Re: AW: AW: [suse-security] Multiple Internal Networks not Routing
From: Philipp Rusch (philipp.rusch at rusch-edv.de)
Date: Tue Apr 06 2004 - 17:07:36 CDT
Jason,
Robert's suggestion to stop the firewall and see if routing is working
correctly at all is the way to go.
I sometimes have to think it over at customers' sites when setting up
complex IP networks:
You always have to remember that IP is not "one-way traffic": the packets
MUST know the way back, so setting up a route on one site is okay,
but the *other site* has to know the way back as well, then!!!
Maybe it's only a routing problem you have.
HTH, Philipp
Jason Dobbs wrote:
> Robert,
>
> Yeah, the GW is correct for both networks and I can ping both GWs. I
> can even ping the far side of the box (i.e. on 192.168.65.228 I can
> ping its GW of 192.168.66.252 and the 10.62.56.x GW of 10.62.56.252).
> I however can't ping any other 10.62.56.x address. The same goes for
> any traffic from the 10.62.56.x network to the 192.168.x.x network.
>
> 192.168.65.228 Route Print Dump
> ------------------------------------------------------
> Active Routes:
> Network Destination        Netmask          Gateway         Interface       Metric
> 0.0.0.0                    0.0.0.0          192.168.66.252  192.168.65.228  20
> 10.62.56.0                 255.255.255.0    192.168.66.252  192.168.65.228  1
> 127.0.0.0                  255.0.0.0        127.0.0.1       127.0.0.1       1
> 192.168.0.0                255.255.0.0      192.168.65.228  192.168.65.228  20
> 192.168.65.228             255.255.255.255  127.0.0.1       127.0.0.1       20
> 192.168.65.255             255.255.255.255  192.168.65.228  192.168.65.228  20
> 224.0.0.0                  240.0.0.0        192.168.65.228  192.168.65.228  20
> 255.255.255.255            255.255.255.255  192.168.65.228  192.168.65.228  1
> Default Gateway: 192.168.66.252
> ===========================================================================
>
> Persistent Routes:
> None
>
>
> ***NOTE*** ---- I added the 10.62.56.0 route hoping to produce
> results. This however did not work either and has been removed.
>
>
> Thank You,
> Jason Dobbs . IT Manager
> Westin Casuarina Casino Las Vegas
>
>
>
> Rasp, Robert wrote:
>
>> Jason,
>>
>> Routing on the router is looking good, I think...
>> Is the default gateway set correctly on the workstations?
>> Can you ping this IP???
>>
>> Can I have the routing table from your router and the IPs of the
>> network cards?
>> Can I have a routing table from one client on each network (Windows
>> --> route print)?
>>
>> CU
>> Robert
>>
>>
>> -----Original Message-----
>> From: Jason Dobbs [mailto:jdobbs at casuarinacasino.com]
>> Sent: Tuesday, 6 April 2004 22:37
>> To: suse-security at suse.com
>> Subject: Re: AW: [suse-security] Multiple Internal Networks not Routing
>>
>>
>> Robert,
>>
>> ETH1 Dump
>> ------------------------------------------
>> tcpdump: listening on eth1
>> 05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request
>>
>> 4 packets received by filter
>> 0 packets dropped by kernel
>>
>>
>> ETH2 Dump
>> -------------------------------------------
>> tcpdump -pni eth2 icmp
>> tcpdump: listening on eth2
>> 05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
>> 05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request
>>
>> 4 packets received by filter
>> 0 packets dropped by kernel
>>
>>
>> 192.168.65.228 trying to ping 10.62.56.8
>> ---------------------------------------------------
>> Pinging 10.62.56.8 with 32 bytes of data:
>>
>> Request timed out.
>> Request timed out.
>> Request timed out.
>> Request timed out.
>>
>> Ping statistics for 10.62.56.8:
>> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>>
>>
>>
>>
>> IP-Forwarding
>> ----------------------------------------
>> cat /proc/sys/net/ipv4/ip_forward <enter>
>> 1
>>
>>
>>
>> Thank You,
>> Jason Dobbs . IT Manager
>> Westin Casuarina Casino Las Vegas
>>
>>
>>
>> Rasp, Robert wrote:
>>
>>
>>
>>> Hello,
>>>
>>> I had this problem myself... I hate routing sometimes ;-)
>>> Is IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward)?
>>> Try this:
>>> Open two shells and start "tcpdump -pni eth1 icmp" in one shell and
>>> "tcpdump -pni eth2 icmp" in the other.
>>> Try the ping again and watch the results...
>>>
>>> CU
>>> Robert
>>>
>>>
>>> -----Original Message-----
>>> From: Jason Dobbs [mailto:jdobbs at casuarinacasino.com]
>>> Sent: Tuesday, 6 April 2004 21:49
>>> To: Rasp, Robert
>>> Subject: Re: *****list-suse***** AW: [suse-security] Multiple Internal Networks not Routing
>>>
>>>
>>> Robert,
>>>
>>> I took the firewall script down and tried a ping from 192.168.65.228
>>> to 10.62.56.8 and got the same results, request timed out.
>>>
>>> Thank You,
>>> Jason Dobbs . IT Manager
>>> Westin Casuarina Casino Las Vegas
>>>
>>>
>>>
>>> Rasp, Robert wrote:
>>>
>>>
>>>
>>>
>>>
>>>> Hello,
>>>>
>>>> If I had this problem, I'd try it without the firewall first....
>>>> Then you can be sure your routing is OK.
>>>> It may be better to stay offline while the firewall script isn't
>>>> running :-)
>>>>
>>>> CU
>>>> Robert
>>>>
>>>> -----Original Message-----
>>>> From: Jason Dobbs [mailto:jdobbs at casuarinacasino.com]
>>>> Sent: Tuesday, 6 April 2004 17:18
>>>> To: suse-security at suse.com
>>>> Subject: [suse-security] Multiple Internal Networks not Routing
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Hoping someone can point out my mistake here! I have SuSE 9.0
>>>> running with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and
>>>> eth2=10.62.56.0/24). Everything with the internet is working great.
>>>> The problem is routing traffic between eth1 and eth2. I've set both
>>>> networks as trusted, set FW_FORWARD, and enabled
>>>> FW_ALLOW_CLASS_ROUTING. Nothing has seemed to work. Posted is also
>>>> a copy of my /etc/sysconfig/SuSEfirewall2. I'd like to allow all
>>>> traffic between these 2 networks.
>>>>
>>>> Any ideas?
>>>>
>>>> -------------------------------------------------------------------
>>>> FW_QUICKMODE="no"
>>>> FW_DEV_EXT="eth0"
>>>> FW_DEV_INT="eth1 eth2"
>>>> FW_DEV_DMZ=""
>>>> FW_ROUTE="yes"
>>>> FW_MASQUERADE="yes"
>>>> FW_MASQ_DEV="$FW_DEV_EXT"
>>>> FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server ip>/32"
>>>> FW_PROTECT_FROM_INTERNAL="no"
>>>> FW_AUTOPROTECT_SERVICES="yes"
>>>> FW_SERVICES_EXT_TCP="http https ssh"
>>>> FW_SERVICES_EXT_IP=""
>>>> FW_SERVICES_DMZ_TCP=""
>>>> FW_SERVICES_DMZ_IP=""
>>>> FW_SERVICES_INT_TCP=""
>>>> FW_SERVICES_INT_UDP=""
>>>> FW_SERVICES_INT_IP=""
>>>> FW_SERVICES_QUICK_TCP=""
>>>> FW_SERVICES_QUICK_UDP=""
>>>> FW_SERVICES_QUICK_IP=""
>>>> FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
>>>> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
>>>> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
>>>> FW_SERVICE_AUTODETECT="yes"
>>>> FW_SERVICE_DNS="yes"
>>>> FW_SERVICE_DHCLIENT="no"
>>>> FW_SERVICE_DHCPD="yes"
>>>> FW_SERVICE_SQUID="yes"
>>>> FW_SERVICE_SAMBA="no"
>>>> FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
>>>> 192.168.0.0/16,10.62.56.0/24,udp,1:65535 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
>>>> 192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
>>>> FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
>>>> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
>>>> FW_REDIRECT=""
>>>> FW_LOG_DROP_CRIT="yes"
>>>> FW_LOG_DROP_ALL="yes" # Jason Dobbs
>>>> FW_LOG_ACCEPT_CRIT="yes"
>>>> FW_LOG_ACCEPT_ALL="yes" # Jason Dobbs
>>>> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
>>>> FW_KERNEL_SECURITY="yes"
>>>> FW_STOP_KEEP_ROUTING_STATE="no"
>>>> FW_ALLOW_PING_FW="yes"
>>>> FW_ALLOW_PING_DMZ="no"
>>>> FW_ALLOW_PING_EXT="no"
>>>> FW_ALLOW_FW_TRACEROUTE="yes"
>>>> FW_ALLOW_FW_SOURCEQUENCH="yes"
>>>> FW_ALLOW_FW_BROADCAST="no"
>>>> FW_IGNORE_FW_BROADCAST="yes"
>>>> FW_ALLOW_CLASS_ROUTING="yes"
>>>> FW_CUSTOMRULES=""
>>>> FW_REJECT="no"
>>>> FW_HTB_TUNE_DEV=""
>>>> -----------------------------------------------------------------------------------
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help at suse.com
Security-related bug reports go to security at suse.de, not here
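Robert's two-tcpdump procedure turned into a check, as an added Python example that is not from the thread or from SuSEfirewall2: it parses old-style tcpdump echo lines captured on both router interfaces and reports which segment of the path (client, router forward, target's return route, router reverse) drops the ping. The sample captures are the thread's own lines embedded as constructed input; the function and verdict names are my own.

```python
import re
from collections import Counter

# Constructed sample input: the thread's captures on the SuSE router, in the
# old tcpdump line format ("tcpdump -pni eth1 icmp" / "tcpdump -pni eth2 icmp").
ETH1_CAPTURE = """\
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request
"""
ETH2_CAPTURE = """\
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request
"""

ICMP_LINE = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)")

def count_echo(capture):
    """Count (src, dst, kind) triples over the ICMP echo lines of a capture."""
    counts = Counter()
    for line in capture.splitlines():
        m = ICMP_LINE.match(line)
        if m:
            counts[m.groups()] += 1
    return counts

def diagnose(near_capture, far_capture, client, target):
    """Locate a one-way ping failure. near_capture is the router interface facing
    the client (eth1 in the thread), far_capture the one facing the target (eth2)."""
    near, far = count_echo(near_capture), count_echo(far_capture)
    req_arrived = near[(client, target, "request")]
    req_forwarded = far[(client, target, "request")]
    rep_arrived = far[(target, client, "reply")]
    rep_forwarded = near[(target, client, "reply")]
    if req_arrived == 0:
        return "CLIENT_ROUTE", "no requests reach the router: check the client's gateway"
    if req_forwarded == 0:
        return "ROUTER_FORWARD", "router does not forward: check ip_forward and FORWARD rules"
    if rep_arrived == 0:
        return "RETURN_PATH", "target never answers: it needs a route back to the client net"
    if rep_forwarded == 0:
        return "ROUTER_REPLY", "reply reaches the router but is not sent back: reverse rules"
    return "OK", "echo request and reply cross both interfaces"

if __name__ == "__main__":
    print(diagnose(ETH1_CAPTURE, ETH2_CAPTURE, "192.168.65.228", "10.62.56.8"))
```

On the thread's captures the verdict is RETURN_PATH, which is the case Philipp describes: the router forwards the request, but 10.62.56.8 has no way back to 192.168.65.228.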