Re: Roach Motel For Packets...

2001-09-30 Thread Peter Billson

Let me see if bad drawings help any:

eth0(to Internet IP A.A.A.A)--|------|
                              |Router|--eth2(192.168.1.1)
eth1(to Internet IP B.B.B.B)--|------|  eth2:0(10.0.0.1)


and

                                   |----------------|
--to router --eth0(192.168.1.2)----|PC #1 - localnet|
              eth0:0 (10.0.0.2)    |----------------|

All traffic to and from 192.168.1.0/27 goes over A.A.A.A
All traffic to and from 10.0.0.0/27 goes over B.B.B.B
A.A.A.A is the default gateway for all other traffic

If I log into the router I can ping any IP, on any interface including
my telco's first hop out eth0 and eth1. Packets get routed as expected.

If I log into PC#1 I can ping any interface on the router, anything on
the localnet and anything on the Internet (through the router's eth0
which is the default gateway) but I can not ping anything on the remote
side of the router's eth1.

If I log into a remote machine I can ping any IP serviced by eth0, can
ping my telco's side of the eth1 connection but can not reach any IPs
serviced by eth1, including eth1 itself.

I'm using ipchains to log *all* packets on every interface and in all
the above examples I can see the ping packets come in eth1 but that's
it. They never attempt to leave through any interface.

Note the IPs in the example are fake. The real IPs are in the public IP
space so the problem isn't trying to route these private IPs over the
internet. :-)

The ipchains rules are:
# Rules for eth0 these work!
ipchains -A input   -i eth2 -s 192.168.1.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth0 -s 192.168.1.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 192.168.1.0/27 -j ACCEPT

# Rules for eth1 these don't!
ipchains -A input   -i eth2 -s 10.0.0.0/27 -j ACCEPT
ipchains -A output  -i eth2 -d 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth1 -s 10.0.0.0/27 -j ACCEPT
ipchains -A forward -i eth2 -d 10.0.0.0/27 -j ACCEPT

# And of course there are other rules allowing traffic in and out eth0
# and eth1.

I'm stumped! I'd be happy if it was a routing problem that I could see
or a firewall rule screwing things up.

Is there, maybe, something I need to do when I give the NIC an alias?

Pete
 

> I am not sure if I understand this exactly. It may help to have more
> information.
>
> I have a feeling your replies are being sent out but are being firewalled
> by another router, since they appear to have a source address that doesn't
> belong to its network (i.e. address spoofing, SMURF attack).


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Roach Motel For Packets...

2001-09-29 Thread Craig Sanders

On Sat, Sep 29, 2001 at 10:46:37AM -0400, Peter Billson wrote:
> But if I try to ping eth1, or any of the IPs serviced by eth1, from a
> remote machine the packets come into the router and disappear. They
> do not get DENYed, ACCEPTed or FORWARDed by IPChains on any
> interface. The rules relating to eth0 and eth1 are identical.

as is required by RFC, routing is disabled by default. to enable
routing:

echo 1 > /proc/sys/net/ipv4/ip_forward

use /etc/sysctl.conf to have it enabled automatically at boot.

craig

-- 
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch






Re: Roach Motel For Packets...

2001-09-29 Thread CaT

On Sun, Sep 30, 2001 at 10:18:28AM +1000, Craig Sanders wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> use /etc/sysctl.conf to have it enabled automatically at boot.

That's one way. The other being:

vim /etc/network/options

There you'll find two other useful options also. All 3 would be
the equivalent of the echo or sysctl.conf above.

-- 
CaT

   As you can expect it's really affecting my sex life. I can't help
   it. Each time my wife initiates sex, these ejaculating hippos keep
   floating through my mind.
   - Mohd. Binatang bin Goncang, Singapore Zoological Gardens


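Craig's echo and CaT's /etc/network/options both drive the same kernel setting, and the thread never pins down why packets arriving on eth1 vanish after the input chain has logged them. The script below is an added example, not anything posted in the thread. It reads the two /proc/sys/net/ipv4 values a practitioner would verify first on a box wired like Pete's router: ip_forward, and the per-interface rp_filter (reverse-path filter). With strict rp_filter on an interface, the kernel silently drops any packet whose source address would be routed back out a different interface. On a router whose only default route points at eth0, that covers every Internet packet arriving on eth1, and the drop happens during routing, after the ipchains input chain and before forward or output ever see the packet, which would fit the symptom described. On Debian of that era, spoofprotect=yes in /etc/network/options is the setting that turns rp_filter on for every interface. PROC_ROOT is a hypothetical override so the functions can be pointed at a constructed copy of /proc for testing; leave it unset on a real router.

```shell
#!/bin/sh
# Added example: check the kernel settings that decide whether a Linux
# router forwards packets that arrived on one of its uplinks.
#
# Two kernel knobs can make a packet "come in eth1 and vanish" without a
# firewall rule ever matching it:
#   1. net.ipv4.ip_forward is 0, so nothing is forwarded at all;
#   2. strict reverse-path filtering (rp_filter) on the ingress interface
#      drops any packet whose source address would be routed back out a
#      different interface, e.g. Internet traffic arriving on eth1 when
#      the only default route points at eth0.
#
# PROC_ROOT is a hypothetical override so the functions below can be
# pointed at a constructed copy of /proc for testing; leave it unset on a
# real box.

PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the contents of a file under $PROC_ROOT/sys/net/ipv4, or "missing"
# when the kernel does not expose it (e.g. no such interface).
read_ipv4_sysctl() {
    f="$PROC_ROOT/sys/net/ipv4/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# Print "enabled" when the kernel will forward IPv4 packets, else "disabled".
forwarding_status() {
    case "$(read_ipv4_sysctl ip_forward)" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Print the effective rp_filter mode for interface $1: "off", "strict",
# "loose" or "unknown". The kernel combines conf/all and conf/<iface>,
# and the higher value wins, so "all" set to 1 filters every interface.
rp_filter_status() {
    all=$(read_ipv4_sysctl conf/all/rp_filter)
    dev=$(read_ipv4_sysctl "conf/$1/rp_filter")
    if [ "$all" = missing ]; then all=0; fi
    if [ "$dev" = missing ]; then dev=0; fi
    eff="$all"
    if [ "$dev" -gt "$eff" ]; then eff="$dev"; fi
    case "$eff" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Print one summary line per interface named on the command line.
router_report() {
    fwd=$(forwarding_status)
    for iface in "$@"; do
        echo "$iface: forwarding=$fwd rp_filter=$(rp_filter_status "$iface")"
    done
}

# Usage on the router itself:  sh check_router.sh eth0 eth1 eth2
if [ "$#" -gt 0 ]; then
    router_report "$@"
fi
```

If the report shows forwarding=enabled but rp_filter=strict on eth1, the next thing to confirm is whether the routing table can send replies to eth1's addresses back out eth1 at all; with a single default route via eth0 it cannot, and fixing that needs source-based routing rather than more ipchains rules.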




Re: Roach Motel For Packets...

2001-09-29 Thread Peter Billson

> as is required by RFC, routing is disabled by default. to enable
> routing:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> use /etc/sysctl.conf to have it enabled automatically at boot.

100% correct you are, but I have already done this. Note that stuff
coming in eth0 is getting forwarded correctly, only packets coming in
eth1 are not. Even eth1 itself does not respond to pings even though I
can log the packets coming in.

Pete
-- 
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting






Re: Roach Motel For Packets...

2001-09-29 Thread Jeremy C. Reed

On Sat, 29 Sep 2001, Peter Billson wrote:

> I have a Linux router with two connections from different service
> providers (eth0 and eth1) coming in and want to route all traffic to go
> out eth2. Eth0 is the router's default gateway
>
> I assigned eth2 two ips (eth2=192.168.0.1 and eth2:0=10.0.0.1). The
> (important) routes are set to
>
>  Network       gateway      netmask          iface
>  192.168.0.0   *            255.255.255.0    eth2
>  10.0.0.1      *            255.255.255.0    eth2
>  (eth1 net)    *            255.255.255.0    eth1
>  default       (eth0 ip)    0.0.0.0          eth0
>
> Ips have been changed to protect the innocent. All ips are really in
> the public IP space.
>
> I am *not* trying to load balance, do BGP or anything like that. I
> basically want the boxen on the network to respond to packets coming
> from either network.
>
> I'm using IPChains to get this all working nice.

Show us.

> If I ping any of the IPs serviced by eth0 (remotely or locally)
> everything works fine. I can ping eth0, eth2 or any of the boxes on the
> network.
>
> From the router I can ping eth0, eth1, eth2, and IPs that should be
> serviced by eth1 on the network and I can ping the provider going out
> eth1.
>
> From the local network I can ping any other machine and *any* IP on
> the router.
>
> But if I try to ping eth1, or any of the IPs serviced by eth1, from a
> remote machine the packets come into the router and disappear. They do
> not get DENYed, ACCEPTed or FORWARDed by IPChains on any interface. The
> rules relating to eth0 and eth1 are identical.

I am not sure if I understand this exactly. It may help to have more
information.

I have a feeling your replies are being sent out but are being firewalled
by another router, since they appear to have a source address that doesn't
belong to its network (i.e. address spoofing, SMURF attack).

  Jeremy C. Reed
echo 'G014AE824B0-07CC?/JJFFFI?D64CBD=3C427=;6HI2J' |
tr /-_ :\ Sc-y./ | sed swxw`uname`w

