Re: no ipchains with 2.2/no network with 2.4
If your testing does not succeed, try to describe your network config,
so that we can see what you want to achieve; additionally:
- internal interface, IP, address range of internal net
- DMZ interface, IP, address range of DMZ net, gateway IP
- output of
$ ifconfig
and
$ route -n
and
$ ipchains -L -n
- your /etc/network/interfaces file
OK.
On one side, I have my internal network - 192.168.1.0/255.255.255.0, on eth1
On the other side, I have my DMZ - 192.168.254.0/255.255.255.240 on eth0
The router on DMZ is 192.168.254.1
The firewall has two addresses, 192.168.1.1 (serving as gateway for the
internal network),
and 192.168.254.2 (the address on which the internet router redirects the
calls). The internet gateway (Cisco router) is 192.168.254.1.
My first aim, before starting to edit my firewall script to close down all
but selective ports, is to make it work: being able to access the internal
network and the DMZ from my Debian machine.
The interface file contains:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
auto eth0
iface eth0 inet static
address 192.168.254.2
netmask 255.255.255.240
network 192.168.254.0
broadcast 192.168.254.15
gateway 192.168.254.1
and ifconfig says:
eth0 Link encap:Ethernet HWaddr 00:20:E4:80:16:71
inet addr:192.168.254.2 Bcast:192.168.254.15 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5080 (4.9 KiB) TX bytes:2880 (2.8 KiB)
Interrupt:12 Base address:0x300
eth1 Link encap:Ethernet HWaddr 00:50:BF:49:DC:28
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:3600 (3.5 KiB)
Interrupt:10 Base address:0x7000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1455 (1.4 KiB) TX bytes:1455 (1.4 KiB)
route -n gives:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.254.0 0.0.0.0 255.255.255.240 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.254.1 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
This config works with the kernel in which there is no ipchains support. I
can ping both subnets and squid works for internet access (not as a
transparent proxy, though).
With the ipchains support, ipchains -n -L says (for example, since I tried
various configs)
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 0.0.0.0/0 n/a
ACCEPT all ------ 192.168.254.0/28 0.0.0.0/0 n/a
Chain forward (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 192.168.1.0/24 0.0.0.0/0 n/a
ACCEPT all ------ 192.168.254.0/28 0.0.0.0/0 n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 192.168.1.0/24 n/a
ACCEPT all ------ 0.0.0.0/0 192.168.254.0/28 n/a
(This is not a firewall config ;-) I just want it to work first)
Another config is
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
I try ping 192.168.1.3 (a server in the internal network) and ping
192.168.254.1 (the router/gateway), without success (100% lost)
Hope this will document my stupid error ;-)
Thanks for your help.
Pierre A.
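The `route -n` output quoted in the post lists two default routes, one of them via the host's own eth1 address, which matches the `gateway 192.168.1.1` line in the eth1 stanza of /etc/network/interfaces. As an added example that is not from the poster or the thread, here is a Python checker that parses those two outputs exactly as quoted above and reports such default-route problems.

```python
# Route table and interface stanzas copied from the post above (no other data).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.0   0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.254.1   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
"""
INTERFACES_FILE = """\
iface eth1 inet static
address 192.168.1.1
gateway 192.168.1.1
iface eth0 inet static
address 192.168.254.2
gateway 192.168.254.1
"""


def parse_stanzas(text):
    """Map each `iface` stanza name to its address/gateway options."""
    stanzas, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[0] == "iface":
            current = stanzas.setdefault(fields[1], {})
        elif current is not None and fields[0] in ("address", "gateway"):
            current[fields[0]] = fields[1]
    return stanzas


def parse_route_n(text):
    """Parse `route -n` lines (after the two header lines) into dicts."""
    routes = []
    for line in text.splitlines()[2:]:
        f = line.split()
        if len(f) == 8:
            routes.append({"dest": f[0], "gw": f[1], "mask": f[2], "iface": f[7]})
    return routes


def check_default_routes(routes, stanzas):
    """Flag several default routes and any default gateway that is this host's own address."""
    local = {s.get("address") for s in stanzas.values()}
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    findings = []
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(f"{r['gw']} via {r['iface']}" for r in defaults))
    for r in defaults:
        if r["gw"] in local:
            findings.append(f"default route via {r['iface']} points at this host's own address {r['gw']}")
    return findings
```

Run against the quoted data it reports both the duplicate default route and that the eth1 default gateway is the firewall's own address; with only the eth0 default route present it reports nothing.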