Solved

ipfwadm not forwarding past 2nd if!

Posted on 1997-06-19
279 Views
Last Modified: 2010-03-17
I can't get ipfwadm to forward past the 2nd interface. I am having trouble determining if my rule set is screwed or my configuration is. This probably requires repeated counsel, so I am betting all my points and more.
thx
-art
Question by:leenix
5 Comments
 
LVL 1

Expert Comment

by:strobert
ID: 1584947
Could you put up the output of an ifconfig and what your rule sets are? Also, do you have IP forwarding compiled in your kernel?
0
 

Author Comment

by:leenix
ID: 1584948
I do not have IP forwarding compiled in the kernel; the docs said not to. Here is the rule set and ifconfig:
=====================================================
   LOCALHOST="gw.foo.com"
   IFEXTERN="192.168.22.15"
   IFINTERN="192.168.37.1"
   LOCALNET="192.168.37.0/24"
   ANYWHERE="0.0.0.0/0"
   UNPRIVPORTS="1024:65535"

   # ====== Basic rules.

   # Sure we're paranoid, but are we paranoid enough?
   ipfwadm -I -p deny
   ipfwadm -O -p deny
   ipfwadm -F -p deny

   # Handle spoofed packets (variable reference: $ANYWHERE, not the bare word).
   ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE
   ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE

   # Unlimited traffic within the local network.
   ipfwadm -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
   ipfwadm -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE

   # Unlimited ICMP traffic (not recommended).
   ipfwadm -I -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
   ipfwadm -O -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
   ipfwadm -F -a accept -P icmp -S $ANYWHERE -D $ANYWHERE

   # ====== External use of our system.

   # Public access for e-mail, ftp, WWW, and DNS.
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE -D $LOCALHOST smtp ftp www domain
   ipfwadm -I -a accept -P udp \
           -S $ANYWHERE -D $LOCALHOST domain
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE -D $LOCALHOST ftp-data
   ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
              ftp-data www domain -D $ANYWHERE
   ipfwadm -O -a accept -P udp \
           -S $LOCALHOST domain -D $ANYWHERE

   # ====== Internal use of the Internet.

   # Outgoing packets.
   ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
              z3950 domain
   ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \
           -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
              z3950 domain
   ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE z3950
   ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \
           -D $ANYWHERE z3950 domain
   ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE ftp ftp-data www telnet gopher z3950
   ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE z3950

   # Incoming packets.
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 domain \
           -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 domain \
           -D $IFEXTERN $UNPRIVPORTS
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS
   ipfwadm -I -a accept -P udp \
           -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -P udp -S $ANYWHERE z3950 domain \
           -D $LOCALHOST $UNPRIVPORTS
   ipfwadm -F -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 \
           -D $LOCALNET $UNPRIVPORTS
   ipfwadm -F -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
   ipfwadm -F -a accept -P udp \
           -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS


.......................


    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0
 
    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310
 
    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350
0
 
LVL 1

Accepted Solution

by:
strobert earned 1190 total points
ID: 1584949
OK, I see some problems. I'm going to lock the question and submit the answer as comments (that way it is locked answer-wise, but it will take a while to type in, and I don't want my typing to get nuked if someone else submits an answer first).
0
 
LVL 1

Expert Comment

by:strobert
ID: 1584950
Try this first set of changes first.
From ifconfig, I see:
1) IFEXTERN should be 199.1.2.10
2) IFINTERN should be 192.168.2.1
3) LOCALNET should be "192.168.2.0/24"

If that doesn't work...
As for IP forwarding, you may need to have it on for IP masquerading to work correctly (which may be so in your case, since your internal IPs are in the 192.168.0.0/16 range). This is the same type of setup I am using, and we have IP forwarding on with no ill effects (I haven't been able to spoof past the firewall). The ipfwadm rules should still protect you.

Also, it looks like you are not using the -m flag at all, which, if you want the "bogus" IPs internally to be able to see outside, is the easiest way (and the only way if you are not running a proxy server) to do it.

To do so, on your outbound ipfwadm -F commands, add the -m flag.

See if this fixes the problems; if so, lemme know. I have some additional comments about some of the rules (some could be tighter), but first let's fix the problems with it not working.

If it doesn't get you going, it's time for more debugging (a dump of your routing table might be the next info needed).
0
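The three corrections above all come down to one thing: the address variables at the top of the posted script must match what ifconfig actually reports, and the outbound -F rules need -m so the 192.168.x.x sources are rewritten to the external address. The script below is an added example, not code from the thread or from any poster. It reads the addresses out of an ifconfig listing (a constructed copy of the one in the question, embedded so the script runs offline), derives LOCALNET from address and netmask instead of hand-typing it, prints the forwarding rules with -m added, and reports whether the running kernel forwards IP. It assumes eth0 is the external and eth1 the internal interface, as in the question; it only prints the ipfwadm commands, it never executes them.

```shell
#!/bin/sh
# Added example (not from the thread): derive IFEXTERN/IFINTERN/LOCALNET from
# ifconfig output and print the outbound -F rules with the -m (masquerade)
# flag. Assumption: eth0 = external, eth1 = internal. Nothing here runs ipfwadm.

# Constructed copy of the interface lines shown in the question.
IFCONFIG_SAMPLE='eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0'

# field_of IFACE LABEL : the value after "LABEL:" on the inet line of IFACE
field_of() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | awk -v ifc="$1" -v label="$2" '
        $1 == ifc { found = 1; next }
        found && /inet addr:/ {
            if (sub(".*" label ":", "")) print $1
            exit
        }'
}
addr_of() { field_of "$1" addr; }
mask_of() { field_of "$1" Mask; }

# network_of IFACE : network address plus prefix length, e.g. 192.168.2.0/24
network_of() {
    printf '%s %s\n' "$(addr_of "$1")" "$(mask_of "$1")" | awk '{
        split($1, a, "."); split($2, m, "."); bits = 0; net = ""
        for (i = 1; i <= 4; i++) {
            oct = 0
            for (b = 7; b >= 0; b--) {          # walk the mask bit by bit
                if (int(m[i] / 2^b) % 2) {
                    bits++
                    oct += (int(a[i] / 2^b) % 2) * 2^b
                }
            }
            net = net (i > 1 ? "." : "") oct
        }
        print net "/" bits
    }'
}

# forward_rules : the -F chain as the answer describes it: deny by default,
# then masquerade (-m) the internal network's outbound traffic to the same
# services the original script allowed.
forward_rules() {
    localnet=$(network_of eth1)
    anywhere="0.0.0.0/0"
    unprivports="1024:65535"
    printf '%s\n' \
        "ipfwadm -F -p deny" \
        "ipfwadm -F -a accept -m -P tcp -S $localnet $unprivports -D $anywhere ftp ftp-data www telnet gopher z3950" \
        "ipfwadm -F -a accept -m -P udp -S $localnet $unprivports -D $anywhere z3950"
}

# ip_forward_state : "1" if the kernel forwards IP, "0" if not, "unknown"
# when the proc entry is absent (a kernel built without the option).
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Stand-alone run: show the corrected variables and the rules that follow.
echo "IFEXTERN=$(addr_of eth0)"
echo "IFINTERN=$(addr_of eth1)"
echo "LOCALNET=$(network_of eth1)"
echo "ip_forward=$(ip_forward_state)"
forward_rules
```

Because the -m rules only take effect on packets the kernel actually forwards, an ip_forward value of 0 or unknown explains the "not forwarding past the 2nd interface" symptom on its own, whatever the rule set says; the -I and -O chains never see a packet that the kernel refuses to route.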
 
LVL 3

Expert Comment

by:handrich
ID: 1584951
Hi,
I tried nearly the same, with an equal result, but I found a workaround.
Set your input and output rules to accept and start routed.
(Without the accept defaults, the router stops working after some minutes.)
If you are not connected to a real network with dynamic routers, you needn't turn the I and F rules to accept.

Maybe it will help.

Greetings, Michael

PS: If anyone has a better solution, please let me know.
0
