Re: [suse-security] Multiple Internal Networks not Routing
Hello Jason,

OK, I see ... what about my note about /16 and /24 masks? Do you *have* to do it like that?

When you leave both FW_MASQ_NETS="" (empty) and FW_FORWARD="" (empty) and do a traceroute from a host on eth1 to a host on eth2 or vice versa, what do you see in the firewall logs in /var/logs/messages?

Let's get this to work,
Philipp

Jason Dobbs schrieb:
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref Use Iface
<public ip>     0.0.0.0         255.255.255.128   U     0      0   0   eth0
10.62.56.0      0.0.0.0         255.255.255.0     U     0      0   0   eth2
192.168.0.0     0.0.0.0         255.255.0.0       U     0      0   0   eth1
0.0.0.0         <public gw>     0.0.0.0           UG    0      0   0   eth0
ip forwarding is turned on in yast!
Thank You,

Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
p. 702.836.5939
f. 270.913.7462
mailto: jdobbs@casuarinacasino.com
Philipp Rusch wrote:
Hi Jason what is your routing table looking like ? post route -nv back here are you routing at all ? (set ip_forward=yes in YAST)
other comments inline ...
Jason Dobbs schrieb:
--SNIP ---
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
              ^ this                          ^ and this
is redundant: 192.168.65.224/27 is completely contained in the 192.168.0.0/16 network, which means all 192.168."something" nets ... you know that normally a 192.168.x.y net is a /24-type network and a 10.x.y.z net has a /16-type mask??
--SNIP--
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
  192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
  192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
  0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
what are you trying to do here? If routing just doesn't work then forwarding doesn't help that much ...
I think something different is causing your troubles than missing entries here; it seems you did too much work. It is normally quite simple, what you try to do :-)
Regards from Germany, Philipp
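An added worked example, not part of the thread and not SuSEfirewall2's own code: it takes the `route -n` table Jason posted and the FW_MASQ_NETS line Philipp commented on, checks which locally connected interface each masqueraded source net is actually routed over (Philipp's "if routing doesn't work, forwarding doesn't help"), and reports the overlapping entries he points at. Assumptions: the `<public ip>`, `<public gw>` and `<mail server ip>` placeholders are replaced by made-up RFC 5737 addresses, and each FW_MASQ_NETS entry is read as "source[,destination]" with a missing destination meaning anywhere (0/0), which is how the variable's documented syntax is understood here.

```python
import ipaddress

# Constructed sample input: the `route -n` output from the thread, with the
# <public ip> and <public gw> placeholders replaced by hypothetical RFC 5737 values.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref Use Iface
198.51.100.0    0.0.0.0         255.255.255.128   U     0      0   0   eth0
10.62.56.0      0.0.0.0         255.255.255.0     U     0      0   0   eth2
192.168.0.0     0.0.0.0         255.255.0.0       U     0      0   0   eth1
0.0.0.0         203.0.113.1     0.0.0.0           UG    0      0   0   eth0
"""

# Constructed from the FW_MASQ_NETS line quoted in the thread; <mail server ip>
# is replaced by the hypothetical 203.0.113.10.
FW_MASQ_NETS = ("192.168.65.224/27 10.62.56.0/24 "
                "192.168.0.0/16,203.0.113.10/32 10.62.56.0/24,203.0.113.10/32")

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the title and the column header
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def parse_masq_nets(value):
    """Split FW_MASQ_NETS into (source, destination) networks (assumed
    "source[,destination]" syntax; no destination means anywhere)."""
    entries = []
    for token in value.split():
        src, _, dst = token.partition(",")
        entries.append((ipaddress.ip_network(src),
                        ipaddress.ip_network(dst) if dst else ANY))
    return entries


def route_for(net, routes):
    """Longest-prefix match: the route whose network covers `net` most tightly."""
    best = None
    for rnet, gw, iface in routes:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[0].prefixlen):
            best = (rnet, gw, iface)
    return best


def check_masq_routes(entries, routes):
    """Map each masqueraded source net to the interface it is routed on.
    A source that only hits the default route is not locally connected, so
    the masquerade entry can never see traffic from it (reported as None)."""
    result = {}
    for src, _dst in entries:
        match = route_for(src, routes)
        result[str(src)] = match[2] if match and match[0] != ANY else None
    return result


def classify_overlaps(entries):
    """Report entries whose source lies inside another entry's source.
    'shadowed' means the destination is covered as well (the entry adds
    nothing); 'source-overlap' means only the source side overlaps, so the
    two entries still masquerade towards different destinations."""
    findings = []
    for i, (src, dst) in enumerate(entries):
        for j, (src2, dst2) in enumerate(entries):
            if i == j or not src.subnet_of(src2):
                continue
            if dst.subnet_of(dst2):
                findings.append(("shadowed", f"{src},{dst}", f"{src2},{dst2}"))
            elif src != src2:
                findings.append(("source-overlap", f"{src},{dst}", f"{src2},{dst2}"))
    return findings


if __name__ == "__main__":
    routes = parse_routes(ROUTE_N)
    entries = parse_masq_nets(FW_MASQ_NETS)
    for net, iface in check_masq_routes(entries, routes).items():
        print(f"{net:20} routed via {iface or 'default route only (not local!)'}")
    for kind, narrow, broad in classify_overlaps(entries):
        print(f"{kind}: {narrow} is inside {broad}")
```

Run against the thread's values, both internal nets resolve to a connected interface (eth1 for the 192.168.0.0/16 entries, eth2 for 10.62.56.0/24), so the routing table itself is not the problem; the overlap report shows the /27 entry sitting inside the /16 one on the source side, and the second 10.62.56.0/24 entry fully shadowed by the first, which is the redundancy Philipp is asking about.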