>> NOW: to keep traffic costs as low as possible, we would like to route the main
>> traffic over a DSL flat rate.
>> Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with
>> eth2), masquerading works and I can see the web server at 1.2.3.4 due to
>> the additional entry:
>> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
>> 
>> BUT: The address 1.2.3.4 is not responding from the outside any more.
>> Both eth0 and ppp0 are configured as external interfaces in the
>> SuSEfirewall configuration.
>> 
>> I think the problem can be seen as a sort of load balancing for the
>> leaving IP packets.
>> 
>> Any hints on how to get the official external IP address working again ?
>> 
>> 
>> Best regards
>> Peter
> 


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
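One way to address the reply-path problem discussed in this thread (replies from the leased-line address leaving via the DSL link), as an added example that is not part of the original mails: source-based policy routing with ip rule / ip route, using the addresses and interfaces from Peter's mail. The routing table number 100, the rule priority and the dry-run wrapper are assumptions; with DRY_RUN=1 (the default) the commands are only printed so they can be reviewed before they touch a remote firewall.

```shell
#!/bin/sh
# Added example, not from the thread: keep the DSL default route in the main
# table, but send every packet whose SOURCE is the leased-line IP 1.2.3.4 out
# through eth0 and its gateway 1.2.3.3. Table number 100 is an assumption.

LEASED_IP=1.2.3.4
LEASED_DEV=eth0
LEASED_GW=1.2.3.3
LEASED_TABLE=100

# Print the command (DRY_RUN=1, default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Second routing table consulted only for packets sourced from 1.2.3.4.
# Without it both external links compete for the same default route and the
# web server's replies can leave via ppp0 with the wrong return path.
policy_route_leased_ip() {
    run ip route add default via "$LEASED_GW" dev "$LEASED_DEV" table "$LEASED_TABLE"
    run ip rule add from "$LEASED_IP" table "$LEASED_TABLE" priority 100
    run ip route flush cache
}

# Ask the kernel which way a reply from 1.2.3.4 to a given client would go.
# The output must name eth0; if it names ppp0 the rule is not in effect.
check_reply_path() {
    run ip route get "$1" from "$LEASED_IP"
}

# Watch one external interface for the leased IP (the tcpdump check Andreas
# suggested); run it once for eth0 and once for ppp0 and compare.
capture_leased_traffic() {
    run tcpdump -ni "$1" host "$LEASED_IP"
}

policy_route_leased_ip
check_reply_path 203.0.113.10   # 203.0.113.10 is a constructed client address
capture_leased_traffic ppp0
```

Masquerading on ppp0 is unaffected: packets that now leave via eth0 carry 1.2.3.4 as their source and are not rewritten by a MASQUERADE rule bound to the DSL interface.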