Re: Roach Motel For Packets...
Why not bridge eth0 and eth1?
----- Original Message -----
From: "Peter Billson" <firstname.lastname@example.org>
Sent: Sunday, September 30, 2001 9:25 PM
Subject: Re: Roach Motel For Packets...
> Let me see if bad drawings help any:
> eth0(to Internet IP "A.A.A.A")--|------|
> eth1(to Internet IP "B.B.B.B")--|------| eth2:0(10.0.0.1)
> <<--to router --eth0(192.168.1.2)---|PC #1 -localnet|
> eth0:0 (10.0.0.2) |---------------|
> All traffic to and from 192.168.1.0/27 goes over A.A.A.A
> All traffic to and from 10.0.0.0/27 goes over B.B.B.B
> A.A.A.A is the default gateway for all other traffic
> If I log into the router I can ping any IP, on any interface including
> my telco's first hop out eth0 and eth1. Packets get routed as expected.
> If I log into PC#1 I can ping any interface on the router, anything on
> the localnet and anything on the Internet (through the router's eth0
> which is the default gateway) but I can not ping anything on the remote
> side of the router's eth1.
> If I log into a remote machine I can ping any IP serviced by eth0, can
> ping my telco's side of the eth1 connection but can not reach any IPs
> serviced by eth1, including eth1 itself.
> I'm using ipchains to log *all* packets on every interface and in all
> the above examples I can see the ping packets come in eth1 but that's
> it. They never attempt to leave through any interface.
> Note the IPs in the example are fake. The real IPs are in the public IP
> space so the problem isn't trying to route these private IPs over the
> internet. :-)
> The ipchains rules are:
> # Rules for eth0 these work!
> ipchains -A input -i eth2 -s 192.168.1.0/27 -j ACCEPT
> ipchains -A output -i eth2 -d 192.168.1.0/27 -j ACCEPT
> ipchains -A forward -i eth0 -s 192.168.1.0/27 -j ACCEPT
> ipchains -A forward -i eth2 -d 192.168.1.0/27 -j ACCEPT
> # Rules for eth1 these don't!
> ipchains -A input -i eth2 -s 10.0.0.0/27 -j ACCEPT
> ipchains -A output -i eth2 -d 10.0.0.0/27 -j ACCEPT
> ipchains -A forward -i eth1 -s 10.0.0.0/27 -j ACCEPT
> ipchains -A forward -i eth2 -d 10.0.0.0/27 -j ACCEPT
> # And of course there are other rules allowing traffic in and out eth0
> and eth1.
> I'm stumped! I'd be happy if it was a routing problem that I could see
> or firewall rule screwing things up.
> Is there, maybe, something I need to do when I give the NIC an alias?
> > I am not sure if I understand this exactly. It may help to have more
> > information.
> > I have a feeling your replies are being sent out but are being
> > by another router, since they appear to have a source address that
> > belong to its network (i.e. address spoofing, SMURF attack).
> To UNSUBSCRIBE, email to email@example.com
> with a subject of "unsubscribe". Trouble? Contact