Re: [suse-security] Multiple Internal Networks not Routing
Jason,

Ok, we are one step further!

To clarify: (this has been defined like that, there is no obvious technical reason for that, ok there are some reasons, but that would lead us too far) there are classes of IP networks:

A-class: mask /8
B-class: mask /16
C-class: mask /24

with some special addresses reserved for "private use", which means these are "unrouteable" addresses in terms of internet routes; that's the reason for NAT, for instance.

OK,

10.a.b.c "normally" has to have a /8 mask (type A class); you can divide this huge network of 16*16*16 hosts into smaller nets using a /16 or a /24 mask, for instance.

172.16.m.n "normally" has to have a /16 mask (type B class), but the same concept of breaking it down into parts applies as above; you are free to do so.

192.168.x.y "normally" has to have a /24 mask (type C class), which implies that you choose the "x" and then this part of the network address is fixed for your setup.

The advantage of having a 10.a.b.c/8 network instead of a 192.168.x.y/24 is that you can have more hosts belonging to the *same* network without the need to route.

In your case, if you are still free to choose your network addresses and don't have more than 254 hosts, I would strongly recommend that you go for something like 192.168.1.x/24 on eth1 and 192.168.2.y/24 on eth2, or, if you have more hosts, go for 172.16.1.x/16 on eth1 if that is where the majority of your hosts are and take 192.168.2.x/24 for eth2.

Next question: what are the routing entries of your Windows PCs? They have to know about the other net as well!

Post a route print example output of both networks back here.

Regards,
Philipp

Jason Dobbs schrieb:
Ok here is the tracert data:
From a windows PC (192.168.65.228) to a windows PC (10.62.56.8)
-----------------------------------------------------------------
  1    <1 ms    <1 ms    <1 ms  192.168.66.252
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
/var/log/messages
-----------------------------------------------------------------
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1246 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1531 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24321 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1247 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1532 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24577 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
Apr 6 04:22:56 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1579 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25345
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
Apr 6 04:23:10 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1591 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26113
Apr 6 04:23:14 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1593 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26369
Apr 6 04:23:19 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1597 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26625
Apr 6 04:23:23 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1599 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26881
Apr 6 04:23:28 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1601 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27137
Apr 6 04:23:32 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27393
Apr 6 04:23:37 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27649
Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
192.168.66.252 is the gateway for the 192.168.0.0/16 network. 10.62.56.252 is the gateway for the 10.62.56.0/24 network.
As far as your note on /16 and /24 ... maybe I have them backwards! I thought 192.168.0.0 was /16 and 10.62.56.0 was /24!!!!!! <-- Please clarify this!

Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
Philipp Rusch wrote:
Hello Jason,

OK, I see ... what about my note about /16 and /24 masks? Do you *have* to do it like that?

When you leave both FW_MASQ_NETS="" (empty) and FW_FORWARD="" (empty) and do a traceroute from a host on eth1 to a host on eth2 or vice versa, what do you see in the firewall logs in /var/logs/messages?

Let's get this to work,
Philipp
Jason Dobbs schrieb:
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref    Use Iface
<public ip>     0.0.0.0         255.255.255.128   U     0      0        0 eth0
10.62.56.0      0.0.0.0         255.255.255.0     U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.0.0       U     0      0        0 eth1
0.0.0.0         <public gw>     0.0.0.0           UG    0      0        0 eth0
ip forwarding is turned on in yast!
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
p. 702.836.5939
f. 270.913.7462
mailto: jdobbs@casuarinacasino.com
Philipp Rusch wrote:
Hi Jason,

What is your routing table looking like? Post route -nv back here. Are you routing at all? (set ip_forward=yes in YAST)
other comments inline ...
Jason Dobbs schrieb:
--SNIP ---
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
              ^ this                          ^ and this
is redundant: 192.168.65.224/27 is completely contained in the 192.168.0.0/16 network, which means all 192.168."something" nets ... you know that normally a 192.168.x.y net is a /24-type network and a 10.x.y.z has a /16 type mask ??
--SNIP--
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
            192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
            192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
                 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
What are you trying to do here? If routing just doesn't work, then forwarding doesn't help that much ...

I think something different is causing your troubles than missing entries here; it seems you did too much work, it is normally quite simple, what you try to do :-)
Regards from Germany, Philipp
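Added example, not part of the thread: a parser for the SuSE-FW kernel log lines quoted above. The four sample lines are copied from Jason's log; the parsing and the summary (forwarded flows that never saw a reply, probe TTLs, and the destination whose probes expired at the firewall) are mine.

```python
"""Parse SuSE-FW style kernel log lines (iptables LOG format) and answer the
first questions one asks of them: what was accepted, in which direction,
and did anything ever come back.  Sample lines are copied from the thread."""
import re
from collections import Counter

# Four entries from Jason's /var/log/messages, copied from the thread.
SAMPLE_LOG = """\
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
"""

# syslog timestamp, host, "kernel:", the SuSEfirewall rule tag, then KEY=value pairs
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<tag>SuSE-FW-[A-Z-]+) (?P<rest>.*)$"
)


def parse_fields(text):
    """Turn 'KEY=value KEY= ...' into a dict.  An empty value (IN=) is kept
    as "".  A repeated key (the second ID= is the ICMP echo identifier)
    gets an underscore suffix instead of overwriting the first."""
    out = {}
    for key, val in re.findall(r"(\w+)=(\S*)", text):
        while key in out:
            key += "_"
        out[key] = val
    return out


def parse_line(line):
    """One log line -> dict, or None if it is not a SuSE-FW entry.
    ICMP error entries (TYPE=11) carry the offending packet in [...];
    it is parsed into rec["inner"]."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    inner = None
    if "[" in rest:
        rest, inner_txt = rest.split("[", 1)
        inner = parse_fields(inner_txt.rstrip(" ]"))
    rec.update(parse_fields(rest))
    rec["inner"] = inner
    return rec


def summarise(log_text):
    """Aggregate the parsed lines into what a first look should answer."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    tags = Counter(r["tag"] for r in recs)
    # flows the box forwarded between two interfaces (IN and OUT both set)
    forwarded = {(r["SRC"], r["DST"]) for r in recs
                 if r["tag"] == "SuSE-FW-ACCEPT-CLASS" and r["IN"] and r["OUT"]}
    seen = {(r["SRC"], r["DST"]) for r in recs}
    # A forwarded flow whose reverse (DST -> SRC) pair never shows up: the far
    # host did not answer, or its reply took a path this box never logged.
    unanswered = sorted(p for p in forwarded if (p[1], p[0]) not in seen)
    probe_ttls = sorted({int(r["TTL"]) for r in recs
                         if r["tag"] == "SuSE-FW-ACCEPT-CLASS"})
    # ICMP type 11 (time exceeded) entries name the probe's real target inside [...]
    expired_for = [r["inner"]["DST"] for r in recs
                   if r.get("TYPE") == "11" and r["inner"]]
    return {"tags": dict(tags), "unanswered": unanswered,
            "probe_ttls": probe_ttls, "expired_for": expired_for}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in the thread, "unanswered" is the thing to look at: every probe from 192.168.65.228 was accepted eth1 -> eth2, but no packet from 10.62.56.8 back toward it was ever logged.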
Hi,

ups ;-))

Philipp Rusch schrieb:
> Jason, Ok, we are one step further!
> To clarify: (this has been defined like that, there is no obvious technical reason for that, ok there are some reasons, but that would lead us too far)

4 Bit CPU and serial communication ;-)

> there are classes of IP networks:
> A-class: mask /8
> B-class: mask /16
> C-class: mask /24

D-Class /32 not to forget (Multicast)
E-Class (but this is Experimental, SCNR)

> with some special addresses reserved for "private use", which means these are "unrouteable" addresses in terms of internet routes; that's the reason for NAT, for instance.
> OK,
> 10.a.b.c "normally" has to have a /8 mask (type A class); you can divide this huge network of 16*16*16 hosts into smaller

(256 * 256 * 256) - 2

Now this is good explained:

> nets using a /16 or a /24 mask, for instance.
> 172.16.m.n "normally" has to have a /16 mask (type B class), but the same concept of breaking it down into parts applies as above; you are free to do so.
> 192.168.x.y "normally" has to have a /24 mask (type C class), which implies that you choose the "x" and then this part of the network address is fixed for your setup.
> The advantage of having a 10.a.b.c/8 network instead of a 192.168.x.y/24 is that you can have more hosts belonging to the *same* network without the need to route.
> In your case, if you are still free to choose your network addresses and don't have more than 254 hosts, I would strongly recommend that you go for something like 192.168.1.x/24 on eth1 and 192.168.2.y/24 on eth2, or, if you have more hosts, go for 172.16.1.x/16 on eth1 if that is where the majority of your hosts are and take 192.168.2.x/24 for eth2.
> Next question: what are the routing entries of your Windows PCs? They have to know about the other net as well!

No, they have to know the Gateway, and if the Default-Gw knows, they only have to know the default-gw.

> Post a route print example output of both networks back here.

And as seen, the Firewall is activated. First test Routing with deactivated Firewall. Then activate Firewall. (Remember the OSI - Layers ;-)

Greetings
Dirk

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
--------------------------------------------------------
working hard | for your success
--------------------------------------------------------
Commercial register Munich HRB 113466
VAT ID DE 180017238
Tax no. 802/40600
Managing director: Hubertus Wagenhauser
--------------------------------------------------------
Hello Dirk,

I think it was too late for me yesterday ... oh, man!

Dirk Schreiner schrieb:
> Hi,
> ups ;-))
> Philipp Rusch schrieb:
>> Jason, Ok, we are one step further!
>> To clarify: (this has been defined like that, there is no obvious technical reason for that, ok there are some reasons, but that would lead us too far)
>
> 4 Bit CPU and serial communication ;-)

okay, we both know that this masking stuff comes from bitwise decoding from "left to right" and should save cycles in "those early days" .... ;-)

>> there are classes of IP networks:
>> A-class: mask /8
>> B-class: mask /16
>> C-class: mask /24
>
> D-Class /32 not to forget (Multicast)
> E-Class (but this is Experimental, SCNR)

of course there are others ..., you're right, but Jason got my point .... otherwise he could read the RFC

>> with some special addresses reserved for "private use",
>> which means these are "unrouteable" addresses in terms of internet routes; that's the reason for NAT, for instance.
>> OK,
>> 10.a.b.c "normally" has to have a /8 mask (type A class); you can divide this huge network of 16*16*16 hosts into smaller
>
> (256 * 256 * 256) - 2

ehemm, completely brain dead here, you are absolutely right with your calculation!!! how did I come to 16????. An IP address in notation a.b.c.d is 8bit.8bit.8bit.8bit = 32 bit addresses in IP v4, ok: the number of hosts in a C class is 256 - 2, then B-class is (256*256) - 2, then, now we got it.

> Now this is good explained:

thank you!

>> nets using a /16 or a /24 mask, for instance.
>> 172.16.m.n "normally" has to have a /16 mask (type B class), but the same concept of breaking it down into parts applies as above; you are free to do so.
>> 192.168.x.y "normally" has to have a /24 mask (type C class), which implies that you choose the "x" and then this part of the network address is fixed for your setup.
>> The advantage of having a 10.a.b.c/8 network instead of a 192.168.x.y/24 is that you can have more hosts belonging to the *same* network without the need to route.
>> In your case, if you are still free to choose your network addresses and don't have more than 254 hosts, I would strongly recommend that you go for something like 192.168.1.x/24 on eth1 and 192.168.2.y/24 on eth2, or, if you have more hosts, go for 172.16.1.x/16 on eth1 if that is where the majority of your hosts are and take 192.168.2.x/24 for eth2.
>> Next question: what are the routing entries of your Windows PCs? They have to know about the other net as well!
>
> No, they have to know the Gateway, and if the Default-Gw knows, they only have to know the default-gw.

ya, ok, I just wanted to say that they must somehow know where to route to; your statement is right, a gw-definition should suffice. I always explain this to beginners like that: Internet hosts must only know their neighbours, which know about their neighbours, which know a way to other neighbours, and so on. Some of these know more about others and thus have a longer routing table (central routers at an ISP, for instance) .... :-)

>> Post a route print example output of both networks back here.
>
> And as seen, the Firewall is activated. First test Routing with deactivated Firewall. Then activate Firewall. (Remember the OSI - Layers ;-)

Uaah, OSI!!! No, bäh ... But you are right again: should test this setup without firewall first, test routing until it works, then get the rules straight.

> Greetings
> Dirk
> TRIA IT-consulting GmbH
> Joseph-Wild-Straße 20
> 81829 München
> Germany
> Tel: +49 (89) 92907-0
> Fax: +49 (89) 92907-100
> http://www.tria.de
> --------------------------------------------------------
> working hard | for your success
> --------------------------------------------------------

what about your success? ;-)

- - SNIP - -

Greetings,
Philipp

P.S.: I'm interested in talking on privately.
Ok on the 192.168.0.0 network ... I don't have a choice ... I have workstations and servers on 66.xx, also have workstations on 65.xx and POS workstations on 67.xx ... Don't ask! I didn't have a choice with most of it :) ... as far as the 10.62.56.0 network ... everything is within the 56.xx range.

Windows Print Route Dump
-------------------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.66.252  192.168.65.228     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.0.0      255.255.0.0   192.168.65.228  192.168.65.228     20
   192.168.65.228  255.255.255.255        127.0.0.1       127.0.0.1     20
   192.168.65.255  255.255.255.255   192.168.65.228  192.168.65.228     20
        224.0.0.0        240.0.0.0   192.168.65.228  192.168.65.228     20
  255.255.255.255  255.255.255.255   192.168.65.228  192.168.65.228      1
Default Gateway:    192.168.66.252
===========================================================================
Persistent Routes:
  None

Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas

Philipp Rusch wrote:
Jason,

I don't think that windows clients will handle your setup correctly. You can see from your route print dump that 192.168.65.x clients assume to be alone on that segment and don't know anything about 192.168.66.y or others at first sight. What you are doing is called supernetting; you form a supernet of several 192.169.a.b nets and treat them as a whole. Cisco routers do handle this very well; I don't know of windows clients, and even if SuSEfirewall is handling this correctly... Netbios uses broadcasts to find other windows PCs' resources in a network; one has to make sure that broadcasts get through a router, or one has to use other methods of windows name resolution (WINS, DDNS in w2k and so on). Others may add their comments here, please.

One thing I would try, just to be sure: give a printout from route print from one of the 10.62.56.xx clients. Could try to add a route from there to 192.168.0.0:

route add 192.168.0.0 mask 255.255.0.0 gateway 10.62.56.252

and the other nets' clients should have:

route add 10.62.56.0 mask 255.255.255.0 gateway 192.168.66.252

HTH,
Philipp

Jason Dobbs schrieb:
Ok on the 192.168.0.0 network ... I don't have a choice ... I have workstations and servers on 66.xx, also have workstations on 65.xx and POS workstations on 67.xx ... Don't ask! I didn't have a choice with most of it :) ... as far as the 10.62.56.0 network ... everything is within the 56.xx range.

Windows Print Route Dump
-------------------------------------------------------
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.66.252  192.168.65.228     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.0.0      255.255.0.0   192.168.65.228  192.168.65.228     20
   192.168.65.228  255.255.255.255        127.0.0.1       127.0.0.1     20
   192.168.65.255  255.255.255.255   192.168.65.228  192.168.65.228     20
        224.0.0.0        240.0.0.0   192.168.65.228  192.168.65.228     20
  255.255.255.255  255.255.255.255   192.168.65.228  192.168.65.228      1
Default Gateway:    192.168.66.252
===========================================================================
Persistent Routes:
  None
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
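A worked example added here (not from the thread): the subnet arithmetic behind the /8, /16, /24 discussion, the containment check behind the FW_MASQ_NETS redundancy remark, and a longest-prefix-match lookup over the route print table Jason posted, which shows why the 192.168.65.228 PC treats 192.168.66.252 as on-link while 10.62.56.8 falls to the default gateway. Everything uses Python's standard ipaddress module; the addresses are the ones quoted in the thread.

```python
"""Subnet arithmetic and route lookup for the addresses discussed in the
thread.  Added example; uses only the standard library."""
import ipaddress


def classful_prefix(addr):
    """Historic classful default prefix from the first octet:
    A (0-127) -> /8, B (128-191) -> /16, C (192-223) -> /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr}: class D/E address, no host mask")


def usable_hosts(cidr):
    """Hosts per subnet: 2**(32 - prefix) minus network and broadcast.
    /8 -> 256*256*256 - 2 (Dirk's correction), /24 -> 254."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 2


def is_redundant(inner, outer):
    """True when 'inner' lies completely inside 'outer', e.g. the
    192.168.65.224/27 entry next to 192.168.0.0/16 in FW_MASQ_NETS."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


# "route print" from the 192.168.65.228 PC, as (destination, netmask, gateway).
# A gateway equal to the host's own address is Windows' way of saying on-link.
WINDOWS_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.66.252"),
    ("127.0.0.0", "255.0.0.0", "127.0.0.1"),
    ("192.168.0.0", "255.255.0.0", "192.168.65.228"),
    ("192.168.65.228", "255.255.255.255", "127.0.0.1"),
    ("192.168.65.255", "255.255.255.255", "192.168.65.228"),
    ("224.0.0.0", "240.0.0.0", "192.168.65.228"),
    ("255.255.255.255", "255.255.255.255", "192.168.65.228"),
]


def lookup(dst, routes=WINDOWS_ROUTES):
    """Longest-prefix match over a (dest, mask, gateway) table.
    Returns (matched network as 'a.b.c.d/n', gateway)."""
    target = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for dest, mask, gw in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return str(best_net), best_gw


def on_link(dst, self_addr="192.168.65.228", routes=WINDOWS_ROUTES):
    """Does the PC believe dst sits on its own segment (no gateway hop)?
    With the /16 mask, 192.168.66.252 is on-link: that is the supernetting
    Philipp describes.  10.62.56.8 is not, and goes to the default gateway."""
    return lookup(dst, routes)[1] == self_addr


if __name__ == "__main__":
    for a in ("10.62.56.8", "172.16.1.1", "192.168.65.228"):
        print(a, "classful /%d" % classful_prefix(a))
    print("hosts in a /8:", usable_hosts("10.0.0.0/8"))
    print("192.168.65.224/27 inside 192.168.0.0/16:",
          is_redundant("192.168.65.224/27", "192.168.0.0/16"))
    for dst in ("10.62.56.8", "192.168.66.252"):
        print(dst, "->", lookup(dst), "on-link" if on_link(dst) else "via gateway")
```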
participants (3): Dirk Schreiner, Jason Dobbs, Philipp Rusch