
Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)



On Tue, 6 Jan 2004, Dr. Peter Münstermann wrote:

> Hi Again,
>
> > 1) Is the routing ok ?
> How can I check the routing ?

route -n

> The SuSEfirewall-Script generates more rules than G.W. bushisms.

Sometimes I use:

  iptables -vnL | grep -v "^ *0 "

to see rules that have a hit count other than 0.

> > 2) Are there any firewall log entries ?
> Nothing critical for the 'dead' Interface. But I have to retry with logging
> everything.
>
> > 3) Are you sure you don't masq your webserver's reply packets with the wrong
> > IP ? (I understand that you now have 2 external IPs)
> I am completely unsure about everything!
> I guess, everything should be clear by understanding the IP rules.
> Is there a debugging tool for this ?
>
> Thanks so far
>
>     Peter
>
> ___________________________________________________________
>
>    Dr. Peter Münstermann
>
>                               mobil: +49 (0)173/2309398
>    Schützenstr. 11             tel.: +49 (0)7531/919122
>    D-78462 Konstanz            fax.: +49 (0)7531/914370
> ___________________________________________________________
>
>
> > From: Andreas Baetz <lac01@xxxxxx>
> > Date: Mon, 5 Jan 2004 09:01:10 +0100
> > To: suse-security@xxxxxxxx
> > Subject: Re: [suse-security] another 3-interface firewall problem (two
> > external, no DMZ)
> >
> > You could check the following:
> > 1) Is the routing ok ?
> > 2) Are there any firewall log entries ?
> > 3) Are you sure you don't masq your webserver's reply packets with the wrong
> > IP ? (I understand that you now have 2 external IPs)
> >
> > You could get more info by tcpdumping your interfaces.
> >
> > Andreas
> >
> >
> > On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
> >> Hi,
> >>
> >> I am running a small enterprise server under Suse 9.0.
> >> The main tasks are: Masquerading an internal network, SMTP, POP3 and web
> >> serving.
> >>
> >> Everything works nice with two interfaces:
> >> eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
> >> eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
> >> with default route 1.2.3.3
> >> Web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only at
> >> the internal interface
> >>
> >> NOW: to keep traffic costs as low as possible, we like to route the main
> >> traffic over a DSL flat rate.
> >> Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with
> >> eth2), masquerading works and I can see the web server at 1.2.3.4 due to
> >> the additional entry:
> >> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
> >>
> >> BUT: The address 1.2.3.4 is not responding from the outside any more.
> >> Both eth0 and ppp0 are configured as external interfaces in the
> >> SuSEfirewall configuration.
> >>
> >> I think, the problem can be seen as a sort of load balancing for the
> >> leaving IP packets.

Any martians in the log?

What is the default route now?


-- 
 BINGO: high-performance breakthrough
 --- Engelbert Gruber -------+
  SSG Fintl,Gruber,Lassnig  /
  A6170 Zirl   Innweg 5b   /
  Tel. ++43-5238-93535 ---+
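A way to check the default-route question above against a routing table (an added example, not code from this thread): the `route -n` output below is constructed to match the setup Peter described, with the DSL peer address 5.6.7.1 as a placeholder, and `check_symmetric` reports when the interface holding a listening address differs from the interface the default route uses. That is the asymmetric case where replies from 1.2.3.4 leave via ppp0 and, if masqueraded there, carry the wrong source address.

```shell
# Constructed sample of `route -n` for the thread's setup: eth0 1.2.3.4/26 on the
# leased line, eth1 internal, and ppp0 (DSL, peer 5.6.7.1 is a placeholder) now
# carrying the default route. Not real output from the poster's machine.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5.6.7.1         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
1.2.3.0         0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         5.6.7.1         0.0.0.0         UG    0      0        0 ppp0'

# Print the interface of the default route from `route -n` output on stdin.
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Print the interface whose directly connected network (Gateway 0.0.0.0)
# contains the IPv4 address $1, reading `route -n` output from stdin.
iface_for_ip() {
    awk -v ip="$1" '
      # Keep only the bits of each octet covered by the mask octet; for a
      # contiguous mask octet m, rounding down to a multiple of 256-m does that.
      function masked(addr, mask,  a, m, i, step, out) {
          split(addr, a, "."); split(mask, m, ".")
          out = ""
          for (i = 1; i <= 4; i++) {
              step = 256 - m[i]
              out = out (i > 1 ? "." : "") int(a[i] / step) * step
          }
          return out
      }
      $2 == "0.0.0.0" && $1 != "0.0.0.0" && masked(ip, $3) == $1 { print $8; exit }'
}

# Report whether traffic to the listening address $1 arrives and is answered on
# the same interface, given `route -n` output in $2. Returns 1 when it is not,
# i.e. replies would leave through the default route on another interface.
check_symmetric() {
    in_if=$(printf '%s\n' "$2" | iface_for_ip "$1")
    out_if=$(printf '%s\n' "$2" | default_iface)
    if [ -n "$in_if" ] && [ "$in_if" = "$out_if" ]; then
        echo "ok: $1 arrives and replies on $in_if"
        return 0
    fi
    echo "asymmetric: $1 is on ${in_if:-?} but the default route leaves via ${out_if:-?}"
    return 1
}
```

Run `route -n | iface_for_ip 1.2.3.4` on the real box to see the same check against the live table.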
