
Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)



Sorry for the routing test.

The output of the route command seems to be okay. Something like

Destination  Gateway      Genmask          Flags Metric Ref  Use Iface
w.x.y.z      0.0.0.0      255.255.255.0    U     0      0      0 ppp0
external     0.0.0.0      255.255.255.252  U     0      0      0 eth0
internal     0.0.0.0      255.255.255.0    U     0      0      0 eth1
0.0.0.0      w.y.x.z+1    0.0.0.0          UG    0      0      0 ppp0
 gedenktage:/var/home/muenster #

At the moment, I run the expensive two-interface solution. I will test the
iptables rules as soon as possible.

YoYo
    Peter

> From: engelbert.gruber@xxxxxxxxx
> Date: Tue, 6 Jan 2004 17:15:32 +0100 (CET)
> To: "Dr. Peter Münstermann" <peter@xxxxxxxxxxxxxxxxxxxxx>
> Cc: suse-security@xxxxxxxx
> Subject: Re: [suse-security] another 3-interface firewall problem (two
> external, no DMZ)
> 
> On Tue, 6 Jan 2004, Dr. Peter Münstermann wrote:
> 
>> Hi Again,
>> 
>>> 1) Is the routing ok ?
>> How can I check the routing ?
> 
> route -n
> 
>> The SuSEfirewall-Script generates more rules than G.W. bushisms.
> 
> sometimes I use:
> 
> iptables -vnL | grep -v "^ *0 "
> 
> to see rules that have a hit count other than 0.
> 
>>> 2) Are there any firewall log entries ?
>> Nothing critical for the 'dead' interface. But I have to retry with logging
>> everything.
>> 
>>> 3) Are you sure you don't masq your webserver's reply packets with the wrong
>>> IP ? (I understand that you now have 2 external IPs)
>> I am completely unsure about everything!
>> I guess, everything should be clear by understanding the IP rules.
>> Is there a debugging tool for this ?
>> 
>> Thanks so far
>> 
>> Peter
>> 
>> ___________________________________________________________
>> 
>> Dr. Peter Münstermann
>> 
>> mobil: +49 (0)173/2309398
>> Schützenstr. 11             tel.: +49 (0)7531/919122
>> D-78462 Konstanz            fax.: +49 (0)7531/914370
>> ___________________________________________________________
>> 
>> 
>>> From: Andreas Baetz <lac01@xxxxxx>
>>> Date: Mon, 5 Jan 2004 09:01:10 +0100
>>> To: suse-security@xxxxxxxx
>>> Subject: Re: [suse-security] another 3-interface firewall problem (two
>>> external, no DMZ)
>>> 
>>> You could check the following:
>>> 1) Is the routing ok ?
>>> 2) Are there any firewall log entries ?
>>> 3) Are you sure you don't masq your webserver's reply packets with the wrong
>>> IP ? (I understand that you now have 2 external IPs)
>>> 
>>> You could get more info by tcpdumping your interfaces.
>>> 
>>> Andreas
>>> 
>>> 
>>> On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
>>>> Hi,
>>>> 
>>>> I am running a small enterprise server under Suse 9.0.
>>>> The main tasks are: Masquerading an internal network, SMTP, POP3 and web
>>>> serving.
>>>> 
>>>> Everything works nice with two interfaces:
>>>> eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
>>>> eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
>>>> with default route 1.2.3.3
>>>> Web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only at
>>>> the internal interface
>>>> 
>>>> NOW: to keep traffic costs as low as possible, we like to route the main
>>>> traffic over a DSL flat rate.
>>>> Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with
>>>> eth2), masquerading works and I can see the web server at 1.2.3.4 due to
>>>> the additional entry:
>>>> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
>>>> 
>>>> BUT: The address 1.2.3.4 is not responding from the outside any more.
>>>> Both eth0 and ppp0 are configured as external interfaces in the
>>>> SuSEfirewall configuration.
>>>> 
>>>> I think the problem can be seen as a sort of load balancing for the
>>>> leaving IP packets.
> 
> any martians in the log ?
> 
> what is the default route now ?
> 
> 
> -- 
> BINGO: high-performance breakthrough
> --- Engelbert Gruber -------+
> SSG Fintl,Gruber,Lassnig  /
> A6170 Zirl   Innweg 5b   /
> Tel. ++43-5238-93535 ---+
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 
> 
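The thread's open questions ("Is the routing ok?", "what is the default route now?") can be answered mechanically from the routing table. The following is an added example, not code from any poster: it does a longest-prefix lookup over a constructed `route -n` table modelled on Peter's setup (eth0 = 1.2.3.4/26 leased line, eth1 = LAN, ppp0 = DSL holding the default route; the ppp0 peer 10.99.0.1 and the client 198.51.100.7 are placeholders) and reports whether a reply sent from a given local address leaves through the interface that owns it.

```shell
#!/bin/sh
# Constructed "route -n" output modelled on the thread: eth0 is the leased
# line (1.2.3.4/26, gateway 1.2.3.3), eth1 the LAN, ppp0 the DSL link that
# now carries the default route. The ppp0 peer 10.99.0.1 is a placeholder.
ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.99.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
1.2.3.0         0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.99.0.1       0.0.0.0         UG    0      0        0 ppp0'

# egress_iface DEST: longest-prefix match over $ROUTES; prints the interface
# the kernel would send a packet for DEST out of.
egress_iface() {
    printf '%s\n' "$ROUTES" | awk -v dest="$1" '
    function ip2int(s,  p) {
        split(s, p, "[.]")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # count the set bits of a dotted mask (POSIX awk has no bitwise and())
    function masklen(m,  n, b) {
        n = ip2int(m); b = 0
        while (n > 0) { b += n % 2; n = int(n / 2) }
        return b
    }
    # true when d lies in net/mask: compare the leading masklen bits of both
    function in_net(d, net, mask,  div) {
        div = 2 ^ (32 - masklen(mask))
        return int(ip2int(d) / div) == int(ip2int(net) / div)
    }
    BEGIN { best = -1 }
    NR == 1 { next }                       # skip the column header
    in_net(dest, $1, $3) && masklen($3) > best { best = masklen($3); iface = $8 }
    END { print iface }'
}

# check_reply SRC DEST: does a reply sent from local address SRC to DEST leave
# through the interface that owns SRC? If not, the return path is asymmetric,
# which is what the thread describes for the web server address 1.2.3.4.
check_reply() {
    src_if=$(egress_iface "$1")
    out_if=$(egress_iface "$2")
    if [ "$src_if" = "$out_if" ]; then
        echo "symmetric:$out_if"
    else
        echo "asymmetric:$src_if->$out_if"
    fi
}

# 198.51.100.7 stands in for an arbitrary Internet client (constructed).
check_reply 1.2.3.4 198.51.100.7       # asymmetric:eth0->ppp0
check_reply 192.168.0.1 192.168.0.55   # symmetric:eth1
```

Run against the real table by replacing the ROUTES literal with `$(route -n | tail -n +2)`; an "asymmetric" result for the web server address is the condition Andreas' third question is probing, since such replies leave via ppp0 and are subject to that interface's masquerading rules.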

