
Re: no ipchains with 2.2/no network with 2.4



If your testing does not succeed, try to describe your network config,
so that we can see what you want to achieve; additionally:

- internal interface, IP, address range of internal net
- DMZ interface, IP, address range of DMZ net, gateway IP
- output of
	$ ifconfig
	and
	$ route -n
	and
	$ ipchains -L -n
- your /etc/network/interfaces file


OK.
On one side, I have my internal network - 192.168.1.0/255.255.255.0, on eth1
On the other side, I have my DMZ - 192.168.254.0/255.255.255.240 on eth0
The router on DMZ is 192.168.254.1
The firewall has two addresses, 192.168.1.1 (serving as gateway for the internal network), and 192.168.254.2 (the address on which the internet router redirects the calls). The internet gateway (Cisco router) is 192.168.254.1. My first aim, before starting to edit my firewall script to close down all but selective ports, is to make it work: being able to access the internal network and the DMZ from my Debian machine.

The interface file contains:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth1
iface eth1 inet static
	address 192.168.1.1
	netmask 255.255.255.0
	network 192.168.1.0
	broadcast 192.168.1.255
	gateway 192.168.1.1

auto eth0
iface eth0 inet static
	address 192.168.254.2
	netmask 255.255.255.240
	network 192.168.254.0
	broadcast 192.168.254.15
	gateway 192.168.254.1

and ifconfig says:

eth0      Link encap:Ethernet  HWaddr 00:20:E4:80:16:71
         inet addr:192.168.254.2  Bcast:192.168.254.15  Mask:255.255.255.240
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:46 errors:0 dropped:0 overruns:0 frame:0
         TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:5080 (4.9 KiB)  TX bytes:2880 (2.8 KiB)
         Interrupt:12 Base address:0x300

eth1      Link encap:Ethernet  HWaddr 00:50:BF:49:DC:28
         inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100
         RX bytes:0 (0.0 b)  TX bytes:3600 (3.5 KiB)
         Interrupt:10 Base address:0x7000

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:3924  Metric:1
         RX packets:18 errors:0 dropped:0 overruns:0 frame:0
         TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:1455 (1.4 KiB)  TX bytes:1455 (1.4 KiB)

route -n gives:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.0   0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.254.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1


This config works with the kernel in which there is no ipchains support. I can ping both subnets and squid works for internet access (not as a transparent proxy, though).

With the ipchains support, ipchains -n -L says (for example, since I tried various configs):

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.254.0/28     0.0.0.0/0             n/a
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.254.0/28     0.0.0.0/0             n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            192.168.1.0/24        n/a
ACCEPT     all  ------  0.0.0.0/0            192.168.254.0/28      n/a

(This is not a firewall config ;-) I just want it to work first)

Another config is

Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

I try ping 192.168.1.3 (a server in the internal network) and ping 192.168.254.1 (the router/gateway), without success (100% lost).

Hope this will document my stupid error ;-)

Thanks for your help.

Pierre A.
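Added example (not from the thread): a small POSIX sh check that walks a copy of the `route -n` table quoted above and flags a table with more than one default route, or a default route whose gateway is one of the host's own addresses (the table above carries two default routes, and the one via 192.168.1.1 points at eth1's own address). The sample table and address list are copied from the post; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the "route -n" table from the post above (not live output).
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.0   0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.254.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1'

# Constructed sample: the interface addresses shown by ifconfig in the same post.
LOCAL_ADDRS='192.168.254.2 192.168.1.1 127.0.0.1'

# Print how many default routes the table has (destination 0.0.0.0, G flag set).
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { n++ } END { print n+0 }'
}

# Print every default-route gateway that is one of this host's own addresses;
# such a route hands packets back to the host itself instead of a real router.
self_gateways() {
    printf '%s\n' "$1" | awk -v addrs="$2" '
        BEGIN { split(addrs, a, " "); for (i in a) mine[a[i]] = 1 }
        $1 == "0.0.0.0" && $4 ~ /G/ && ($2 in mine) { print $2 }'
}

# Report the problems found; exit status 1 if any were found, 0 otherwise.
check_routes() {
    rc=0
    n=$(count_default_routes "$1")
    if [ "$n" -gt 1 ]; then
        echo "WARN: $n default routes; only one gateway should carry 0.0.0.0"
        rc=1
    fi
    for gw in $(self_gateways "$1" "$2"); do
        echo "WARN: default route via $gw, which is a local address"
        rc=1
    done
    return $rc
}

# Run the check on the sample; on a live box feed it "$(route -n)" instead.
check_routes "$ROUTE_SAMPLE" "$LOCAL_ADDRS" || echo "routing table needs attention"
```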
