
Re: Roach Motel For Packets...



Let me see if bad drawings help any:

eth0(to Internet IP "A.A.A.A")--|------|
                                |Router|--eth2(192.168.1.1)
eth1(to Internet IP "B.B.B.B")--|------|  eth2:0(10.0.0.1) 


and

                                    |---------------|
<<--to router --eth0(192.168.1.2)---|PC #1 -localnet|
                eth0:0 (10.0.0.2)   |---------------|

All traffic to and from 192.168.1.0/27 goes over A.A.A.A
All traffic to and from 10.0.0.0/27 goes over B.B.B.B
A.A.A.A is the default gateway for all other traffic

If I log into the router I can ping any IP, on any interface including
my telco's first hop out eth0 and eth1. Packets get routed as expected.

If I log into PC#1 I can ping any interface on the router, anything on
the localnet and anything on the Internet (through the router's eth0
which is the default gateway) but I can not ping anything on the remote
side of the router's eth1.

If I log into a remote machine I can ping any IP serviced by eth0, can
ping my telco's side of the eth1 connection but can not reach any IPs
serviced by eth1, including eth1 itself.

I'm using ipchains to log *all* packets on every interface and in all
the above examples I can see the ping packets come in eth1 but that's
it. They never attempt to leave through any interface.

Note the IPs in the example are fake. The real IPs are in the public IP
space so the problem isn't trying to route these private IPs over the
internet. :-)

The ipchains rules are:
# Rules for eth0 these work!
ipchains -A input   -i eth2 -s 192.168.1.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth0 -s 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 192.168.1.0/27 -j ACCEPT

# Rules for eth1 these don't!
ipchains -A input   -i eth2 -s 10.0.0.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth1 -s 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 10.0.0.0/27 -j ACCEPT

# And of course there are other rules allowing traffic in and out eth0 and eth1.

I'm stumped! I'd be happy if it were a routing problem that I could see
or a firewall rule screwing things up.

Is there, maybe, something I need to do when I give the NIC an alias?

Pete
 

> I am not sure if I understand this exactly. It may help to have more
> information.
> 
> I have a feeling your replies are being sent out but are being firewalled
> by another router, since they appear to have a source address that doesn't
> belong to its network (i.e. address spoofing, SMURF attack).
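The quoted reply suspects the replies leave the router with a source address the upstream will not accept. The following Python model is an added illustration of that asymmetric-routing explanation and is not part of the original thread or of either poster's configuration. It traces an echo request and its reply through a router with the two subnets from the post, once with a destination-only routing table (single default via link A) and once with a source-selected table for 10.0.0.0/27, and applies two checks a practitioner would run on any multi-homed box: a strict reverse-path check on the inbound interface and an assumed anti-spoofing ingress filter at each telco. The gateway and remote addresses (documentation ranges), the link prefixes, the ingress filter and the policy-routing table are all assumptions of the model; whether either check is what is biting the poster's router is not something the thread establishes.

```python
import ipaddress

# Constructed model of the two-uplink router described in the post.
# Addresses are assumptions: documentation ranges stand in for A.A.A.A/B.B.B.B.
GW_A = ipaddress.ip_address("203.0.113.1")    # assumed telco first hop on eth0
GW_B = ipaddress.ip_address("198.51.100.1")   # assumed telco first hop on eth1
REMOTE = ipaddress.ip_address("192.0.2.10")   # assumed host out on the Internet

NET_A = ipaddress.ip_network("192.168.1.0/27")  # should use link A (per the post)
NET_B = ipaddress.ip_network("10.0.0.0/27")     # should use link B (per the post)
LINK_A = ipaddress.ip_network("203.0.113.0/30")  # assumed point-to-point link A
LINK_B = ipaddress.ip_network("198.51.100.0/30")  # assumed point-to-point link B
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Main table: destination-only, one default route via link A.
MAIN = [
    (NET_A, "eth2", None),
    (NET_B, "eth2", None),
    (LINK_A, "eth0", None),
    (LINK_B, "eth1", None),
    (DEFAULT, "eth0", GW_A),
]

# Extra table selected by source address for NET_B, with its own default via B
# (assumed: what a source-based "ip rule" plus a second table would give).
TABLE_B = [
    (NET_A, "eth2", None),
    (NET_B, "eth2", None),
    (LINK_B, "eth1", None),
    (DEFAULT, "eth1", GW_B),
]


def lookup(dst, table):
    """Longest-prefix match over one table; returns (iface, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def route(src, dst, policy):
    """Route selection. With policy=False only the destination is consulted;
    with policy=True the source address picks the table first."""
    src = ipaddress.ip_address(src)
    if policy and src in NET_B:
        return lookup(dst, TABLE_B)
    return lookup(dst, MAIN)


def reverse_path_ok(in_iface, src, dst, policy):
    """Strict reverse-path check: route a packet back toward src (with our
    own dst as its source) and require that it would leave through the
    interface the original packet arrived on."""
    back = route(dst, src, policy)
    return back is not None and back[0] == in_iface


def upstream_accepts(out_iface, src):
    """Assumed telco ingress filter: each link only accepts the prefix the
    telco routes to us over that link (the spoofing filter the reply suspects)."""
    allowed = {"eth0": NET_A, "eth1": NET_B}
    return ipaddress.ip_address(src) in allowed[out_iface]


def trace_ping(client, policy):
    """Trace an echo request from REMOTE to `client` and the reply back.
    Returns (request_passes_rp_check, reply_iface, reply_accepted_upstream)."""
    client = ipaddress.ip_address(client)
    in_iface = "eth1" if client in NET_B else "eth0"   # link the telco delivers on
    rp_ok = reverse_path_ok(in_iface, REMOTE, client, policy)
    out_iface, _gw = route(client, REMOTE, policy)
    return rp_ok, out_iface, upstream_accepts(out_iface, client)


if __name__ == "__main__":
    for policy in (False, True):
        for client in ("192.168.1.2", "10.0.0.2"):
            print(f"policy={policy} client={client}: "
                  f"rp_ok/out/accepted = {trace_ping(client, policy)}")
```

Under the destination-only table the model sends the 10.0.0.2 reply out eth0 with a 10.0.0.x source (which the assumed filter on link A rejects) and the inbound request on eth1 fails the strict reverse-path check, while the 192.168.1.2 case passes both; with the source-selected table both subnets pass. Real kernels select tables with `ip rule` rather than the Python condition used here, and the reverse-path behaviour depends on the kernel's rp_filter setting, so treat the model as the reasoning, not as a configuration.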


