
Re: Ip_forward trouble



On Sun, 6 Jan 2002, Thomas Cook wrote:

> Ok, I think we're starting to home in on an understanding.
>
> I understand the necessity to harden the firewall and the servers behind it,
> and this task is most definitely on the list.  I am using the Debian potato
> 2.2 stock kernel, and thus ipchains.  Constructing these rules is not a
> problem.  I think I have a good understanding of the syntax, and have used
> scripts in the past to construct working models.
>
> My main problem is with the availability of internet access behind the
> firewall.  With all firewall rules disabled (input output and forward all
> set to ACCEPT) I can't get a test box behind the firewall to see the
> firewall or any Ethernet signal on the network line.  With the settings I
> have described, when I plug a line from the internal adapter of the firewall
> to the NIC of the Win2k test box, I expect to see the link light to come on,
> the network indicator in the system tray to show a connection, and to be able
> to ping the firewall from the test box, but I am not.  As far as I can tell,
> there is no Ethernet signal coming from the firewall to service the internal
> network.  This is my problem.
>
> Is there a setting I have forgotten, a service I should be running, a
> configuration I am missing?  I have a base potato install, have changed the
> ipforward flag in /etc/network/options installed the second NIC in
> /etc/network/interfaces and reset the network.  I have set the win2k box
> Tcp/Ip settings with the firewall as the gateway and given it an ip in the
> firewall's range.  I have flushed the firewall rules and made them all
> ACCEPT.  I even put a whimsical penguin sticker on the side of the firewall
> but strangely with no effect! What am I missing?

Is that interface really up?

(Use ifconfig to see that)

If you have several interfaces, this could be confusing. Go over the
list of eth interfaces that are up and verify that all of them are what
you think they are.

What is the physical connection between the two computers? Is there a hub
or a switch in the middle? Has it worked before?


> > On Sun, 2002-01-06 at 22:47, Thomas Cook wrote:
> >> TOKI:
> >>
> >>
> >> The use is that I don't really know what I'm doing.  Well, not totally...
> >> Here is the lay of the land.
> >>
> >> I have a high speed connection connected (appropriately enough) to a
> >> hardware router and hub.  This router (192.168.1.1) serves as a DHCP host
> >> for my little LAN.  On this LAN there are basically 2 sectors.  The first is
> >> the general house computers, used by the people here for surfing and e-mail,
> >> nothing fancy.  There are at any time, between 6 and 12 of these, mostly
> >> running windows.  Because they have no use for it, all of their ports are
> >> blocked from the outside by the router I mentioned.
> >>
> >> The second leg of the network is my computer lab.  This lab consists of
> >> about 2 dozen boxes running any number of OS's and services like my mail,
> >> web site, shell server, etc.  Not all of these are set up, mainly because
> >> they need to be seen from the outside, and thus protected.  Hence the
> >> firewall (among other protections).
> >>
> >> I have set the firewall up on the network, with an IP address from the
> >> router, and have left that IP in the DMZ of the router so it is seen from
> >> the internet at large.  I want to set up some sort of NAT to translate the
> >> ports of the firewall to the appropriate servers behind the firewall.  To
> >> avoid any confusion by the people on the larger house network, I was going
> >> to use the 10... IP range for the network, but it really makes no difference,
> >> and I can just as easily set them up with the subnet you suggest.  (though
> >> the term easily may not apply as I have yet to get this working).

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
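The check Tzafrir suggests (is the internal interface really up, and does it have link, i.e. the "link light"?) plus the ip_forward flag, as an added example that is not part of this thread. It assumes a modern Linux with sysfs and procfs rather than the potato 2.2 kernel discussed above (where ifconfig is the tool), and the ROOT argument is an assumption added so the script can be pointed at a constructed tree instead of the live system.

```shell
#!/bin/sh
# Report, for every non-loopback interface: name, operstate, and whether it
# has carrier. ROOT (first argument) prefixes /sys and /proc; empty means
# the live system. Output: one "name state link" line per interface.
iface_report() {
    root="${1:-}"
    for dir in "$root"/sys/class/net/*; do
        [ -d "$dir" ] || continue
        name="${dir##*/}"
        [ "$name" = "lo" ] && continue
        state=$(cat "$dir/operstate" 2>/dev/null || echo unknown)
        # The carrier file cannot be read (EINVAL) while the interface is
        # administratively down, so a read failure means "admin-down".
        if carrier=$(cat "$dir/carrier" 2>/dev/null); then
            case "$carrier" in
                1) link=link ;;
                *) link=no-link ;;   # up, but no cable/peer detected
            esac
        else
            link=admin-down
        fi
        printf '%s %s %s\n' "$name" "$state" "$link"
    done
}

# Succeeds only when IPv4 forwarding is enabled under ROOT/proc.
forward_enabled() {
    root="${1:-}"
    v=$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo 0)
    [ "$v" = "1" ]
}

# Stand-alone use on the live system: list interfaces, then the flag.
if [ "${1:-}" = "--live" ]; then
    iface_report ""
    if forward_enabled ""; then echo "ip_forward=1"; else echo "ip_forward=0"; fi
fi
```

An interface that shows `up` but `no-link` points at the cable, hub or NIC rather than at ipchains rules; one that shows `admin-down` was never brought up by /etc/network/interfaces.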