Re: IP FORWARDING IPTABLES
- From: madmax71 <madmax71@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 17 Jun 2007 00:02:58 +0200
Moe Trin wrote:
On Fri, 15 Jun 2007, in the Usenet newsgroup comp.security.firewalls, in article
<4672c46f$0$4797$4fafbaef@xxxxxxxxxxxxxxxxxxx>, madmax71 wrote:
I have three NICs with WAN eth0 (10.10.10.253), LAN1
eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway
I'm guessing the network masks on the WAN and LAN2 are such that the
two do not overlap - anything narrower than 255.192.0.0 should be
satisfactory. Otherwise, there will be routing confusion.
router1 (provider1) = 10.10.10.1
router2 (provider2) = 10.10.10.2
I choose to configure my firewall to route packets in a different
manner depending on destination.
so I used ROUTE command to route packets this way
except that the '/sbin/route' command has nothing to do with the
firewall. See http://www.netfilter.org/documentation/HOWTO/ where you
will find seven informative HOWTOs
[TXT] NAT-HOWTO.txt 24-Dec-2006 16:06 25K
[TXT] netfilter-double-nat-HOWTO.txt 24-Dec-2006 16:06 9.4K
[TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
[TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
[TXT] netfilter-mirror-HOWTO.txt 24-Dec-2006 16:06 8.1K
[TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
[TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K
and also look through the "The Linux Network Administrator's Guide,
Second Edition" which is often included with Linux distributions, but
can also be found at any LDP mirror such as http://tldp.org/guides.html.
Another document to look at is the "Adv-Routing-HOWTO" which also should
be on your Linux box in /usr/share/HOWTO/
-rw-rw-r-- 1 gferg ldp 297491 Sep 4 2003 Adv-Routing-HOWTO
route add -net <ip_address_destination_routed_using_way1> netmask
255.255.255.255 gw eth0
route add -net <ip_address_destination_routed_using_way2> netmask
255.255.255.255 gw eth1
"-net" implies that there is a network there, but the netmask of
255.255.255.255 is that of a host, not a net. Also, you normally
want to specify the IP of the gateway, in addition to the interface.
Thus, the command might be more accurate
route add -net 192.0.2.0 netmask 255.255.255.0 gw 10.10.10.2 eth1
route add default gw 10.10.10.1
Note that the interface (eth1, eth2) does not have to be declared if
it is the last parameter in the command. Note also that the command
option you are showing "<ip_address_destination_routed_using_way1>"
may be a problem - we don't know, because we can't imagine what you
actually have there.
It seems to work, so I'm reaching destination IP_address1 AND
IP_address2 BUT if I ping destination IP or I traceroute it the only
one responding is the one on eth0 (default gateway card) route.
What version of traceroute? What mode? The standard LBL traceroute
defaults to using UDP packets, but has a "-I" option to use ICMP echos.
The "improved" version that comes with SuSE lacks the ICMP capability,
and uses the -I option to specify the interface. The microsoft wincrap
version (TRACERT.EXE) only uses ICMP echos because the idiots at
microsoft don't know any better.
Do you know that the second router (10.10.10.2) is not blocking ICMP
packets? "ping" has been abused by skript kiddiez and other wankers
so that a lot of people now block it. You could try using a TCP version
of traceroute (tcptraceroute, hping2, hping3) to see if that works,
or if the router is dropping ICMP type 11 as well.
?? where is the filtering stopping my PING packets, so they don't get
Another tool to look at is a packet sniffer - there are dozens available
ranging from the original LBL "tcpdump" up through the click-and-drool
tools like "wireshark" (formerly "ethereal").
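The two routing points raised in the reply (the WAN and LAN2 networks must not overlap under their masks, and a route's gateway must be an IP address that is on-link via the egress interface, with 255.255.255.255 meaning a host rather than a net) can be checked with a small model. The following Python is an added example and is not code from either poster; it uses the interface addresses quoted in the thread, assumes /24 interface masks (the post does not state them), and uses documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as constructed destinations.

```python
import ipaddress

# Interface addresses are the ones quoted in the thread. The /24 masks used
# for on-link checks below are an assumption made for this example.
INTERFACES = {
    "eth0": "10.10.10.253",   # WAN: both provider routers (10.10.10.1, .2) live here
    "eth1": "192.168.0.253",  # LAN1
    "eth2": "10.100.3.253",   # LAN2
}


def overlapping_interfaces(interfaces, netmask):
    """Return pairs of interfaces whose networks overlap under `netmask`.

    This is the first remark in the reply: 10.10.10.x and 10.100.3.x only
    fall into distinct networks once the mask is long enough.
    """
    nets = {name: ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
            for name, addr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


class RouteTable:
    """Minimal longest-prefix-match table with the sanity checks a kernel applies."""

    def __init__(self, interfaces, netmask="255.255.255.0"):
        self.if_nets = {name: ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
                        for name, addr in interfaces.items()}
        self.routes = []  # (destination network, gateway or None, device)

    def add(self, dest, gateway=None, dev=None):
        net = ipaddress.ip_network(dest, strict=False)
        gw = None
        if gateway is not None:
            # "gw eth0" fails here: a gateway must be an IP address, not a device
            gw = ipaddress.ip_address(gateway)
            if dev is None:
                dev = self._device_for(gw)
            # the next hop has to be directly reachable on the chosen interface
            if gw not in self.if_nets[dev]:
                raise ValueError(f"gateway {gw} is not on-link via {dev}")
        self.routes.append((net, gw, dev))

    def _device_for(self, ip):
        for name, net in self.if_nets.items():
            if ip in net:
                return name
        raise ValueError(f"no interface can reach {ip}")

    def lookup(self, dst):
        """Longest prefix match: a /32 host route beats a net route beats default."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, gw, dev in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, dev)
        return best


def route_add_command(dest, gateway=None, dev=None):
    """Render a net-tools `route add` line: -host for a /32, -net plus netmask otherwise."""
    net = ipaddress.ip_network(dest, strict=False)
    if net.prefixlen == 32:
        parts = ["route", "add", "-host", str(net.network_address)]
    else:
        parts = ["route", "add", "-net", str(net.network_address),
                 "netmask", str(net.netmask)]
    if gateway:
        parts += ["gw", gateway]
    if dev:
        parts.append(dev)
    return " ".join(parts)


def demo():
    """Provider 1 as default, selected destinations via provider 2 (constructed)."""
    rt = RouteTable(INTERFACES)
    rt.add("0.0.0.0/0", "10.10.10.1")          # default via router1
    rt.add("192.0.2.0/24", "10.10.10.2")       # one destination net via router2
    rt.add("198.51.100.7/32", "10.10.10.2")    # one host via router2
    return {
        "via_provider2": str(rt.lookup("192.0.2.5")[1]),
        "via_default": str(rt.lookup("203.0.113.9")[1]),
        "host_cmd": route_add_command("198.51.100.7/32", "10.10.10.2", "eth0"),
    }


if __name__ == "__main__":
    print("overlap at 255.128.0.0:", overlapping_interfaces(INTERFACES, "255.128.0.0"))
    print("overlap at 255.192.0.0:", overlapping_interfaces(INTERFACES, "255.192.0.0"))
    print(demo())
```

Both provider routers sit on the eth0 network, so every per-destination route ends up leaving via eth0 whichever gateway it names; `RouteTable.add` rejects a route that names a gateway not reachable on the given device, which is the same check the kernel makes when a route is installed.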