[Linux-Anyway] Re: One thing before bed....

  • From: Meph Istopheles <meph@xxxxxxxxxxx>
  • To: Linux-Anyway@xxxxxxxxxxxxx
  • Date: Thu, 13 Mar 2003 12:53:15 -0800 (PST)

> > > You've probably set it to masq packets from the private
> > > network, which (though it doesn't seem very logical) might
> > > be preventing the private network from getting ICMP packets
> > > back. Try turning off the firewall and pinging to help
> > > localise the problem.

> >   Uh, before doing this, I'd opted to look at what masq is
> >   doing:

> > /sbin/ipchains -L
> > Chain input (policy ACCEPT):
> > target     prot opt     source                destination           ports
> > icmp       icmp ------  anywhere             anywhere              any ->   any
> > ACCEPT     tcp  ----l-  192.168.0.0/24       192.168.0.3           any ->   any
> > ACCEPT     tcp  ----l-  192.168.0.3          192.168.0.0/24        any ->   any
> > Chain forward (policy ACCEPT):
> > target     prot opt     source                destination           ports
> > MASQ       all  ------  192.168.0.0/24       anywhere              n/a
> > MASQ       all  ------  10.0.0.0/24          anywhere              n/a
> > Chain output (policy ACCEPT):
> > Chain icmp (1 references):
> > target     prot opt     source                destination           ports
> > ACCEPT     all  ------  anywhere             anywhere              n/a

> >   While I don't know what the deal is with the 192's -- I know
> > how to remove them & replace them with 10.etc's -- if necessary.
> > Anyway, is this normal?

> Hm, where do the rules come from at all?

  Got me.  As you'll see below, there are no 192.'s in the 
routing table.

> Do you use some firewall script that automatically generates
> rules?

  Haven't, still, had time to read up on chains or tables, so I 
use RH's setup app which has a listing for firewalling.  I allow 
only eth0, www, ssh, & ftp.  Till I have the chance to really 
look into specifics, this has done well enough to keep others 
out.

> There might be some residue of previous setting orgies you
> forgot to remove, that makes the firewall script think there is
> a 192.168/24 network which needs them.

  Possibly.  Dunno.

> Well, anyway, I don't think they're a problem since your chains
> all have a default policy of ACCEPT, so packets which match no
> rules are accepted (which is not very secure, by the way - it's
> better to do it the other way around and DENY everything except
> explicitly allowed communications). There is a rule to masq
> packets from 10.0/24, so that's fine.

  Oh, I'd agree, but RH -- even back in the wrappers days -- 
seems to think otherwise.  First thing I do after installing is 
run setup, get the firewall in place, quickly set the other 
things in there I have trouble with & reboot.  It's worked so far....

> But this rule masquerades also the packets intended for your
> public addresses. This is unnecessary and can be resolved by
> adding rules that allow simple forwarding before the
> masquerading rule.

  Ah, but all this is new territory for me, so I've no idea how 
to do that.

> For now, temporarily turning off the firewall while trying to
> ping should be enough to exclude the firewall as the source of
> trouble.

  Heh.  One look at ps aux shows nothing remotely like ipchains 
or firewall running.  What would I be looking for?

> >   OK.  Well, I've switched it back to :1 now.  But nothing
> > still.  Where, exactly, should I find the routing tables?  
> > I've looked & looked, but I can't find them.

> route -n will display the routing tables for you in numerical
> form.  They're set automatically based on subnets the box is a
> member of.

  OK.  Well, here're the results:

/sbin/route -n
Kernel IP routing table
Destination  Gateway       Genmask        Flags Metric Ref    Use Iface
10.0.0.0     10.0.0.1      255.255.255.0  UG    0      0        0 eth0
10.0.0.0     10.0.0.2      255.0.0.0      UG    0      0        0 eth0
10.0.0.0     0.0.0.0       255.0.0.0      U     0      0        0 eth0
127.0.0.0    0.0.0.0       255.0.0.0      U     0      0        0 lo
63.0.0.0     63.249.19.72  255.0.0.0      UG    0      0        0 eth0
63.0.0.0     0.0.0.0       255.0.0.0      U     0      0        0 eth0
0.0.0.0      63.249.19.1   0.0.0.0        UG    0      0        0 eth0

  Hey, while all these (save .1) are on the same subnet, my W98 
is on the subnet .1 is on.  Shouldn't all these be 255.255.255.0 
for them to all work together properly...?

> to configure additional, non-volatile routes you can use the
> /etc/route.conf file.

  Ah, well, there is no such file, but from what you say, I only 
need it if I have different networks than I already have which I 
want to add, yes?

-- 
  There is no act of treachery or mean-ness of which a political 
  party is not capable; for in politics there is no honour.
  -Benjamin Disraeli, "Vivian Grey"
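The firewall advice given in the reply above (default DENY on the chains, plain forwarding for the public addresses placed before the MASQ rule, only the named services open), written out as an added shell example that is not part of the thread. The private network is the 10.0.0.0/24 from the poster's own MASQ rule; PUBLIC_NET and EXT_IF are assumed placeholders, and the rules are emitted as text so they can be inspected before being fed to sh on a 2.2-kernel host.

```shell
#!/bin/sh
# Added example (not from the thread): an ipchains rule set following the
# reply's advice: default DENY, forwarding for the public subnet placed
# BEFORE the MASQ rule, and only www/ssh/ftp opened from outside.
PRIVATE_NET="10.0.0.0/24"      # from the MASQ rule in the poster's listing
PUBLIC_NET="203.0.113.0/24"    # placeholder: the box's public subnet
EXT_IF="eth0"                  # assumed outside interface

# Emit the rules as text; on a 2.2-kernel host: gen_ipchains_rules | sh
gen_ipchains_rules() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
# replies to connections this box or the LAN opened (non-SYN TCP, DNS, ICMP)
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -j ACCEPT
ipchains -A input -p icmp -j ACCEPT
# services reachable from the outside (the poster allows www, ssh and ftp)
ipchains -A input -i $EXT_IF -p tcp -d 0/0 80 -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp -d 0/0 22 -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp -d 0/0 21 -j ACCEPT
# the private LAN may talk to the box itself
ipchains -A input -s $PRIVATE_NET -j ACCEPT
# forward chain: plain routing for public addresses is matched first, so
# only traffic whose source really is private reaches the MASQ rule
ipchains -A forward -s $PUBLIC_NET -j ACCEPT
ipchains -A forward -d $PUBLIC_NET -j ACCEPT
ipchains -A forward -s $PRIVATE_NET -j MASQ
EOF
}

# Check the order the reply insists on: in the forward chain every ACCEPT
# rule must come before the MASQ rule.  Returns 0 when that holds.
check_rule_order() {
    gen_ipchains_rules | grep -n '^ipchains -A forward' | awk -F: '
        /-j ACCEPT$/ { acc = $1 }
        /-j MASQ$/   { masq = $1 }
        END { exit (acc > 0 && masq > acc) ? 0 : 1 }'
}
```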