Solved

Routing question

Posted on 1999-01-21
Last Modified: 2010-03-18

I have three machines: A, B and C.

A and B are connected directly to the internet.

Both A and B have two network cards and are connected to C on a local
network.

A is running IP masquerading so machine C can reach the internet.
(Machine B is also running IP masquerading, but machine C has machine A as
its default gateway.)

It looks like this:

Machine A: eth1 130.X.Y.Z eth0 10.0.0.2
Machine B: eth0 130.X.V.W eth1 10.0.0.3
Machine C                 eth0 10.0.0.4

The network works fine. But I have one problem.

If I try to forward some ports from Machine A to Machine C, it works fine.
(/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.Y.Z 80 -R 10.0.0.4 80 -p 1)

But it doesn't work to forward the port to Machine B (10.0.0.3).
I have a www-server running and working on port 80 at Machine B and I can
reach it from Machine A.

It doesn't work to forward port 80 from Machine B to Machine C.

If I try to telnet to port 23 on machine B from machine A I get a
connection, but if I do a
/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.V.W 25 -R 10.0.0.4 25 -p 1
If I use the same command from Machine A I can telnet to port 25 from
machine B and get forwarded to Machine C on port 25.

Machines A and B are using the same kernel and have the same network and
IP-masquerading configurations. Someone told me that the problem may be that the packets from B to the world don't go through A,
so they cannot be properly "demasqueraded".

I've heard that maybe it can be solved like this:

Assign another 10.x.x.x IP address to machine C and forward
(possibly more) ports from machine B to this new IP address of machine
C. Then set up "routing-by-source" on machine C, which says that the
packets which have the new local IP address should be routed via machine
B instead of machine A, which is the default gateway otherwise.


How can I set up this routing by source? Can someone help me?
Question by:hulken


Expert Comment

by:ahoffmann
ID: 1588197
> Machine A and B are using the same Kernel and has the same Network and
    IP-Masquerading configurations .
If this is really true, you may run into problems.
They must be different in forwarding or you have a loop somewhere.
Or they block each other, somehow.

Without having the complete rules it might be difficult to point out the problem.

Author Comment

by:hulken
ID: 1588198
OK! Here are my rules on machine 1.

The only difference from machine 1 to machine 2 is this:

INSIDE=10.0.0.3
INSIDE_DEVICE=eth1
DEVICE=eth0
IPADDR=130.X.V.W/24
And the row about ping:
ipchains -A input -s 130.X.Y.Z echo-request -p icmp -j ACCEPT

But I'd like to know how to set up routing by source also...


#!/bin/sh -x

echo 1 > /proc/sys/net/ipv4/ip_forward  

PATH=/sbin:/usr/bin:/bin

#//--|------------------------------------------------------------------------
#//--| Default timeouts
#//--|------------------------------------------------------------------------

ipchains -M -S 3600 3600 3600


#//--|------------------------------------------------------------------------
#//--| Internal interface
#//--|------------------------------------------------------------------------

INSIDE=10.0.0.2
INSIDE_DEVICE=eth0

#//--|------------------------------------------------------------------------
#//--| External interface
#//--|------------------------------------------------------------------------
DEVICE=eth1
IPADDR=130.X.Y.Z/24

PRIVATE_NETWORK=10.0.0.0/8


#//--|------------------------------------------------------------------------
#//--| Default policy is deny. Flush all chains.
#//--|------------------------------------------------------------------------
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -F


#//--|------------------------------------------------------------------------
#//--| Ignore noise on uplink device.
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d ! $IPADDR -j DENY


#//--|------------------------------------------------------------------------
#//--| Count SYN packets, total packets, packets on each interface
#//--|------------------------------------------------------------------------

ipchains -A input -p tcp -y -l
ipchains -A output -p tcp -y -l
ipchains -A input
ipchains -A output
ipchains -A input -i lo
ipchains -A output -i lo
ipchains -A input -i eth0
ipchains -A output -i eth0
ipchains -A input -i eth1
ipchains -A output -i eth1


#//--|------------------------------------------------------------------------
#//--| Allow only localhost and local IP addresses on loopback.
#//--| Localnet addresses should not appear anywhere else.  
#//--|------------------------------------------------------------------------

ipchains -A input -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A input -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A input -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A input -i lo -j DENY -l
ipchains -A input -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Ditto for output.
#//--|------------------------------------------------------------------------

ipchains -A output -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A output -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A output -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A output -i lo -j DENY -l
ipchains -A output -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Internal network addresses only on internal side
#//--|------------------------------------------------------------------------

ipchains -A input -i $INSIDE_DEVICE -s $PRIVATE_NETWORK -j ACCEPT
ipchains -A output -i $INSIDE_DEVICE -d $PRIVATE_NETWORK -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Internal network addresses on internal network only.
#//--|------------------------------------------------------------------------

ipchains -A input -s $PRIVATE_NETWORK -j DENY -l -b
ipchains -A output -s $PRIVATE_NETWORK -j DENY -l -b


#//--|------------------------------------------------------------------------
#//--| Allow traffic from outside world.
#//--| TCP ports for local clients are defined in
#//--| /proc/sys/net/ipv4/ip_local_port_range
#//--| and are 1024:4999 by default.
#//--| 61000:65095 are for masquerade.
#//--| ICMP 0 and 8 are ping (echo reply/request), 3 is destination unreachable, 11 is time exceeded
#//--|------------------------------------------------------------------------



#//--|------------------------------------------------------------------------
#//--| Allow ssh and ftp
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 20:22 -p tcp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Allow connections to sendmail
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 25 -p tcp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Allow connections to my www-server
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 80 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| DNS
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR :53 -p tcp -j ACCEPT  
ipchains -A input -i $DEVICE -d $IPADDR :53 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Ident
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 113 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Samba
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 137:139 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Tcp ports for local clients
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 1024:2048 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 2050:4999 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:2048 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 2050:4999 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| My forwarded ports
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 8000 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 8020 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Masquerading
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 61000:65535 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 61000:65095 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Some ports to deny
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 -d 0/0 1433 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 1433 -p udp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 2049 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 2049 -p udp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 5432 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 5432 -p udp -j DENY




#//--|------------------------------------------------------------------------
#//--| Icq
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 -d 0/0 4000 -p udp -j ACCEPT
ipchains -A output -i $DEVICE -s 0/0 -d 0/0 4000 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| quake world
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 26000 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 27500 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 28000 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 29000 -p udp -j ACCEPT



#//--|------------------------------------------------------------------------
#//--| ping on localnet
#//--|------------------------------------------------------------------------

ipchains -A input -s 10.0.0.0/24 echo-request -p icmp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Ping from my other machine
#//--|------------------------------------------------------------------------

ipchains -A input -s 130.X.V.W echo-request -p icmp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| ICMP TRAFFIC
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 0 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 3 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 11 -d $IPADDR -p icmp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Reject ping
#//--|------------------------------------------------------------------------

ipchains -A input -s 0/0 echo-request -p icmp -j REJECT

#//--|------------------------------------------------------------------------
#//--| Reject traffic to doubleclick.net
#//--|------------------------------------------------------------------------

ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT

#//--|------------------------------------------------------------------------
#//--| No control over outbound traffic
#//--|------------------------------------------------------------------------

ipchains -A output -i $DEVICE -s $IPADDR -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Not a gateway onto private network.  This stops an IP spoofing
#//--| attack if it somehow gets through all the filtering above.
#//--|------------------------------------------------------------------------

ipchains -A forward -s $PRIVATE_NETWORK -d $PRIVATE_NETWORK -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Forward and masquerade private network to the world
#//--|------------------------------------------------------------------------

ipchains -A forward -s $PRIVATE_NETWORK -j MASQ


#//--|------------------------------------------------------------------------
#//--| ip-spoofing protection
#//--|------------------------------------------------------------------------

ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY


#//--|------------------------------------------------------------------------
#//--| Report any other packets that are denied.
#//--| Useful for debugging (-l logs these to the kernel syslog)
#//--|------------------------------------------------------------------------

ipchains -A input -j DENY # -l
ipchains -A output -j DENY # -l
ipchains -A forward -j DENY #-l


#//--|------------------------------------------------------------------------
#//--| Some portforwarding to my local machine
#//--|------------------------------------------------------------------------

/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.Y.Z 80 -R 10.0.0.4 80 -p 1





Author Comment

by:hulken
ID: 1588199
And this is different from:
/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.V.W 80 -R 10.0.0.4 80 -p 1
Author Comment

by:hulken
ID: 1588200
Btw. Forwarding from Machine B to machine C works if I change the default gateway to 10.0.0.3, so I need routing by source on machine C, which says that the packets which have the new local IP address should be routed via machine B instead of machine A, which is the default gateway otherwise.


Expert Comment

by:canacar
ID: 1588201
It seems to me that the new (advanced) routing policies of the 2.2 kernel should work for you.

[ unfortunately, I am using a 2.0.34 kernel so cannot test
  what I will be writing here... ]

OK, first you need kernel version > 2.1.14 (I think);
since you are using ipchains, you probably have it,
else use a 2.2 kernel.


then you have to obtain the mentioned ip-routing package
(if you do not already have it. I think it is included in
 the debian distribution)
the original site is ftp://ftp.inr.ac.ru/ip-routing
however, I found the link ftp://linux.wauug.org/pub/net/ip-routing/
much faster.

download and compile the ip-route2-current.tar.gz
and compile it. (this I have not done! so you are on your own here...)

you should now have an 'ip' utility and
using the ip route ...
commands you can set the routing tables of your C machine.

OOPS! I nearly forgot!

first you should use the IP Alias mechanism to define two IP addresses to your machine C.  (setting up IP aliasing is described in IPAlias mini-HOWTO, basically you compile it to the kernel or as a module and insmod it)

then you can set up two IP addresses on the same ethernet card like:

  /sbin/ifconfig lo 127.0.0.1
  /sbin/ifconfig eth0 up
  /sbin/ifconfig eth0 10.0.0.4
  /sbin/ifconfig eth0:0 10.0.0.5

so you have two IP addresses on C.

with your new ip-route utility, you can configure
different gateways for these addresses...


# default gateway through A (C's primary address 10.0.0.4)
ip rule add from 10.0.0.4/32 table 1
ip route add default table 1 via 10.0.0.2

# default gateway through B (the new alias 10.0.0.5; the next hop is B, 10.0.0.3)
ip rule add from 10.0.0.5/32 table 2
ip route add default table 2 via 10.0.0.3

Note: I assume that these would work (I checked the sources)
but have not tried them .
[The linux/Documentation/networking/policy-routing.txt
 gives a different syntax but the sources say otherwise!]

hope it helps ...

Can

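The routing-by-source setup the question asks for and canacar's answer sketches, written out as an added example; this is not code from the thread, the original post or the iproute2 project. It follows the thread's addresses (A = 10.0.0.2 as C's default gateway, B = 10.0.0.3, C = 10.0.0.4 with a new alias 10.0.0.5) and assumes eth0 as C's interface, 10.0.0.0/24 as the LAN, routing table id 2, rule priority 100 and a DRY_RUN switch; all of those are this example's choices. It goes a little beyond the thread in two places a practitioner would want: the rule matches the alias as a /32 host (a /24 prefix would capture C's primary address too), and the LAN's connected route is copied into the extra table so alias-sourced packets to neighbours are not sent to B.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing on
# machine C (Linux 2.2+ with iproute2). Packets sourced from a new alias
# address leave via machine B; everything else keeps machine A as default
# gateway, so replies to connections that B forwarded to the alias go back
# through B, where they can be de-masqueraded. Addresses follow the thread;
# IFACE, LAN, the table id, the rule priority and DRY_RUN are assumptions.
IFACE="${IFACE:-eth0}"
LAN=10.0.0.0/24
GW_A=10.0.0.2        # machine A, C's normal default gateway
GW_B=10.0.0.3        # machine B
PRIMARY_ADDR=10.0.0.4
ALIAS_ADDR=10.0.0.5  # the extra address B will forward ports to
TABLE_VIA_B=2        # private routing table consulted only for the alias
RULE_PRIO=100        # lower number = checked before the "main" rule (32766)
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; "apply" argument sets 0

# Command that adds the alias (iproute2 equivalent of "ifconfig eth0:0 ...").
alias_cmds() {
    printf '%s\n' "ip addr add $1/24 dev $IFACE label $IFACE:0"
}

# Commands that bind one source address to its own gateway.
# Arguments: source address, gateway, table id, rule priority.
# The LAN route is copied into the table so that alias-sourced packets to
# 10.0.0.x still go directly; "/32" keeps the rule from matching the subnet.
policy_route_cmds() {
    src=$1; gw=$2; table=$3; prio=$4
    printf '%s\n' \
        "ip route add $LAN dev $IFACE table $table" \
        "ip route add default via $gw table $table" \
        "ip rule add from $src/32 table $table priority $prio" \
        "ip route flush cache"
}

# Read one command per line from stdin; print it in dry-run mode, else run it.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1    # unquoted on purpose: split into ip's arguments
        fi
    done
}

# Ask the kernel which next hop it picks for a packet from the given source
# (run on C after applying). 192.0.2.1 is a documentation-only address used
# here as an arbitrary non-local destination.
gateway_for_source() {
    ip route get 192.0.2.1 from "$1" 2>/dev/null \
        | sed -n 's/.* via \([0-9.]*\).*/\1/p' | head -n 1
}

# Default is a dry run that only prints the commands; pass "apply" to run
# them (as root on machine C) and then show the gateway chosen per source.
main() {
    if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
    { alias_cmds "$ALIAS_ADDR"
      policy_route_cmds "$ALIAS_ADDR" "$GW_B" "$TABLE_VIA_B" "$RULE_PRIO"; } | run_cmds
    if [ "$DRY_RUN" = 0 ]; then
        echo "from $PRIMARY_ADDR -> via $(gateway_for_source "$PRIMARY_ADDR") (expect $GW_A)"
        echo "from $ALIAS_ADDR -> via $(gateway_for_source "$ALIAS_ADDR") (expect $GW_B)"
    fi
}
main "$@"
```

Run it without arguments to see the commands; run `sh policy_route.sh apply` as root on machine C to apply them, then check with `ip rule show` and `ip route show table 2`. The rules and the alias are not persistent, so they belong in C's network start-up script. On machine B the `ipmasqadm portfw` rule must then point at the alias (`-R 10.0.0.5 80`) rather than at 10.0.0.4, since only packets sourced from the alias are steered back through B.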

Author Comment

by:hulken
ID: 1588202
Mark the question as answered......

Accepted Solution

by:canacar (earned 400 total points)
ID: 1588203
I assume, then, that the setup worked :-)
I would like to know how it turned out though ...

Can
