Re: Roach Motel For Packets...

2001-09-30 Thread Jason Lim

Why not bridge eth0 and eth1?

- Original Message -
From: "Peter Billson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 30, 2001 9:25 PM
Subject: Re: Roach Motel For Packets...


> Let me see if bad drawings help any:
>
> eth0(to Internet IP "A.A.A.A")--|------|
>                                 |Router|--eth2(192.168.1.1)
> eth1(to Internet IP "B.B.B.B")--|------|  eth2:0(10.0.0.1)
>
>
> and
>
>                                      |---------------|
> <<--to router --eth0(192.168.1.2)---|PC #1 -localnet|
>                 eth0:0 (10.0.0.2)    |---------------|
>
> All traffic to and from 192.168.1.0/27 goes over A.A.A.A
> All traffic to and from 10.0.0.0/27 goes over B.B.B.B
> A.A.A.A is the default gateway for all other traffic
>
> If I log into the router I can ping any IP, on any interface including
> my telco's first hop out eth0 and eth1. Packets get routed as expected.
>
> If I log into PC#1 I can ping any interface on the router, anything on
> the localnet and anything on the Internet (through the router's eth0
> which is the default gateway) but I can not ping anything on the remote
> side of the router's eth1.
>
> If I log into a remote machine I can ping any IP serviced by eth0, can
> ping my telco's side of the eth1 connection but can not reach any IPs
> serviced by eth1, including eth1 itself.
>
> I'm using ipchains to log *all* packets on every interface and in all
> the above examples I can see the ping packets come in eth1 but that's
> it. They never attempt to leave through any interface.
>
> Note the IPs in the example are fake. The real IPs are in the public IP
> space so the problem isn't trying to route these private IPs over the
> internet. :-)
>
> The ipchains rules are:
> # Rules for eth0 these work!
> ipchains -A input   -i eth2 -s 192.168.1.0/27 -j ACCEPT
> ipchains -A output  -i eth2 -d 192.168.1.0/27 -j ACCEPT
> ipchains -A forward -i eth0 -s 192.168.1.0/27 -j ACCEPT
> ipchains -A forward -i eth2 -d 192.168.1.0/27 -j ACCEPT
>
> # Rules for eth1 these don't!
> ipchains -A input   -i eth2 -s 10.0.0.0/27 -j ACCEPT
> ipchains -A output  -i eth2 -d 10.0.0.0/27 -j ACCEPT
> ipchains -A forward -i eth1 -s 10.0.0.0/27 -j ACCEPT
> ipchains -A forward -i eth2 -d 10.0.0.0/27 -j ACCEPT
>
> # And of course there are other rules allowing traffic in and out eth0 and eth1.
>
> I'm stumped! I'd be happy if it was a routing problem that I could see
> or  firewall rule screwing things up.
>
> Is there, maybe, something I need to do when I give the NIC an alias?
>
> Pete
>
>
> > I am not sure if I understand this exactly. It may help to have more
> > information.
> >
> > I have a feeling your replies are being sent out but are being firewalled
> > by another router, since they appear to have a source address that doesn't
> > belong to its network (i.e. address spoofing, SMURF attack).
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> http://www.zentek-international.com
>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Roach Motel For Packets...

2001-09-30 Thread Peter Billson

Let me see if bad drawings help any:

eth0(to Internet IP "A.A.A.A")--|------|
                                |Router|--eth2(192.168.1.1)
eth1(to Internet IP "B.B.B.B")--|------|  eth2:0(10.0.0.1)


and

                                     |---------------|
<<--to router --eth0(192.168.1.2)---|PC #1 -localnet|
                eth0:0 (10.0.0.2)    |---------------|

All traffic to and from 192.168.1.0/27 goes over A.A.A.A
All traffic to and from 10.0.0.0/27 goes over B.B.B.B
A.A.A.A is the default gateway for all other traffic

If I log into the router I can ping any IP, on any interface including
my telco's first hop out eth0 and eth1. Packets get routed as expected.

If I log into PC#1 I can ping any interface on the router, anything on
the localnet and anything on the Internet (through the router's eth0
which is the default gateway) but I can not ping anything on the remote
side of the router's eth1.

If I log into a remote machine I can ping any IP serviced by eth0, can
ping my telco's side of the eth1 connection but can not reach any IPs
serviced by eth1, including eth1 itself.

I'm using ipchains to log *all* packets on every interface and in all
the above examples I can see the ping packets come in eth1 but that's
it. They never attempt to leave through any interface.

Note the IPs in the example are fake. The real IPs are in the public IP
space so the problem isn't trying to route these private IPs over the
internet. :-)

The ipchains rules are:
# Rules for eth0 these work!
ipchains -A input   -i eth2 -s 192.168.1.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth0 -s 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 192.168.1.0/27 -j ACCEPT

# Rules for eth1 these don't!
ipchains -A input   -i eth2 -s 10.0.0.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth1 -s 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 10.0.0.0/27 -j ACCEPT

# And of course there are other rules allowing traffic in and out eth0 and eth1.

I'm stumped! I'd be happy if it was a routing problem that I could see
or a firewall rule screwing things up.

Is there, maybe, something I need to do when I give the NIC an alias?

Pete
 

> I am not sure if I understand this exactly. It may help to have more
> information.
> 
> I have a feeling your replies are being sent out but are being firewalled
> by another router, since they appear to have a source address that doesn't
> belong to its network (i.e. address spoofing, SMURF attack).


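Pete's own logging is the key observation: the echo requests are seen by the ipchains input chain on eth1 and then no chain ever sees them again. In a 2.2/2.4 kernel the ipchains input check runs before the routing decision, and Debian's spoofprotect setting (strict reverse-path filtering, net.ipv4.conf.*.rp_filter=1) discards a packet at that routing step, with no firewall verdict at all, whenever the route back to the packet's source would not leave through the interface the packet arrived on. A packet from an Internet host arriving on eth1 while the only default route points out eth0 is exactly that case, so it fits the symptom; Jeremy's upstream-filtering theory is the other thing to rule out with a capture on eth1. The script below is an editor's added example, not code from the thread: it models the strict reverse-path check over the routes Pete describes, shows it passing for eth0 and failing for eth1, and prints the iproute2 commands that give the B.B.B.B side its own routing table so the reverse lookup succeeds. The link nets 192.0.2.0/30 (eth0) and 198.51.100.0/30 (eth1), the remote host 203.0.113.9 and the B_ADDR/B_GW arguments are placeholders, not values from the thread.

```bash
#!/bin/bash
# Editor's added example, not from the thread.  Models Linux strict
# reverse-path filtering (rp_filter=1) over the thread's routing table and
# emits the iproute2 source-policy routing that makes the second uplink pass.
# Assumed placeholders: link nets 192.0.2.0/30 (eth0) and 198.51.100.0/30
# (eth1), remote host 203.0.113.9, and the B_ADDR/B_GW arguments below.

ip2int() {                       # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {                    # in_prefix ADDR NET/LEN -> true if ADDR lies inside NET/LEN
    local addr net len mask
    addr=$(ip2int "$1"); net=$(ip2int "${2%/*}"); len=${2#*/}
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Routing tables, one "PREFIX IFACE" entry per line, as in the thread's setup.
MAIN_TABLE='192.168.1.0/27 eth2
10.0.0.0/27 eth2
192.0.2.0/30 eth0
198.51.100.0/30 eth1
0.0.0.0/0 eth0'                  # default route out the A.A.A.A provider

UPLINK_B_TABLE='10.0.0.0/27 eth2
198.51.100.0/30 eth1
0.0.0.0/0 eth1'                  # same, but the default leaves via B.B.B.B

table_by_name() {
    case $1 in
        main)     printf '%s\n' "$MAIN_TABLE" ;;
        uplink_b) printf '%s\n' "$UPLINK_B_TABLE" ;;
    esac
}

route_iface() {                  # route_iface DST TABLE_TEXT -> longest-prefix-match egress iface
    local dst=$1 table=$2 best_len=-1 best_if='' prefix iface len
    while read -r prefix iface; do
        [ -n "$prefix" ] || continue
        len=${prefix#*/}
        if in_prefix "$dst" "$prefix" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_if=$iface
        fi
    done <<EOF
$table
EOF
    echo "$best_if"
}

# Strict rp_filter the way the kernel's fib_validate_source does it: look up a
# route back to the packet's SOURCE with the roles swapped, so an
# "ip rule add from X" matches the packet's DESTINATION.  If that route does
# not leave through the ingress interface the packet is discarded at the
# routing step, before any forward chain sees it.
rpf_verdict() {                  # rpf_verdict IIF SRC DST [RULES] -> pass|drop
    local iif=$1 src=$2 dst=$3 rules=$4 table net name
    table=$(table_by_name main)
    while read -r net name; do   # RULES: "NET/LEN TABLE_NAME" per line, first match wins
        [ -n "$net" ] || continue
        if in_prefix "$dst" "$net"; then table=$(table_by_name "$name"); break; fi
    done <<EOF
$rules
EOF
    if [ "$(route_iface "$src" "$table")" = "$iif" ]; then echo pass; else echo drop; fi
}

# iproute2 commands giving the 10.0.0.0/27 side (and eth1's own address) a
# table whose default route leaves via eth1.  B_ADDR is eth1's public address,
# B_GW the provider's next hop; both are placeholders supplied by the caller.
gen_policy_routing() {           # gen_policy_routing B_ADDR B_GW -> commands on stdout
    cat <<EOF
ip route add 10.0.0.0/27 dev eth2 table 200
ip route add default via $2 dev eth1 table 200
ip rule add from 10.0.0.0/27 table 200
ip rule add from $1 table 200
ip route flush cache
EOF
}

# Walk the thread's cases: working uplink, broken uplink, and the fix.
printf 'echo 203.0.113.9 -> 192.168.1.2 in eth0:            %s\n' "$(rpf_verdict eth0 203.0.113.9 192.168.1.2)"
printf 'echo 203.0.113.9 -> 10.0.0.2 in eth1 (main only):   %s\n' "$(rpf_verdict eth1 203.0.113.9 10.0.0.2)"
printf 'same, with "ip rule add from 10.0.0.0/27 table 200": %s\n' "$(rpf_verdict eth1 203.0.113.9 10.0.0.2 '10.0.0.0/27 uplink_b')"
gen_policy_routing B.B.B.B B_GW
```

On the real router, `cat /proc/sys/net/ipv4/conf/eth1/rp_filter` shows whether the check is armed, and after the rules are installed `ip route get 203.0.113.9 from 10.0.0.2 iif eth2` should name eth1 rather than eth0. Turning rp_filter off on eth1 would also stop the drops, but the per-source table is the better answer: it keeps the anti-spoofing check and also fixes the return path, which otherwise sends replies for B.B.B.B out the A.A.A.A provider with a source address that provider may well filter, as Jeremy suggested.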




Re: Roach Motel For Packets...

2001-09-29 Thread Jeremy C. Reed

On Sat, 29 Sep 2001, Peter Billson wrote:

>   I have a Linux router with two connections from different service
> providers (eth0 and eth1) coming in and want to route all traffic to go
> out eth2. Eth0 is the router's default gateway
> 
>   I assigned eth2 two ips (eth2=192.168.0.1 and eth2:0=10.0.0.1). The
> (important) routes are set to
> 
>   Network        gateway      netmask          iface
>   192.168.0.0    *            255.255.255.0    eth2
>   10.0.0.1       *            255.255.255.0    eth2
>   (eth1 net)     *            255.255.255.0    eth1
>   default        (eth0 ip)    0.0.0.0          eth0
> 
>   Ips have been changed to protect the innocent. All ips are really in
> the public IP space.
> 
>   I am *not* trying to load balance, do BGP or anything like that. I
> basically want the boxen on the network to respond to packets coming
> from either network.
> 
>   I'm using IPChains to get this all working nice.

Show us.

>   If I ping any of the IPs serviced by eth0 (remotely or locally)
> everything works fine. I can ping eth0, eth2 or any of the boxes on the
> network.
> 
>   From the router I can ping eth0, eth1, eth2, and IPs that should be
> serviced by eth1 on the network and I can ping the provider going out
> eth1.
> 
>   From the local network I can ping any other machine and *any* IP on
> the router.
> 
>   But if I try to ping eth1, or any of the IPs serviced by eth1, from a
> remote machine the packets come into the router and disappear. They do
> not get DENYed, ACCEPTed or FORWARDed by IPChains on any interface. The
> rules relating to eth0 and eth1 are identical.

I am not sure if I understand this exactly. It may help to have more
information.

I have a feeling your replies are being sent out but are being firewalled
by another router, since they appear to have a source address that doesn't
belong to its network (i.e. address spoofing, SMURF attack).

  Jeremy C. Reed
echo 'G014AE824B0-07CC?/JJFFFI?D64CB>D=3C427=>;>6HI2>


Re: Roach Motel For Packets...

2001-09-29 Thread Peter Billson

> as is required by RFC, routing is disabled by default. to enable
> routing:
> 
> echo 1 >/proc/sys/net/ipv4/ip_forward
> 
> use /etc/sysctl.conf to have it enabled automatically at boot.

100% correct you are, but I have already done this. Note that "stuff"
coming in eth0 is getting forwarded correctly, only packets coming in
eth1 are not. Even eth1 itself does not respond to pings even though I
can log the packets coming in.

Pete
-- 
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting






Re: Roach Motel For Packets...

2001-09-29 Thread CaT

On Sun, Sep 30, 2001 at 10:18:28AM +1000, Craig Sanders wrote:
> echo 1 >/proc/sys/net/ipv4/ip_forward
> 
> use /etc/sysctl.conf to have it enabled automatically at boot.

That's one way. The other being:

vim /etc/network/options

There you'll find two other useful options also. All 3 would be
the equivalent of the echo or sysctl.conf above.

-- 
CaT    "As you can expect it's really affecting my sex life. I can't help
        it. Each time my wife initiates sex, these ejaculating hippos keep
        floating through my mind."
        - Mohd. Binatang bin Goncang, Singapore Zoological Gardens


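CaT points at /etc/network/options without saying what its other two switches do. On Debian of that era the file holds three yes/no keys, ip_forward, spoofprotect and syncookies, and the networking init script turns them into net.ipv4.ip_forward, rp_filter on every interface, and net.ipv4.tcp_syncookies. The second one matters for this thread: spoofprotect=yes is what arms the strict reverse-path check on a multi-homed router. The script below is an editor's added example, not from the thread or from Debian: it translates an options file into the equivalent sysctl.conf lines and audits the live rp_filter value per interface. The options file and the sysctl tree used in the test are constructed; audit_forwarding defaults to /proc/sys but accepts any directory with the same layout.

```bash
#!/bin/sh
# Editor's added example, not from the thread.  Maps Debian's
# /etc/network/options keys to the sysctls they control and audits the
# live values.  SYSROOT defaults to /proc/sys; a constructed tree with the
# same layout can be passed instead for testing.

# /etc/network/options key -> sysctl(s) the Debian networking init script sets
#   ip_forward   -> net.ipv4.ip_forward
#   spoofprotect -> net.ipv4.conf.{all,default}.rp_filter  (strict reverse-path check)
#   syncookies   -> net.ipv4.tcp_syncookies
options_to_sysctl() {            # options_to_sysctl FILE -> sysctl.conf-style lines on stdout
    local key val v
    while IFS='=' read -r key val; do
        case $key in ''|'#'*) continue ;; esac      # blank lines and comments
        case $val in
            yes) v=1 ;;
            no)  v=0 ;;
            *)   printf '# %s: unrecognised value "%s"\n' "$key" "$val"; continue ;;
        esac
        case $key in
            ip_forward)   printf 'net.ipv4.ip_forward = %s\n' "$v" ;;
            spoofprotect) printf 'net.ipv4.conf.all.rp_filter = %s\n' "$v"
                          printf 'net.ipv4.conf.default.rp_filter = %s\n' "$v" ;;
            syncookies)   printf 'net.ipv4.tcp_syncookies = %s\n' "$v" ;;
            *)            printf '# %s: not an /etc/network/options key\n' "$key" ;;
        esac
    done < "$1"
}

# Live audit: the forwarding flag plus rp_filter for each interface directory,
# which is the value that decides whether a packet arriving on one uplink is
# discarded at the routing step when the route back to its source is elsewhere.
audit_forwarding() {             # audit_forwarding [SYSROOT] -> "name value" lines
    local root=${1:-/proc/sys} d
    printf 'ip_forward %s\n' "$(cat "$root/net/ipv4/ip_forward")"
    for d in "$root"/net/ipv4/conf/*/; do
        d=${d%/}
        printf 'rp_filter.%s %s\n' "${d##*/}" "$(cat "$d/rp_filter")"
    done
}

# Interfaces on which strict reverse-path filtering is armed; on a router with
# two uplinks these are the ones that will silently drop asymmetric traffic
# unless each uplink has its own source-policy routing table.
strict_rpf_ifaces() {            # strict_rpf_ifaces [SYSROOT] -> interface names, one per line
    audit_forwarding "$1" | while read -r name val; do
        case $name in
            rp_filter.*) [ "$val" = 1 ] && printf '%s\n' "${name#rp_filter.}" ;;
        esac
    done
}

# Usage on a live Debian box (needs /proc/sys readable):
#   options_to_sysctl /etc/network/options
#   audit_forwarding
#   strict_rpf_ifaces
```

Running strict_rpf_ifaces on the router in the thread and seeing eth1 (or all) listed is the quickest confirmation that spoofprotect is in play; options_to_sysctl shows what to carry over if the box is migrated to /etc/sysctl.conf, which Craig recommends.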




Re: Roach Motel For Packets...

2001-09-29 Thread Craig Sanders

On Sat, Sep 29, 2001 at 10:46:37AM -0400, Peter Billson wrote:
> But if I try to ping eth1, or any of the IPs serviced by eth1, from a
> remote machine the packets come into the router and disappear. They
> do not get DENYed, ACCEPTed or FORWARDed by IPChains on any
> interface. The rules relating to eth0 and eth1 are identical.

as is required by RFC, routing is disabled by default. to enable
routing:

echo 1 >/proc/sys/net/ipv4/ip_forward

use /etc/sysctl.conf to have it enabled automatically at boot.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

