Linux Netfilter discussions
* Today's Brain Teaser.
@ 2003-03-12  8:35 Jonathan Humphrey
  2003-03-12  9:08 ` Raymond Leach
  0 siblings, 1 reply; 6+ messages in thread
From: Jonathan Humphrey @ 2003-03-12  8:35 UTC (permalink / raw)
  To: netfilter


[-- Attachment #1.1: Type: text/plain, Size: 1343 bytes --]

I've been struggling with this one for some time; I am currently at the end
of my tether, so if anyone has any great ideas about why this happens, let me
know.
 
Basically, I have a Linux server that has three interfaces;
 
    eth1          aaa.aaa.aaa.202        External Facing network
    eth0          bbb.bbb.bbb.254        Internal protected network
    eth1:0       aaa.aaa.aaa.197        External IP Address for FTPServer
 
I have a device that sits on xxx.xxx.xxx.5 that cannot get to any service on
aaa.aaa.aaa.197; however, every other IP address I have tried can.  I suspect
that if I release the real IP address of aaa.aaa.aaa.197 then everyone
reading this list could too.
 
And it's the .5 address: if I try from xxx.xxx.xxx.15 I can connect.
 
Nothing is being shown as dropped in the logs either.
 
Thanks,
 
Jonathan Humphrey
 


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

**********************************************************************


[-- Attachment #1.2: Type: text/html, Size: 3266 bytes --]

[-- Attachment #2: public_2_5 --]
[-- Type: application/octet-stream, Size: 16168 bytes --]

#!/bin/sh
#

# Scripts Settings
VERBOSE=1		# Allows for Debug Checking

############################################################################
# Assignments
[ $VERBOSE -gt 0 ] && echo "Assignments"
############################################################################

# Change these assignments to conform to your network architecture
# Weed unneeded variables

EXTDEV=eth1
EXTIP="aaa.aaa.aaa.202"
EXTBASE="aaa.aaa.aaa.192"
EXTBCAST="aaa.aaa.aaa.240"
EXTGATE="aaa.aaa.aaa.193"

# FTPSERVER's External IP Address
EXTIP_FTPSERVER="aaa.aaa.aaa.197"

# Trusted Network Info

INTDEV=eth0
INTIP="bbb.bbb.bbb.254"
INTBASE="bbb.bbb.bbb.0"
INTBCAST="bbb.bbb.bbb.255"
INTNET="bbb.bbb.bbb.0/24"

# IP addresses of hosts and networks authorized to ping firewall
PING="xxx.xxx.xxx.0/24 $INTNET 127.0.0.1"

# IP addresses of hosts and networks allowed to SSH into firewall
SSH="xxx.xxx.xxx.5 bbb.bbb.bbb.200"

# IP addresses of hosts and networks allowed to FTP into firewall
FTP="xxx.xxx.xxx.5"

# IP addresses of hosts and networks allowed to use firewall as SMTP relay
SMTP="xxx.xxx.xxx.5"

# IP addresses of hosts on protected network allowed all port access
PORTALL="bbb.bbb.bbb.200"

# IP addresses of hosts on protected network allowed port 21 access (ftp)
PORT21=""

# IP addresses of hosts on protected network  allowed port 22 access (ssh)
PORT22=""

# IP addresses of hosts on protected network  allowed port 25 access (smtp)
PORT25=""

# IP addresses of hosts on protected network  allowed port 53 access (domain)
PORT53=""

# IP addresses of hosts on protected network  allowed port 80 access (http)
PORT80=""

# IP addresses of hosts on protected network  allowed port 443 access (https)
PORT443=""

# IP addresses of hosts and networks not to be communicated with.
SHUN=""

# The following assignments should not generally need to be changed

BADIP="$EXTBASE $EXTBCAST $INTBASE $INTBCAST 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 224.0.0.0/4 240.0.0.0/5 255.255.255.255"

IPT=/sbin/iptables

LOGOPT="--log-level=info -m limit --limit 3/minute --limit-burst 3"

SYNOPT="-m limit --limit 5/second --limit-burst 10"

############################################################################
# Server Specific Settings
############################################################################

# FTPSERVER - External Development FTP Site

FTPSERVEREXT="$EXTIP_FTPSERVER"
FTPSERVERINT="bbb.bbb.bbb.200"

# Shophie should be allowed FTP access in from any host,
# and VNC traffic from codie's addresses only

FTPSERVERFTP="Yes"
# Hosts allowed to reach FTP when FTPSERVERFTP is RESTRICTED
# (referenced further down but never defined in the original script)
FTPSERVERFTPSRV=""

FTPSERVERVNC="RESTRICTED"
FTPSERVERVNCSRV="xxx.xxx.xxx.5 xxx.xxx.xxx.15"

############################################################################
# Clear the existing firewall rules
[ $VERBOSE -gt 0 ] && echo "Clear the existing firewall rules"
############################################################################

if [ ! -x "$IPT" ]
then
	# The original tested an undefined $IPTABLES and called an undefined die()
	echo "firewall: can't execute $IPT" >&2
	exit 1
fi

# FTP connection-tracking helpers: without them the data connections of the
# DNAT'd FTP server below are never classed RELATED and get dropped.
# 2.4 kernels use the ip_* names, 2.6 and later the nf_* names; load
# whichever exists. Current kernels no longer assign helpers automatically,
# so there the helper must also be attached with a CT --helper ftp rule in
# the raw table.
for mod in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp
do
	modprobe $mod 2>/dev/null
done

# Forwarding has to be enabled for the FORWARD/NAT rules below to carry traffic
echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -P INPUT DROP		#	Set default policy to DROP
$IPT -P OUTPUT DROP		#	Set default policy to DROP
$IPT -P FORWARD DROP		#	Set default policy to DROP
$IPT -F				#	Flush all chains
$IPT -X				#	Delete all chains

for table in filter nat mangle
do
	$IPT -t $table -F	#	Delete the table's rules
	$IPT -t $table -X	#	Delete the table's chains
	$IPT -t $table -Z	#	Zero the table's counters
done

############################################################################
# Bad TCP Flags
[ $VERBOSE -gt 0 ] && echo "Bad TCP Flags"
############################################################################

$IPT -N BADFLAGS
$IPT -A BADFLAGS -j LOG --log-prefix "IPT BADFLAGS: " $LOGOPT
$IPT -A BADFLAGS -j DROP

############################################################################
# TCP Flag Validation
[ $VERBOSE -gt 0 ] && echo "TCP Flag Validation"
############################################################################

$IPT -N TCP_FLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ACK,URG URG		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ALL ALL			-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ALL NONE			-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG		-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG	-j BADFLAGS
$IPT -A TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG	-j BADFLAGS

############################################################################
# SYN Flood Protection
[ $VERBOSE -gt 0 ] && echo "SYN Flood Protection"
############################################################################

$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD	-p tcp --syn $SYNOPT	-j RETURN	# SYNs within the rate limit pass
$IPT -A SYN_FLOOD	! -p tcp		-j RETURN	# ("-p ! tcp" is the pre-1.4 spelling)
$IPT -A SYN_FLOOD	-p tcp ! --syn		-j RETURN
$IPT -A SYN_FLOOD -j LOG --log-prefix "IPT SYN_FLOOD: " $LOGOPT
$IPT -A SYN_FLOOD -j DROP

############################################################################
# Bad IP Chain
[ $VERBOSE -gt 0 ] && echo "Bad IP Chain"
############################################################################

$IPT -N BAD_IP
$IPT -A BAD_IP -j LOG --log-prefix "IPT BAD-IP: " $LOGOPT
$IPT -A BAD_IP -j DROP

###########################################################################
# Shunned Hosts
[ $VERBOSE -gt 0 ] && echo "Shunned Hosts"
############################################################################

$IPT -N SHUN
for ip in $SHUN; do
	$IPT -A SHUN -s $ip -j BAD_IP
	$IPT -A SHUN -d $ip -j BAD_IP
done

############################################################################
# Inbound IP Checks
[ $VERBOSE -gt 0 ] && echo "Inbound IP Checks"
############################################################################

$IPT -N IN_IP_CHECK
for sip in $BADIP; do
	$IPT -A IN_IP_CHECK -s $sip -j BAD_IP
done

$IPT -A IN_IP_CHECK -i $EXTDEV -s $EXTIP -j BAD_IP
$IPT -A IN_IP_CHECK -i $EXTDEV -s $EXTIP_FTPSERVER -j BAD_IP
$IPT -A IN_IP_CHECK -i $EXTDEV -s $INTNET -j BAD_IP
$IPT -A IN_IP_CHECK -i $INTDEV -s $EXTIP -j BAD_IP
$IPT -A IN_IP_CHECK -i $INTDEV -s $EXTIP_FTPSERVER -j BAD_IP


############################################################################
# Outbound IP Checks
[ $VERBOSE -gt 0 ] && echo "Outbound IP Checks"
############################################################################

$IPT -N OUT_IP_CHECK
for dip in $BADIP
do
	$IPT -A OUT_IP_CHECK -d $dip -j BAD_IP
done

$IPT -A OUT_IP_CHECK -o $EXTDEV -s $EXTIP -j RETURN
$IPT -A OUT_IP_CHECK -o $EXTDEV -s $EXTIP_FTPSERVER -j RETURN
$IPT -A OUT_IP_CHECK -o $INTDEV -s $INTIP -j RETURN
$IPT -A OUT_IP_CHECK -j BAD_IP

############################################################################
# Inbound ICMP
[ $VERBOSE -gt 0 ] && echo "Inbound ICMP"
############################################################################

$IPT -N IN_ICMP
for sip in $PING; do
	$IPT -A IN_ICMP -p icmp --icmp-type echo-request -s $sip -j ACCEPT
	$IPT -A IN_ICMP -p icmp --icmp-type echo-reply -s $sip -j ACCEPT
done

$IPT -A IN_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A IN_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A IN_ICMP -j LOG --log-prefix "IPT In ICMP: " $LOGOPT
$IPT -A IN_ICMP -j DROP

############################################################################
# Outbound ICMP
[ $VERBOSE -gt 0 ] && echo "Outbound ICMP"
############################################################################

$IPT -N OUT_ICMP
for dip in $PING; do
	$IPT -A OUT_ICMP -p icmp --icmp-type echo-request -d $dip -j ACCEPT
	$IPT -A OUT_ICMP -p icmp --icmp-type echo-reply -d $dip -j ACCEPT
done

# For a less courteous -- but potentially more secure -- firewall.
# replace destination-unreachable by fragmentation-needed in the
# following rule.

$IPT -A OUT_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUT_ICMP -p icmp --icmp-type source-quench -j ACCEPT

# For a less courteous -- but potentially more secure -- firewall.
# delete the following parameter-problem rule.

$IPT -A OUT_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A OUT_ICMP -j LOG --log-prefix "IPT Out ICMP: " $LOGOPT
$IPT -A OUT_ICMP -j DROP

############################################################################
# Destination NAT
[ $VERBOSE -gt 0 ] && echo "Destination NAT"
############################################################################

case $FTPSERVERFTP in
	YES|Yes|RESTRICTED|RES*|Res*|res*)
	$IPT -t nat -A PREROUTING -p tcp -d $EXTIP_FTPSERVER --dport ftp -j DNAT --to-destination $FTPSERVERINT
	# Active-mode data connections originate from the server's port 20, so
	# this inbound ftp-data rule is harmless but does nothing useful; the FTP
	# conntrack helper is what makes the data connections RELATED.
	$IPT -t nat -A PREROUTING -p tcp -d $EXTIP_FTPSERVER --dport ftp-data -j DNAT --to-destination $FTPSERVERINT
	;;
esac

case $FTPSERVERVNC in
	YES|Yes|RESTRICTED|RES*|Res*|res*)
	$IPT -t nat -A PREROUTING -p tcp -d $EXTIP_FTPSERVER --dport 5900 -j DNAT --to-destination $FTPSERVERINT
	$IPT -t nat -A PREROUTING -p tcp -d $EXTIP_FTPSERVER --dport 5800:5899 -j DNAT --to-destination $FTPSERVERINT
	;;
esac

############################################################################
# Source NAT
[ $VERBOSE -gt 0 ] && echo "Source NAT"
############################################################################

$IPT -t nat -A POSTROUTING -s $FTPSERVERINT -o $EXTDEV -j SNAT --to-source $FTPSERVEREXT
$IPT -t nat -A POSTROUTING -s $INTNET -o $EXTDEV -j SNAT --to-source $EXTIP

############################################################################
# Inbound traffic to protected network
[ $VERBOSE -gt 0 ] && echo "Inbound traffic to protected network"
############################################################################

$IPT -N IN_NETWORK
$IPT -A IN_NETWORK -p icmp -j IN_ICMP
$IPT -A IN_NETWORK -p tcp -j TCP_FLAGS
$IPT -A IN_NETWORK -p tcp --syn -j SYN_FLOOD
# Anti-spoofing check, as IN_FIREWALL already does for the host itself;
# without it packets with forged source addresses arriving on $EXTDEV
# are forwarded unchecked.
$IPT -A IN_NETWORK -j IN_IP_CHECK
$IPT -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

case $FTPSERVERFTP in
	YES|Yes|Y*|y*)
	$IPT -A IN_NETWORK -p tcp --syn -d $FTPSERVERINT --dport ftp -j ACCEPT
	[ $VERBOSE -gt 0 ] && echo -e "\tAdding non restrictive FTPSERVER FTP Rules"
	;;
	RESTRICTED|RES*|Res*|res*)
	for sip in $FTPSERVERFTPSRV
	do
		$IPT -A IN_NETWORK -p tcp --syn -s $sip -d $FTPSERVERINT --dport ftp -j ACCEPT
		[ $VERBOSE -gt 0 ] && echo -e "\tAdding $sip restrictive FTPSERVER FTP Rules"
	done
	;;
esac

case $FTPSERVERVNC in
	YES|Yes|Y*|y*)
	$IPT -A IN_NETWORK -i $EXTDEV -p tcp --syn -d $FTPSERVERINT --dport 5900 -j ACCEPT
	$IPT -A IN_NETWORK -i $EXTDEV -p tcp --syn -d $FTPSERVERINT --dport 5800:5899 -j ACCEPT
	[ $VERBOSE -gt 0 ] && echo -e "\tAdding non restrictive VNC rules"
	;;
	RESTRICTED|RES*|Res*|res*)
	for sip in $FTPSERVERVNCSRV
	do
		$IPT -A IN_NETWORK -i $EXTDEV -p tcp --syn -s $sip -d $FTPSERVERINT --dport 5900 -j ACCEPT
		$IPT -A IN_NETWORK -i $EXTDEV -p tcp --syn -s $sip -d $FTPSERVERINT --dport 5800:5899 -j ACCEPT
		[ $VERBOSE -gt 0 ] && echo -e "\tAdding $sip restrictive VNC rules"
	done
	;;
esac


############################################################################
# Outbound traffic from protected network
[ $VERBOSE -gt 0 ] && echo "Outbound traffic from protected network"
############################################################################

$IPT -N OUT_NETWORK
$IPT -A OUT_NETWORK -p icmp -j OUT_ICMP
$IPT -A OUT_NETWORK -p tcp -j TCP_FLAGS
$IPT -A OUT_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT

# The following rules enable clients running on the protected network
# to connect to remote servers. Add and delete rules to customize the
# authorized services.

for dip in $PORTALL; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -j ACCEPT
done

for dip in $PORT21; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p tcp --dport 21 -j ACCEPT	#	ftp
done

for dip in $PORT22; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p tcp --dport 22 -j ACCEPT	#	ssh
done

for dip in $PORT25; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p tcp --dport 25 -j ACCEPT	#	smtp
done

for dip in $PORT80; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p tcp --dport 80 -j ACCEPT	#	http
done

for dip in $PORT443; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p tcp --dport 443 -j ACCEPT	#	https
done

for dip in $PORT53; do
	$IPT -A OUT_NETWORK -s $dip -m state --state NEW -p udp --dport 53 -j ACCEPT	#	domain
done

############################################################################
# Inbound traffic to firewall host
[ $VERBOSE -gt 0 ] && echo "Inbound traffic to firewall host"
############################################################################

$IPT -N IN_FIREWALL
$IPT -A IN_FIREWALL -p icmp -j IN_ICMP
$IPT -A IN_FIREWALL -p tcp -j TCP_FLAGS
$IPT -A IN_FIREWALL -p tcp --syn -j SYN_FLOOD
$IPT -A IN_FIREWALL -j IN_IP_CHECK
$IPT -A IN_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT

for sip in $SSH
do
	$IPT -A IN_FIREWALL -p tcp -s $sip --dport 22 -m state --state NEW -j ACCEPT
done

for sip in $FTP
do
	$IPT -A IN_FIREWALL -p tcp -s $sip --dport 21 -m state --state NEW -j ACCEPT
done

for sip in $SMTP
do
	$IPT -A IN_FIREWALL -p tcp -s $sip --dport 25 -m state --state NEW -j ACCEPT
done

#
# Add additional rules authorizing traffic inbound to firewall
# host here, for example (note: -o is not valid in the INPUT path):
#
# $IPT -A IN_FIREWALL -i $INTDEV -p tcp --dport 80 -m state --state NEW -j ACCEPT

$IPT -A IN_FIREWALL -j LOG --log-prefix "IPT IN_FIREWALL: " $LOGOPT
$IPT -A IN_FIREWALL -j DROP

############################################################################
# Outbound traffic from firewall host
[ $VERBOSE -gt 0 ] && echo "Outbound traffic from firewall host"
############################################################################

$IPT -N OUT_FIREWALL
$IPT -A OUT_FIREWALL -p icmp -j OUT_ICMP
$IPT -A OUT_FIREWALL -p tcp -j TCP_FLAGS
$IPT -A OUT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUT_FIREWALL -j OUT_IP_CHECK
#
# The following rules enable clients running on the firewall host to
# connect to remote servers. Add and delete rules to customize the
# authorized services.
#
$IPT -A OUT_FIREWALL -m state --state NEW -p tcp --dport 21 -j ACCEPT	#	ftp
$IPT -A OUT_FIREWALL -m state --state NEW -p tcp --dport 22 -j ACCEPT	#	ssh
$IPT -A OUT_FIREWALL -m state --state NEW -p tcp --dport 25 -j ACCEPT	#	smtp
# $IPT -A OUT_FIREWALL -m state --state NEW -p tcp --dport 80 -j ACCEPT	#	http
# $IPT -A OUT_FIREWALL -m state --state NEW -p tcp --dport 443 -j ACCEPT	#	https

$IPT -A OUT_FIREWALL -m state --state NEW -p udp --dport 53 -j ACCEPT	#	domain

$IPT -A OUT_FIREWALL -j LOG --log-prefix "IPT OUT_FIREWALL: " $LOGOPT
# Terminate here as IN_FIREWALL does; otherwise the packet falls back to
# OUTPUT and is logged a second time before being dropped.
$IPT -A OUT_FIREWALL -j DROP

############################################################################
# Main Firewall Rules
[ $VERBOSE -gt 0 ] && echo "Main Firewall Rules"
############################################################################

$IPT -A FORWARD 		-j SHUN
$IPT -A FORWARD -i $EXTDEV	-j IN_NETWORK
$IPT -A FORWARD -i $INTDEV	-j OUT_NETWORK
$IPT -A FORWARD			-j LOG --log-prefix "IPT FORWARD: " $LOGOPT
$IPT -A FORWARD			-j DROP

$IPT -A INPUT 			-j SHUN
$IPT -A INPUT -i lo		-j ACCEPT
$IPT -A INPUT			-j IN_FIREWALL
$IPT -A INPUT			-j LOG --log-prefix "IPT INPUT: " $LOGOPT
$IPT -A INPUT			-j DROP

$IPT -A OUTPUT			-j SHUN
$IPT -A OUTPUT -o lo 		-j ACCEPT
$IPT -A OUTPUT 			-j OUT_FIREWALL
$IPT -A OUTPUT 			-j LOG --log-prefix "IPT OUTPUT: " $LOGOPT
$IPT -A OUTPUT 			-j DROP






^ permalink raw reply	[flat|nested] 6+ messages in thread
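Two defects are easy to introduce in a hand-written rule script like the one above and hard to spot by eye: the same rule appended twice to a chain, and a user chain whose last rule is LOG, so the packet falls back to the calling chain and is logged a second time before the default policy drops it. The following shell/awk lint over `iptables-save` output catches both. It is an added example, not part of the posted script; the sample dump is constructed to mirror the shape of the IN_FIREWALL and OUT_FIREWALL chains.

```sh
#!/bin/sh
# Added example (not part of the posted script): lint an iptables-save dump for
#   1. the same rule appended twice in a row in one chain
#   2. a chain whose last rule is LOG with no terminating rule after it
# Input is the text format produced by `iptables-save`.

lint_ruleset() {
	awk '
	function flush() {
		if (last != "" && lastrule ~ / -j LOG( |$)/)
			print "LOG_WITHOUT_DROP " table " " last
		last = ""; lastrule = ""
	}
	/^\*/     { table = substr($0, 2); next }   # *filter, *nat, ...
	/^:/      { next }                           # chain declarations
	/^COMMIT/ { flush(); next }
	/^-A /    {
		chain = $2
		if (chain != last) { flush(); last = chain }
		if ($0 == prev) print "DUPLICATE " table " " chain ": " $0
		prev = $0
		lastrule = $0
		next
	}
	END { flush() }
	'
}

# Constructed sample dump: a duplicated ESTABLISHED rule in IN_FIREWALL and an
# OUT_FIREWALL chain that ends in LOG are the two defects to catch.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:IN_FIREWALL - [0:0]
:OUT_FIREWALL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_FIREWALL
-A INPUT -j DROP
-A OUTPUT -j OUT_FIREWALL
-A OUTPUT -j DROP
-A IN_FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IN_FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A IN_FIREWALL -m limit --limit 3/min -j LOG --log-prefix "IPT IN_FIREWALL: "
-A IN_FIREWALL -j DROP
-A OUT_FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUT_FIREWALL -m limit --limit 3/min -j LOG --log-prefix "IPT OUT_FIREWALL: "
COMMIT'

lint_sample() {
	printf '%s\n' "$SAMPLE_DUMP" | lint_ruleset
}

# On a live box:  iptables-save | lint_ruleset
lint_sample
```

Run it against a live box with `iptables-save | lint_ruleset` after loading a script; a LOG_WITHOUT_DROP finding on a user chain means the chain returns to its caller, which is only intended when the caller is expected to make the final decision.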
* RE: Today's Brain Teaser.
@ 2003-03-12  9:20 Jonathan Humphrey
  2003-03-12 10:31 ` Raymond Leach
  0 siblings, 1 reply; 6+ messages in thread
From: Jonathan Humphrey @ 2003-03-12  9:20 UTC (permalink / raw)
  To: Netfilter Mailing List

[-- Attachment #1: Type: text/plain, Size: 1910 bytes --]

As a company we have two T1s (greedy, I know!)

The aaa.aaa.aaa.aaa address range is the external addresses for one T1;
xxx.xxx.xxx.xxx is the address range for the other T1.

Does that make sense?

-----Original Message-----
From: Raymond Leach [mailto:raymondl@knowledgefactory.co.za]
Sent: 12 March 2003 09:09
To: Netfilter Mailing List
Subject: Re: Today's Brain Teaser.


On Wed, 2003-03-12 at 10:35, Jonathan Humphrey wrote:
> I've been struggling with this one for some time; I am currently at
> the end of my tether, so if anyone has any great ideas about why this
> happens, let me know.
>  
> Basically, I have a Linux server that has three interfaces;
>  
>     eth1          aaa.aaa.aaa.202        External Facing network
>     eth0          bbb.bbb.bbb.254        Internal protected network
>     eth1:0       aaa.aaa.aaa.197        External IP Address for
> FTPServer
>  
> I have a device that sits on xxx.xxx.xxx.5 that cannot get to any
> service on aaa.aaa.aaa.197; however, every other IP address I have
> tried can.  I suspect that if I release the real IP address of
> aaa.aaa.aaa.197 then everyone reading this list could too.
>  
> And it's the .5 address: if I try from xxx.xxx.xxx.15 I can
> connect.
Where is xxx.xxx.xxx.5? Is it on the internal or external network?


[-- Attachment #2: Type: text/html, Size: 3923 bytes --]

* RE: Today's Brain Teaser.
@ 2003-03-12 12:28 Jonathan Humphrey
  0 siblings, 0 replies; 6+ messages in thread
From: Jonathan Humphrey @ 2003-03-12 12:28 UTC (permalink / raw)
  To: 'raymondl@knowledgefactory.co.za', Netfilter Mailing List

[-- Attachment #1: Type: text/plain, Size: 2573 bytes --]

xxx.xxx.xxx.xxx is a totally separate T1, with a completely different ISP.

-----Original Message-----
From: Raymond Leach [mailto:raymondl@knowledgefactory.co.za]
Sent: 12 March 2003 10:32
To: Netfilter Mailing List
Subject: RE: Today's Brain Teaser.


On Wed, 2003-03-12 at 11:20, Jonathan Humphrey wrote:
> As a company we have two t1's (greedy i know!)
> 
> the aaa.aaa.aaa.aaa address range is the external address's for one T1
> xxx.xxx.xxx.xxx is the address range for the other T1
> 
How does the xxx.xxx.xxx.xxx connect to the linux router? eth1:1? Or are
the two t1's connected to the router (something like a Cisco 2501)? If
that's the case, then I would check the routing tables (and interfaces)
on the router first ...


[-- Attachment #2: Type: text/html, Size: 5351 bytes --]

* RE: Today's Brain Teaser.
@ 2003-03-12 18:21 Jonathan Humphrey
  0 siblings, 0 replies; 6+ messages in thread
From: Jonathan Humphrey @ 2003-03-12 18:21 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

[-- Attachment #1: Type: text/plain, Size: 3111 bytes --]

Just to let you all know (in case anyone was trying to find out why...):
 
the ftp daemon that was running was listening on all interfaces.  Once I
limited it to one, it's all working now....


[-- Attachment #2: Type: text/html, Size: 6344 bytes --]

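The poster's fix was to bind the ftp daemon to a single address instead of all of them. The check below, added here and not part of the thread, lists every TCP listener on a host that is still bound to the wildcard address (0.0.0.0, [::] or *), parsed from `ss -tlnp` output. The sample output is constructed; 203.0.113.202 is a documentation address standing in for the firewall's external aaa.aaa.aaa.202, and the daemon names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original thread): list daemons bound to the
# wildcard address. Input is the output of `ss -tlnp`: one header line,
# then one listening socket per line.

wildcard_listeners() {
	awk 'NR > 1 {
		# $4 is Local Address:Port; the port is everything after the last colon
		n = split($4, parts, ":")
		port = parts[n]
		addr = substr($4, 1, length($4) - length(port) - 1)
		if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
			proc = ""
			# the process name sits inside users:(("name",pid=...,fd=...))
			if (match($0, /\(\("[^"]+"/))
				proc = substr($0, RSTART + 3, RLENGTH - 4)
			print port, addr, proc
		}
	}'
}

# Constructed sample: ftp and smtp bound to every address, ssh bound to the
# external address only, VNC bound to loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:21           0.0.0.0:*         users:(("vsftpd",pid=812,fd=3))
LISTEN 0      128    203.0.113.202:22     0.0.0.0:*         users:(("sshd",pid=455,fd=3))
LISTEN 0      128    [::]:25              [::]:*            users:(("master",pid=901,fd=13))
LISTEN 0      5      127.0.0.1:5900       0.0.0.0:*         users:(("Xvnc",pid=1333,fd=5))'

audit_sample() {
	printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
}

# On a live box:  ss -tlnp | wildcard_listeners
audit_sample
```

A listener bound to the wildcard address accepts connections on every interface address the host owns, including secondary addresses such as eth1:0 in the script above, so each such finding should either be re-bound to one address or be covered by an INPUT rule that restricts the port by source, as the script's $FTP, $SSH and $SMTP lists do for the firewall host. On a multi-homed box both layers are worth having: the bind limits the daemon, the rule limits who can reach it.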