* [LARTC] Simple routing configuration
From: Paul Lewis @ 2005-12-24 18:11 UTC (permalink / raw)
To: lartc, netfilter
Hi,
I have a simple question (well, at least I think it's simple!). I have a
router, with four Ethernet cards; eth0-eth3. eth0 and eth3 are the
'external' cards, connecting to my ISPs. eth1 and eth2 are connected to my
internal networks. What I want to do is basically filter all the traffic
from one card to another, in this configuration:
eth1 to eth3
eth2 to eth0
The thing is, I'm not sure if this is a routing or a firewall problem, or
maybe a bit of both? I've tried setting up the routing using ip route, using
the command below, but to no avail. When I used these commands, I did not
change any of my existing firewall configuration. Here are the ip route
commands:
echo "101 ISP_1" >> /etc/iproute2/rt_tables
echo "102 ISP_2" >> /etc/iproute2/rt_tables
ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2
ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2
I also tried a simple iptables forward command, in the form of:
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
# default policy
iptables -P FORWARD DROP
In both cases, I have set /proc/sys/net/ipv4/ip_forward to "1".
Any help would be greatly appreciated.
Many thanks,
Paul
---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Materials Science
University of Oxford
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: Simple routing configuration
From: John A. Sullivan III @ 2005-12-24 18:32 UTC (permalink / raw)
To: Paul Lewis; +Cc: lartc, netfilter
On Sat, 2005-12-24 at 18:11 +0000, Paul Lewis wrote:
> Hi,
>
> I have a simple question (well, at least I think it's simple!). I have a
> router, with four Ethernet cards; eth0-eth3. eth0 and eth3 are the
> 'external' cards, connecting to my ISPs. eth1 and eth2 are connected to my
> internal networks. What I want to do is basically filter all the traffic
> from one card to another, in this configuration:
> eth1 to eth3
> eth2 to eth0
>
> The thing is, I'm not sure if this is a routing or a firewall problem, or
> maybe a bit of both? I've tried setting up the routing using ip route, using
> the command below, but to no avail. When I used these commands, I did not
> change any of my existing firewall configuration. Here are the ip route
> commands:
>
> echo "101 ISP_1" >> /etc/iproute2/rt_tables
> echo "102 ISP_2" >> /etc/iproute2/rt_tables
>
> ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
> ip route add default via 192.168.100.253 table ISP_1
> ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
> ip route add default via 192.168.20.253 table ISP_2
>
> ip rule add from 192.168.7.253 table ISP_1
> ip rule add from 192.168.3.253 table ISP_2
>
> I also tried a simple iptables forward command, in the form of:
>
> iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
> iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
> iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
>
> # default policy
> iptables -P FORWARD DROP
>
> In both cases, I have set /proc/sys/net/ipv4/ip_forward to "1".
>
<snip>
After a quick look, I would guess you need to use the iif selector for
your rules (Inbound InterFace). There is a training slide show about
this in the training section of the ISCS network security management
project web site (http://iscs.sourceforge.net) or you can look in the
ip-cref.ps file that shipped with your distribution. On my FC4, it
is /usr/share/doc/iproute-2.6.11/ip-cref.ps. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
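The following is an added example, not code from the thread: it applies John's iif suggestion to Paul's interfaces and addresses. An ip rule keyed on "from <router address>" only matches packets the router itself originates; packets forwarded from a LAN host carry that host's source address, so they never hit the rule and fall through to the main table. Assumptions: the rt_tables entries from Paul's message already exist, the ISP_1 gateway is reachable on eth0 and the ISP_2 gateway on eth3 (matching his eth2-to-eth0 and eth1-to-eth3 mapping), and DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): select the per-ISP routing table by
# inbound interface (iif) so forwarded LAN traffic is steered, not just the
# router's own packets. DRY_RUN=1 prints commands; DRY_RUN=0 applies them
# (requires root). Assumes "101 ISP_1" and "102 ISP_2" are in rt_tables.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_rules INSIDE_IF INSIDE_NET ROUTER_ADDR OUTSIDE_IF GATEWAY TABLE
# Emits (or applies) one inside/outside pairing.
pbr_rules() {
    inside_if=$1 inside_net=$2 router_addr=$3 outside_if=$4 gw=$5 table=$6
    # The table needs the way back to the inside network plus a default
    # route via that ISP's gateway. "dev" pins the default route to the
    # external card (assumption: the gateway sits on that card).
    run ip route add "$inside_net" dev "$inside_if" src "$router_addr" table "$table"
    run ip route add default via "$gw" dev "$outside_if" table "$table"
    # Forwarded packets have the LAN host's source address, so match on
    # the interface they arrived on rather than on "from".
    run ip rule add iif "$inside_if" table "$table"
}

# Paul's mapping: eth2 -> eth0 (ISP_1), eth1 -> eth3 (ISP_2)
all_rules() {
    pbr_rules eth2 192.168.4.0/22 192.168.7.253 eth0 192.168.100.253 ISP_1
    pbr_rules eth1 192.168.0.0/22 192.168.3.253 eth3 192.168.20.253 ISP_2
    # Keep the "from" rules too: they cover traffic the router itself
    # originates from each inside address (e.g. replies to LAN hosts).
    run ip rule add from 192.168.7.253 table ISP_1
    run ip rule add from 192.168.3.253 table ISP_2
    # Existing cached flows keep their old decision until the cache is flushed.
    run ip route flush cache
}

all_rules
```

After applying, "ip rule show" should list the two iif rules ahead of the main table, and "ip route get <some LAN address> from 192.168.4.10 iif eth2" should report the ISP_1 gateway.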
* Networking question
From: Dave Beach @ 2005-12-24 18:34 UTC (permalink / raw)
To: netfilter
This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy to be
redirected to another, more appropriate mailing list should someone be so
kind as to suggest one.
Internal, home, private network, WinXP boxen and a Squid proxy, connecting
through an iptables box to my router and cable modem. Everything works
peachy.
While trying to poke bittorrent holes through my iptables setup (see? Some
vague evidence of relevance), I encountered problems and decided to take the
proxy out of the picture. VERY much to my surprise, when I reconfigured IE
to not use the proxy (and configured iptables to allow for a direct
connection), I see no HTTP traffic whatsoever leaving the XP box destined
for the firewall. In fact, no TCP traffic either (all traffic analysis done
with ethereal on the XP box). I can ping to/from the XP box, and see THAT
via ethereal.
I am considerably confused by this. My presumption was that IE would just
happily send HTTP traffic directly to the firewall, but this is NOT the
behaviour I'm seeing.
I know it's Christmas Eve day, and I was out a bit late last night, but
there's clearly something VERY obvious I'm missing.
* Re: Networking question
From: John A. Sullivan III @ 2005-12-24 18:53 UTC (permalink / raw)
To: Dave Beach; +Cc: netfilter
On Sat, 2005-12-24 at 13:34 -0500, Dave Beach wrote:
> This is undoubtedly off-topic in oh-so-many ways; I'd be quite happy to be
> redirected to another, more appropriate mailing list should someone be so
> kind as to suggest one.
>
> Internal, home, private network, WinXP boxen and a Squid proxy, connecting
> through an iptables box to my router and cable modem. Everything works
> peachy.
>
> While trying to poke bittorrent holes through my iptables setup (see? Some
> vague evidence of relevance), I encountered problems and decided to take the
> proxy out of the picture. VERY much to my surprise, when I reconfigured IE
> to not use the proxy (and configured iptables to allow for a direct
> connection), I see no HTTP traffic whatsoever leaving the XP box destined
> for the firewall. In fact, no TCP traffic either (all traffic analysis done
> with ethereal on the XP box). I can ping to/from the XP box, and see THAT
> via ethereal.
>
> I am considerably confused by this. My presumption was that IE would just
> happily send HTTP traffic directly to the firewall, but this is NOT the
> behaviour I'm seeing.
>
> I know it's Christmas Eve day, and I was out a bit late last night, but
> there's clearly something VERY obvious I'm missing.
>
>
If the problem is on the XP station (no packets egressing), could there
be an XP personal firewall problem? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: Networking question
From: /dev/rob0 @ 2005-12-24 18:56 UTC (permalink / raw)
To: netfilter
On Saturday 2005-December-24 12:53, John A. Sullivan III wrote:
> If the problem is on the XP station (no packets egressing), could
> there be an XP personal firewall problem? - John
That, or routing: is a default route set?
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: Networking question
From: Edmundo Carmona @ 2005-12-24 18:58 UTC (permalink / raw)
To: netfilter
Probably there's no gateway in the XP box setup... or the gateway is
plain wrong.
Merry Xorg-mas to everyone around! ;-)
* RE: Networking question
From: Dave Beach @ 2005-12-24 19:02 UTC (permalink / raw)
To: netfilter
Thanks for the reply. The default gateway for the internal network is the
firewall box.