Re: AW: [suse-security] Multiple Internal Networks not Routing
Robert,

ETH1 Dump
------------------------------------------
tcpdump: listening on eth1
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel

ETH2 Dump
-------------------------------------------
tcpdump -pni eth2 icmp
tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel

192.168.65.228 trying to ping 10.62.56.8
---------------------------------------------------
Pinging 10.62.56.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.62.56.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

IP-Forwarding
----------------------------------------
cat /proc/sys/net/ipv4/ip_forward <enter>
1

Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas

Rasp, Robert wrote:
Hello,
I had this problem myself... I hate routing sometimes ;-) Is IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward)? Try this: open two shells and start "tcpdump -pni eth1 icmp" in one shell and "tcpdump -pni eth2 icmp" in the other. Try the ping again and watch the results...
CU Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 21:49
To: Rasp, Robert
Subject: Re: *****list-suse***** AW: [suse-security] Multiple Internal Networks not Routing
Robert,
I took the firewall script down and tried a ping from 192.168.65.228 to 10.62.56.8 and got the same results, request timed out.
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
Rasp, Robert wrote:
Hello,
If I had this problem, I would try it without the firewall first.... Then you can be sure your routing is ok. It may be better to stay offline while the firewall script isn't running :-)
CU Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 17:18
To: suse-security@suse.com
Subject: [suse-security] Multiple Internal Networks not Routing
Hi,
Hoping someone can point out my mistake here! I have SuSE 9.0 running with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and eth2=10.62.56.0/24). Everything with the internet is working great. The problem is routing traffic between eth1 and eth2. I've set both networks as trusted, set FW_FORWARD, and enabled FW_ALLOW_CLASS_ROUTING. Nothing has seemed to work. Also posted is a copy of my /etc/sysconfig/SuSEfirewall2. I'd like to allow all traffic between these 2 networks.
Any ideas?
-------------------------------------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http https ssh"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes" # Jason Dobbs
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes" # Jason Dobbs
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
-----------------------------------------------------------------------------------
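A small check for reading the two captures above, added here as an example and not code from the thread: it implements the reasoning behind Robert's two-tcpdump procedure, parsing the tcpdump line format shown in the dumps and reporting at which hop the ping stalls. The function and variable names are my own, and the sample captures are the thread's, abridged.

```python
import re
from collections import Counter

# Line shape as in the tcpdump output posted in the thread, e.g.
# "05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request"
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"icmp: echo (?P<kind>request|reply)$")

def parse_icmp(capture):
    """Count (src, dst, kind) for each ICMP echo line; tcpdump's own status lines
    ('listening on ...', 'packets received by filter') do not match and are skipped."""
    flows = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"], m["kind"])] += 1
    return flows

def diagnose(ingress_capture, egress_capture, src, dst):
    """Locate the hop at which a ping from src to dst stalls. ingress_capture comes
    from the router interface facing src, egress_capture from the one facing dst."""
    ingress, egress = parse_icmp(ingress_capture), parse_icmp(egress_capture)
    request, reply = (src, dst, "request"), (dst, src, "reply")
    if ingress[request] == 0:
        return "client"       # request never reached the router: client route/gateway
    if egress[request] == 0:
        return "forward"      # received but not forwarded: ip_forward or FORWARD chain
    if egress[reply] == 0:
        return "destination"  # forwarded, nothing came back: destination host's
                              # return route or its own host firewall
    if ingress[reply] == 0:
        return "return"       # reply reached the router but was not forwarded back
    return "ok"

# The thread's captures (abridged to two packets each); eth1 faces 192.168.65.228,
# eth2 faces 10.62.56.8.
ETH1_DUMP = """tcpdump: listening on eth1
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter"""
ETH2_DUMP = """tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter"""

if __name__ == "__main__":
    print(diagnose(ETH1_DUMP, ETH2_DUMP, "192.168.65.228", "10.62.56.8"))  # destination
```

For the captures Jason posted the verdict is "destination": the requests leave eth2 but no echo reply ever comes back, so the next place to look is the 10.62.56.8 host rather than the SuSE box's forwarding.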
Hey, what's going on here, girls, are you whispering privately? Can't follow the thread anymore ... ;-(((
Going asleep then,
Philipp

PLS post to THE LIST

Jason Dobbs wrote: