From: "Slawomir Orlowski" <orlowscy@hotpop.com>
To: netfilter@lists.netfilter.org
Subject: virtual interfaces not visible from internet
Date: Wed, 22 Oct 2003 13:57:01 -0400
Message-ID: <00a101c398c5$e5546b00$4900a8c0@cympak.com>

Hello there,

I have a working Linux 6.1 kernel 2.16 firewall with ipchains + ipmasqadm.

And I wanted to build a new one based on RH 9.0 kernel 2.4 + iptables.

I have built it following the guidelines of Oskar Andreasson (Iptables Tutorial
1.1.19), expanding it and adding some rules.
I have 10 virtual interfaces (web pages on the LAN). So I needed to add
PREROUTING (DNAT) rules to it and proper FORWARD rules because the web servers
are behind the firewall.

I can ping from the firewall all its interfaces: external eth0, eth0:0 ...
eth0:10 and internal eth1.
But they are not visible from the internet, not all of them, sometimes some of
them...
From the internet I can ping eth0 and sometimes two of its virtual interfaces
(one for DNS, another for a web page), for example eth0:3 and eth0:1, and then
if I can ping it I can get the web page of the IP of this interface.

Funny thing is, when I swap to the old firewall I will not be able for a few
hours to ping these two IP addresses (it is not the same exact interface). For
example IP 198.x.x.89 on the old one is eth1:4, on the new one it is eth0:3.
There is a difference between them: on the old working one, the external
interfaces are eth1, eth1:0 ... eth1:10 and the internal is eth0, but this
should not matter, should it?

I have been swapping them on the fly. There are first 20-something "BTP: not
in syn" packets from broken masq connections from the old one, but there are no
dropped INPUT, OUTPUT or FORWARD packets (I'm logging nearly everything).

So usually after swapping to the new one, I can get the first web page I'm
trying to get via an external proxy (to check it from outside).
The same behavior occurs when I'm doing it from some PC at home.
And I cannot get the other web pages; I cannot ping their IP addresses. After
swapping from the new one to the old one, this first web page would not work but
the rest would.

I have two virtual interfaces designated to answer DNS queries about our
domains.
Funny thing: after connecting the new firewall one will work and the second will
not; after swapping to the old one it will be the opposite way for a few hours.
Later both will work. It does not make any sense to me; I cannot understand it.

So please, somebody help me. It looks like magic to me.

One more thing: traffic originating from the LAN goes through the firewall
(eth1-eth0 SNAT) without any problems.
This magic situation concerns only the virtual interfaces. This is a really
strong firewall in not letting anybody in :)
I would appreciate it if somebody would be willing to help me in any way.

ANY advice appreciated.

Best regards.

Slawomir Orlowski


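The PREROUTING (DNAT) plus FORWARD pairing that the post describes for a set of alias addresses, written out as an added example. This is not code from the original mail or from the Iptables Tutorial it cites; the interface names (eth0 external, eth1 internal), the public addresses in 198.51.100.0/24 and the internal servers in 192.168.0.0/24 are hypothetical placeholders. One point the script bakes in: netfilter never sees alias labels such as eth0:3 or eth1:4 (every alias packet arrives on the parent device), so each rule selects on the destination address with -d rather than on an alias name, and the FORWARD rule matches the internal address because it runs after DNAT has rewritten the packet.

```shell
#!/bin/sh
# Added example, not from the original mail: emit the PREROUTING (DNAT) and
# FORWARD rule pairs for several public alias addresses on one external NIC.
# Hypothetical assumptions: external interface eth0, internal interface eth1,
# public addresses in 198.51.100.0/24 (documentation range), servers in
# 192.168.0.0/24. Adjust WAN, LAN and MAP for a real network.

WAN=eth0
LAN=eth1

# Constructed mapping: "public_ip internal_ip port proto", one entry per line.
MAP='198.51.100.81 192.168.0.11 80 tcp
198.51.100.82 192.168.0.12 80 tcp
198.51.100.83 192.168.0.13 53 udp
198.51.100.83 192.168.0.13 53 tcp'

# One DNAT rule plus the matching FORWARD rule for a single published service.
# Alias labels (eth0:3) are not devices as far as netfilter is concerned: every
# alias packet arrives on eth0, so the rules select on the address with -d.
gen_dnat_pair() {
    pub=$1; int=$2; port=$3; proto=$4
    printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN" "$proto" "$pub" "$port" "$int" "$port"
    # FORWARD sees the packet after DNAT, so it must match the internal address.
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN" "$LAN" "$proto" "$int" "$port"
}

# Full nat/FORWARD fragment: return traffic first, then one pair per entry,
# then log and drop whatever is left so a missing pair shows up in the log.
gen_ruleset() {
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAP" | while read -r pub int port proto; do
        gen_dnat_pair "$pub" "$int" "$port" "$proto"
    done
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
    echo "iptables -P FORWARD DROP"
}

gen_ruleset
```

After loading the generated commands, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show a packet counter per address; probing each public address from outside and watching which DNAT counters move separates addresses whose packets never reach the box from addresses that arrive but are dropped in FORWARD (those appear in the FWD-DROP log).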
