On Friday, August 1, 2003, at 05:13 AM, Vincenzo Arena wrote:
> Hi,
> I've got the following strange (for me at least) problem: I have this network setup
>
>  ------------                                      ------------
>  - ext Fw - eth0 ----------- net 172.16.30.0 ----- - int Fw - ---net 192.168.68.0 --
>  ------------              -- host 172.16.30.25    ------------       client 192.168.68.8
>
> the host 172.16.30.25 has its default route to 172.16.30.253 (eth0 of the ext fw)
>
> I have one rule that permits 172.16.30.0 to any
>
> and rule 22 (the last one) denies all
>
> If I try to ping from 192.168.68.8 to 172.16.30.25 I get on the ext fw:
>
> RULE 22 -- DENY IN=eth0 OUT=eth0 SRC=172.16.30.25 DST=192.168.68.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=49298 PROTO=ICMP TYPE=0 CODE=0 ID=22582 SEQ=768
>
> fwbuilder-1.0.10-1 -- kernel 2.4.18-3 (RH) -- iptables-1.2.5-3
>
> The problem is that I cannot find any rule that permits redirection .. any idea?
So, you ping from the host on the network behind the internal firewall, but see the echo reply in the log of the external firewall, right?
You need a route on the host 172.16.30.5 to send packets headed for 192.168.8.0/24 through the internal firewall. Currently these packets just follow the default route; that is why you see them hit the external firewall.
--vk
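The routing decision the reply describes, as an added example that is not part of the thread: a longest-prefix-match lookup for host 172.16.30.25, with and without a route to the client network via the internal firewall. The internal firewall's address on the 172.16.30.0/24 segment (172.16.30.254) is an assumption, since the thread does not give it; the client network is taken as 192.168.68.0/24 from the original diagram.

```python
import ipaddress

EXT_FW = "172.16.30.253"   # eth0 of the external firewall (from the thread)
INT_FW = "172.16.30.254"   # ASSUMED: internal firewall's address on 172.16.30.0/24


def next_hop(routes, dst):
    """Longest-prefix-match lookup.

    routes: list of (prefix, gateway); gateway None means directly connected.
    Returns the gateway of the most specific matching prefix.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return best_gw


# Host 172.16.30.25 as described in the thread: connected segment plus a
# default route to the external firewall, nothing else.
ROUTES_BEFORE = [
    ("172.16.30.0/24", None),
    ("0.0.0.0/0", EXT_FW),
]

# Same table with the static route the reply recommends.
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.68.0/24", INT_FW)]


def reply_path(routes, client="192.168.68.8"):
    """Which firewall the host's ICMP echo reply to `client` is sent to.

    Via the default route it reaches the external firewall on eth0 and would
    have to leave on eth0 again, which is the IN=eth0 OUT=eth0 hairpin that
    the last rule logs and denies; via the specific route it goes to the
    internal firewall, which knows 192.168.68.0/24.
    """
    gw = next_hop(routes, client)
    return {EXT_FW: "external-fw", INT_FW: "internal-fw"}.get(gw, "on-link")


if __name__ == "__main__":
    print("without route:", reply_path(ROUTES_BEFORE))  # external-fw
    print("with route:   ", reply_path(ROUTES_AFTER))   # internal-fw
```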