Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] SuSEfirewall2 (?) and advanced routing problem.
  • From: Peter Wiersig <wiersig@xxxxxxxxx>
  • Date: Tue, 22 Jan 2002 14:39:22 +0100
  • Message-id: <200201221335.OAA29705@xxxxxxxxxxxxx>
Am Dienstag, 22. Januar 2002 11:58 schrieb Marcin Gryszczuk:

> 1 - problem 1-st:
> I have following problem that can not solve under SuSE 7.3 with
> SuSEfirewall2 - kernel 2.4.16, iptables 1.2.2.
> Problem is that I have 2 public interfaces (eth1 - default and eth2) with 2
> public IP addresses and 1 internal interface (eth0) with 192.168.0.x
> private class. On that last interface I have small private network which is
> MASUQREDED on my Linux box.
>
> What I have also realized is that I could see some (strange for me) lines
> in firewall log file like:
>
> Jan 21 11:24:01 linux kernel: martian source 192.168.0.22 from z.z.z.z, on
> dev eth2
> Jan 21 11:24:01 linux kernel: ll header:
> 00:00:c0:6a:65:d3:00:c0:df:b0:c2:a8:08:00

This contains the MAC address of the offending network interface card. You'll
able to see that under "Hardware address" in ifconfigs output. Is this card
in the proxy?

> 192.168.0.22 - is my comp in my private net., z.z.z.z is my proxy server IP
> address (what in fact I've just realized after the whole day yesterday
> looking at it).

This is your kernel which tells you that you have made an mistake:
It says: I got an IP-Packet from eth2 which could not originate from there if
I look it up in my routing table.

Check if your network connection is functional. It seems your proxy is not
only able to talk to you via eth0, but also (and falsely) talking to you via
eth2.

> Problem is that I would like to forward part of the traffic (let say all
> squid proxy requests to my external server) via my 2-nd public interface
> (eth2). At the moment all traffic goes via default gateway (eth1).
> I have tried the example I could find in Adv-routing HOWTO - routing all
> SQUID packets to be forwarded via eth2 :
>
> iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK
> --set-mark 1
>
> My rule table looks like:
> #ip rule ls
> 0: from all lookup local
> 32765: from all fwmark 1 lookup ic.out
> 32766: from all lookup main
> 32767: from all lookup 253
>
> #ip route ls table ic.out
> default via y.y.y.97 dev eth2
>
> - but it does not work. What is strange I have had SuSe 6.3 before and
> under ipchains it worked perfectly!
>
> What I have realized is that during testing this connection packets try to
> goes via eth2 - I could see it on tcpdump - but only packets with S (SYN ?)
> flag set appears there... And nothing else.

1) What was your ipchains-line which enabled you to make your set up
functional?
2) Are you sure that your proxy host has the right routing table?
3) Have you tried an host-route to your proxy via eth0?

Peter
-------------------------------------------------------
My scheme for your network:

/---------\ --eth1 +---------+
| INTERNET | | router | eth0 --- Internal LAN
\---------/ --eth2 +---------+ |
| Proxy
\--------<---------<-------------<------/

(From what you told me and from what your kernel told me and, of course, my
own conclusions.)

< Previous Next >
Follow Ups
References