On Wed, Feb 20, 2002 at 05:15:42PM -0500, Dougherty, Joe wrote:
> Greetings:
>
> I'm slowly yanking out my hair over this one, and didn't see
> anything similar in the archives.
>
> I had a Linux box with iptables and 2.4.13, two external NICs. One
> talks to my internal net (192.168.1.0), the other to my internet network
> (1.1.1.0). On the inside network, I have a server (192.168.1.10) I want to
> make available through the firewall via ssh.
> On the external NIC, I set up a virtual address (1.1.1.100) as
> eth0:0.
> There are tables and rules that move the packets into the internal
> network and to the server. This has worked great for months (for http/https
> and ftp, too).
> Last week, I set up a new box that is essentially identical to the
> first (only the hostnames and hardware are different). With a couple of
> exceptions, the iptables script on the new box sets up IDENTICALLY to the
> first. The ifconfig routine sets up the virtual address, and the host names
> all resolve properly on the external network.

Can you access that internal machine from the firewall itself?

> However, I cannot get ANY responses from the machine behind the
> firewall. My logs on the new firewall show a connection being made between
> the requesting systems and the system behind the firewall, but I get no
> response back from the internal machine. I've tried different virtual

Which is it then? A connection is being made _but_ you get no response back
from the internal machine? What does tcpdump say? What happens to the TCP
handshake?

> addresses, different requesting systems, and the target system refuses to

Again, can you connect to the internal machine from the firewall machine
with no iptables involvement?

Ramin

> reply. I even reverted back to kernel 2.4.13 from 2.4.17 on the new machine.
> I ran tcpdump and attempted to connect to see if there were any errors. I
> can see packets on the target machine, but nothing seems to get back to the
> other side.
> When I switch things back to the old machine, it works fine.
>
> I'm really stumped on this. I'd like to get the new machine up as
> it's more powerful than the old box, but I cannot, for the life of me, see
> anything wrong here. Does anyone have suggestions as to where I might look
> that I haven't?
>
> Thanks.
>
>
> Joe Dougherty
> Information Technology Systems Officer
> NAVLANTMETOCFAC Jacksonville
> (904) 542-2541 ext. 35 (comm)
> 942-2541 ext. 35 (DSN)
> [EMAIL PROTECTED]
> https://www.nlmof.navy.mil
>
> "rm -rf /bin/laden"
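The forwarding setup Joe describes and the handshake check Ramin asks for, as an added shell example that is not part of the original thread or either poster's scripts. It assumes the addresses from the post (virtual address 1.1.1.100 on eth0:0, ssh server 192.168.1.10) and hypothetical interface names eth0 (external) and eth1 (internal); the sample tcpdump lines are constructed, not captured traffic, and use the modern `Flags [S]` tcpdump text format.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: external NIC eth0
# carrying the virtual address 1.1.1.100 as eth0:0, internal NIC eth1 on
# 192.168.1.0/24, ssh server 192.168.1.10. Interface names are hypothetical.
EXT_IF=eth0
INT_IF=eth1
VIP=1.1.1.100
SERVER=192.168.1.10

# Print (rather than apply) the rules that forward ssh on the virtual
# address to the internal server: DNAT in nat/PREROUTING, plus FORWARD
# rules for both directions. Review the output, then as root: dnat_rules | sh
dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $EXT_IF -d $VIP -p tcp --dport 22 -j DNAT --to-destination $SERVER:22
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $SERVER -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Answer "what happens to the TCP handshake?" from a capture taken on the
# internal interface of the firewall, e.g.
#   tcpdump -l -n -c 20 -i eth1 host 192.168.1.10 and port 22 | handshake_state 192.168.1.10
# Reads tcpdump text on stdin and prints exactly one of:
#   no-syn        no SYN reached the server side at all: the DNAT/FORWARD
#                 rules on the firewall are not delivering the packet
#   syn-no-reply  SYNs arrive (and are retransmitted) but the server never
#                 sends SYN-ACK: look at the server itself (its own packet
#                 filter, its route back towards the firewall), not at the NAT
#   handshake-ok  the server answered on this interface; if the client still
#                 sees nothing, the loss is on the external side of the box
handshake_state() {
    awk -v srv="$1" '
        index($0, "> " srv ".22: Flags [S],")                   { syn++ }
        index($0, " " srv ".22 > ") && index($0, "Flags [S.],") { synack++ }
        END {
            if (syn == 0)          print "no-syn"
            else if (synack == 0)  print "syn-no-reply"
            else                   print "handshake-ok"
        }'
}

# Constructed sample captures (not real traffic). Post-DNAT the destination
# seen on eth1 is the server address; the source is the original client.
# First: a client retransmitting SYNs that the server never answers.
SAMPLE_SILENT='12:00:00.000000 IP 203.0.113.5.40123 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 203.0.113.5.40123 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:09.000000 IP 203.0.113.5.40123 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0'

# Second: a normal three-way handshake completing on the internal side.
SAMPLE_OK='12:00:00.000000 IP 203.0.113.5.40124 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000400 IP 192.168.1.10.22 > 203.0.113.5.40124: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000900 IP 203.0.113.5.40124 > 192.168.1.10.22: Flags [.], ack 101, win 64240, length 0'

# Usage:
#   dnat_rules
#   printf '%s\n' "$SAMPLE_SILENT" | handshake_state "$SERVER"
#   printf '%s\n' "$SAMPLE_OK"     | handshake_state "$SERVER"
```

The classifier separates the two cases that "I can see packets on the target machine" leaves open: whether the SYN merely arrives, or whether the server's SYN-ACK also makes it back onto the firewall's internal interface. Run the same capture on the external interface to see whether that SYN-ACK then leaves the box with its source rewritten back to the virtual address.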
