hi everyone,
I just subscribed to the list, and haven't seen what the usual topics are like... So tell me if I'm OT :)
I run a local network with a SuSE 7.0 box as nat/dns/firewall (more or less...). As it's only a beginning my rules are not very "secured" yet. Now what troubles me is I can ping the internal network from this box, I can ping my two nics, I can ping the external router, but I can't ping outside (e.g. real internet sites...).
here's an overview of my config :

                 Cisco            SuSE7.0 Box             LAN
                   |             eth0        tr0
internet-----------|--------------|-----------|--------------
                   |        xxx.xxx.xxx.aaa   |
             xx.xxx.xxx.rrr              192.168.0.ccc
                                         xxx.xxx.xxx.bbb

On the internal side, I have 2 addresses for the same nic as I need an internal address for the lan, and an external address for another computer to be seen from the outside.
the eth0 is configured with yast as follows :
address : xxx.xxx.xxx.aaa
subnet : 255.255.255.224
gateway : xxx.xxx.xxx.rrr (cisco router)
the tr0 nic :
address : 192.168.0.ccc
subnet : 255.255.255.0
gateway : xxx.xxx.xxx.aaa (eth0)
address : xxx.xxx.xxx.bbb
subnet : 255.255.255.224
gateway : xxx.xxx.xxx.aaa (eth0)
I've written the script that "should" do the trick....

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
route add -net xxx.xxx.xxx.eee netmask 255.255.255.224 gw xxx.xxx.xxx.bbb tr0
/sbin/ipchains -A forward -b -s 0.0.0.0/0 -d xxx.xxx.xxx.fff -j ACCEPT
/sbin/ipchains -A forward -b -s 0.0.0.0/0 -d xxx.xxx.xxx.ggg -j ACCEPT
# ipchains reads a bare address as a /32 host match, so the destination needs an explicit /0 mask to cover the whole internet
/sbin/ipchains -A forward -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ

(this script has been taken from the old linux box that is supposed to be "dumped"...)
I haven't set any default route.. The problem is I can't see outside of the cisco... I can't ping the internet while I can ping both nics from the linux box, and I can also ping the internal network from the linux box.... what have I forgotten ?....
Thanks in advance for your answers
stephane
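An added example (my code, not Stephane's script and not anything from the SuSE list): a small Python model of how ipchains parses its -s/-d arguments and walks the forward chain, run against the posted rules. The masked public hosts xxx.xxx.xxx.fff and .ggg are replaced by the documentation addresses 203.0.113.10 and .11, and the LAN/internet test hosts are constructed; all of these are assumptions. It shows what a bare `-d 0.0.0.0` in the MASQ rule actually matches under ipchains' "no mask means /32" parsing, and what the `-b` ACCEPT rules open up in the reverse direction.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a model of ipchains address parsing and forward-chain
# traversal, not code from the post. The public addresses the post masks as
# xxx.xxx.xxx.fff / .ggg are assumed to be these documentation addresses.
HOST_FFF = "203.0.113.10"
HOST_GGG = "203.0.113.11"


def parse_ipchains_addr(spec: str) -> ipaddress.IPv4Network:
    """ipchains treats 'a.b.c.d' without a mask as a.b.c.d/32 (one host);
    only an explicit /0 (or 0.0.0.0/0.0.0.0) means 'any address'."""
    if "/" not in spec:
        spec += "/32"
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str
    bidirectional: bool = False  # the ipchains -b flag

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        forward = s in self.src and d in self.dst
        # -b behaves as if the rule were also inserted with -s and -d swapped
        reverse = self.bidirectional and d in self.src and s in self.dst
        return forward or reverse


def rule(src: str, dst: str, target: str, bidirectional: bool = False) -> Rule:
    return Rule(parse_ipchains_addr(src), parse_ipchains_addr(dst), target, bidirectional)


def forward_verdict(chain, policy: str, src: str, dst: str) -> str:
    """First matching rule wins; with no match the chain policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if r.matches(s, d):
            return r.target
    return policy


def chain_as_posted():
    return [
        rule("0.0.0.0/0", HOST_FFF, "ACCEPT", bidirectional=True),
        rule("0.0.0.0/0", HOST_GGG, "ACCEPT", bidirectional=True),
        rule("192.168.0.0/24", "0.0.0.0", "MASQ"),  # bare 0.0.0.0 == 0.0.0.0/32
    ]


def chain_fixed():
    return [
        rule("0.0.0.0/0", HOST_FFF, "ACCEPT", bidirectional=True),
        rule("0.0.0.0/0", HOST_GGG, "ACCEPT", bidirectional=True),
        rule("192.168.0.0/24", "0.0.0.0/0", "MASQ"),
    ]


if __name__ == "__main__":
    lan_host, internet_host = "192.168.0.10", "198.51.100.5"  # constructed sample hosts
    for name, chain in (("as posted", chain_as_posted()), ("fixed", chain_fixed())):
        print(f"{name:10s} LAN -> internet : {forward_verdict(chain, 'DENY', lan_host, internet_host)}")
        print(f"{name:10s} internet -> LAN : {forward_verdict(chain, 'DENY', internet_host, lan_host)}")
        print(f"{name:10s} fff -> LAN host : {forward_verdict(chain, 'DENY', HOST_FFF, lan_host)}")
```

Two things the run makes visible. With the rule as posted, a LAN host's packet to the internet matches no rule and falls to the DENY policy, so nothing would be masqueraded; with /0 it hits MASQ. And because the two ACCEPT rules carry -b with -s 0.0.0.0/0, anything addressed to or coming from fff/ggg is forwarded in both directions regardless of the DENY policy, which is worth knowing before putting the box on the wire. None of this touches the box's own pings: locally generated packets pass only the output chain, not forward.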
Is your Cisco set up correctly? I mean, is the Internet accessible when
you're connected to your Cisco?
Pascal
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
Pascal MiQUET wrote:
Is your Cisco set up correctly? I mean, is the Internet accessible when you're connected to your Cisco?
yes, I'm sure that everything (except my box...) is clean, because we use it every day... the SuSE 7.0 is intended to replace an old RH 6.0 that has never been updated. Moreover the old one runs on an old and somehow tired 486 DX2/66... So we're moving to something brand new and quite exciting.... the pentium 166 :)))... (We're using our unused computers...)
The RH6.0 box has the same configuration (one eth0 and one tr0 nic with the same addresses...).. This is what I don't understand... I've checked the routes with route -n on both boxes and some routes are missing... the new box states this :

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
62.161.161.192  62.161.161.222  255.255.255.224 UG    0      0        0 tr0
62.161.161.192  0.0.0.0         255.255.255.224 U     0      0        0 tr0
62.161.161.224  62.161.161.253  255.255.255.224 UG    0      0        0 eth0
62.161.161.224  0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     192.168.0.3     255.255.255.0   UG    0      0        0 tr0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tr0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         62.161.161.253  0.0.0.0         UG    0      0        0 eth0

and the old one this :

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
192.168.0.3     0.0.0.0         255.255.255.255 UH    0      0        0 tr0
62.161.161.192  62.161.161.222  255.255.255.224 UG    0      0        0 tr0
62.161.161.224  0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tr0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tr0
0.0.0.0         62.161.161.254  0.0.0.0         UG    0      0        0 eth0

I see that the routes are different, but my problem is: if I simply play with route, saying
route add -net 62.0.0.0 netmask 255.0.0.0 gw 0.0.0.0 tr0
and so on... will it be enough ?.... I don't want to enter routes if they are not needed or if it can compromise the box security...
Stephane, who quite likes speaking English :))
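An added example, not from the thread: a parser for `route -n` output plus the sanity checks a reviewer would do by hand on the two tables above, namely whether a default route exists, whether every next hop sits inside a directly connected prefix on the same interface, and whether the same prefix is claimed by two interfaces. NEW_BOX and OLD_BOX are the two listings Stephane posted, embedded verbatim (French header included); NO_DEFAULT is a constructed table that shows the failure cases, and 198.51.100.5 is a constructed sample internet address. The checks and the lookup helper are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the thread: sanity checks over `route -n` output.
# NEW_BOX and OLD_BOX are the two tables posted above; NO_DEFAULT is a
# constructed table used to exercise the failure cases.
NEW_BOX = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
62.161.161.192  62.161.161.222  255.255.255.224 UG    0      0        0 tr0
62.161.161.192  0.0.0.0         255.255.255.224 U     0      0        0 tr0
62.161.161.224  62.161.161.253  255.255.255.224 UG    0      0        0 eth0
62.161.161.224  0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     192.168.0.3     255.255.255.0   UG    0      0        0 tr0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tr0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         62.161.161.253  0.0.0.0         UG    0      0        0 eth0
"""
OLD_BOX = """Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
192.168.0.3     0.0.0.0         255.255.255.255 UH    0      0        0 tr0
62.161.161.192  62.161.161.222  255.255.255.224 UG    0      0        0 tr0
62.161.161.224  0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tr0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
62.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tr0
0.0.0.0         62.161.161.254  0.0.0.0         UG    0      0        0 eth0
"""
NO_DEFAULT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tr0
10.9.9.0        192.168.1.1     255.255.255.0   UG    0      0        0 tr0
"""


@dataclass
class Route:
    net: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Header lines (any language) are skipped: their first column is not an address."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            ipaddress.ip_address(f[0])
        except ValueError:
            continue
        routes.append(Route(ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[1], f[3], f[7]))
    return routes


def default_gateway(routes: List[Route]) -> Optional[Tuple[str, str]]:
    for r in routes:
        if r.net.prefixlen == 0 and "G" in r.flags:
            return (r.gateway, r.iface)
    return None


def unreachable_gateways(routes: List[Route]) -> List[Tuple[str, str]]:
    """A next hop must lie inside a directly connected prefix on the same
    interface, otherwise the kernel has no way to ARP for it."""
    connected = [r for r in routes if "G" not in r.flags]
    bad = []
    for r in routes:
        if "G" in r.flags:
            gw = ipaddress.ip_address(r.gateway)
            if not any(gw in c.net and c.iface == r.iface for c in connected):
                bad.append((r.gateway, r.iface))
    return bad


def ambiguous_prefixes(routes: List[Route]) -> List[Tuple[str, List[str]]]:
    """Same prefix on two interfaces: the kernel picks one, the admin should not have to guess."""
    seen = {}
    for r in routes:
        seen.setdefault(r.net, set()).add(r.iface)
    return [(str(n), sorted(i)) for n, i in seen.items() if len(i) > 1]


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; ties go to table order (the kernel may choose differently)."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return None if best is None else (best.iface, best.gateway)


def report(text: str) -> List[str]:
    routes = parse_route_n(text)
    dg = default_gateway(routes)
    out = ["default route via %s on %s" % dg if dg else "NO default route: only connected networks are reachable"]
    out += ["gateway %s on %s is not on a connected network" % g for g in unreachable_gateways(routes)]
    out += ["prefix %s claimed by %s" % (p, ", ".join(i)) for p, i in ambiguous_prefixes(routes)]
    return out


if __name__ == "__main__":
    for name, table in (("new box", NEW_BOX), ("old box", OLD_BOX), ("constructed", NO_DEFAULT)):
        print(name, "->", "; ".join(report(table)))
        print("   198.51.100.5 would leave via", lookup(parse_route_n(table), "198.51.100.5"))
```

On the posted tables the checks come back clean apart from one point the report flags on the old box: 62.0.0.0/8 is claimed by both eth0 and tr0, so copying those two routes over with `route add -net 62.0.0.0 ...` would reproduce the ambiguity rather than add anything the new box needs. The two boxes also name different default gateways (.253 versus .254), which is the kind of difference a side-by-side run of the report makes easy to spot.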