Hi again,

1) Is the routing ok?
How can I check the routing? The SuSEfirewall script generates more rules than G. W. Bushisms.

2) Are there any firewall log entries?
Nothing critical for the 'dead' interface, but I have to retry with logging everything.

3) Are you sure you don't masq your webserver's reply packets with the wrong IP? (I understand that you now have 2 external IPs)
I am completely unsure about everything! I guess everything should be clear once I understand the IP rules. Is there a debugging tool for this?

Thanks so far,
Peter

___________________________________________________________
Dr. Peter Münstermann
Schützenstr. 11
D-78462 Konstanz
mobile: +49 (0)173/2309398
tel.: +49 (0)7531/919122
fax: +49 (0)7531/914370
___________________________________________________________
From: Andreas Baetz
Date: Mon, 5 Jan 2004 09:01:10 +0100
To: suse-security@suse.com
Subject: Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)

You could check the following:
1) Is the routing ok?
2) Are there any firewall log entries?
3) Are you sure you don't masq your webserver's reply packets with the wrong IP? (I understand that you now have 2 external IPs)
You could get more info by tcpdumping your interfaces.
Andreas
On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
Hi,
I am running a small enterprise server under SuSE 9.0. The main tasks are: masquerading an internal network, SMTP, POP3 and web serving.
Everything works nicely with two interfaces:
eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
with default route 1.2.3.3. The web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only on the internal interface.
NOW: to keep traffic costs as low as possible, we would like to route the main traffic over a DSL flat rate. Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with eth2), masquerading works and I can see the web server at 1.2.3.4 due to the additional entry:
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
BUT: The address 1.2.3.4 is not responding from the outside any more. Both eth0 and ppp0 are configured as external interfaces in the SuSEfirewall configuration.
I think the problem can be seen as a sort of load balancing for the outgoing IP packets.
Any hints on how to get the official external IP address working again?
Best regards,
Peter
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
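The symptom in the original mail (1.2.3.4 stops answering from outside as soon as ppp0 carries the default route, while masquerading still works) is the usual multi-homed reply problem: the web server's replies keep 1.2.3.4 as their source address, but the routing decision is made by destination alone, so they leave through the DSL default route on ppp0. The script below is an added example, not part of the thread and not SuSEfirewall2 configuration; it shows Andreas' first check (the routing decision for a reply) and the iproute2 policy-routing fix, a second routing table selected by source address. It assumes the addresses from the original mail (1.2.3.4/26 on eth0 with gateway 1.2.3.3, ppp0 as the DSL uplink); the table number 100, the probe destination 198.51.100.10 and the --apply/--check switches are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): per-source routing for a Linux host
# with two uplinks, using iproute2. Assumed from the original mail:
#   eth0  1.2.3.4/26, gateway 1.2.3.3 (leased line, static IP)
#   ppp0  DSL uplink that now holds the default route in the main table
# Table number 100 and the probe destination are this example's choices.
EXT_IF=eth0
EXT_IP=1.2.3.4
EXT_NET=1.2.3.0/26
EXT_GW=1.2.3.3
TABLE=100
PROBE_DST=198.51.100.10   # documentation range; any outside address will do

# Commands that send every packet *sourced from* 1.2.3.4 through a table whose
# default route is the leased line. A locally generated reply uses the
# request's destination (1.2.3.4) as its source, so this catches exactly the
# web/SMTP replies, while masqueraded LAN traffic still follows the main table
# and the DSL default route.
policy_routing_cmds() {
    cat <<EOF
ip route add $EXT_NET dev $EXT_IF src $EXT_IP table $TABLE
ip route add default via $EXT_GW dev $EXT_IF table $TABLE
ip rule add from $EXT_IP lookup $TABLE priority 1000
ip route flush cache
EOF
}

# Read-only checks: the rules in effect, the extra table, and the routing
# decision for a reply from 1.2.3.4. Before the fix 'ip route get' reports
# 'dev ppp0'; afterwards it must report 'dev eth0'. The rp_filter value
# matters because strict reverse-path filtering drops packets arriving on
# eth0 whose reply would leave elsewhere; the source rule above also makes
# that reverse lookup resolve to eth0.
check_cmds() {
    cat <<EOF
ip rule show
ip route show table $TABLE
ip route get $PROBE_DST from $EXT_IP
sysctl net.ipv4.conf.$EXT_IF.rp_filter
EOF
}

case "${1:-}" in
    --apply) policy_routing_cmds | sh -ex ;;   # needs root; changes live routing
    --check) check_cmds | sh -ex ;;
    *)       echo "# dry run: commands that --apply would execute"
             policy_routing_cmds ;;
esac
```

Run it without arguments first to see the commands, then `--check` before and after `--apply`. Andreas' tcpdump hint is the confirmation: `tcpdump -ni ppp0 host 1.2.3.4` should show reply packets with source 1.2.3.4 leaving on ppp0 before the change and none afterwards, while `tcpdump -ni eth0 host 1.2.3.4` shows both directions. The rules are not persistent across reboots or SuSEfirewall2 restarts, so they belong in a local startup script once they are confirmed to work.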