Sorry for the routing test. The output of the route command seems to be okay. Something like

Destination     Gateway     Genmask          Flags Metric Ref Use Iface
w.x.y.z         0.0.0.0     255.255.255.0    U     0      0   0   ppp0
external        0.0.0.0     255.255.255.252  U     0      0   0   eth0
internal        0.0.0.0     255.255.255.0    U     0      0   0   eth1
0.0.0.0         w.y.x.z+1   0.0.0.0          UG    0      0   0   ppp0
gedenktage:/var/home/muenster #

At the moment, I run the expensive two interface solution. I will test the IP-tables as soon as possible.

YoYo Peter
From: engelbert.gruber@ssg.co.at
Date: Tue, 6 Jan 2004 17:15:32 +0100 (CET)
To: "Dr. Peter Münstermann"
Cc: suse-security@suse.com
Subject: Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)

On Tue, 6 Jan 2004, Dr. Peter Münstermann wrote:
Hi Again,
1) Is the routing ok ? How can I check the routing ?
route -n
The SuSEfirewall-Script generates more rules than G.W. bushisms.
sometimes I use:

iptables -vnL | grep -v "^ *0 "

to see rules that have a hit count other than 0.
2) Are there any firewall log entries ?
Nothing critical for the 'dead' interface. But I have to retry with logging everything.
3) Are you sure you don't masq your webserver's reply packets with the wrong IP ? (I understand that you now have 2 external IPs)
I am completely unsure about everything! I guess everything should be clear by understanding the IP rules. Is there a debugging tool for this ?
Thanks so far
Peter
___________________________________________________________
Dr. Peter Münstermann
Schützenstr. 11
D-78462 Konstanz
mobil: +49 (0)173/2309398
tel.: +49 (0)7531/919122
fax.: +49 (0)7531/914370
___________________________________________________________
From: Andreas Baetz
Date: Mon, 5 Jan 2004 09:01:10 +0100
To: suse-security@suse.com
Subject: Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)

You could check the following:
1) Is the routing ok ?
2) Are there any firewall log entries ?
3) Are you sure you don't masq your webserver's reply packets with the wrong IP ? (I understand that you now have 2 external IPs)
You could get more info by tcpdumping your interfaces.
Andreas
On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
Hi,
I am running a small enterprise server under Suse 9.0. The main tasks are: Masquerading an internal network, SMTP, POP3 and web serving.
Everything works nicely with two interfaces:
eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
with default route 1.2.3.3
Web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only on the internal interface.

NOW: to keep traffic costs as low as possible, we would like to route the main traffic over a DSL flat rate. Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with eth2), masquerading works and I can see the web server at 1.2.3.4 due to the additional entry:

iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
BUT: The address 1.2.3.4 is not responding from the outside any more. Both eth0 and ppp0 are configured as external interfaces in the SuSEfirewall configuration.
I think, the problem can be seen as a sort of load balancing for the leaving IP packets.
any martians in the log ?
what is the default route now ?
-- BINGO: high-performance breakthrough --- Engelbert Gruber -------+ SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
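An added example, not from anyone in this thread, that turns Engelbert's "what is the default route now?" into a check: it parses a route -n table and reports whether replies for the leased-line address would follow the DSL default route out a different interface than the one the request arrived on, which is one way 1.2.3.4 can stop answering from outside once ppp0 carries the default route. The route table is constructed from the figures in the original post (the 5.6.7.x DSL addresses are placeholders), and the ip rule/ip route lines printed at the end are a standard source-based policy-routing fix that is printed, not executed.

```shell
#!/bin/sh
# Added example: detect an asymmetric reply path from `route -n` output.
# Assumed names: eth0 carries 1.2.3.4/26 (gateway 1.2.3.3), ppp0 is the DSL link.

# Constructed `route -n` output after ppp0 came up (default route now via ppp0).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5.6.7.0         0.0.0.0         255.255.255.0   U     0      0        0 ppp0
1.2.3.0         0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         5.6.7.1         0.0.0.0         UG    0      0        0 ppp0'

# default_iface TABLE -> interface of the 0.0.0.0/0 route
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# iface_for_net TABLE NETWORK -> interface of a directly connected network
iface_for_net() {
    printf '%s\n' "$1" | awk -v net="$2" '$1 == net && $2 == "0.0.0.0" { print $8; exit }'
}

# reply_path_check TABLE NETWORK -> "symmetric" or "asymmetric" ("unknown" if
# NETWORK is not in the table). "asymmetric" means a packet arrives on the
# interface of NETWORK, but the reply leaves over the default route on another
# interface, so the remote side sees the answer come back on a different link.
reply_path_check() {
    net_if=$(iface_for_net "$1" "$2")
    def_if=$(default_iface "$1")
    [ -n "$net_if" ] || { echo "unknown"; return 1; }
    if [ "$net_if" = "$def_if" ]; then echo "symmetric"; else echo "asymmetric"; fi
}

# suggest_fix ADDR GATEWAY IFACE: source-based policy route so that anything
# sent from ADDR keeps using its own gateway. Printed only; running it needs
# root and iproute2 on the real host.
suggest_fix() {
    echo "ip rule add from $1 table 100"
    echo "ip route add default via $2 dev $3 table 100"
}

if [ "$(reply_path_check "$SAMPLE_ROUTE" 1.2.3.0)" = "asymmetric" ]; then
    echo "replies from 1.2.3.4 would leave via $(default_iface "$SAMPLE_ROUTE"), not eth0"
    suggest_fix 1.2.3.4 1.2.3.3 eth0
fi
```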