Firewall/router - doesn't forward
Hello! We are currently trying to build a packet filtering firewall using SUSE Linux 6.2 and ipchains. The hardware used is a Pentium 133 with two Level One NICs using the Realtek 8139 chipset.
From what we read in the literature (Firewall and Ipchains HowTo, several articles in the german magazine ct etc.) it seemed quite manageable, but then reality struck.
After several unsuccessful tests with a bigger installation we set up an installation almost identical to the one shown in part 6.3 of the "Firewall and Proxy Server HOWTO" written by Mark Grennan, the only difference being the IP addresses for the outside part. Our setup passes all the tests described except one: it doesn't forward. I can ping any computer from the firewall/router, I can ping both sides of the firewall from the LAN, but I can only ping the outside address from the outside and I can't get through it. IP forwarding is switched on and all default policies in ipchains are set to ACCEPT.

We are quite desperate (and my boss is losing patience), so any ideas are highly welcome. Might it be useful to try some other network adapters? Is there something we have overlooked? Is there a fault in the HOWTO?

Best regards
Hi,

I had absolutely no luck with the HOWTO or the SuSEFirewall script (it wouldn't forward either !@#!@), so I created my own script system. Attached is a tar.gz file containing a directory called fw2; inside this directory you will find:

fw - This is the perl script that actually sets up the firewall.
allowed_tcp - This file lists all TCP ports allowed into the external interface.
allowed_udp - This file lists all UDP ports allowed into the external interface.
internal - This file lists all inside hosts/networks you want to masquerade.

While this script isn't that robust, it is simple enough that you should be able to do what you need to do by building on to it. If you need any assistance please contact me at secureaustin@consultant.com.

Regards,
HD Moore
http://nlog.ings.com (Like Nmap? Try Nlog!)
http://www.secureaustin.com (It's Coming...)

romba@fem.maschinenbau.uni-dortmund.de wrote:
Hello!
We are currently trying to build a packet filtering firewall using SUSE Linux 6.2 and ipchains. The hardware used is a Pentium 133 with two Level One NICs using the Realtek 8139 chipset.
From what we read in the literature (Firewall and Ipchains HowTo, several articles in the german magazine ct etc.) it seemed quite manageable, but then reality struck.
[ snip ]
We are quite desperate (and my boss is losing patience), so any ideas are highly welcome. Might it be useful to try some other network adapters? Is there something we have overlooked? Is there a fault in the HOWTO?
Best regards
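The setup the thread is about (two NICs, a private LAN that has to be masqueraded behind the outside address, and lists of TCP and UDP ports allowed in on the external interface, as in the allowed_tcp/allowed_udp/internal files above) written out as one small ipchains script. This is an added example for this page, not the HOWTO's ruleset and not HD Moore's fw script. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24, the port lists and the 61000:65095 masquerade port range are assumptions chosen for illustration; the ipchains options used (-P, -A, -i, -s, -p, --dport, -y, -l, --icmp-type, MASQ) are the ones ipchains documented at the time.

```shell
#!/bin/sh
# Added example, not code from the thread, the HOWTO or HD Moore's fw script:
# a minimal ipchains ruleset for a two-NIC router that forwards and
# masquerades a private LAN. Interface names, the LAN prefix, the port
# lists and the masquerade port range below are assumptions; adjust them
# to the real installation. Default action is to print the rules;
# "apply" runs them (as root).

EXT_IF="${EXT_IF:-eth0}"               # assumed outside interface
INT_IF="${INT_IF:-eth1}"               # assumed inside interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed private LAN behind the router
ALLOWED_TCP="${ALLOWED_TCP:-22 80}"    # TCP ports accepted from outside (cf. allowed_tcp)
ALLOWED_UDP="${ALLOWED_UDP:-53}"       # UDP ports accepted from outside (cf. allowed_udp)
MASQ_PORTS="61000:65095"               # assumed kernel masquerade port range

# Succeeds when the kernel forwarding switch in file $1 (normally
# /proc/sys/net/ipv4/ip_forward) reads 1. It is 0 after a fresh boot, and
# no ipchains rule can make the box forward while it stays 0.
forwarding_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Emits the ipchains commands. input and forward are deny-by-default so a
# missing rule fails closed rather than open.
ipchains_rules() {
    for chain in input forward output; do
        echo "ipchains -F $chain"
    done
    echo "ipchains -P input DENY"
    echo "ipchains -P forward DENY"
    echo "ipchains -P output ACCEPT"

    # Loopback and the inside interface are trusted.
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A input -i $INT_IF -s $INT_NET -j ACCEPT"

    # Anti-spoofing: a packet claiming an inside source must never arrive
    # on the outside interface; -l logs the attempt.
    echo "ipchains -A input -i $EXT_IF -s $INT_NET -j DENY -l"

    # Services exposed on the external interface.
    for p in $ALLOWED_TCP; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $p -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "ipchains -A input -i $EXT_IF -p udp --dport $p -j ACCEPT"
    done

    # Replies to masqueraded connections come back to the outside address
    # on the masquerade port range; a TCP reply never carries a bare SYN
    # (! -y), so new connections from outside into that range stay blocked.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y --dport $MASQ_PORTS -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp --dport $MASQ_PORTS -j ACCEPT"

    # Only the ICMP the LAN needs back: echo-reply (0) for ping,
    # destination-unreachable (3) and time-exceeded (11) for traceroute
    # and path errors. Echo-request from outside is not accepted.
    for t in 0 3 11; do
        echo "ipchains -A input -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT"
    done

    # forward chain: -i here is the interface the packet will leave on.
    # The LAN is masqueraded behind the outside address; without this its
    # private source addresses leave the box unchanged and no reply can
    # find its way back, which looks exactly like "it doesn't forward".
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    echo "ipchains -A forward -j DENY -l"
}

case "${1:-show}" in
    apply)
        forwarding_enabled /proc/sys/net/ipv4/ip_forward || \
            echo 1 > /proc/sys/net/ipv4/ip_forward
        ipchains_rules | sh -e
        ;;
    *)
        ipchains_rules
        ;;
esac
```

After applying, test from a LAN host with traceroute (UDP probes by default) rather than ping, and run tcpdump on both interfaces of the router at the same time: a probe seen on eth1 with a 192.168.1.x source should reappear on eth0 with the router's outside address as source. If it leaves eth0 still carrying the private source address, the MASQ rule is not matching; if it never reaches eth0 at all, check the ip_forward switch and the forward chain counters with ipchains -L forward -v.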
On Mon, Oct 18, 1999 at 08:50 +0000, romba@fem.maschinenbau.uni-dortmund.de wrote:
Our setup passes all the tests described except one: it doesn't forward. I can ping any computer from the firewall/router, I can ping both sides of the firewall from the LAN, but I can only ping the outside address from the outside and I can't get through it. IP forwarding is switched on and all default policies in ipchains are set to ACCEPT.
You know that ping is using ICMP packets, which might not make it through the masquerading (I suppose the router does masq your net, too)? Try tcpdump, which by default uses UDP packets if not told otherwise. And keep in mind that you might not want to keep ping open after successfully installing your firewall; there are ways (and have been for quite some time) to use this channel as a "regular" means of transport.

virtually yours - Gerhard Sittig
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Following up to myself ...

On Mon, Oct 18, 1999 at 20:49 +0200, Gerhard Sittig wrote:
You know that ping is using ICMP packets, which might not make it through the masquerading (I suppose the router does masq your net, too)? Try tcpdump, which by default uses UDP packets if not told otherwise. [ ... ]
No one noticed till now? Of course this should read "try traceroute, which by default uses UDP packets". Just for the record ...

virtually yours - Gerhard Sittig
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
participants (3)
- Gerhard Sittig
- H D Moore
- romba@fem.maschinenbau.uni-dortmund.de