Old 04-04-2004, 10:10 PM   #1
ipchains firewall question

OK, I'm working with someone on getting an ipchains-based firewall up and running on a Red Hat 8 box. We're running the 2.4.25 kernel and have ipchains configured as a module. We've also got ipchains 1.3.10 installed.

The module loads fine and we're able to configure our firewall BUT for some bizarre reason we're not seeing all of the traffic (in the logs) as we think we should see.

We need to be able to let this box route SSH or telnet traffic from external machines to selected internal machines on our network. ALL of the internal machines in question have "real" IP addresses so we really don't need any masquerading to be performed but if we need to to make it work, that's cool.

Here's how we basically have ipchains configured:

# flush all built-in chains and delete any user-defined chains
ipchains -F
ipchains -X
# default policies: accept everything on the input and forward chains
ipchains -P input ACCEPT
ipchains -P forward ACCEPT

# accept every packet on the input chain (any destination) and log it (-l)
ipchains -A input -d 0/0 -j ACCEPT -l
# masquerade every forwarded packet and log it
ipchains -A forward -j MASQ -l

eth0 = internal network
eth1 = Internet connection

We DO realize that our box is basically wide open at this point but we're trying to figure out why we can't access some machines in our network from external machines. With the above, I can ping the firewall directly from an external machine and get replies and that traffic gets logged. Cool. If I try to ping another machine in the network I get timeouts on the external box. The strange part is I don't see anything in my firewall's log indicating the pings even made it to the firewall.

So, my firewall box has IP address a.b.c.10 (where a.b.c is some "real" IP address and NOT an internal address) and the machine I want to ping on my network has IP address a.b.c.15.

I can ping the external box from a.b.c.15 with a.b.c.10 configured as a.b.c.15's default gateway. That works fine. If I ping a.b.c.10 from the external box, I get replies back. If I try to ping a.b.c.15 from the external box, I get no replies back and NO entries in the syslog on the firewall box which makes me wonder if the firewall is seeing that traffic at all.

Any ideas?


Old 04-09-2004, 08:29 AM   #2
I think this has to do with your network topology.
Am I right if I say that a.b.c are the same in both a.b.c.10 and a.b.c.15?
For routing to work you will have to have two different networks on both sides of your router.

The reason you can ping from a.b.c.10 to the outer world would be the MASQ rule, but if both NICs on your router are on the same network it can't decide where to send the packet. That would be why you can't ping from the outside and in.

For us to help further you will have to tell us the IP and netmask for your router's NICs.

Routing only looks at the first part of the IP address to determine the destination of the packet; that's where the netmask comes in. The netmask determines how many bits, taken from the left, should be considered the network part, and the rest would be the host part of the address.
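As an added example, not part of either post: the netmask arithmetic the reply describes, written in Python with the standard ipaddress module. The addresses are constructed from RFC 5737 documentation ranges (stand-ins for the thread's a.b.c.10 and a.b.c.15), and the /24 masks and the eth1 address are assumptions, since the thread never gives the real netmasks. It shows why a router with both NICs on the same network has no single interface to send a packet for a.b.c.15 out of, and how the decision becomes unambiguous once the two sides are on different networks.

```python
import ipaddress

# Constructed interface configurations (assumptions, not the poster's real ones).
# Case 1: both NICs carry addresses from the same a.b.c.0/24 network, as the
# reply suspects of the poster's box.
SAME_NETWORK = {
    "eth0": "192.0.2.10/24",   # internal side
    "eth1": "192.0.2.11/24",   # Internet side, same prefix as eth0
}
# Case 2: a different network on each side of the router.
SPLIT_NETWORKS = {
    "eth0": "192.0.2.10/24",     # internal network
    "eth1": "198.51.100.10/24",  # upstream link
}


def same_network(ip1, ip2, netmask):
    """Compare only the network bits: the netmask keeps the leftmost bits,
    so two hosts share a network iff (ip1 & mask) == (ip2 & mask)."""
    a = int(ipaddress.ip_address(ip1))
    b = int(ipaddress.ip_address(ip2))
    m = int(ipaddress.ip_address(netmask))
    return (a & m) == (b & m)


def network_part(addr_with_prefix):
    """Return the connected network an interface address belongs to."""
    return ipaddress.ip_interface(addr_with_prefix).network


def candidate_interfaces(interfaces, dst):
    """Interfaces whose connected network contains dst, longest prefix first."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [
        (name, network_part(cfg))
        for name, cfg in interfaces.items()
        if dst_ip in network_part(cfg)
    ]
    matches.sort(key=lambda m: m[1].prefixlen, reverse=True)
    return matches


def route_decision(interfaces, dst):
    """Classify a destination the way a connected-route lookup would:
    'unambiguous'   - exactly one best (longest-prefix) connected route
    'ambiguous'     - several interfaces on the same network, so the router
                      has no basis to pick one (the thread's situation)
    'not connected' - no connected route; the packet goes to a default gateway
    Returns (classification, [interface names tied for best match])."""
    matches = candidate_interfaces(interfaces, dst)
    if not matches:
        return "not connected", []
    best_len = matches[0][1].prefixlen
    best = [name for name, net in matches if net.prefixlen == best_len]
    return ("unambiguous" if len(best) == 1 else "ambiguous"), best


if __name__ == "__main__":
    print(same_network("192.0.2.10", "192.0.2.15", "255.255.255.0"))
    for label, cfg in (("same network", SAME_NETWORK), ("split", SPLIT_NETWORKS)):
        for dst in ("192.0.2.15", "203.0.113.5"):
            print(label, dst, route_decision(cfg, dst))
```

With both NICs on 192.0.2.0/24, a packet for 192.0.2.15 matches eth0 and eth1 equally, which is the "can't decide" case in the reply; with the upstream side moved to 198.51.100.0/24, only eth0 matches and forwarding has a definite answer.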

