Linux - Networking (LinuxQuestions.org forum)
08-14-2006, 06:57 AM, #1 (LQ Newbie, Registered: Aug 2006, Posts: 6)
Help Me Please !! Can not ping inner network from firewall - IPTABLES
Hi All, new on this forum - will learn all the rules... soon
Problem: I can not ping internal network from my firewall.
Setup Description:
I have a P3 1GHz and 512 MB RAM with onboard network card and one additional network card. ADSL router with DDNS configured.
My goal here is to create a Firewall using CentOS 4 and IPTABLES, a firewall between my DSL router and my SERVER.
Installation done so far.
I have installed CentOS 4 on the PC (Firewall); it detected the onboard card as eth0 and the additional card as eth1.
Eth0 has static IP 192.168.1.2 and Gateway as 192.168.1.1 (DSL Router)
My DSL router IP is 192.168.1.1 setup to see IP 192.168.1.2 as my DMZ.
Eth1 has static IP 192.168.1.3 and Gateway 192.168.1.2
DNS is already configured and working... Subnet masks on all IPs are 255.255.255.0.
Without doing anything else to the box I can do the following from the Firewall.
1) Ping a web address e.g. google
2) Ping the ADSL router IP 192.168.1.1
3) Ping outer network card eth0 IP 192.168.1.2
4) Ping inner network card eth1 IP 192.168.1.3
Eth1 is connected to a switch, and a server with IP 192.168.1.5 is connected to the same switch (or call it a hub).
Now, being a bit new to routing, NAT and IPTABLES, I have the following in my IPTABLES:
/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [317:32144]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 30000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 18080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [899:74872]
:POSTROUTING ACCEPT [411:31356]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.5:443
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.1.5:25
-A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to 192.168.1.5:110
-A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 192.168.1.5:10000
-A PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 192.168.1.5:20000
-A PREROUTING -i eth0 -p tcp --dport 30000 -j DNAT --to 192.168.1.8:30000
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.1.2:22
-A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to 192.168.1.8:18080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
PROBLEM
To test IPTABLES I stopped IPTABLES and did an NMAP remotely to my router, and NMAP displayed all my open ports on eth0 IP 192.168.1.2. When I started IPTABLES I then could not see any open ports using NMAP remotely. This is normal because that is what the configuration inside IPTABLES is supposed to do.
Now the problem (WITH IPTABLES OFF): I cannot ping the server on IP 192.168.1.5, and I cannot ping the inner network card on the firewall from the server.
I did tests on the switch and cables and it is working fine. If I unplug the server's cable and plug it in on the ADSL router then I can ping it. So IP 192.168.1.5 is working and all OK.
My suspicion is that the firewall PC is not routing pings through eth1 towards my internal network. Or should eth1 be bridged towards eth0???
Can anyone help me with this?
Thanks,
Last edited by I Love Linux; 08-14-2006 at 07:40 AM.
08-14-2006, 07:07 AM, #2 (Member, Registered: Apr 2006, Location: Vienna-Austria, Distribution: Suse 10.x, Fedora, DSL, Posts: 63)
Hi, I am not saying that I understand your full script in every detail,
but you explicitly drop ICMP packets with:
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP
So it's rather obvious that your pings get no result!?
08-14-2006, 07:12 AM, #3 (LQ Newbie, Registered: Aug 2006, Posts: 6, Original Poster)
re
This is true, but if I stop IPTABLES I still cannot ping my server IP 192.168.1.5 from my Firewall;
sorry - forgot to mention that...
Before I configured IPTABLES I could not ping the SERVER 192.168.1.5 from the Firewall.
This raised my suspicion that the firewall PC is not routing pings through eth1 towards my internal network. Or should eth1 be bridged towards eth0???
Last edited by I Love Linux; 08-14-2006 at 08:06 AM.
08-14-2006, 09:38 AM, #4 (Member, Registered: Sep 2004, Location: Malaysia, Johor, Distribution: Dual boot MacOS X/Ubuntu 9.10, Posts: 851)
I think you have a problem with 2 networks on the same subnet:
network card eth0 IP 192.168.1.2
network card eth1 IP 192.168.1.3
Please make sure both network cards are using different subnets.
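The diagnosis in #4 (both cards sit in 192.168.1.0/24, so the kernel has two interfaces claiming the same network) can be checked mechanically. The script below is an added example, not code from the thread or any poster: it derives each interface's network from its address and netmask, flags the overlap with the addresses given in #1, and re-runs the check with the inner card moved to a separate subnet (192.168.2.0/24 is a constructed value, not from the thread).

```shell
#!/bin/sh
# Added example, not from the thread: derive each interface's network from
# its address and dotted-quad netmask and report whether two interfaces
# share a subnet. Pure POSIX sh arithmetic, so it runs without root.

# ip_to_int 192.168.1.2 -> 3232235778 (address as a 32-bit integer)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235776 -> 192.168.1.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of ADDR MASK -> network address the interface believes it is on
net_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_subnet ADDR_A MASK_A ADDR_B MASK_B -> status 0 if both networks match
same_subnet() {
    [ "$(net_of "$1" "$2")" = "$(net_of "$3" "$4")" ]
}

# check_pair IF_A ADDR_A MASK_A IF_B ADDR_B MASK_B -> prints a verdict and
# returns status 1 on overlap: the kernel then holds two connected routes
# to one network and may send packets for the inner hosts out the wrong card.
check_pair() {
    if same_subnet "$2" "$3" "$5" "$6"; then
        echo "CONFLICT: $1 ($2) and $4 ($5) are both in $(net_of "$2" "$3")"
        return 1
    fi
    echo "ok: $1 is in $(net_of "$2" "$3"), $4 is in $(net_of "$5" "$6")"
}

# Addressing as posted in #1: both cards in 192.168.1.0/24.
if ! check_pair eth0 192.168.1.2 255.255.255.0 eth1 192.168.1.3 255.255.255.0; then
    echo "fix: give eth1 and the server behind it their own subnet"
fi
# Advice from #4 applied with a constructed inner subnet, 192.168.2.0/24
# (eth1 192.168.2.1; the server would move to e.g. 192.168.2.5, gateway 192.168.2.1).
check_pair eth0 192.168.1.2 255.255.255.0 eth1 192.168.2.1 255.255.255.0
```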