[Linux-Anyway] Re: One thing before bed....
- From: horrorvacui@xxxxxxx
- To: Linux-Anyway@xxxxxxxxxxxxx
- Date: Thu, 13 Mar 2003 21:00:08 +0100
On Thu, 13 Mar 2003 10:28:30 -0800 (PST)
Meph Istopheles <meph@xxxxxxxxxxx> wrote:
>
> Horror,
>
> > You've probably set it to masq packets from the private
> > network, which (though it doesn't seem very logical) might be
> > preventing the private network from getting ICMP packets back.
> > Try turning off the firewall and pinging to help localise the
> > problem.
>
> Uh, before doing this, I'd opted to look at what masq is doing:
>
> /sbin/ipchains -L
> Chain input (policy ACCEPT):
> target prot opt source destination
> ports
> icmp icmp ------ anywhere anywhere
> any -> any
> ACCEPT tcp ----l- 192.168.0.0/24 192.168.0.3
> any -> any
> ACCEPT tcp ----l- 192.168.0.3 192.168.0.0/24
> any -> any
> Chain forward (policy ACCEPT):
> target prot opt source destination
> ports
> MASQ all ------ 192.168.0.0/24 anywhere
> n/a
> MASQ all ------ 10.0.0.0/24 anywhere
> n/a
> Chain output (policy ACCEPT):
> Chain icmp (1 references):
> target prot opt source destination
> ports
> ACCEPT all ------ anywhere anywhere
> n/a
>
> While I don't know what the deal iw with the 192's -- know how
> I remove them & replace with 10.etc's -- if necessary. Anyway,
> is this normal?
Hm, where do the rules come from at all? Do you use some firewall script
that automatically generates rules? There might be some residue of
previous setting orgies you forgot to remove, that makes the firewall
script think there is a 192.168/24 network which needs them.
Well, anyway, I don't think they're a problem since your chains all have a
default policy of ACCEPT, so packets which match no rules are accepted
(which is not very secure, by the way - it's better to do it the other way
around and DENY everything except explicitly allowed communications).
There is a rule to masq packets from 10.0/24, so that's fine.
But this rule masquerades also the packets intended for your public
addresses. This is unnecessary and can be resolved by adding rules that
allow simple forwarding before the masquerading rule. For now, temporarily
turning off the firewall while trying to ping should be enough to exclude
the firewall as the source of trouble.
> > Hm, I think configuring it as eth0:1 is better, since eth0 is
> > already eth0:0. I could imagine that your change didn't change
> > the kernel routing tables, which might be the cause of some
> > problems.
>
> OK. Well, I've switched it back to :1 now. But nothing still.
> Where, exactly, should I find the routing tables? I've looked &
> looked, but I can't find them.
route -n will display you the routing tables in numerical form. They're
set automatically based on subnets the box is a member of, to configure
additional, non-volatile routes you can use the /etc/route.conf file.
Cheers
--
Horror Vacui
Registered Linux user #257714
Go get yourself... counted: http://counter.li.org/
- and keep following the GNU.
To unsubcribe send e-mail with the word unsubscribe in the body to:
Linux-Anyway-Request@xxxxxxxxxxxxx?body=unsubscribe
Other related posts:
