LinuxQuestions.org
Old 08-14-2006, 06:57 AM   #1
I Love Linux
LQ Newbie
 
Registered: Aug 2006
Posts: 6
Help Me Please!! Cannot ping inner network from firewall - IPTABLES

Hi All, new on this forum - will learn all the rules... soon.

Problem: I can not ping internal network from my firewall.

Setup Description:

I have a P3 1 GHz with 512 MB RAM, an onboard network card and one additional network card, plus an ADSL router with DDNS configured.

My goal here is to create a firewall using CentOS 4 and IPTABLES: a firewall between my DSL router and my SERVER.

Installation done so far:

I have installed CentOS 4 on the PC (Firewall); it detected the onboard card as eth0 and the additional card as eth1.

Eth0 has static IP 192.168.1.2 and gateway 192.168.1.1 (DSL router).

My DSL router's IP is 192.168.1.1, set up to see IP 192.168.1.2 as my DMZ.

Eth1 has static IP 192.168.1.3 and gateway 192.168.1.2.

DNS is already configured and working... The subnet mask on all IPs is 255.255.255.0.

Without doing anything else to the box I can do the following from the Firewall:

1) Ping a web address, e.g. google
2) Ping the ADSL router IP 192.168.1.1
3) Ping the outer network card eth0, IP 192.168.1.2
4) Ping the inner network card eth1, IP 192.168.1.3

Eth1 is connected to a switch (or call it a hub), and a server with IP 192.168.1.5 is connected to the same switch.

Now, being a bit new to routing, NAT and IPTABLES, I have the following in my IPTABLES config:

/etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [317:32144]
:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 30000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 18080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

*nat
:PREROUTING ACCEPT [899:74872]
:POSTROUTING ACCEPT [411:31356]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.5:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.1.5:443
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.1.5:25
-A PREROUTING -i eth0 -p tcp --dport 110 -j DNAT --to 192.168.1.5:110
-A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 192.168.1.5:10000
-A PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 192.168.1.5:20000
-A PREROUTING -i eth0 -p tcp --dport 30000 -j DNAT --to 192.168.1.8:30000
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.1.2:22
-A PREROUTING -i eth0 -p tcp --dport 18080 -j DNAT --to 192.168.1.8:18080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
PROBLEM

To test IPTABLES I stopped it and ran NMAP remotely against my router; NMAP displayed all my open ports on eth0, IP 192.168.1.2. When I started IPTABLES I could no longer see any open ports using NMAP remotely. This is normal, because that is what the configuration inside IPTABLES is supposed to do.

Now the problem (WITH IPTABLES OFF): I cannot ping the server on IP 192.168.1.5, and I cannot ping the inner network card on the firewall from the server.

I did tests on the switch and cables and they are working fine. If I unplug the server's cable and plug it into the ADSL router, then I can ping it. So IP 192.168.1.5 is working and all OK.

My suspicion is that the firewall PC is not routing pings through eth1 towards my internal network. Or should eth1 be bridged towards eth0???

Can anyone help me with this?

Thanks,

Last edited by I Love Linux; 08-14-2006 at 07:40 AM.
Old 08-14-2006, 07:07 AM   #2
mkirc
Member
 
Registered: Apr 2006
Location: Vienna-Austria
Distribution: Suse 10.x, Fedora, DSL
Posts: 63
Hi, I am not saying that I understand your full script in every detail,
but you explicitly drop ICMP packets with:
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP

So it's rather obvious that your pings get no result!?
Old 08-14-2006, 07:12 AM   #3
I Love Linux
LQ Newbie
 
Registered: Aug 2006
Posts: 6

Original Poster
re

This is true, but if I stop IPTABLES I still cannot ping my server IP 192.168.1.5 from my Firewall.

Sorry - forgot to mention that...

Before I configured IPTABLES I could not ping the SERVER 192.168.1.5 from the Firewall.

This raised my suspicion that the firewall PC is not routing pings through eth1 towards my internal network. Or should eth1 be bridged towards eth0???

Last edited by I Love Linux; 08-14-2006 at 08:06 AM.
Old 08-14-2006, 09:38 AM   #4
kstan
Member
 
Registered: Sep 2004
Location: Malaysia, Johor
Distribution: Dual boot MacOS X/Ubuntu 9.10
Posts: 851

I think you have a problem with 2 networks on the same subnet.

network card eth0 IP 192.168.1.2
network card eth1 IP 192.168.1.3

Please make sure both network cards use different subnets.
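An added example, not from the thread: a POSIX shell model of how Linux picks the outgoing interface for an on-link destination, run over the poster's addresses (both NICs on 192.168.1.0/24) and over a renumbered layout where eth1 sits on 192.168.2.0/24 (that subnet is an assumption). It shows why a ping to 192.168.1.5 is handed to the first interface whose route matches, which is not the one cabled to the inner switch.

```shell
#!/bin/sh
# Added example, not from the thread: model how the kernel chooses the outgoing
# interface for an on-link destination when two NICs share one subnet.

# Dotted quad -> 32-bit integer, using POSIX sh arithmetic only.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Network address of $1 under a /$2 prefix, as an integer.
net_of() {
  mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
  echo $(( $(ip2int "$1") & mask ))
}

# Interfaces in table $2 ("iface addr prefix" per line) whose connected
# subnet contains destination $1, in table order.
ifaces_for() {
  out=
  while read -r ifc addr plen; do
    [ -n "$ifc" ] || continue
    if [ "$(net_of "$1" "$plen")" -eq "$(net_of "$addr" "$plen")" ]; then
      out="${out:+$out }$ifc"
    fi
  done <<EOF
$2
EOF
  echo "$out"
}

# With equal prefix lengths Linux uses the first matching route, so the first
# listed interface wins; "none" means the packet goes to the default gateway.
route_iface() { set -- $(ifaces_for "$1" "$2"); echo "${1:-none}"; }

# True when more than one interface claims the destination.
ambiguous() { set -- $(ifaces_for "$1" "$2"); [ "$#" -gt 1 ]; }

# Constructed from the poster's setup: both NICs on 192.168.1.0/24.
POSTED="eth0 192.168.1.2 24
eth1 192.168.1.3 24"
# Constructed fix (192.168.2.0/24 for the inner side is an assumption).
FIXED="eth0 192.168.1.2 24
eth1 192.168.2.1 24"
route_iface 192.168.1.5 "$POSTED"   # eth0: the ping never leaves via eth1
route_iface 192.168.2.5 "$FIXED"    # eth1
```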