From: <bigman@monster-solutions.net>
To: Antony Stone <Antony@Soft-Solutions.co.uk>,
netfilter@lists.netfilter.org
Subject: Re: DHCRELAY through IPTABLES Firewall
Date: Sun, 27 Oct 2002 03:58:09 -0500
Message-ID: <001c01c27d96$fafd0ed0$8f33e40f@lsmith5953>
In-Reply-To: 20021027080906.OMSF9836.mta01-svc.ntlworld.com@there
I am running DHCRELAY as below
dhcrelay -i eth2 192.168.1.70
192.168.1.70 DHCP Server (W2K)
LAN1 192.168.1.0
LAN2 192.168.2.0
Here is my routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 0 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
x.x.x.x (ISP Subnet) * 255.255.252.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default x.x.x.x (ISP Assigned IP) 0.0.0.0 UG 0 0 0 eth0

Here are my Netfilter settings

Chain INPUT (policy DROP 84 packets, 6522 bytes)
pkts bytes target prot opt in out source destination
2402 839K lan1-in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4468 730K ext-int-in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
9283 1160K lan2-in all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
67892 42M lan1-lan2-fwd all -- eth1 eth2 0.0.0.0/0 0.0.0.0/0
54339 7531K lan2-lan1-fwd all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
133K 153M ext-int-fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
50699 4126K lan1-ext-fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
35220 30M lan2-ext-fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 172 packets, 19408 bytes)
pkts bytes target prot opt in out source destination
817 133K lan1-lan2 all -- * eth2 0.0.0.0/0 0.0.0.0/0
2507 381K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
1351 337K ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
60 3600 ACCEPT tcp -- * * 0.0.0.0/0 x.x.x.x (ISP Assigned IP)

Chain ext-int-fwd (1 references)
pkts bytes target prot opt in out source destination
133K 153M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain ext-int-in (1 references)
pkts bytes target prot opt in out source destination
2681 201K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1432 483K DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain lan1-ext-fwd (1 references)
pkts bytes target prot opt in out source destination
50699 4126K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0

Chain lan1-in (1 references)
pkts bytes target prot opt in out source destination
2387 834K ACCEPT all -- eth1 * 192.168.1.0/24 0.0.0.0/0
15 4920 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0

Chain lan1-lan2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 0.0.0.0/0 udp dpt:68
595 99614 ACCEPT all -- * eth2 0.0.0.0/0 192.168.2.0/24 state RELATED,ESTABLISHED
222 33821 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain lan1-lan2-fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 192.168.2.105 udp dpt:6257
0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.2.105 tcp dpt:6699
67463 42M ACCEPT all -- * eth2 0.0.0.0/0 192.168.2.0/24 state RELATED,ESTABLISHED
429 385K DROP all -- * eth2 0.0.0.0/0 0.0.0.0/0

Chain lan2-ext-fwd (1 references)
pkts bytes target prot opt in out source destination
35220 30M ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain lan2-in (1 references)
pkts bytes target prot opt in out source destination
109 37146 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
9173 1123K ACCEPT all -- eth2 * 192.168.2.0/24 0.0.0.0/0
1 328 DROP all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain lan2-lan1-fwd (1 references)
pkts bytes target prot opt in out source destination
54339 7531K ACCEPT all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0
----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, October 27, 2002 3:09 AM
Subject: Re: DHCRELAY through IPTABLES Firewall
> On Sunday 27 October 2002 4:33 am, bigman@monster-solutions.net wrote:
>
> > All,
> > I am wondering if someone out there would be so kind as to help me
> > figure out why I cannot get DHCRELAY to relay DHCP requests from one LAN
> > segment to another LAN segment where a Windows 2000 DHCP server resides. I
> > have verified that the requests are hitting the DHCRELAY on 67/UDP and then
> > the DHCRELAY is trying to send back out on ETH2 (LAN2 Segment) to the DHCP
> > Server on LAN1, but there is nothing after that. I have used Snort in
> > sniffer mode and I can see UDP traffic on 68/UDP and 67/UDP on LAN2, but I
> > never see any on LAN1. So my guess is that for some reason it is not
> > routing through the firewall correctly. Any help would be greatly
> > appreciated.
>
> Tell us:
>
> 1. Your netfilter rules
>
> 2. Your network addresses for LAN1 and LAN2.
>
> 3. The routing table on the firewall.
>
> 4. Your dhcrelay command line.
>
> Antony.
>
> --
>
> If at first you don't succeed, destroy all the evidence that you tried.
>
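To audit what the posted ruleset actually permits for the relayed DHCP exchange, here is a small Python model of iptables chain evaluation that walks the INPUT and OUTPUT chains (with their user-chain jumps) for each hop of the exchange. This is an added example, not code from the post or from netfilter; the firewall's own addresses 192.168.1.1 (eth1) and 192.168.2.1 (eth2) and the relay's packet headers are assumptions.

```python
import ipaddress
# Rules transcribed from the posted listing (counters dropped), limited to the chains the relay
# hops cross. Columns: chain target proto in out src dst [dpt:N] [state:A,B]
LISTING = """
INPUT     lan1-in   all eth1 *    0.0.0.0/0      0.0.0.0/0
INPUT     lan2-in   all eth2 *    0.0.0.0/0      0.0.0.0/0
OUTPUT    lan1-lan2 all *    eth2 0.0.0.0/0      0.0.0.0/0
OUTPUT    ACCEPT    all *    eth0 0.0.0.0/0      0.0.0.0/0
OUTPUT    ACCEPT    all *    *    192.168.1.0/24 0.0.0.0/0
lan1-in   ACCEPT    all eth1 *    192.168.1.0/24 0.0.0.0/0
lan1-in   DROP      all eth1 *    0.0.0.0/0      0.0.0.0/0
lan1-lan2 ACCEPT    udp *    eth2 0.0.0.0/0      0.0.0.0/0      dpt:68
lan1-lan2 ACCEPT    all *    eth2 0.0.0.0/0      192.168.2.0/24 state:RELATED,ESTABLISHED
lan1-lan2 DROP      all *    *    0.0.0.0/0      0.0.0.0/0
lan2-in   ACCEPT    udp eth2 *    0.0.0.0/0      0.0.0.0/0      dpt:67
lan2-in   ACCEPT    all eth2 *    192.168.2.0/24 0.0.0.0/0
lan2-in   DROP      all eth2 *    0.0.0.0/0      0.0.0.0/0
"""
POLICY, TERMINAL = {"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"}, {"ACCEPT", "DROP", "REJECT"}
def parse(listing):
    chains = {}
    for f in (line.split() for line in listing.strip().splitlines()):
        rule = {"target": f[1], "proto": f[2], "in": f[3], "out": f[4],
                "src": ipaddress.ip_network(f[5]), "dst": ipaddress.ip_network(f[6])}
        for key, val in (x.split(":", 1) for x in f[7:]):  # optional dpt:N / state:A,B matches
            rule[key] = int(val) if key == "dpt" else set(val.split(","))
        chains.setdefault(f[0], []).append(rule)
    return chains

def matches(r, p):  # interface, protocol, source/destination network, port and conntrack state
    return (r["in"] in ("*", p["in"]) and r["out"] in ("*", p["out"]) and r["proto"] in ("all", p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"] and ipaddress.ip_address(p["dst"]) in r["dst"]
            and r.get("dpt", p["dport"]) == p["dport"] and p["state"] in r.get("state", {p["state"]}))

def verdict(chains, chain, p):  # first match wins; an exhausted user chain returns to its caller
    for r in chains.get(chain, []):
        if matches(r, p):
            v = (r["target"], chain) if r["target"] in TERMINAL else verdict(chains, r["target"], p)
            if v[0] in TERMINAL:
                return v
    return POLICY.get(chain, "RETURN"), chain
# The four hops of the relayed exchange as (chain, in, out, src, dst, dport, state), all UDP;
# 192.168.1.1 (eth1) and 192.168.2.1 (eth2) are ASSUMED firewall addresses, not from the post.
HOPS = {"client DISCOVER -> relay": ("INPUT", "eth2", "*", "0.0.0.0", "255.255.255.255", 67, "NEW"),
        "relay -> DHCP server": ("OUTPUT", "*", "eth1", "192.168.1.1", "192.168.1.70", 67, "NEW"),
        "server OFFER -> relay": ("INPUT", "eth1", "*", "192.168.1.70", "192.168.1.1", 67, "ESTABLISHED"),
        "relay -> client": ("OUTPUT", "*", "eth2", "192.168.2.1", "255.255.255.255", 68, "NEW")}
def trace_relay():  # {hop: (verdict, chain that issued it)} for every hop
    chains, keys = parse(LISTING), ("in", "out", "src", "dst", "dport", "state")
    return {hop: verdict(chains, h[0], dict(zip(keys, h[1:]), proto="udp")) for hop, h in HOPS.items()}
```

Under the posted rules every hop comes back ACCEPT, so the trace doubles as a regression check whenever the chains are edited.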