Red Hat Firewall
I am attempting to set up a Linux (Red Hat 7.2) firewall. I have installed two network cards and verified that they are both working (both the internal and the external networks, the latter being an ADSL router, a Cisco 677i-DIR, respond to ping from the Linux firewall machine). However, I get no response when I ping the ADSL router from a machine on the inside network. Both the internal and the external (10.0.0.2) firewall IP addresses reply when pinged from the same inside machine, so it appears that the "firewall.conf" file is allowing traffic through.
I suspect that the fault might lie with the config file for the firewall's outside network card ("/etc/sysconfig/network-scripts/ifconfig-eth0"), as my ADSL router has a built-in DHCP server. The DHCP server is 10.0.0.1 and it allocates 10.0.0.2 to the firewall. I have tried both a static configuration:

    DEVICE=eth0
    BOOTPROTO=static
    BROADCAST=10.0.0.255
    IPADDR=10.0.0.2
    NETMASK=255.255.255.0
    NETWORK=10.0.0.0
    GATEWAY=10.0.0.1
    ONBOOT=yes

and a dynamic configuration:

    DEVICE=eth0
    BOOTPROTO=dhcp
    ONBOOT=yes

but both give the same result: no response when I ping the ADSL router (10.0.0.1) from a machine on the inside. The firewall's outside address, 10.0.0.2, however, responds. What am I overlooking? Thanks in advance.
10.0.0.x is a set of unaddressable IPs. This means you can't ping them from any computer that is located behind the firewall. You need to try to ping the ADSL modem with the router box. If that works, then ping another address like the IP for this site or any other IP for any web page. If that works, then try to ping that same IP from a computer behind the firewall.
Please post your firewall script.
Red Hat Firewall
The iptables script is as follows:

    # ****************** IPtables initial configuration file ******************
    # Extern network card: eth0: 10.0.0.1
    # Intern network card: eth1: 192.168.2.1

    # Flush all chains
    iptables -F FORWARD
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -t nat -F POSTROUTING

    # Set default policy of forward, input and output chain to DROP
    # (reject everything)
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

    # Allow ftp, mail, HTTP, pop and SSL/TLS
    iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m multiport \
        --sport 21,25,80,110,443 -m state --state ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m multiport \
        --dport 21,25,80,110,443 -m state --state NEW,ESTABLISHED -j ACCEPT

    # DNS
    iptables -A FORWARD -p udp -d 192.168.2.0/24 --sport 53 -j ACCEPT
    iptables -A FORWARD -p udp -s 192.168.2.0/24 --dport 53 -j ACCEPT

    # Allow active FTP
    iptables -A FORWARD -p tcp -d 192.168.2.0/24 --sport 20 -m state \
        --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.2.0/24 --dport 20 -m state \
        --state ESTABLISHED -j ACCEPT

    # Allow passive FTP
    iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m state \
        --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m state \
        --state ESTABLISHED -j ACCEPT

    # Allow inside users to ping out but not vice versa
    iptables -A FORWARD -p ICMP -d 192.168.2.0/24 \
        --icmp-type echo-request -j DROP
    iptables -A FORWARD -p ICMP -s 192.168.2.0/24 \
        --icmp-type echo-reply -j DROP

    # Allow all other ICMP packets
    iptables -A FORWARD -p ICMP -j ACCEPT

    # Set up NAT
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1
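Read against the first post, two things in the posted script stand out, and the following corrected script (an added example for readers of this thread, not the poster's file and not a Red Hat-supplied one) shows how a practitioner would address both. First, the script's comment and its SNAT rule use 10.0.0.1 as the firewall's outside address, while the first post gives 10.0.0.1 as the router and 10.0.0.2 as the address the router's DHCP server hands the firewall; source-NATing LAN traffic to the router's own address means the router receives replies addressed to itself and they never come back through the firewall, which is exactly the "firewall answers, router does not" symptom described. Second, INPUT and OUTPUT default to DROP with no rules in either chain, and IP forwarding between the two cards is never switched on. The interface names, the ipt()/DRY_RUN wrapper and the "apply" argument are assumptions for illustration; the rule set is stateful so that ICMP echo replies and FTP data connections are admitted by the connection tracker instead of by port-matching rules, and the NAT target follows the two configurations tried in the first post (SNAT to a fixed outside address, MASQUERADE when eth0 gets its address via DHCP).

```shell
#!/bin/sh
# Added example: a corrected, stateful version of the script posted above.
# Not the poster's file. Addresses are the ones given in the thread; the
# interface names, ipt()/DRY_RUN wrapper and "apply" argument are assumptions.
EXT_IF=${EXT_IF:-eth0}          # outside card, towards the ADSL router 10.0.0.1
INT_IF=${INT_IF:-eth1}          # inside card, 192.168.2.1
EXT_IP=${EXT_IP-10.0.0.2}       # firewall's OWN outside address; set empty when eth0 uses DHCP
LAN=${LAN:-192.168.2.0/24}
DRY_RUN=${DRY_RUN:-0}           # DRY_RUN=1 prints the rules instead of loading them

# Every rule goes through this wrapper so the rule set can be reviewed without root.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Routing between the two cards is off by default; the posted script never turns
# it on (to make it permanent on Red Hat 7.2: net.ipv4.ip_forward = 1 in /etc/sysctl.conf).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Lets the RELATED state follow FTP data connections, active and passive alike.
    modprobe ip_conntrack_ftp 2>/dev/null || true
}

# Source NAT must rewrite LAN traffic to the firewall's own outside address.
# The posted script uses 10.0.0.1, which the first post identifies as the router,
# so replies to NATed traffic are addressed to the router itself and never return.
nat_rule() {
    if [ -n "$EXT_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"
    else
        # Outside address assigned by the router's DHCP server: MASQUERADE tracks it.
        ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    fi
}

fw_rules() {
    ipt -F INPUT; ipt -F OUTPUT; ipt -F FORWARD; ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT        # the firewall's own DNS, DHCP and update traffic

    # Traffic to the firewall itself. The posted script sets INPUT to DROP with no
    # INPUT rules at all, so once loaded the box would answer nothing on either card.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    # Lets the outside address answer ping, as in the poster's test; drop this line otherwise.
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # Forwarded traffic: one stateful rule admits all replies, then the LAN may start
    # the listed services. Nothing from outside may start a connection inward
    # (default DROP), which already covers "ping in" without separate ICMP DROP rules.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p tcp -m multiport \
        --dports 21,25,80,110,443 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p icmp \
        --icmp-type echo-request -j ACCEPT

    nat_rule
}

apply_firewall() {
    enable_forwarding
    fw_rules
}

# "sh firewall.sh apply" loads the rules (root); with no argument it only prints them.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
else
    DRY_RUN=1 fw_rules
fi
```

A useful check before loading anything is to run the script with no argument and read the printed rules: the POSTROUTING line must name the firewall's own outside address (or MASQUERADE), never the router's, and after loading, "cat /proc/sys/net/ipv4/ip_forward" must print 1, otherwise no FORWARD rule is ever consulted.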