IP FORWARDING IPTABLES

hi, any help on configuration of an iptables firewall?

I have three NICs: WAN eth0 (10.10.10.253), LAN1 eth1 (192.168.0.253), LAN2 eth2 (10.100.3.253); default gateway 10.10.10.1

router1 (provider1) = 10.10.10.1, router2 (provider2) = 10.10.10.2

I chose to configure my firewall to route packets in a different manner depending on destination, so I used the ROUTE command to route packets this way:

route add -net netmask 255.255.255.255 gw eth0

route add -net netmask 255.255.255.255 gw eth1

It seems to work, so I'm reaching destination IP_address1 AND IP_address2, BUT if I ping the destination IP or traceroute it, the only one responding is the one on the eth0 (default gateway card) route.

?? where is the filtering stopping my PING packets, so they don't get back?

help me, pls

marco

-------------------------------

hi everyone, could anyone give me a tip?


better (I hope) explain:

hi, any help on configuration of an iptables firewall?

I have three NICs: WAN eth0 (10.10.10.253), LAN1 eth1 (192.168.0.253), LAN2 eth2 (10.100.3.253); default gateway 10.10.10.1

router1 (provider1) = 10.10.10.1, router2 (provider2) = 10.10.10.2

I chose to configure my firewall to route packets in a different manner depending on destination, so I used the ROUTE command (ON THE FIREWALL) to route packets this way:

route add -net netmask 255.255.255.255 gw eth0

route add -net netmask 255.255.255.255 gw eth1

It seems to work, so I'm reaching destination IP_address1 AND IP_address2, BUT if I ping the destination IP or traceroute it, it replies only if it routes through eth0

- the only one responding is the IP through the eth0 (default gateway card) route.

so: PING reply from

but PING no reply

?? where is the filtering stopping my PING packets, so they don't get back?

help me, pls

marco

-------------------------------

madmax71 wrote:

I'm guessing the network masks on the WAN and LAN2 are such that the two do not overlap - anything narrower than 255.192.0.0 should be satisfactory. Otherwise, there will be routing confusion.

except that the '/sbin/route' command has nothing to do with the firewall. See [link], where you will find seven informative HOWTOs:

[TXT] NAT-HOWTO.txt 24-Dec-2006 16:06 25K
[TXT] netfilter-double-nat-HOWTO.txt 24-Dec-2006 16:06 9.4K
[TXT] netfilter-extensions-HOWTO.txt 24-Dec-2006 16:06 79K
[TXT] netfilter-hacking-HOWTO.txt 24-Dec-2006 16:06 84K
[TXT] netfilter-mirror-HOWTO.txt 24-Dec-2006 16:06 8.1K
[TXT] networking-concepts-HOWTO.txt 24-Dec-2006 16:06 28K
[TXT] packet-filtering-HOWTO.txt 24-Dec-2006 16:06 52K

and also look through "The Linux Network Administrator's Guide, Second Edition", which is often included with Linux distributions but can also be found at any LDP mirror such as [link].

Another document to look at is the "Adv-Routing-HOWTO", which also should be on your Linux box in /usr/share/HOWTO/

-rw-rw-r-- 1 gferg ldp 297491 Sep 4 2003 Adv-Routing-HOWTO

man route

"-net" implies that there is a network there, but the netmask of 255.255.255.255 is that of a host, not a net. Also, you normally want to specify the IP of the gateway, in addition to the interface. Thus, the command might be more accurate as

route add -net 192.0.2.0 netmask 255.255.255.0 gw 10.10.10.2 eth1

route add default gw 10.10.10.1

Note that the interface (eth1, eth2) does not have to be declared if it is the last parameter in the command. Note also that the command option you are showing "" may be a problem - we don't know, because we can't imagine what you actually have there.

What version of traceroute? What mode? The standard LBL traceroute defaults to using UDP packets, but has a "-I" option to use ICMP echos. The "improved" version that comes with SuSE lacks the ICMP capability, and uses the -I option to specify the interface. The microsoft wincrap version (TRACERT.EXE) only uses ICMP echos because the idiots at microsoft don't know any better.

Do you know that the second router (10.10.10.2) is not blocking ICMP packets? "ping" has been abused by skript kiddiez and other wankers so that a lot of people now block it. You could try using a TCP version of traceroute (tcptraceroute, hping2, hping3) to see if that works, or if the router is dropping ICMP type 11 as well.

Another tool to look at is a packet sniffer - there are dozens available ranging from the original LBL "tcpdump" up through the click-and-drool tools like "wireshark" (formerly "ethereal").

Old guy

-- Moe Trin
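To see why the -net/host-mask mix-up and overlapping interface masks matter, here is an added example (not code from the thread) that models the three-NIC firewall above as a routing table and applies the kernel's longest-prefix-match rule to it. The /24 masks, the WAN mask parameter and the 192.0.2.0/24 destination (the placeholder network from the reply) are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the firewall in the thread.
# Each entry: (network, gateway or None if directly connected, interface).
# Masks are assumed; the WAN mask is a parameter so the overlap case can be shown.
def build_routes(wan_mask="255.255.255.0"):
    return [
        (f"10.10.10.0/{wan_mask}", None, "eth0"),   # WAN segment with both routers
        ("192.168.0.0/24", None, "eth1"),           # LAN1
        ("10.100.3.0/24", None, "eth2"),            # LAN2
        ("192.0.2.0/24", "10.10.10.2", "eth0"),     # via router2 (provider 2)
        ("0.0.0.0/0", "10.10.10.1", "eth0"),        # default via router1 (provider 1)
    ]

def lookup(dst, routes):
    """Longest-prefix match, the rule the kernel FIB applies.
    Returns (gateway, interface), or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, dev)
    return None if best is None else (best[1], best[2])

def overlapping_links(routes):
    """Directly connected networks that overlap: the 'routing confusion'
    the reply warns about when the WAN/LAN2 masks are too wide."""
    nets = [ipaddress.ip_network(n, strict=False) for n, gw, _ in routes if gw is None]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

def is_host_route(netmask):
    """True when the mask names a single host, so 'route add -net' is the
    wrong flag (the original post used 255.255.255.255 with -net)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen == 32

if __name__ == "__main__":
    r = build_routes()
    print(lookup("192.0.2.10", r), lookup("8.8.8.8", r))
    print(overlapping_links(build_routes("255.128.0.0")))
```

With a 255.128.0.0 WAN mask the WAN and LAN2 networks overlap, while 255.192.0.0 or narrower keeps them distinct, matching the threshold given in the reply.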

thanks, I'll study.

mm


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.