LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  10-20-2006, 04:23 AM  notsosmart (LQ Newbie)
Problem forwarding packets with iptables


I am having problems forwarding packets between the two NICs in my one machine with iptables.

e.g. while connected to eth0 (IP 192.168.1.15) I would run
# ping 192.168.0.15
result: "network unreachable"

I can only ping the NIC that is directly connected to the system I am pinging from. If I try to ping the NIC that is not directly connected, I get the message "network unreachable".

I do not have a router on this machine. I also cannot get any of those router setups on the web to work. What am I doing wrong? Do I have to use a tool other than ping to test whether the packets are forwarded?


Here is my script
-----------------
#!/bin/sh
#configuration area
ssh="23"              # not referenced by any rule below
min_delay="0"         # unused
max_throughput="0"    # unused
lan_addresses="192.168.0.0/24"
lan_interface="dev5861"
external_interface="eth0"
loopback_interface="lo"
gateway="192.168.0.15"
external_address="192.168.1.15"
unprivports="1024:65535"
privports="0:1023"
loopback="127.0.0.1/8"

#Enable IP forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Your new firewall -assignA is now loaded"

#Resetting all the chains

#Reset all the default policies to ACCEPT before flushing, so the flush cannot lock us out
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#flush all rules in the built-in chains (-F and --flush are the same command)
iptables -F
#delete all user-defined chains
iptables -X


#Setting new firewall rules

#Unlimited traffic on the loopback interface
iptables -A INPUT -i $loopback_interface -j ACCEPT
iptables -A OUTPUT -o $loopback_interface -j ACCEPT


#Setting all default policies to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Log every packet to /var/log/messages (LOG does not terminate, so the packet goes on to the rules below)
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG


#Accept NEW, ESTABLISHED and RELATED connections in all three chains
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Forward from the external interface to the LAN interface
iptables -A FORWARD -i $external_interface -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Accept TCP from the LAN addresses arriving on the external interface
iptables -A INPUT -i $external_interface -p tcp -s $lan_addresses -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Accept everything leaving on the LAN interface
iptables -A OUTPUT -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Thank you for your reply

Last edited by notsosmart; 10-20-2006 at 04:24 AM.
 
#2  10-20-2006, 06:42 AM  blackhole54 (Senior Member)
You are trying to ping from box A to box C going through box B where box B has the two NICs and the firewall rules listed above? I don't know if this is your problem, but both box A and box C would need to list box B as a gateway to the other network.

Also, your last 3 firewall rules are superfluous because any packet that could match them has already matched one of the previous three rules.
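A two-NIC router ruleset for "box B" that applies the rule-order point made in post #2, written here as an added example; it is not the poster's script and does not come from the thread. The interface names eth0/eth1 and the two /24 networks are assumptions loosely based on post #1, and "-m state" is kept because that is the match the posted script uses. Unlike the posted script, there is no blanket accept of NEW connections in FORWARD, so the interface-specific FORWARD rule is the one that decides which side may open connections; ESTABLISHED,RELATED is matched first so the later rules only reason about NEW traffic; the LOG rules come last and are rate-limited, so only traffic about to be dropped is logged; and the DROP policies are set after the rules are loaded. Setting IPT=echo SYSCTL=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful two-NIC router ruleset.
# Assumed layout: LAN side on eth1 (the poster's "dev5861"), other side on eth0.
set -eu

IPT="${IPT:-iptables}"       # IPT=echo prints the rules instead of loading them
SYSCTL="${SYSCTL:-sysctl}"

LAN_IF="${LAN_IF:-eth1}"     # assumed interface name
WAN_IF="${WAN_IF:-eth0}"     # assumed interface name
LAN_NET="${LAN_NET:-192.168.0.0/24}"

enable_forwarding() {
    # Without this the kernel discards packets not addressed to the box itself
    # before the FORWARD chain is ever consulted.
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

reset_tables() {
    # ACCEPT policies first, so flushing cannot lock out the session doing it.
    for chain in INPUT OUTPUT FORWARD; do "$IPT" -P "$chain" ACCEPT; done
    "$IPT" -F
    "$IPT" -X
}

apply_rules() {
    enable_forwarding
    reset_tables

    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies to tracked connections pass in every chain; INVALID is dropped.
    # Doing this first means every rule below only has to decide about NEW.
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        "$IPT" -A "$chain" -m state --state INVALID -j DROP
    done

    # Routing policy between the two NICs: the LAN may open connections
    # toward the other side; the other side may not initiate toward the LAN.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Management of the router itself: ssh only from the LAN side.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # The router may originate its own connections (DNS, package updates).
    "$IPT" -A OUTPUT -m state --state NEW -j ACCEPT

    # Log what is about to be dropped, rate-limited so a flood cannot fill the
    # log. A LOG rule placed before the ACCEPT rules would log every packet.
    for chain in INPUT FORWARD; do
        "$IPT" -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "fw-$chain-drop: "
    done

    # Default deny, set only now that the accept rules are in place.
    for chain in INPUT OUTPUT FORWARD; do "$IPT" -P "$chain" DROP; done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it on box B as "sudo sh router-fw.sh apply", or "IPT=echo SYSCTL=echo sh router-fw.sh apply" to review the rules first. Box A and box C still need a route to the other /24 through box B, as post #2 says; the ruleset only decides what box B does with packets once they reach it. To check that forwarding is actually happening, look at "sysctl net.ipv4.ip_forward" and the packet counters in "iptables -L FORWARD -v -n": if the FORWARD counters stay at zero while pinging, the packets are not reaching box B at all and the problem is routing on the end hosts, not the firewall.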
 
#3  10-22-2006, 03:26 AM  notsosmart (LQ Newbie, original poster)
Thank you, thank you, thank you, blackhole54!!! I did what you suggested - set the gateway for both box A and box C as box B. I then added a few routes and it works!!! Box A pings box C and vice versa.

Here is my script.
#!/bin/sh
#add routes

route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1 dev dev28028
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 dev eth0
#SIOCADDRT: Network is unreachable

#configuration area
ssh="23"              # not referenced by any rule below
min_delay="0"         # unused
max_throughput="0"    # unused
lan_addresses="192.168.10.0/24"
lan_interface="dev5861"
external_interface="eth0"
loopback_interface="lo"
gateway="192.168.10.1"
external_address="192.168.0.1"
unprivports="1024:65535"
privports="0:1023"
loopback="127.0.0.1/8"

#Enable IP forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Your new firewall -assignA is now loaded"

#Resetting all the chains

#Reset all the default policies to ACCEPT before flushing, so the flush cannot lock us out
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#flush all rules in the built-in chains (-F and --flush are the same command)
iptables -F
#delete all user-defined chains
iptables -X


#Setting new firewall rules

#Unlimited traffic on the loopback interface
iptables -A INPUT -i $loopback_interface -j ACCEPT
iptables -A OUTPUT -o $loopback_interface -j ACCEPT


#Setting all default policies to drop
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP

#Log every packet to /var/log/messages (LOG does not terminate, so the packet goes on to the rules below)
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG


#Forward from the external interface to the LAN interface
iptables -A FORWARD -i $external_interface -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Accept TCP from the LAN addresses arriving on the external interface
iptables -A INPUT -i $external_interface -p tcp -s $lan_addresses -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Accept everything leaving on the LAN interface
iptables -A OUTPUT -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT



Thanks again and best regards,

notsosmart
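The "SIOCADDRT: Network is unreachable" line in the route script above is what the kernel answers when the gateway given to "route add ... gw X" is not on a subnet the host is directly connected to: a next hop must be reachable by a connected route, otherwise the kernel has no way to deliver packets to it. The following is an added example and not the poster's script: a small POSIX sh check that tests a gateway against the host's connected prefixes (the form "ip addr" shows them in) before emitting the equivalent "ip route add" line. The addresses used follow post #3 (box B with 192.168.0.1/24 on eth0 and 192.168.10.1/24 on the LAN side, box A at 192.168.0.15/24), but which box holds which address is an assumption.

```shell
#!/bin/sh
# Added example (not the poster's script): verify that a route's gateway lies
# on a directly connected subnet before adding the route. A gateway that is
# not on-link is exactly what produces "SIOCADDRT: Network is unreachable".
set -eu

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Prefix length -> netmask as an integer (24 -> 4294967040, i.e. 255.255.255.0).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet A B PREFIX: true when A and B are in the same /PREFIX.
same_subnet() {
    m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# on_link GW ADDR/PREFIX...: true when GW is directly reachable through one
# of the host's interface addresses (give them as "ip addr" prints them).
on_link() {
    gw=$1; shift
    for cidr in "$@"; do
        addr=${cidr%/*}; plen=${cidr#*/}
        if same_subnet "$gw" "$addr" "$plen"; then return 0; fi
    done
    return 1
}

# route_cmd NET/PREFIX GW ADDR/PREFIX...: print the "ip route add" line when
# the gateway is on-link; otherwise explain why the kernel would refuse it.
route_cmd() {
    net=$1; gw=$2; shift 2
    if on_link "$gw" "$@"; then
        echo "ip route add $net via $gw"
    else
        echo "refusing: gateway $gw is not on any connected subnet ($*); the kernel would answer SIOCADDRT: Network is unreachable"
        return 1
    fi
}

# Demo with the assumed post #3 layout: box A (192.168.0.15/24) reaching the
# 192.168.10.0/24 side through box B's eth0 address works, but naming box B's
# far-side address 192.168.10.1 as the gateway cannot work from box A.
if [ "${1:-}" = "demo" ]; then
    route_cmd 192.168.10.0/24 192.168.0.1 192.168.0.15/24
    route_cmd 192.168.10.0/24 192.168.10.1 192.168.0.15/24 || true
fi
```

Run "sh onlink.sh demo" to see both cases. The rule it encodes is the one to apply on box A and box C: each end host points at the box B address that is on its own subnet, not at box B's address on the far side, and box B itself needs no added routes for two /24s it is directly connected to, because both appear as connected routes as soon as the interfaces are configured. "ip route" reports the same condition as "route" does, with the message "Nexthop has invalid gateway".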