ipfwadm not forwarding past 2nd if!

I can't get ipfwadm to forward past the 2nd interface. I am having trouble determining whether my rule set is screwed or my configuration is. This probably requires repeated counsel, so I am betting all my points and more.
thx
-art
leenix Asked:
strobert Commented:
Could you put up the output of ifconfig and what your rule sets are? Also, do you have IP forwarding compiled into your kernel?
0
leenix (Author) Commented:
I do not have IP forwarding compiled in the kernel; the docs said not to. Here is the rule set and ifconfig:
=====================================================
   LOCALHOST="gw.foo.com"
   IFEXTERN="192.168.22.15"
   IFINTERN="192.168.37.1"
   LOCALNET="192.168.37.0/24"
   ANYWHERE="0.0.0.0/0"
   UNPRIVPORTS="1024:65535"

   # ====== Basic rules.

   # Sure we're paranoid, but are we paranoid enough?
   ipfwadm -I -p deny
   ipfwadm -O -p deny
   ipfwadm -F -p deny

   # Handle spoofed packets.
   ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE
   ipfwadm -I -a deny -V $IFEXTERN -S $IFEXTERN -D ANYWHERE

   # Unlimited traffic within the local network.
   ipfwadm -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
   ipfwadm -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE

   # Unlimited ICMP traffic (not recommended).
   ipfwadm -I -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
   ipfwadm -O -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
   ipfwadm -F -a accept -P icmp -S $ANYWHERE -D $ANYWHERE

   # ====== External use of our system.

   # Public access for e-mail, ftp, WWW, and DNS.
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE -D $LOCALHOST smtp ftp www domain
   ipfwadm -I -a accept -P udp \
           -S $ANYWHERE -D $LOCALHOST domain
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE -D $LOCALHOST ftp-data
   ipfwadm -O -a accept -P tcp -S $LOCALHOST smtp ftp \
              ftp-data www domain -D $ANYWHERE
   ipfwadm -O -a accept -P udp \
           -S $LOCALHOST domain -D $ANYWHERE

   # ====== Internal use of the Internet.

   # Outgoing packets.
   ipfwadm -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
              z3950 domain
   ipfwadm -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS \
           -D $ANYWHERE smtp ftp ftp-data www telnet gopher \
              z3950 domain
   ipfwadm -O -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE z3950
   ipfwadm -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS \
           -D $ANYWHERE z3950 domain
   ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE ftp ftp-data www telnet gopher z3950
   ipfwadm -F -a accept -P udp -S $LOCALNET $UNPRIVPORTS \
           -D $ANYWHERE z3950

   # Incoming packets.
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 domain \
           -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 domain \
           -D $IFEXTERN $UNPRIVPORTS
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $IFEXTERN $UNPRIVPORTS
   ipfwadm -I -a accept -P udp \
           -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS
   ipfwadm -I -a accept -P udp -S $ANYWHERE z3950 domain \
           -D $LOCALHOST $UNPRIVPORTS
   ipfwadm -F -a accept -k -P tcp \
           -S $ANYWHERE ftp www telnet gopher z3950 \
           -D $LOCALNET $UNPRIVPORTS
   ipfwadm -F -a accept -P tcp \
           -S $ANYWHERE ftp-data -D $LOCALNET $UNPRIVPORTS
   ipfwadm -F -a accept -P udp \
           -S $ANYWHERE z3950 -D $LOCALNET $UNPRIVPORTS


.......................


    lo        Link encap:Local Loopback
              inet addr:127.0.0.0  Bcast:127.255.255.255  Mask:255.0.0.0
              UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0
 
    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:12 Base address:0x310
 
    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0
              TX packets:0 errors:0 dropped:0 overruns:0
              Interrupt:15 Base address:0x350
0
strobert Commented:
OK, I see some problems. I'm going to lock the question and submit the answer as comments (that way it is locked answer-wise, but it will take a while to type in, and I don't want my typing to get nuked if someone else submits an answer first).
0

strobert Commented:
Try this first set of changes:
From ifconfig, I see:
1) IFEXTERN should be 199.1.2.10
2) IFINTERN should be 192.168.2.1
3) LOCALNET should be "192.168.2.0/24"

If that doesn't work...
As for IP forwarding, you may need to have it on for IP masquerading to work correctly (which may be so in your case, since your internal IPs are in the 192.168.0.0/16 range). This is the same type of setup I am using, and we have IP forwarding on with no ill effects (I haven't been able to spoof past the firewall). The ipfwadm rules should still protect you.

Also, it looks like you are not using the -m flag at all, which, if you want the "bogus" IPs internally to be able to see outside, is the easiest way (and the only way if you are not running a proxy server) to do it.

To do so, on your outbound ipfwadm -F commands, add the -m flag.

See if this fixes the problems; if so, let me know. I have some additional comments about some of the rules (some could be tighter), but first let's get past the problems with it not working.

If it doesn't get you going, it's time for more debugging (a dump of your routing table might be the next info needed).
0
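As an added example (not part of the thread, and not ipfwadm itself): a small Python checker that automates the comparison strobert did by eye between the script's address variables and the real ifconfig output. It assumes eth0 is the external and eth1 the internal interface, and also flags a variable name passed without a `$` (as in the spoof rule's `-D ANYWHERE`) and outbound `-F` rules that lack `-m`.

```python
import re
import ipaddress
# Constructed excerpts of the poster's firewall script and ifconfig output (taken from the thread).
FW_SCRIPT = """\
IFEXTERN="192.168.22.15"
IFINTERN="192.168.37.1"
LOCALNET="192.168.37.0/24"
ANYWHERE="0.0.0.0/0"
ipfwadm -I -a deny -V $IFEXTERN -S $LOCALNET -D ANYWHERE
ipfwadm -F -a accept -P tcp -S $LOCALNET $UNPRIVPORTS -D $ANYWHERE ftp www
"""
IFCONFIG = """\
eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:199.1.2.10 Bcast:199.1.2.255  Mask:255.255.255.0
eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
"""
def parse_vars(script):
    """NAME="value" assignments in the script, quotes stripped."""
    return dict(re.findall(r'^\s*(\w+)="?([^"\n]*)"?\s*$', script, re.M))

def parse_ifconfig(text):
    """{iface: address} from classic 'inet addr:' lines."""
    addrs, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # interface header line
            iface = line.split()[0]
        m = re.search(r'inet addr:(\S+)', line)
        if m and iface:
            addrs[iface] = m.group(1)
    return addrs

def check_rules(script, ifconfig, extern='eth0', intern='eth1'):
    """Findings of the kind the answer spotted by eye. Assumes eth0 is external, eth1 internal."""
    v, real, findings = parse_vars(script), parse_ifconfig(ifconfig), []
    for name, iface in (('IFEXTERN', extern), ('IFINTERN', intern)):
        if v.get(name) != real.get(iface):
            findings.append(f'{name}={v.get(name)} but {iface} has {real.get(iface)}')
    if ipaddress.ip_address(real[intern]) not in ipaddress.ip_network(v['LOCALNET']):
        findings.append(f'LOCALNET={v["LOCALNET"]} does not contain {intern} ({real[intern]})')
    for n, line in enumerate(script.splitlines(), 1):
        if not line.startswith('ipfwadm'):
            continue
        for tok in line.split():
            if tok in v:                         # variable name without '$': passed as a literal word
                findings.append(f'line {n}: {tok} used without $')
        if ' -F ' in line and '-D $ANYWHERE' in line and ' -m' not in line:
            findings.append(f'line {n}: outbound -F rule has no -m (masquerade) flag')
    return findings
```

Run it against the full script and ifconfig output from the thread to get the same three address mismatches strobert listed, plus the two rule-level findings.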
handrich Commented:
Hi
I tried nearly the same, with an equal result, but I found a workaround.
Set your input and output rules to accept and start routed.
(Without the accept defaults the router stops working after some minutes.)
If you are not connected to a real network with dynamic routers, you needn't turn the I and F rules to accept.

Maybe it will help

Greetings Michael

PS: If anyone has a better solution, please let me know.
0