I chose to configure my firewall to route packets in a different manner depending on destination, so I used the ROUTE command to route packets this way:
route add -net netmask 255.255.255.255 gw eth0
route add -net netmask 255.255.255.255 gw eth1
It seems to work, so I'm reaching destination IP_address1 AND IP_address2 BUT if I ping destination IP or I traceroute it the only one responding is the one on eth0 (default gateway card) route.
?? Where is the filtering stopping my PING packets, so they don't get back?
help me, pls
marco
-------------------------------
Hi everyone, could someone give me a tip?
I chose to configure my firewall to route packets in a different manner depending on destination, so I used the ROUTE command (ON THE FIREWALL) to route packets this way:
route add -net netmask 255.255.255.255 gw eth0
route add -net netmask 255.255.255.255 gw eth1
It seems to work, so I'm reaching destination IP_address1 AND IP_address2 BUT if I ping destination IP or I traceroute it
it replies only if it routes through eth0
- the only one responding is the IP through eth0 (default gateway card) route.
so: PING reply from
but PING no reply
?? Where is the filtering stopping my PING packets, so they don't get back?
I'm guessing the network masks on the WAN and LAN2 are such that the two do not overlap - anything narrower than 255.192.0.0 should be satisfactory. Otherwise, there will be routing confusion.
except that the '/sbin/route' command has nothing to do with the firewall. See
and also look through the "The Linux Network Administrator's Guide, Second Edition" which is often included with Linux distributions, but can also be found at any LDP mirror such as
formatting link
document to look at is the "Adv-Routing-HOWTO" which also should be on your Linux box in /usr/share/HOWTO/
"-net" implies that there is a network there, but the netmask of
255.255.255.255 is that of a host, not a net. Also, you normally want to specify the IP of the gateway, in addition to the interface. Thus, the command might be more accurate
Note that the interface (eth1, eth2) does not have to be declared if it is the last parameter in the command. Note also that the command option you are showing "" may be a problem - we don't know, because we can't imagine what you actually have there.
What version of traceroute? What mode? The standard LBL traceroute defaults to using UDP packets, but has a "-I" option to use ICMP echos. The "improved" version that comes with SuSE lacks the ICMP capability, and uses the -I option to specify the interface. The Microsoft wincrap version (TRACERT.EXE) only uses ICMP echos because the idiots at Microsoft don't know any better.
Do you know that the second router (10.10.10.2) is not blocking ICMP packets? "ping" has been abused by skript kiddiez and other wankers so that a lot of people now block it. You could try using a TCP version of traceroute (tcptraceroute, hping2, hping3) to see if that works, or if the router is dropping ICMP type 11 as well.
Another tool to look at is a packet sniffer - there are dozens available ranging from the original LBL "tcpdump" up through the click-and-drool tools like "wireshark" (formerly "ethereal").
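The checks raised in the replies above (a host mask used with "-net", a missing gateway IP, overlapping interface networks), written out as an added example that is not part of the original posts. All addresses and the interface layout are constructed placeholders, except 10.10.10.2, which the reply mentions; the gateway-on-link test assumes ordinary Linux routing, where the gateway must sit on a network directly attached to the named interface.

```python
import ipaddress

# Constructed sample data: placeholder addresses, not the poster's real ones.
INTERFACES = {"eth0": "10.10.10.1/255.255.255.0",
              "eth1": "10.10.20.1/255.255.255.0"}
ROUTES = [  # (kind, destination, netmask, gateway, interface)
    ("-net", "192.0.2.10", "255.255.255.255", None, "eth0"),
    ("-host", "198.51.100.20", "255.255.255.255", "10.10.10.2", "eth1"),
    ("-net", "203.0.113.7", "255.255.255.0", "10.10.20.2", "eth1"),
]

def check_route(kind, dest, netmask, gateway, iface, interfaces=INTERFACES):
    """Return the list of problems found in one 'route add' style entry."""
    problems = []
    net = ipaddress.IPv4Network(f"{dest}/{netmask}", strict=False)
    # 255.255.255.255 describes a single host, so "-net" is the wrong keyword.
    if kind == "-net" and net.prefixlen == 32:
        problems.append("host mask with -net: use -host")
    if kind == "-host" and net.prefixlen != 32:
        problems.append("-host with a network mask")
    # A network route must name the network address, not a host inside it.
    if str(net.network_address) != dest:
        problems.append(f"host bits set, network is {net.network_address}")
    if gateway is None:
        problems.append("gateway IP missing")
    else:
        # The next hop has to be reachable on the interface's own network.
        local = ipaddress.IPv4Interface(interfaces[iface]).network
        if ipaddress.IPv4Address(gateway) not in local:
            problems.append(f"gateway {gateway} not on {iface} network {local}")
    return problems

def overlapping_interfaces(interfaces=INTERFACES):
    """Return pairs of interfaces whose attached networks overlap."""
    nets = {n: ipaddress.IPv4Interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for r in ROUTES:
        print(r, check_route(*r) or "ok")
    print("overlapping interfaces:", overlapping_interfaces())
```
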