
Re: [interfaces + route] My new firewall doesn't forward packages



> > iface eth0 inet static
> >  address 194.224.7.9
> > iface eth1 inet static
> >  address 194.224.7.10
>
> I don't think it is a particularly good idea to do it like this with the IP
> addresses. But if you do not have a transit network from your provider, you
> can delete both automatically added routes. I guess at least for eth0
> you must use a netmask of 255.255.255.128?
>
> Perhaps you should describe how your network is laid out.


We own a Class C network, 194.224.7.0. We offer an ISP service here in Spain:


   Internet
      |
      |
Gateway; Cisco: 194.224.7.1
      |
      |
      | 194.224.7.9
Firewall
      | 194.224.7.10
      |
      |
  ----------------------------------------------------------------- LAN
         |                           |                            |
 194.224.7.3      194.224.7.2        10.128.114.2.2 (Radius)            etc.



194.224.7.1  Gateway (Cisco 2500)

For the interfaces and routing configuration of the firewall, see the
previous email.
194.224.7.9  External interface
194.224.7.10  Internal interface

See the Radius configuration in the attached files.
194.224.7.2  Radius server
    10.128.114.2, 10.128.114.4

194.224.7.3  SMTP, POP3 & DNS servers

194.224.7.4  HTTP, FTP servers

From 194.224.7.129 up to 194.224.7.224 are used by the Radius server; granted
to the external clients.
From 194.224.7.1 up to 194.224.7.127 are used for the ISP hosts.

It seems (I'm not sure) that our Radius has an external IP granted by our
provider (Telefonica, Infovia). I don't understand this point, so I use the
'mimic' strategy to install the new firewall:
up route add 10.128.114.2 dev eth1
up route add 10.128.114.4 dev eth1


P.S.: And yes, I have   echo 1 > /proc/sys/net/ipv4/ip_forward
  1.- boot
  2.- cat shows 0
  3.- echo 1 > /proc/sys/net/ipv4/ip_forward
  4.- /etc/init.d/networking restart
  5.- cat shows 1
  6.- Test problem:  ping from the firewall host works ok, both to outside
and to the internal network. The ping from the internal network to the external
network (Internet) doesn't work. However, the ping from the internal network
to both firewall interfaces works correctly. Could this be caused by the two
additional routing lines? (See previous email):
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1


Newbie question: Is there any utility to debug the IP traffic in the
firewall? Why is the ping from inside to outside not forwarded? I use ping
& traceroute.

Regards,
Davi Leal
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:327529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:327529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

eth0      Link encap:Ethernet  HWaddr 00:10:4B:B0:2E:C3  
          inet addr:194.224.7.2  Bcast:194.224.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9585187 errors:1255 dropped:0 overruns:0 frame:1137
          TX packets:3388072 errors:0 dropped:0 overruns:0 carrier:216
          collisions:124794 
          Interrupt:10 Base address:0xb800 

eth0:0    Link encap:Ethernet  HWaddr 00:10:4B:B0:2E:C3  
          inet addr:10.128.114.2  Mask:255.0.0.0
          UP RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

eth0:1    Link encap:Ethernet  HWaddr 00:10:4B:B0:2E:C3  
          inet addr:194.224.7.6  Mask:255.255.255.0
          UP RUNNING  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

./rc.d/init.d/routes:route add -net 10.128.114.0 netmask 255.255.255.240 dev eth0:0
./rc.d/init.d/routes:route add -net 10.128.0.0 netmask 255.128.0.0 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -net 10.0.0.0 netmask 255.128.0.0 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.1 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.97 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.193.1 gw 10.128.114.1 dev eth0:0 
./rc.d/init.d/routes:route add -host 172.16.223.1 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.33 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.49 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.65 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -host 172.16.192.81 gw 10.128.114.1 dev eth0:0
./rc.d/init.d/routes:route add -net 194.224.7.128 netmask 255.255.255.192 gw 194.224.7.1 dev eth0
./rc.d/init.d/routes:route add -net 194.224.7.192 netmask 255.255.255.192 gw 194.224.7.1 dev eth0
./rc.d/init.d/routes:route add -host 127.0.0.1 dev lo
./rc.d/init.d/routes:route del -host 10.128.114.2 dev eth0:0
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.224.7.6     0.0.0.0         255.255.255.255 UH    0      0        0 eth0:1
172.16.192.1    10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.192.97   10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.193.1    10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.223.1    10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.192.33   10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.192.49   10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.192.65   10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
172.16.192.81   10.128.114.1    255.255.255.255 UGH   0      0        0 eth0:0
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
10.128.114.0    0.0.0.0         255.255.255.240 U     0      0        0 eth0:0
194.224.7.128   194.224.7.1     255.255.255.192 UG    0      0        0 eth0
194.224.7.192   194.224.7.1     255.255.255.192 UG    0      0        0 eth0
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0      815 eth0
10.128.0.0      10.128.114.1    255.128.0.0     UG    0      0        0 eth0:0
10.0.0.0        10.128.114.1    255.128.0.0     UG    0      0        0 eth0:0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0       84 lo
0.0.0.0         194.224.7.1     0.0.0.0         UG    0      0      489 eth0
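One way to check the routing table the mail asks about, as an added example that is not part of the original thread: the script parses `route -n` output, flags on-link networks that appear on two interfaces, and shows which interface a destination lookup selects. The sample table is constructed from the two routes quoted in the mail plus an assumed default route via 194.224.7.1 on eth0 (the full firewall table is not in this message).

```python
import ipaddress

# Constructed sample: the two connected routes quoted in the mail plus an
# assumed default route via the Cisco; not copied from the firewall itself.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.224.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         194.224.7.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Parse `route -n` output into route dicts, skipping the header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw == "0.0.0.0" else gw,
            "flags": flags,
            "iface": iface,
        })
    return routes

def overlapping_connected(routes):
    """Return {network: [ifaces]} for on-link routes (no 'G' flag) whose
    network is claimed by more than one interface: the kernel then cannot
    tell which segment a host of that network is really attached to."""
    by_net = {}
    for r in routes:
        if "G" not in r["flags"]:
            by_net.setdefault(str(r["net"]), []).append(r["iface"])
    return {net: ifs for net, ifs in by_net.items() if len(set(ifs)) > 1}

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the first table entry
    wins. Returns (gateway or None for on-link, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return (best["gateway"], best["iface"]) if best else None

if __name__ == "__main__":
    table = parse_route_n(SAMPLE_ROUTE_N)
    print("ambiguous on-link networks:", overlapping_connected(table))
    print("LAN host 194.224.7.3 leaves via:", lookup(table, "194.224.7.3"))
    print("Internet host 203.0.113.5 leaves via:", lookup(table, "203.0.113.5"))
```

Splitting the /24 between the two interfaces, as the reply suggests with a 255.255.255.128 netmask, makes every address fall into exactly one on-link route, so the check above returns an empty dict.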
