LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 04-27-2002, 02:57 PM   #1
Sigmund Gudvang
LQ Newbie
 
Registered: Apr 2002
Posts: 14

Rep: Reputation: 0
Red Hat Firewall


I am attempting to set up a Linux (Red Hat 7.2) firewall. I have installed two network cards and verified that they are both working (both the internal and the external (an ADSL router (a Cisco 677i-DIR)) networks respond to ping from the Linux firewall machine). However, I get no response when I ping the ADSL router from a machine on the inside network. Both the internal and the external (10.0.0.2) firewall IP addresses reply when pinged from the same inside machine, so it appears that the "firewall.conf" file is allowing traffic through.

I suspect that the fault might lie with the config file for the firewall outside network card ("/etc/sysconfig/network-scripts/ifconfig-eth0"), as my ADSL router has a built-in DHCP server. The DHCP server is 10.0.0.1 and it allocates 10.0.0.2 to the firewall. I have tried both static configuration:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.0.0.255
IPADDR=10.0.0.2
NETMASK=255.255.255.0
NETWORK=10.0.0.0
GATEWAY=10.0.0.1
ONBOOT=yes

and dynamic configuration:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

but both give the same result: no response when I ping the ADSL router (10.0.0.1) from a machine on the inside. The firewall outside addr. 10.0.0.2, however, responds.

What am I overlooking?

Thanks in advance.
 
Old 04-29-2002, 03:55 AM   #2
bbenz3
Member
 
Registered: Feb 2002
Location: Orlando
Distribution: Whatever I feel like at the time I install.
Posts: 284

Rep: Reputation: 30
10.0.0.x is a set of unaddressable IPs. This means you can't ping them from any computer that is located behind the firewall. You need to try to ping the adsl modem with the router box. If that works then ping another address like the IP for this site or any other IP for any webpage. If that works then try to ping that same IP from a computer behind the firewall.

Please post your firewall script.
 
Old 04-29-2002, 05:48 PM   #3
Sigmund Gudvang
LQ Newbie
 
Registered: Apr 2002
Posts: 14

Original Poster
Rep: Reputation: 0
Red Hat Firewall

The iptables script is as follows:


# ****************** IPtables initial configuration file ******************
# Extern network card: eth0: 10.0.0.1
# Intern network card: eth1: 192.168.2.1

# Flush all chains
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -t nat -F POSTROUTING

# Set default policy of forward, input and output chain to DROP
# (reject everything)
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Allow ftp, mail, HTTP, pop and SSL/TLS
iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m multiport \
--sport 21,25,80,110,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m multiport \
--dport 21,25,80,110,443 -m state --state NEW,ESTABLISHED -j ACCEPT

# DNS
iptables -A FORWARD -p udp -d 192.168.2.0/24 --sport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 --dport 53 -j ACCEPT

# Allow active FTP
iptables -A FORWARD -p tcp -d 192.168.2.0/24 --sport 20 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.0/24 --dport 20 -m state \
--state ESTABLISHED -j ACCEPT

# Allow passive FTP
iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m state \
--state ESTABLISHED -j ACCEPT

# Allow inside users to ping out but not vica versa
iptables -A FORWARD -p ICMP -d 192.168.2.0/24 \
--icmp-type echo-request -j DROP
iptables -A FORWARD -p ICMP -s 192.168.2.0/24 \
--icmp-type echo-reply -j DROP

# Allow all other ICMP packets
iptables -A FORWARD -p ICMP -j ACCEPT

# Set up NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1

Last edited by Sigmund Gudvang; 05-05-2002 at 06:30 AM.
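An added example, not code from the thread or from Red Hat: a small POSIX shell audit that reads an ifcfg-style interface file and an iptables script and checks that the POSTROUTING SNAT rule rewrites outgoing sources to the address the outgoing interface actually holds. Post #1 gives the firewall's eth0 address as 10.0.0.2 and the router as 10.0.0.1, while the SNAT rule in the script above targets 10.0.0.1; the audit flags exactly that mismatch, and also the case where eth0 is DHCP-assigned and a fixed --to address cannot follow it. The sample inputs are constructed from the values in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables SNAT rule against the
# ifcfg file of its outgoing interface. Function names are this example's own.
# Assumes ifcfg-style KEY=VALUE lines and a rule shaped like
#   iptables -t nat -A POSTROUTING -o <iface> -j SNAT --to <addr>

# Constructed inputs mirroring the thread: eth0 holds 10.0.0.2 (post #1),
# but the SNAT rule rewrites outgoing sources to 10.0.0.1, the router.
SAMPLE_IFCFG_STATIC='DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.2
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
ONBOOT=yes'

SAMPLE_IFCFG_DHCP='DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes'

SAMPLE_RULES='iptables -P FORWARD DROP
iptables -A FORWARD -p ICMP -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1'

# ifcfg_value CONTENT KEY: print the value of KEY (empty if absent)
ifcfg_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# snat_target RULES IFACE: print the address a SNAT rule for IFACE rewrites to
snat_target() {
    printf '%s\n' "$1" | grep -- "-o $2 " | grep -- '-j SNAT' \
        | sed -n 's/.*--to\(-source\)\{0,1\} *\([0-9.]*\).*/\2/p' | head -n 1
}

# has_masquerade RULES IFACE: true if IFACE is masqueraded instead of SNATed
has_masquerade() {
    printf '%s\n' "$1" | grep -q -- "-o $2 .*-j MASQUERADE"
}

# check_snat IFCFG RULES: print a verdict; return 0 if consistent, 1 otherwise
check_snat() {
    iface=$(ifcfg_value "$1" DEVICE)
    ipaddr=$(ifcfg_value "$1" IPADDR)
    gw=$(ifcfg_value "$1" GATEWAY)
    bootproto=$(ifcfg_value "$1" BOOTPROTO)
    target=$(snat_target "$2" "$iface")

    # A DHCP-assigned address can change; a fixed --to cannot follow it.
    if [ "$bootproto" = dhcp ] || [ -z "$ipaddr" ]; then
        if has_masquerade "$2" "$iface"; then
            echo "OK: $iface is dynamic and masqueraded"; return 0
        fi
        echo "FAIL: $iface gets its address dynamically; use -j MASQUERADE, not SNAT --to"
        return 1
    fi
    if [ -z "$target" ]; then
        echo "FAIL: no SNAT rule found for $iface"; return 1
    fi
    if [ "$target" = "$ipaddr" ]; then
        echo "OK: SNAT on $iface rewrites to $target, the interface's own address"
        return 0
    fi
    if [ "$target" = "$gw" ]; then
        # Replies to the rewritten source go to the router itself, never back here.
        echo "FAIL: SNAT on $iface rewrites to $target, which is the GATEWAY (the router)"
    else
        echo "FAIL: SNAT on $iface rewrites to $target but the interface holds $ipaddr"
    fi
    return 1
}

# fixed_snat_rule IFCFG: print the POSTROUTING rule consistent with the ifcfg file
fixed_snat_rule() {
    iface=$(ifcfg_value "$1" DEVICE)
    ipaddr=$(ifcfg_value "$1" IPADDR)
    bootproto=$(ifcfg_value "$1" BOOTPROTO)
    if [ "$bootproto" = dhcp ] || [ -z "$ipaddr" ]; then
        echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $ipaddr"
    fi
}

# Run the audit on both constructed configurations from the thread.
for cfg in "$SAMPLE_IFCFG_STATIC" "$SAMPLE_IFCFG_DHCP"; do
    check_snat "$cfg" "$SAMPLE_RULES" || echo "suggested: $(fixed_snat_rule "$cfg")"
done
```

Run against a real box by substituting `"$(cat /etc/sysconfig/network-scripts/ifcfg-eth0)"` and `"$(cat /path/to/firewall-script)"` for the constructed samples. The reason the gateway case is called out separately: when the source of an outgoing packet is rewritten to the router's own address, the router answers itself, so no reply ever reaches the firewall or the inside host, which matches the symptom in post #1.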