IP FORWARDING IPTABLES

on 15.06.2007 18:56:42 by madmax71

hi, any help on configuration of iptables firewall?

I have three NICs with WAN eth0 (10.10.10.253), LAN1
eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway 10.10.10.1

router1 (provider1) = 10.10.10.1
router2 (provider2) = 10.10.10.2

I choose to configure my firewall to route packets in a different manner
depending on destination.
so I used ROUTE command to route packets this way

route add -net netmask
255.255.255.255 gw eth0

route add -net netmask
255.255.255.255 gw eth1


It seems to work, so I'm reaching destination IP_address1 AND
IP_address2 BUT if I ping destination IP or I traceroute it the only
one responding is the one on eth0 (default gateway card) route.

Where is the filtering stopping my PING packets, so they don't get
back?

help me, pls


marco

-------------------------------

hi everyone,
could anyone give me a tip?

Re: IP FORWARDING IPTABLES

on 16.06.2007 16:27:47 by madmax71

better (I hope) explain:

hi, any help on configuration of iptables firewall?

I have three NICs with WAN eth0 (10.10.10.253), LAN1
eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway 10.10.10.1

router1 (provider1) = 10.10.10.1
router2 (provider2) = 10.10.10.2

I choose to configure my firewall to route packets in a different manner
depending on destination.
so I used ROUTE command (ON THE FIREWALL) to route packets this way

route add -net netmask
255.255.255.255 gw eth0

route add -net netmask
255.255.255.255 gw eth1


It seems to work, so I'm reaching destination IP_address1 AND
IP_address2 BUT if I ping destination IP or I traceroute it

it replies only if it routes through eth0

- the only one responding is the IP through eth0 (default gateway card)
route.

so:
PING
reply from

but
PING
no reply

Where is the filtering stopping my PING packets, so they don't get
back?

help me, pls


marco

-------------------------------

madmax71 wrote:
> hi, any help on configuration of iptables firewall?
>
> I have three NICs with WAN eth0 (10.10.10.253), LAN1
> eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway 10.10.10.1
>
> router1 (provider1) = 10.10.10.1
> router2 (provider2) = 10.10.10.2
>
> I choose to configure my firewall to route packets in a different manner
> depending on destination.
> so I used ROUTE command to route packets this way
>
> route add -net netmask
> 255.255.255.255 gw eth0
>
> route add -net netmask
> 255.255.255.255 gw eth1
>
>
> It seems to work, so I'm reaching destination IP_address1 AND
> IP_address2 BUT if I ping destination IP or I traceroute it the only
> one responding is the one on eth0 (default gateway card) route.
>
> Where is the filtering stopping my PING packets, so they don't get
> back?
>
> help me, pls
>
>
> marco
>
> -------------------------------
>
>
>
>
>
> hi everyone,
> could anyone give me a tip?

Re: IP FORWARDING IPTABLES

on 16.06.2007 17:55:44 by ibuprofin

On Fri, 15 Jun 2007, in the Usenet newsgroup comp.security.firewalls, in article
<4672c46f$0$4797$4fafbaef@reader4.news.tin.it>, madmax71 wrote:

>I have three NICs with WAN eth0 (10.10.10.253), LAN1
>eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway
>10.10.10.1

I'm guessing the network masks on the WAN and LAN2 are such that the
two do not overlap - anything narrower than 255.192.0.0 should be
satisfactory. Otherwise, there will be routing confusion.

>router1 (provider1) = 10.10.10.1
>router2 (provider2) = 10.10.10.2
>
>I choose to configure my firewall to route packets in a different
>manner depending on destination.
>so I used ROUTE command to route packets this way

except that the '/sbin/route' command has nothing to do with the
firewall. See http://www.netfilter.org/documentation/HOWTO/ where you
will find seven informative HOWTOs

[TXT] NAT-HOWTO.txt 24-Dec-2006 16:06 25K
[TXT] netfilter-double-nat-HOWTO.txt 24-Dec-2006 16:06 9.4K
[TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
[TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
[TXT] netfilter-mirror-HOWTO.txt 24-Dec-2006 16:06 8.1K
[TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
[TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K

and also look through the "The Linux Network Administrator's Guide,
Second Edition" which is often included with Linux distributions, but
can also be found at any LDP mirror such as http://tldp.org/guides.html.
Another document to look at is the "Adv-Routing-HOWTO" which also should
be on your Linux box in /usr/share/HOWTO/

-rw-rw-r-- 1 gferg ldp 297491 Sep 4 2003 Adv-Routing-HOWTO

>route add -net netmask
>255.255.255.255 gw eth0
>
>route add -net netmask
>255.255.255.255 gw eth1

man route

"-net" implies that there is a network there, but the netmask of
255.255.255.255 is that of a host, not a net. Also, you normally
want to specify the IP of the gateway, in addition to the interface.
Thus, the command might be more accurate

route add -net 192.0.2.0 netmask 255.255.255.0 gw 10.10.10.2 eth1
route add default gw 10.10.10.1

Note that the interface (eth1, eth2) does not have to be declared if
it is the last parameter in the command. Note also that the command
option you are showing ""
may be a problem - we don't know, because we can't imagine what you
actually have there.

>It seems to work, so I'm reaching destination IP_address1 AND
>IP_address2 BUT if I ping destination IP or I traceroute it the only
>one responding is the one on eth0 (default gateway card) route.

What version of traceroute? What mode? The standard LBL traceroute
defaults to using UDP packets, but has a "-I" option to use ICMP echos.
The "improved" version that comes with SuSE lacks the ICMP capability,
and uses the -I option to specify the interface. The microsoft wincrap
version (TRACERT.EXE) only uses ICMP echos because the idiots at
microsoft don't know any better.

Do you know that the second router (10.10.10.2) is not blocking ICMP
packets? "ping" has been abused by skript kiddiez and other wankers
so that a lot of people now block it. You could try using a TCP version
of traceroute (tcptraceroute, hping2, hping3) to see if that works,
or if the router is dropping ICMP type 11 as well.

>Where is the filtering stopping my PING packets, so they don't get
>back?

Another tool to look at is a packet sniffer - there are dozens available
ranging from the original LBL "tcpdump" up through the click-and-drool
tools like "wireshark" (formerly "ethereal").

Old guy
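Added example (not code from this thread or from either poster): one way to act on the packet-sniffer advice above. Instead of guessing where the echo replies go missing, capture ICMP on the firewall's WAN interface with something like "tcpdump -n -i eth0 icmp", then pair every echo request with its reply and group the results by the next-hop gateway the kernel would pick. If the requests routed via 10.10.10.2 leave the firewall but no replies ever arrive on eth0, the packets are not being dropped by the local iptables rules at all; the filtering (or a broken return path) is upstream, at the second router or beyond. The capture below is constructed, and the prefixes 192.0.2.0/24 and 198.51.100.0/24 are assumed stand-ins for the poster's unnamed IP_address1 and IP_address2.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture in the format "tcpdump -n" prints ICMP traffic.
# It is not from the thread; it mimics the poster's setup: the firewall
# (10.10.10.253) pings one host reached via the default gateway and one
# host reached via the second provider's router. Only the first gets replies.
SAMPLE_CAPTURE = """\
18:56:42.100001 IP 10.10.10.253 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
18:56:42.120503 IP 192.0.2.10 > 10.10.10.253: ICMP echo reply, id 4242, seq 1, length 64
18:56:43.100102 IP 10.10.10.253 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
18:56:43.121004 IP 192.0.2.10 > 10.10.10.253: ICMP echo reply, id 4242, seq 2, length 64
18:56:50.200001 IP 10.10.10.253 > 198.51.100.20: ICMP echo request, id 4243, seq 1, length 64
18:56:51.200207 IP 10.10.10.253 > 198.51.100.20: ICMP echo request, id 4243, seq 2, length 64
18:56:52.300000 IP 10.10.10.2 > 10.10.10.253: ICMP time exceeded in-transit, length 36
"""

# Static routes as the thread describes them (assumed example prefixes):
# everything via router1 by default, one network via router2.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "10.10.10.1",
    ipaddress.ip_network("198.51.100.0/24"): "10.10.10.2",
}

# Matches only echo request/reply lines; other ICMP types are ignored here.
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echo(line):
    """Return (kind, src, dst, id, seq) for an echo request/reply line, else None."""
    m = ECHO_RE.match(line)
    if not m:
        return None
    return (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))


def gateway_for(dst, routes=ROUTES):
    """Longest-prefix match, the same rule the kernel's routing table applies."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in routes if addr in n), key=lambda n: n.prefixlen)
    return routes[best]


def unanswered_requests(capture):
    """Echo requests in the capture whose matching reply never came back."""
    pending = {}
    for line in capture.splitlines():
        rec = parse_echo(line)
        if rec is None:
            continue
        kind, src, dst, ident, seq = rec
        if kind == "request":
            pending[(dst, ident, seq)] = True
        else:
            # A reply from host X with the same id/seq answers the request to X.
            pending.pop((src, ident, seq), None)
    return sorted(pending)


def per_gateway_summary(capture, routes=ROUTES):
    """Map each next-hop gateway to (echo requests sent, replies received)."""
    sent = defaultdict(int)
    answered = defaultdict(int)
    missing = set(unanswered_requests(capture))
    for line in capture.splitlines():
        rec = parse_echo(line)
        if rec is None or rec[0] != "request":
            continue
        _, _, dst, ident, seq = rec
        gw = gateway_for(dst, routes)
        sent[gw] += 1
        if (dst, ident, seq) not in missing:
            answered[gw] += 1
    return {gw: (sent[gw], answered[gw]) for gw in sent}


if __name__ == "__main__":
    for gw, (s, a) in sorted(per_gateway_summary(SAMPLE_CAPTURE).items()):
        print(f"gateway {gw}: {s} echo requests sent, {a} replies received")
```

On the constructed capture this reports 2 of 2 replies for the path via 10.10.10.1 and 0 of 2 for the path via 10.10.10.2, which is exactly the symptom in the thread. Running the same capture on the LAN side of the firewall (eth1 or eth2) at the same time tells you whether the echo requests are even leaving: requests seen on the LAN interface but not on eth0 point at the firewall's own rules or routing table, while requests seen on eth0 with no replies point at the upstream router.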

Re: IP FORWARDING IPTABLES

on 17.06.2007 00:02:58 by madmax71

thanks,
I'll study.

mm


----
Moe Trin wrote:
> On Fri, 15 Jun 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <4672c46f$0$4797$4fafbaef@reader4.news.tin.it>, madmax71 wrote:
>
>> I have three NICs with WAN eth0 (10.10.10.253), LAN1
>> eth1(192.168.0.253), LAN2 eth2(10.100.3.253) default gateway
>> 10.10.10.1
>
> I'm guessing the network masks on the WAN and LAN2 are such that the
> two do not overlap - anything narrower than 255.192.0.0 should be
> satisfactory. Otherwise, there will be routing confusion.
>
>> router1 (provider1) = 10.10.10.1
>> router2 (provider2) = 10.10.10.2
>>
>> I choose to configure my firewall to route packets in a different
>> manner depending on destination.
>> so I used ROUTE command to route packets this way
>
> except that the '/sbin/route' command has nothing to do with the
> firewall. See http://www.netfilter.org/documentation/HOWTO/ where you
> will find seven informative HOWTOs
>
> [TXT] NAT-HOWTO.txt 24-Dec-2006 16:06 25K
> [TXT] netfilter-double-nat-HOWTO.txt 24-Dec-2006 16:06 9.4K
> [TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
> [TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
> [TXT] netfilter-mirror-HOWTO.txt 24-Dec-2006 16:06 8.1K
> [TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
> [TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K
>
> and also look through the "The Linux Network Administrator's Guide,
> Second Edition" which is often included with Linux distributions, but
> can also be found at any LDP mirror such as http://tldp.org/guides.html.
> Another document to look at is the "Adv-Routing-HOWTO" which also should
> be on your Linux box in /usr/share/HOWTO/
>
> -rw-rw-r-- 1 gferg ldp 297491 Sep 4 2003 Adv-Routing-HOWTO
>
>> route add -net netmask
>> 255.255.255.255 gw eth0
>>
>> route add -net netmask
>> 255.255.255.255 gw eth1
>
> man route
>
> "-net" implies that there is a network there, but the netmask of
> 255.255.255.255 is that of a host, not a net. Also, you normally
> want to specify the IP of the gateway, in addition to the interface.
> Thus, the command might be more accurate
>
> route add -net 192.0.2.0 netmask 255.255.255.0 gw 10.10.10.2 eth1
> route add default gw 10.10.10.1
>
> Note that the interface (eth1, eth2) does not have to be declared if
> it is the last parameter in the command. Note also that the command
> option you are showing ""
> may be a problem - we don't know, because we can't imagine what you
> actually have there.
>
>> It seems to work, so I'm reaching destination IP_address1 AND
>> IP_address2 BUT if I ping destination IP or I traceroute it the only
>> one responding is the one on eth0 (default gateway card) route.
>
> What version of traceroute? What mode? The standard LBL traceroute
> defaults to using UDP packets, but has a "-I" option to use ICMP echos.
> The "improved" version that comes with SuSE lacks the ICMP capability,
> and uses the -I option to specify the interface. The microsoft wincrap
> version (TRACERT.EXE) only uses ICMP echos because the idiots at
> microsoft don't know any better.
>
> Do you know that the second router (10.10.10.2) is not blocking ICMP
> packets? "ping" has been abused by skript kiddiez and other wankers
> so that a lot of people now block it. You could try using a TCP version
> of traceroute (tcptraceroute, hping2, hping3) to see if that works,
> or if the router is dropping ICMP type 11 as well.
>
>> Where is the filtering stopping my PING packets, so they don't get
>> back?
>
> Another tool to look at is a packet sniffer - there are dozens available
> ranging from the original LBL "tcpdump" up through the click-and-drool
> tools like "wireshark" (formerly "ethereal").
>
> Old guy
>