LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-26-2009, 03:09 PM   #91
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92

Ok, now, keep the same firewall rules as it was in previous test and do telnet from computer with 2 NIC:

telnet 192.168.222.22 80
 
1 members found this post helpful.
Old 12-26-2009, 03:09 PM   #92
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
I guess that Debian Lenny is putting a bug or lock in low layer Ethernet or TCP/IP protocols... ?????????????

I remember that this OS is an upgrade from Debian Etch (Debian v. 4.0) to Debian Lenny (v. 5.0).

It is impossible to install Lenny (v. 5.0) in my server once, at the same time from the same CD. Is a old Compaq Proliant 3000.
In Lenny installer kernel modules, the IDE compatibility was removed, and for that reason HP SCSI ARRAY was not recognized and was not possible to access the RAID 5 and create it (server have 7 SCSI disk on array).

Then I should install the older version (Etch 4.0) and after it was installed Lenny. For this I performed repeated "aptitude safe-upgrade" and "aptitude dist-upgrade". This upgraded v. 4.0 Etch to current v 5.0 Lenny.

I wonder if this form of installation will have left a bad patch or undocumented incompatibility...

Regards
 
Old 12-26-2009, 03:11 PM   #93
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Ok, now, keep the same firewall rules as it was in previous test and do telnet from computer with 2 NIC:

telnet 192.168.222.22 80
 
1 members found this post helpful.
Old 12-26-2009, 03:21 PM   #94
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
BINGO!!!!!!!!!!!!!!!!

 
Old 12-26-2009, 03:25 PM   #95
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 553Reputation: 553Reputation: 553Reputation: 553Reputation: 553Reputation: 553
Wow!! I hope that "Bingo" means the issue is solved!?!? Or at least the problem is identified?? I read through this thread earlier and admit I became quite at a loss as to what was going on.

Kudos goes to nimnull22 for determinedly persevering despite the very tricky-seeming nature of this problem -- @ numnull2

And congratulations to MikeHammer for sticking with the problem and not giving up! I hope this continues to work out for you

Sasha
 
Old 12-26-2009, 03:40 PM   #96
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
We solve only half of it problem, because firewall allow everything.
Now we have to add rule by rule to make it suitable for use.
Please, I want to give some names to you computers:
1. Computer with 3 NIC = "firewall"
2. Computer with web server = "server".
3. Computers in 192.168.111.x = "client"

Please, if you agree with that name, use them and never confuse.
If you do not like its names - give others.
Firewall rules, which you use for last test = "Rules_new"

So please, load "Rules_new" and do:
lsmod |grep ip
Post output please.

Thanks

Last edited by nimnull22; 12-26-2009 at 09:21 PM.
 
1 members found this post helpful.
Old 12-26-2009, 05:19 PM   #97
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Wink

Quote:
Originally Posted by GrapefruiTgirl View Post
Wow!! I hope that "Bingo" means the issue is solved!?!? Or at least the problem is identified?? I read through this thread earlier and admit I became quite at a loss as to what was going on.

Kudos goes to nimnull22 for determinedly persevering despite the very tricky-seeming nature of this problem -- @ numnull2

And congratulations to MikeHammer for sticking with the problem and not giving up! I hope this continues to work out for you

Sasha
Thanks GrapefruiTgirl ,
All credit goes to the scholarship and stoic patience of nimnull22 and, after, to my persistence in the face of adversity ...

I'm very happy to be in this very special forum, where attitudes like nimnull22 and yours (which involved a moderator and it's not common in general ...) are not random. Because the forum are encouraging them.
 
Old 12-26-2009, 05:25 PM   #98
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
We solve only half of it problem, because firewall allow everything.
Now we have to add rule by rule to make it suitable for use.
Please, I want to give some names to you computers:
1. Computer with 2 NIC = "firewall"
2. Computer with web server = "server".
3. Computers in 192.168.111.x = "client"

Please, if you agree with that name, use them and never confuse.
If you do not like its names - give others.
Firewall rules, which you use for last test = "Rules_new"

So please, load "Rules_new" and do:
lsmod |grep ip
Post output please.

Thanks
OK, master

Send file lsmod.txt
Attached Files
File Type: txt lsmod.txt (623 Bytes, 4 views)
 
Old 12-26-2009, 05:42 PM   #99
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Now, out of curiosity, the output of "lsmod | grep ip" from the server with script firewall original (that's origen of problem... ).
Send file lsmod_from_orig_firew.txt

Thanks
Attached Files
File Type: txt lsmod_from_orig_firew.txt (624 Bytes, 3 views)
 
Old 12-26-2009, 09:23 PM   #100
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Please, send:
1. iptables-save from "firewall" compuret (3 NIC)
2. iptables-save from "server" computer

I want to be sure I have the same as you.

Thanks

Last edited by nimnull22; 12-26-2009 at 09:34 PM.
 
1 members found this post helpful.
Old 12-26-2009, 10:47 PM   #101
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
I send you output iptables-save you asked. I warn you that in "firewall", the iptables script don't have port 80 open. This for prevent, while we doing testing servers and NIC eth0 is unneeded, the port scanning from Kaspersky Forum...

Thanks
Attached Files
File Type: txt iptables_on_firewall.txt (6.5 KB, 4 views)
File Type: txt iptables_on_server.txt (406 Bytes, 2 views)

Last edited by MikeHammer; 12-26-2009 at 10:52 PM.
 
Old 12-27-2009, 04:56 PM   #102
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Before, we start to do anything, I would like to check something.
1. Are you able to telnet from outside to your "server"?
2. Are you able to telnet from "firewall" to your "server"?
3 .Are you able to telnet from any "clients" to your "server"?

telnet 192.168.222.22 80.

Thanks
 
Old 12-27-2009, 08:06 PM   #103
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
1. Are you able to telnet from outside to your "server"? --> YES!!!

2. Are you able to telnet from "firewall" to your "server"? --> YES!!!

3 .Are you able to telnet from any "clients" to your "server"? --YEAAAHH!!!

I tested with "rules_new" with FORWARD DROP and FORWARD ACCEPT. Both chains works...

Regards
 
Old 12-27-2009, 08:31 PM   #104
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
So, if you can use main features of your network we can live everything like this.
It will work.
But, still there is "but", I want you to understand the situation:
1. main firewall right now is "firewall" computer, "server" does not filter anything.
that is not bad, that is how it should be.
2. your "firewall" does not have any rules to restrict access to "server" from certain IP addresses, anyone who want to connect to your port 80, will be redirected to "server". If you want to add additional rules, add them to "firewall" rules script.
3. your "server" can initiate an outgoing connection and it will go out. So if you want to prevent it, modify rule on "firewall"

If I find something else I will write.
If you do not see any problems, just live it like this.
 
1 members found this post helpful.
Old 12-27-2009, 09:16 PM   #105
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
OK, I'm very grateful to you.

You is a notable support on forum but also you are a consistent helper who don't talk about bullshit and goes to target with excelent precission. My respects colleague

One fact more.
Could I attemp chains DROP or this was the trouble???

Regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables and DMZ scroogie Linux - Networking 2 02-28-2008 05:39 AM
iptables DMZ garnser Linux - Security 2 12-15-2007 12:14 AM
question about iptables (DMZ machine connect to other DMZ machine 's publuic IP) wingmak Linux - Security 1 01-20-2007 04:01 PM
iptables + DMZ Braytac Linux - Networking 3 10-06-2006 05:57 AM
IPTABLES and DMZ Host htimst Linux - Security 1 12-21-2001 07:04 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:26 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration