leenix
asked on
ipfwadm not forwarding past 2nd if!
I can't get ipfwadm to forward past the 2nd interface. I am having trouble determining whether my rule set is screwed up or my configuration is. This probably requires repeated counsel, so I am betting all my points and more.
thx
-art
Could you put up the output of ifconfig and what your rule sets are? Also, do you have IP forwarding compiled into your kernel?
ASKER
I do not have IP forwarding compiled into the kernel; the docs said not to. Here is the rule set and ifconfig:
==========================
LOCALHOST="gw.foo.com"
IFEXTERN="192.168.22.15"
IFINTERN="192.168.37.1"
LOCALNET="192.168.37.0/24"
ANYWHERE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
# ====== Basic rules.
# Sure we're paranoid, but are we paranoid enough?
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -F -p deny
# Handle spoofed packets.
# (ANYWHERE must be expanded as $ANYWHERE; a bare ANYWHERE is looked up as a hostname.)
ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE
ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE
# Unlimited traffic within the local network.
ipfwadm -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
ipfwadm -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
# Unlimited ICMP traffic (not recommended).
ipfwadm -I -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
ipfwadm -O -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
ipfwadm -F -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
# ====== External use of our system.
# Public access for e-mail, ftp, WWW, and DNS.
ipfwadm -I -a accept -P tcp \
-S $ANYWHERE -D $LOCALHOST smtp ftp www domain
ipfwadm -I -a accept -P udp \
-S $ANYWHERE -D $LOCALHOST domain
ipfwadm -I -a accept -k -P tcp \
-S $ANYWHERE -D $LOCALHOST ftp-data
ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
ftp-data www domain -D $ANYWHERE
ipfwadm -O -a accept -P udp \
-S $LOCALHOST domain -D $ANYWHERE
# ====== Internal use of the Internet.
# Outgoing packets.
ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
-D $ANYWHERE smtp ftp ftp-data www telnet gopher \
z3950 domain
ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \
-D $ANYWHERE smtp ftp ftp-data www telnet gopher \
z3950 domain
ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
-D $ANYWHERE z3950
ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \
-D $ANYWHERE z3950 domain
ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
-D $ANYWHERE ftp ftp-data www telnet gopher z3950
ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
-D $ANYWHERE z3950
# Incoming packets.
ipfwadm -I -a accept -k -P tcp \
-S $ANYWHERE ftp www telnet gopher z3950 domain \
-D $LOCALNET $UNPRIVPORTS
ipfwadm -I -a accept -k -P tcp \
-S $ANYWHERE ftp www telnet gopher z3950 domain \
-D $IFEXTERN $UNPRIVPORTS
ipfwadm -I -a accept -P tcp \
-S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
ipfwadm -I -a accept -P tcp \
-S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS
ipfwadm -I -a accept -P udp \
-S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
ipfwadm -I -a accept -P udp -S $ANYWHERE z3950 domain \
-D $LOCALHOST $UNPRIVPORTS
ipfwadm -F -a accept -k -P tcp \
-S $ANYWHERE ftp www telnet gopher z3950 \
-D $LOCALNET $UNPRIVPORTS
ipfwadm -F -a accept -P tcp \
-S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
ipfwadm -F -a accept -P udp \
-S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
.......................
lo Link encap:Local Loopback
inet addr:127.0.0.0 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:1
RX packets:1620 errors:0 dropped:0 overruns:0
TX packets:1620 errors:0 dropped:0 overruns:0
eth0 Link encap:10Mbps Ethernet HWaddr 00:00:09:85:AC:55
inet addr:199.1.2.10 Bcast:199.1.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
Interrupt:12 Base address:0x310
eth1 Link encap:10Mbps Ethernet HWaddr 00:00:09:80:1E:D7
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0
TX packets:0 errors:0 dropped:0 overruns:0
Interrupt:15 Base address:0x350
ASKER CERTIFIED SOLUTION
Try this first set of changes:
From ifconfig, I see:
1) IFEXTERN should be 199.1.2.10
2) IFINTERN should be 192.168.2.1
3) LOCALNET should be "192.168.2.0/24"
If that doesn't work...
As for IP forwarding, you may need to have it on for IP masquerading to work correctly (which may be so in your case, since your internal IPs are in the 192.168.0.0/16 range). This is the same type of setup I am using, and we have IP forwarding on with no ill effects (I haven't been able to spoof past the firewall). The ipfwadm rules should still protect you.
Also, it looks like you are not using the -m flag at all, which, if you want the "bogus" IPs internally to be able to see outside, is the easiest way (and the only way if you are not running a proxy server) to do it.
To do so, add the -m flag to your outbound ipfwadm -F commands.
See if this fixes the problems; if so, let me know. I have some additional comments about some of the rules (some could be tighter), but first let's get the problems with it not working out of the way.
If it doesn't get you going, it's time for more debugging (a dump of your routing table might be the next info needed).
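The answer above boils down to three checks: the rule-set variables must match what ifconfig reports, IP forwarding must be on, and the outbound -F rules need -m. The script below is an added example (not code from the thread or from ipfwadm itself) that runs those checks offline. It embeds the ifconfig output posted above as a constant (on a live box you would feed it `ifconfig -a` instead), assumes the external and internal interfaces are eth0 and eth1 as in that output, and assumes the /proc/sys/net/ipv4/ip_forward knob, which older 2.0 kernels do not expose (they only have the compile-time CONFIG_IP_FORWARD option).

```shell
#!/bin/sh
# Added example: check the ipfwadm rule-set variables against ifconfig,
# list outbound -F rules that lack -m, and show the forwarding knob.
# IFCONFIG_SAMPLE is the output posted in the thread, embedded so this runs
# offline; replace it with the output of `ifconfig -a` on a real gateway.

IFCONFIG_SAMPLE='lo        Link encap:Local Loopback
          inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:199.1.2.10  Bcast:199.1.2.255  Mask:255.255.255.0
eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0'

# The values from the posted rule set; they do not match the interfaces.
IFEXTERN="192.168.22.15"
IFINTERN="192.168.37.1"
LOCALNET="192.168.37.0/24"

# iface_field IFNAME FIELD : print FIELD ("inet addr" or "Mask") of IFNAME.
iface_field() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | awk -v ifn="$1" -v fld="$2" '
        $1 == ifn { want = 1; next }
        want && index($0, fld ":") {
            s = substr($0, index($0, fld ":") + length(fld) + 1)
            sub(/ .*/, "", s); print s; exit
        }
        /^[a-z]/ { want = 0 }'   # the next interface header ends the search
}

# net_of ADDR MASK : print the network in CIDR form
# (192.168.2.1 255.255.255.0 -> 192.168.2.0/24), for any contiguous mask.
net_of() {
    echo "$1 $2" | awk '{
        split($1, a, "."); split($2, m, ".")
        prefix = 0; net = ""
        for (i = 1; i <= 4; i++) {
            b = m[i]
            while (b > 0) { prefix += b % 2; b = int(b / 2) }  # count mask bits
            step = 256 - m[i]                                   # host block size in this octet
            net = net (i > 1 ? "." : "") (a[i] - a[i] % step)
        }
        print net "/" prefix
    }'
}

# check_fw_vars EXT_IF INT_IF : report each variable that disagrees with
# ifconfig and print corrected assignments. Returns 1 if anything was wrong.
check_fw_vars() {
    ext=$(iface_field "$1" "inet addr")
    int=$(iface_field "$2" "inet addr")
    net=$(net_of "$int" "$(iface_field "$2" Mask)")
    rc=0
    [ "$IFEXTERN" = "$ext" ] || { echo "IFEXTERN=$IFEXTERN but $1 is $ext"; rc=1; }
    [ "$IFINTERN" = "$int" ] || { echo "IFINTERN=$IFINTERN but $2 is $int"; rc=1; }
    [ "$LOCALNET" = "$net" ] || { echo "LOCALNET=$LOCALNET but $2 sits on $net"; rc=1; }
    if [ $rc -ne 0 ]; then
        echo "Use these instead:"
        printf 'IFEXTERN="%s"\nIFINTERN="%s"\nLOCALNET="%s"\n' "$ext" "$int" "$net"
    fi
    return $rc
}

# forward_rules_without_m : read an ipfwadm rule script on stdin and print the
# outbound -F accept rules that lack the -m (masquerade) flag.
forward_rules_without_m() {
    grep 'ipfwadm -F -a accept' | grep -v -e ' -m ' -e ' -m$' || true
}

# forwarding_status : show the forwarding knob where the kernel exposes it
# (assumption: /proc/sys/net/ipv4/ip_forward exists; early 2.0 kernels
# only have the compile-time CONFIG_IP_FORWARD option).
forwarding_status() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    else
        echo "ip_forward: no /proc entry; check CONFIG_IP_FORWARD in the kernel config"
    fi
}

if check_fw_vars eth0 eth1; then
    echo "rule-set variables match ifconfig; look at the rules themselves next"
fi
forwarding_status
```

Run it as is to see the three mismatches from the posted configuration and the corrected assignments; to audit the rule script for missing -m flags, pipe the script through forward_rules_without_m (for example `forward_rules_without_m < rc.firewall`). The net_of helper derives LOCALNET from the interface address and mask rather than trusting a hand-typed value, which is exactly the kind of drift the answer found.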
Hi
I tried nearly the same, with an equal result, but I found a workaround.
Set your input and output rules to accept and start routed.
(Without the accept defaults the router stops working after some minutes.)
If you are not connected to a real network with dynamic routers, you needn't turn the I and F rules to accept.
Maybe it will help.
Greetings, Michael
PS: If anyone has a better solution, please let me know.