Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] iptables question
The problem is not iptables, but the routing.

A short excursus.

The subnet mask associated with an IP address determines
whether another IP should be reachable via the standard gateway
or directly through a certain NIC.

For example (only 1 NIC in your box)

192.168.1.0/24 means a subnet mask of 255.255.255.0, so if
the routing part of your kernel has to reach 192.168.2.1 it does
the following:

own ip AND 255.255.255.0 = 192.168.1
other ip AND 255.255.255.0 = 192.168.2

If the results differ, the routing routine decides to take the standard
gateway.

To be more precise: any box in your 10.1.1.1/8 network will
not be routed through your standard gateway according to the above
description. For example, 10.1.1.30 wants to reach the mail server.

10.1.1.20 and 255.0.0.0 = 10.0.0.0
10.1.1.30 and 255.0.0.0 = 10.0.0.0

The results DON'T differ, so the kernel will send the packets directly.

Solution:

add an extra route for, e.g., the mail server

route add -host 10.1.1.20 gw your.ext.ip.addr

Hope that helps.

Yours Michael

BTW: Why do you want to do so - logging purposes?

>I have a dmz firewall setup that connects 2 private networks with the
>public Internet (net1 and net2).
>
>I don't seem to be able to get my configuration to the point where a
>machine in net1 can connect to another machine in net1 through its public
>IP address.
>Example:
>dmz router: 10.1.1.1
>mail server: 10.1.1.20
>http server: 10.1.1.30
>
>I would like to enable the http server to go to the mail server
>through the public IP address of the mail server rather than being
>limited to going straight to 10.1.1.20.
>
>All machines have 10.1.1.1 as their default gateway and NAT for mail
>connections from the outside works. I don't see any packets being
>dropped on the firewall since I allowed port 25 connections from the
>inside of the firewall as well.



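The subnet check and the extra-route fix discussed in the reply above, as an added example (not code from the mail or from the openSUSE project): `same_subnet()` reproduces the AND-with-netmask comparison, and `lookup()` is a small longest-prefix-match routing table showing why a more specific route for the mail server changes the decision for that one destination only. The addresses and masks come from the thread; the routing table for the http server and the choice of 10.1.1.1 as the host route's gateway are constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not part of the original mail. Addresses are the ones
# used in the thread; the routing table below is constructed.


def same_subnet(own_ip: str, dest_ip: str, netmask: str) -> bool:
    """The check from the mail: AND both addresses with the netmask and
    compare. Equal results mean the destination is on the local link and
    the kernel sends directly; different results mean 'use the gateway'."""
    mask = int(IPv4Address(netmask))
    return (int(IPv4Address(own_ip)) & mask) == (int(IPv4Address(dest_ip)) & mask)


def lookup(routes, dest_ip: str) -> str:
    """Longest-prefix match over a list of (network_cidr, next_hop).
    A next_hop of None means the network is directly connected, so the
    next hop is the destination itself. The most specific matching prefix
    wins, which is how the kernel picks between a connected /8 and an
    explicit host route for one address inside it."""
    dest = IPv4Address(dest_ip)
    best_net, best_hop = None, None
    for cidr, hop in routes:
        net = IPv4Network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        raise LookupError(f"no route to {dest_ip}")
    return dest_ip if best_hop is None else best_hop


# Constructed routing table for the http server (10.1.1.30) from the thread:
# one connected /8 and a default route via the dmz router.
HTTP_SERVER_ROUTES = [
    ("10.0.0.0/8", None),       # connected network: deliver directly
    ("0.0.0.0/0", "10.1.1.1"),  # default route via the dmz router
]


def with_host_route(routes, host: str, gateway: str):
    """Return a copy of the table with an extra /32 route for `host`,
    the equivalent of 'route add -host <host> gw <gateway>'."""
    return routes + [(f"{host}/32", gateway)]


if __name__ == "__main__":
    # The /24 example from the mail: different results, so take the gateway.
    print(same_subnet("192.168.1.5", "192.168.2.1", "255.255.255.0"))
    # The /8 example: same results, so the kernel sends directly.
    print(same_subnet("10.1.1.30", "10.1.1.20", "255.0.0.0"))
    print(lookup(HTTP_SERVER_ROUTES, "10.1.1.20"))
    fixed = with_host_route(HTTP_SERVER_ROUTES, "10.1.1.20", "10.1.1.1")
    print(lookup(fixed, "10.1.1.20"))   # host route wins for the mail server
    print(lookup(fixed, "10.1.1.25"))   # other hosts in 10/8 still go direct
```

The host route only redirects traffic for the one address it names; every other host inside 10.0.0.0/8 is still delivered on the link, which is why adding it does not break ordinary internal traffic.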