Yes, IP forwarding is on. Without it, the eth1 and eth2 networks won't talk
to each other. I did try toggling Forwarding policy to DENY and ACCEPT, and
got the same result both times.
"Mikkel L. Ellertson" wrote:
> At 01:06 PM 4/27/00 -0500, you wrote:
> >I'm attempting to set up a full firewall on my network at work.
> >
> >When I have the following (eth1 and eth2 are /24 subnets):
> >
> >eth0 (111.222.333.254) connected to a hub (static route to 111.222.333.1
> >mask /32)
> >eth1 (111.222.333.253) connected to a hub
> >eth2 (192.168.0.1) connected to a hub
> >T1 router (111.222.333.1) connected to a hub
> >Workstations inside the 111.222.333.x subnet have their gateway set to
> >111.222.333.253.
> >
> >When I have all interfaces (eth0-2 and the router) connected to a hub,
> >things work great, however, DMZ (111.222.333 network) is not controlled
> >via the firewall box, the router has free rein of the network (not very
> >secure). When all interfaces are connected to the hub, workstations can
> >get out of the building using eth1's address as a gateway. No problem.
> >
> >Here is the problem: When I attempt to connect a cross-over cable to
> >the router directly to eth0, no workstation can get outside of the
> >building. Traceroutes stop with the 111.222.333.253 interface.
> >However, at the firewall box, I can go everywhere (outside the building,
> >to the DMZ, to the protected network, etc).
> >
> >I even tried using metric 1 (the routing table shows metric 0 default)
> >and it still does not work. Again, from the box itself, it can go out
> >through the router to the internet, but workstations connected to the
> >253 card (eth1) can't.
> >
> >My IPChains info (if this is the problem), with everything wide-open for
> >the moment:
> >Chain input (policy ACCEPT):
> >Chain forward (policy ACCEPT):
> >target     prot opt     source                destination           ports
> >MASQ       all  ----    192.168.0.1/24        0.0.0.0/0             n/a
> >ACCEPT     all  ----    111.222.333.0/24      0.0.0.0/0             n/a
> >Chain output (policy ACCEPT):
> >
> >Please help!!
> >
> Did you enable IP forwarding? Make sure that:
>
> cat /proc/sys/net/ipv4/ip_forward
>
> returns 1. If not, do:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> You may also have to set the default forward policy to deny.
>
> Mikkel
>
> --
> Do not meddle in the affairs of dragons,
> for you are crunchy and taste good with ketchup.
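The point buried in this exchange is that the forward-chain policy only decides packets that no rule matches. As an added example (not code from either poster), the Python below parses an `ipchains -L -n`-style listing like the one quoted above into chains and rules, then traces a few constructed flows through the forward chain with the listed policy and with the policy flipped to DENY. Rule evaluation is first-match-wins with the policy as fallback, which is how ipchains handles ACCEPT, DENY and MASQ targets. The sample listing, the flows, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed (documentation ranges standing in for the thread's `111.222.333.x` placeholders, which are not valid IPv4 addresses); the 192.168.0.1/24 rule is kept exactly as posted to show how the non-canonical network is normalised.

```python
"""Parse an ipchains -L -n style listing and trace flows through the forward chain.

Added example for this thread, not the posters' code.  Semantics: first matching
rule decides; otherwise the chain policy applies.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Rule:
    target: str
    proto: str
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network

    def matches(self, src: str, dst: str, proto: str = "tcp") -> bool:
        return ((self.proto == "all" or self.proto == proto)
                and ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.dest)


@dataclass
class Chain:
    name: str
    policy: str
    rules: list


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):")
# ipchains rule line: target prot opt source destination ports
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_listing(text: str) -> dict:
    """Return {chain name: Chain} from ipchains -L -n output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2).upper(), [])
            chains[current.name] = current
            continue
        if current is None or line.startswith("target"):
            continue  # column header or text before any chain
        m = RULE_RE.match(line)
        if m:
            target, proto, _opt, src, dst = m.groups()
            # strict=False turns 192.168.0.1/24 into 192.168.0.0/24
            current.rules.append(Rule(
                target.upper(), proto,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False)))
    return chains


def forward_verdict(chain: Chain, src: str, dst: str, proto: str = "tcp") -> str:
    """First matching rule's target, else the chain policy."""
    for rule in chain.rules:
        if rule.matches(src, dst, proto):
            return rule.target
    return chain.policy


def compare_policies(listing: str, flows: dict) -> dict:
    """For each flow: (verdict with listed policy, verdict with policy DENY)."""
    fwd = parse_listing(listing)["forward"]
    denied = Chain(fwd.name, "DENY", fwd.rules)
    return {label: (forward_verdict(fwd, s, d), forward_verdict(denied, s, d))
            for label, (s, d) in flows.items()}


# Constructed listing modelled on the one quoted in the thread.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ----    192.168.0.1/24        0.0.0.0/0             n/a
ACCEPT     all  ----    203.0.113.0/24        0.0.0.0/0             n/a
Chain output (policy ACCEPT):
"""

# Constructed flows: DMZ workstation, masqueraded LAN host, and a reply from outside.
SAMPLE_FLOWS = {
    "workstation to internet": ("203.0.113.10", "198.51.100.5"),
    "masqueraded lan to internet": ("192.168.0.20", "198.51.100.5"),
    "internet reply to dmz host": ("198.51.100.5", "203.0.113.10"),
}

if __name__ == "__main__":
    for label, (listed, deny) in compare_policies(SAMPLE_LISTING, SAMPLE_FLOWS).items():
        print(f"{label:30s} listed policy -> {listed:6s} policy DENY -> {deny}")
```

Both inside subnets hit an explicit rule on the way out, so flipping the policy changes nothing for outbound traffic, consistent with the writer seeing the same result either way; only flows no rule lists, such as traffic coming back to DMZ hosts from outside, are decided by the policy.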
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]