
Re: [LRP] ipchains/routing gurus, pl help



I didn't work through your ipchains script because I don't think that's
where your problem is. I see a problem in your routing table, which you
report as:

>203.200.144.162 dev eth2  scope link 
>203.200.144.160/28 dev eth0  proto kernel  scope link  src 203.200.144.163 
>192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.254 
>203.200.144.0/24 dev eth2  proto kernel  scope link  src 203.200.144.164 
>default via 203.200.144.161 dev eth0 

Note that you have two routes specified to addresses in the range
203.200.144.160-175, since they are on BOTH of these networks:

        203.200.144.160/28      (on eth0)
        203.200.144.0/24        (on eth2)

This leads to a sufficiently indeterminate solution with respect to
203.200.144.162, the Web server (even ignoring the host route you "hacked"
in) that I would hesitate to predict how packets to and from it would be
handled ... especially when your report omits the details of *how* its pings
fail (an important diagnostic; pings fail in at least 4 distinct ways). 

Even assuming the iffy proposition that overlapping routes of this sort will
work, it looks to me like you have them backwards. The only 203.200.144.X
host we know the actual location of is the Web server, 203.200.144.162, and
it is on eth2 -- but the first, and narrower, route to it is on eth0. Best
interpretation of the situation is that you have your routes specified
backwards.

Since I don't know what range of real IP addresses is available to you (do
you really own 203.200.144.0/24?), I can't suggest a specific fix. The
general idea would be to subnet more sensibly.

At 04:11 PM 8/29/00 +0000, Suresh Kumar.R wrote:
>Hi,
>
>I have a 486 with linuxrouter materhorn with charles extended scripts
>1.0 installed, with 3 ethernet cards as shown in the following figure,
>in my university computer lab.
>
> External Network (BAD)
>                  |
>                  |
>              eth0|
>           ----------------|
>           |203.200.144.163|             Server 
>           |               |eth2		
>           |               |---------------------
>           |               |203.200.144.164     |    
>           |               |                    |    
>           |192.168.100.254|                    |    
>           ----------------                  ---------   
>                  | eth1                     | WEB    |  
>                  |                          ----------    
>                  |                        203.200.144.162
>                  |
>          Internal Network (GOOD)
>
>
>One card is terminated with the external leased line(eth0). One card
>is connected to my hub which caters to the private lan(eth1). The last
>card takes care of my dmzone (eth2).
>
>I designate external network by the word BAD, internal network by the
>word GOOD and the web server by the word DMZ, and these terms are used
>in creating my ipchains. Needless to say my
>configuration is a copy of the example given at the end of
>IPCHAINS-HOWTO.
>
>FACTS
>
>1. I am able to ping from the web server to all three cards of my
>router.
>2. I am able to ping from router to the web server
>3. From any machine in the internal network I am able to ping all
>cards of router
>4. From the internal lan, I can browse and do everything to external
>network.
>
>MY PROBLEMS.
>1. My web server in the dmz cannot ping anyone other than the router
>cards
>2. My internal lan cannot ping my web server in the dmz
>3. The router log files *DO NOT SHOW* any log entries reg. dmz-bad chain.
>(ipchain rules are given at the end)
>
>Therefore I cannot use my web server at all.

[ipchains details deleted]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
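To make the overlap concrete, here is an added example (not from either poster) that runs a longest-prefix lookup over the routing table exactly as quoted above, with and without the hand-added host route. It assumes the kernel's usual most-specific-prefix-wins rule with equal metrics, which is what makes the /28 on eth0 beat the /24 on eth2.

```python
import ipaddress

# Routing table as reported in the quoted message, reduced to the two
# fields longest-prefix matching needs: destination prefix and device.
ROUTES_AS_POSTED = [
    ("203.200.144.162/32", "eth2"),   # the hand-added host route
    ("203.200.144.160/28", "eth0"),
    ("192.168.100.0/24",   "eth1"),
    ("203.200.144.0/24",   "eth2"),
    ("0.0.0.0/0",          "eth0"),   # default via 203.200.144.161
]


def lookup(routes, dst):
    """Return (prefix, dev) of the most specific route covering dst,
    as the kernel's longest-prefix match would; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1]) if best else None


def without_host_route(routes):
    """The same table with the /32 host route removed."""
    return [r for r in routes if not r[0].endswith("/32")]


def main():
    # Constructed sample destinations: the Web server, another address in
    # the /28, an address only in the /24, an internal host, and the Internet.
    for dst in ("203.200.144.162", "203.200.144.170", "203.200.144.50",
                "192.168.100.7", "198.51.100.9"):
        print(f"{dst:16} as posted: {lookup(ROUTES_AS_POSTED, dst)}"
              f"  no host route: {lookup(without_host_route(ROUTES_AS_POSTED), dst)}")


if __name__ == "__main__":
    main()
```

Without the host route, traffic for the Web server leaves on eth0 even though the box sits on eth2, while any other 203.200.144.160-175 address also goes out eth0; that is the "backwards" ordering the reply describes.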