IWETHEY v. 0.3.0 | TODO
What am I overlooking?
Originally I posted in Linux that I was having problems with a client's Linux firewall. That was technically incorrect. Due to suggestions received I will be upgrading the version on Linux and adding better firewall software.

But, the real problem is using the Linux server as a router.

Here is the hardware setup.

Novell server with 2 nics 192.168.0.1 and 192.168.4.1
Linux server with 2 nics 192.168.0.251 and 192.168.1.33
DSL connection to Linux server providing DHCP to the Linux server (.33)

Everyone on the 192.168.0 net can access the internet through the Linux server to the DSL box. But nobody on the .4 net can reach the internet.

I added an entry to the static-routes in the Linux box to reach the .4. No matter how I've set the entry, nothing works. When I've downed the nic going to the DSL, and, from the Linux box, attempt to reach the .4 net, I get "Operation not permitted".

What am I missing?

OS is still RH 7.2.

Thanks,

Joe
Okay.
Let's draw a map:

A == 192.168.4.0/24 network
B == 192.168.0.0/24 network
C == 192.168.1.0/24 network
X == Novell Server
Y == Linux Server
Z == DSL Modem (assuming pppoe)
g h i == machines on Network A
l m n == machines on Network B
----A----[X]----B----[Y]----C----[Z]----
|  |  |      |  |  |
|  |  |      |  |  \--[n] Yes Internet
|  |  |      |  |
|  |  |      |  \--[m] Yes Internet
|  |  |      |
|  |  |      \--[l] Yes Internet
|  |  |
|  |  \--[i] No Internet
|  |
|  \--[h] No Internet
|
\--[g] No Internet
  1. Can [Y] ping the (192.168.4.1) address of [X]?
  2. Can [g,h,i] contact any machine on Network B using TCP/IP only (not NCP operations)? (ping etc...)
  3. Can [l,m,n] contact any machine on Network A using TCP/IP only (not NCP operations)? (ping etc...)


If the answers are:
1. Yes
2. No
3. No
My dear friend... you are barking up the wrong tree (nice pun there, huh?). It is NOT the Linux machine causing the difficulty. You need to add something to the Novell Server. Add routes or start a RIP (v1 or v2) daemon (not that hard) on the Novell server and the Linux machine (limiting the Linux machine to just what it sees on the private interface) and add a default route to the Linux machine to point at the DSL modem. Forcing a default route on the Novell server is a HACK. It will work but isn't going to allow Network B to contact Network A if need be. Also do not start an OSPF or BGP daemon... WAY overkill and not friendly for first-timers.

Limit the scope on the Novell server to those two networks and the default advertising on the A network. Make the Linux machine advertise default on the B network.

Do not advertise on the DSL side... for your own benefit.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

Give a man a match, he'll be warm for a minute.
Set him on fire, he'll be warm for the rest of his life!
Reverse the answers
1. No. Y cannot ping 192.168.4.1; "Operation not permitted" is returned
2. Yes. [g,h,i] can ping Network B
3. Yes. [l,m,n] can ping Network A

Added
Everyone on Network B can reach Z
Nobody on Network A can reach Z
Then it has to be packet rejection on the Linux machine
Spoofing protection (IOW allowed clients on the private side) on the outgoing is forcing things not right.

Or, to put it another way:

Making sure who you are and who you claim to be is the same thing, from an ARP perspective and packet mangling. Usually an "interface rule".

--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

Give a man a match, he'll be warm for a minute.
Set him on fire, he'll be warm for the rest of his life!
My guess
is that the NAT on the linux box is only aliasing for the 192.168.0/24 subnet, and not for the 192.168.4/24 subnet.

Worth taking a look at, anyway...
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Kingston Ontario Canada               [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
Update
Just called the client again. He has a local person learning to administer the network. Dennis turned off IPTABLES and is now able to ping everywhere. So now it looks like I need to modify IPTABLES.
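The thread's diagnosis (NAT and the "allowed clients" rules on Y only cover the 192.168.0/24 net, so Y's own ping to 192.168.4.1 gets EPERM and forwarded traffic from 192.168.4/24 is rejected) can be reproduced with a small model of what the Linux box does with a packet. This is an added example, not configuration from the thread: the interface names eth0/eth1, the exact rule set and the public test address are constructed assumptions, and the model ignores interfaces on rule matching.

```python
import ipaddress as ipa

Net = ipa.ip_network
ANY, A, B, C = Net("0.0.0.0/0"), Net("192.168.4.0/24"), Net("192.168.0.0/24"), Net("192.168.1.0/24")
RFC1918 = Net("192.168.0.0/16")

def route_for(dst, routes):
    """Longest-prefix match over (network, out_dev) pairs; None means no route."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def verdict(chain, src, dst, rules, policy):
    """iptables semantics: the first rule in the chain whose src/dst nets match wins."""
    for c, s, d, target in rules:
        if c == chain and src in s and dst in d:
            return target
    return policy[chain]

def handle(src, dst, cfg, local=False):
    """What box Y does with a packet src->dst; local=True means Y generated it itself."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    route = route_for(dst, cfg["routes"])
    if route is None:
        return "no route to host"
    chain = "OUTPUT" if local else "FORWARD"
    v = verdict(chain, src, dst, cfg["rules"], cfg["policy"])
    if v in ("DROP", "REJECT"):
        # netfilter discarding a locally generated packet comes back to the sending
        # program as EPERM, which ping prints as "Operation not permitted"
        return "Operation not permitted" if local else "dropped by " + chain
    if chain == "OUTPUT":
        return "sent"
    if route[1] == cfg["wan"] and any(src in n for n in cfg["masq"]):
        return "forwarded+masqueraded"
    return "forwarded"  # private source leaving the WAN side un-NATed has no way back

# Constructed 'before' config (assumed, not the client's real rules): the static
# route to A is present, but the filter trusts only the attached nets B and C,
# and MASQUERADE covers only B.
BEFORE = {
    "wan": "eth1",
    "routes": [(B, "eth0"), (C, "eth1"), (A, "eth0"), (ANY, "eth1")],
    "rules": [("FORWARD", B, ANY, "ACCEPT"),
              ("OUTPUT", ANY, B, "ACCEPT"), ("OUTPUT", ANY, C, "ACCEPT"),
              ("OUTPUT", ANY, RFC1918, "REJECT")],  # the "anti-spoof" rule
    "policy": {"FORWARD": "REJECT", "OUTPUT": "ACCEPT"},
    "masq": [B],
}
# 'after': the same rule set with A trusted everywhere B is trusted
AFTER = dict(BEFORE, masq=[A, B], rules=[("FORWARD", A, ANY, "ACCEPT"),
             ("OUTPUT", ANY, A, "ACCEPT")] + BEFORE["rules"])
```

Calling handle("192.168.0.251", "192.168.4.1", BEFORE, local=True) yields the thread's "Operation not permitted", and handle("192.168.4.10", "198.51.100.1", BEFORE) is dropped in FORWARD; the same calls against AFTER are sent and forwarded with NAT.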
USE FWBUILDER!!!!!
[link|http://www.fwbuilder.org|http://www.fwbuilder.org]

It is what I use for my FW administration and port redirection.

Things are very nice.

I'll bet that your outgoing spoofing protection is denying the packets from getting through. Since the ping of .4.1 of X cannot get back to 0.1 it seems logical.

I could send you a stripped version of my .xml file for fwbuilder...

So you understand fwbuilder's operation. It is tough sometimes.

One last thing: you are going to want to update the IPTABLES to at least v1.2.8a. Anything before it has some serious rule parsing issues.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

Give a man a match, he'll be warm for a minute.
Set him on fire, he'll be warm for the rest of his life!
Have you heard of "Smooth Wall"?
Dennis has found a product called smooth wall that is supposed to be a Linux firewall builder similar to FWBUILDER. I'd take advice/recommendations from you (and the rest of the "gang" here) prior to that of a Novell administrator.

I'll be updating the OS from RH7.2 to RH9.x, then loading FWBuilder.

If you're willing to send me that stripped down .xml file, I'd appreciate it. jbrabeck at email dot usps dot gov.

Thanks,

Joe

edit fix my email addy!
Edited by jbrabeck May 19, 2004, 01:16:43 PM EDT
Look at IPcop
www.ipcop.org

It is GPL and has a couple of key features (multiple IP addresses and aliasing on the wan side) that smoothwall only includes in their paid-for product.

I've run both, and stuck with IPcop.
-----
Steve
     What am I overlooking? - (jbrabeck) - (8)
         Okay. - (folkert) - (2)
             Reverse the answers - (jbrabeck) - (1)
                 Then it has to be packet rejection on the Linux machine - (folkert)
         My guess - (jake123)
         Update - (jbrabeck) - (3)
             USE FWBUILDER!!!!! - (folkert) - (2)
                 Have you heard of "Smooth Wall"? - (jbrabeck) - (1)
                     Look at IPcop - (Steve Lowe)
