
Re: [suse-security] Router won't forward



Hi linsley,

Did you check whether the machine is a router?

cat /proc/sys/net/ipv4/ip_forward

should _not_ print 0.

You can set this with
/etc/sysconfig/sysctl:IP_FORWARD="yes"

Dirk


linsley wrote:
I have a box configured as a firewall/router/server. The firewall box
will talk to the world, and vice versa. The internal zone can talk
to the firewall. But nothing seems to be going *through* the firewall.

Basic info:
SuSE 10.0

uname -a

Linux rose 2.6.13-15-default #1 Tue Sep 13 14:56:15 UTC 2005 i686 i686 i386 GNU/Linux

eth1 is the external zone interface:
# ifstatus eth1
    eth1
    eth1      configuration: eth-id-00:30:f1:2f:ef:8c
eth1 is up
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:f1:2f:ef:8c brd ff:ff:ff:ff:ff:ff
    inet 209.204.189.32/24 brd 209.204.189.255 scope global eth1
    inet 209.204.189.33/24 brd 209.204.189.255 scope global secondary eth1:2
    inet 209.204.189.34/24 brd 209.204.189.255 scope global secondary eth1:3
    inet 209.204.189.35/24 brd 209.204.189.255 scope global secondary eth1:4
    inet 209.204.189.36/24 brd 209.204.189.255 scope global secondary eth1:5
    inet6 fe80::230:f1ff:fe2f:ef8c/64 scope link
       valid_lft forever preferred_lft forever
    eth1      IP address: 209.204.189.32/24
    secondary eth1:2 IP address: 209.204.189.33/24
    secondary eth1:3 IP address: 209.204.189.34/24
    secondary eth1:4 IP address: 209.204.189.35/24
    secondary eth1:5 IP address: 209.204.189.36/24
Configured routes for interface eth1:
  default 209.204.189.1 - -
Active routes for interface eth1:
  209.204.189.0/24  proto kernel  scope link  src 209.204.189.32
  default via 209.204.189.1
0 of 1 configured routes for interface eth1 up


eth0 is the internal zone:
# ifstatus eth0
    eth0      device: VIA Technologies, Inc. VT6105 [Rhine-III] (rev 86)
    eth0      configuration: eth-id-00:40:f4:88:de:ae
eth0 is up
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:88:de:ae brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.18/24 brd 192.168.2.255 scope global eth0
    inet6 fe80::240:f4ff:fe88:deae/64 scope link
       valid_lft forever preferred_lft forever
    eth0      IP address: 192.168.2.18/24
Configured routes for interface eth0:
  default 209.204.189.1 - -
  169.254.0.0 - 255.255.0.0 eth0
Active routes for interface eth0:
  192.168.2.0/24  proto kernel  scope link  src 192.168.2.18
  169.254.0.0/16  scope link
1 of 2 configured routes for interface eth0 up


Firewall is configured with SuseFirewall2 using YaST2:
External zone allowed services are
http https imap smtp ssh
Internal zone allowed services are
http https imap smtp ssh
Protect Firewall from Internal Zone is checked.
Accepted packets and not accepted packets are both set to Log All
I see packets from the internal zone being accepted with messages like these:
Mar 19 08:33:58 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=209.204.189.1 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=37282 PROTO=ICMP TYPE=8 CODE=0 ID=32768 SEQ=14848
However, no reply packets are logged, either accepted or not.


Help! What is configured wrong???
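An added diagnostic script (not from either post) that ties the two halves of the thread together: it performs the ip_forward check Dirk describes, reads the IP_FORWARD setting from an /etc/sysconfig/sysctl style file, and summarises SuSEfirewall2 FORWARD log entries by interface pair so the "forwarded out eth0 -> eth1, nothing ever back" pattern linsley reports is visible at a glance. Interface names follow the thread; the sample log is constructed from the line quoted above.

```shell
#!/bin/sh
# Constructed diagnostic for the "router won't forward" symptom.
# Not code from the thread; file arguments exist so it can be tested offline.

# 0 if the kernel forwards IPv4 (value in the file is not "0").
# Optional $1 overrides the /proc path, e.g. for a saved copy.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" != "0" ]
}

# Print the IP_FORWARD value from an /etc/sysconfig/sysctl style file.
sysconfig_ip_forward() {
    f="${1:-/etc/sysconfig/sysctl}"
    sed -n 's/^IP_FORWARD="*\([^"]*\)"*.*$/\1/p' "$f" | tail -n 1
}

# Count SuSEfirewall2 FORWARD chain log entries per rule tag and IN/OUT pair.
# INPUT/OUTPUT chain entries (SFW2-IN*, SFW2-OUT*) are ignored.
sfw2_fwd_summary() {
    awk '{
        tag = ""; in_if = ""; out_if = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SFW2-FWD/) tag = $i
            if ($i ~ /^IN=/)  in_if = $i
            if ($i ~ /^OUT=/) out_if = $i
        }
        if (tag != "") n[tag " " in_if " " out_if]++
    } END { for (k in n) print n[k], k }' "$1" | sort
}

# 0 if any forwarded packet was logged in the return direction ($2 -> $3).
sfw2_has_return_traffic() {   # $1 log file, $2 external if, $3 internal if
    grep -q "SFW2-FWD[^ ]* IN=$2 OUT=$3" "$1"
}

# Demo on a constructed two-line log (syslog writes each entry on one line).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar 19 08:33:58 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=209.204.189.1 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=32768 SEQ=14848
Mar 19 08:33:59 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=209.204.189.1 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=32768 SEQ=15104
EOF
ip_forward_enabled && echo "ip_forward: on" || echo "ip_forward: OFF or unreadable"
sfw2_fwd_summary "$demo_log"
sfw2_has_return_traffic "$demo_log" eth1 eth0 || echo "no eth1 -> eth0 forwarded replies seen"
rm -f "$demo_log"
```

With forwarding off the first line reports OFF, and an empty return direction in the summary is exactly the symptom in the post: requests leave masqueraded, but no reply is ever forwarded back.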
TRIA IT-consulting GmbH, Joseph-Wild-Straße 20, 81829 München, Germany, Tel: +49 (89) 92907-0, Fax: +49 (89) 92907-100, http://www.tria.de

Message from: Dirk.Schreiner@xxxxxxx
Message to: linsley@xxxxxxxxx, suse-security@xxxxxxxx
Attachments: 0