Re: [Fwd: Re: [Fwbuilder-discussion] can not get trough firewall even though last rule is any any an
From: Vadim K. /r/ <va...@vk...> - 2003-10-28 23:25:19
On Tuesday, October 28, 2003, at 03:06 PM, Jim wrote:

> "A" has a 10.x.x.x address and its default gateway is the "fw" with one
> nic at 10.x.x.x and another nic with 161.x.x.x the ip that we are
> telneting from is a 10.x.x.1 and we can not do this from "A" although we
> can telnet to "C" from "fw".
>

do you use NAT on your firewall to translate address 10.x.x.x ? the reason
I am asking is that if you do not translate, then the host on 161.x.x.x
needs to know how to route to 10.x.x.x

--vk

> Jim
>
>
> On Tue, 2003-10-28 at 15:30, Vadim Kurland /r/ wrote:
>> On Tuesday, October 28, 2003, at 01:53 PM, Jim wrote:
>>
>>> I am trying to telnet from a workstation with an internal IP through the
>>> firewall to an IP with a external address through the firewall although
>>> I think that the server I am telnetting into does not like the format of
>>> basically proxying the telnet session; is this possible, NOT sure if
>>> that is the problem.
>>>
>>> I can telnet directly from the firewall to the given external IP
>>> although I can not telnet from another workstation that is using the
>>> firewall as its default gateway.
>>>
>>> When I run traceroute from the firewall I resolve the IP and the given
>>> hops when I run traceroute from the workstation I resolve only the
>>> gateway and it does not resolve it all the way to the requested IP.
>>>
>>
>> lets distinguish between name resolution and an ability to access the
>> network node. When you say it resolves only gateway, what do you mean ?
>> Do you get IP addresses of the subsequent hops beyond the firewall
>> (indicates lack of DNS name resolution) or you get stars for all
>> subsequent hops (indicates lack of connectivity) ?
>>
>>> In reality this firewall is between what is considered an internal and
>>> and is considered external network neither of which are the Internet.
>>>
>>
>> Here is your setup how I understand it:
>>
>> host A ---------- fw ------------ host B
>>
>> you are trying to connect from host A to host B. Do you use NAT ? You
>> never mentioned that, so I suppose you don't. In this case host B sees
>> connection coming from the IP address of host A. Does host B have a
>> routing to that address ? The route should point through the firewall.
>> The same applies to host A, it needs routing to the network where host
>> B is located and the route should point at the firewall. It may be that
>> at least on one side (A or B) the firewall is a default gateway, that
>> would suffice.
>>
>> --vk
>>
>>> Jim
>>>
>>>> On Tue, 2003-10-28 at 13:21, Vadim Kurland /r/ wrote:
>>>>> On Tuesday, October 28, 2003, at 11:58 AM, Jim wrote:
>>>>>
>>>>>> I used make menuconfig and below are the options I selected.
>>>>>>
>>>>>> I have the following under Networking Options
>>>>>> Y Packet Socket
>>>>>> Y Network packet filtering (replaces ipchains)
>>>>>> Y Unix domain sockets
>>>>>> Y TCP/IP networking
>>>>>>
>>>>>> Under IP Netfilter Configuration I compiled everything in "Y" not sure
>>>>>> what else I need to compile in or do I need to use modules?
>>>>>>
>>>>>
>>>>> this should be fine, the problem must be somewhere else. Do you see any
>>>>> records in the log indicating that packets get dropped ? Try to change
>>>>> the last rule to deny and log rather than accept, then see what gets
>>>>> logged. If nothing is in the log still, then check your syslog settings
>>>>> (see FAQ for that). Once you get records of dropped packets in the log,
>>>>> that should give you a clue if you need to adjust your rules.
>>>>>
>>>>> --vk
>>>>>
>>>>>> Jim
>>>>>>
>>>>>> On Tue, 2003-10-28 at 12:54, Vadim Kurland /r/ wrote:
>>>>>>> On Tuesday, October 28, 2003, at 11:42 AM, Jim wrote:
>>>>>>>
>>>>>>>> I checked and packet forwarding is enabled. My last rule is any any
>>>>>>>> any accept, so nothing should be denied correct?
>>>>>>>>
>>>>>>>
>>>>>>> correct, provided iptables uses connection tracking module.
>>>>>>>
>>>>>>>> Below is the output I receive when I execute the script, I do not
>>>>>>>> think this would stop the script from working or is this the root of
>>>>>>>> the problem? What else should I check to see why I can not get from a
>>>>>>>> workstation on the internal side to the external side.
>>>>>>>>
>>>>>>>> Nothing to flush.
>>>>>>>> ./health.fw: cd: /lib/modules/2.4.22/kernel/net/ipv4/netfilter/: No such file or directory
>>>>>>>> ls: *_conntrack_*: No such file or directory
>>>>>>>>
>>>>>>>
>>>>>>> yes, this might be a problem. Did you recompile your kernel yourself ?
>>>>>>> The netfilter code needs to be either compiled as modules, or built in
>>>>>>> the kernel. Since directory
>>>>>>> "/lib/modules/2.4.22/kernel/net/ipv4/netfilter/" does not exist, it is
>>>>>>> obviously not compiled as a module.
>>>>>>>
>>>>>>> --vk
>>>>>>>
>>>>>>>> Also below is the output from ifconfig: not sure what eth1:FWB1 means?
>>>>>>>>
>>>>>>>> ifconfig
>>>>>>>> eth0      Link encap:Ethernet  HWaddr 00:50:DA:5B:86:4F
>>>>>>>>           inet addr:10.10.1.110  Bcast:10.10.255.255  Mask:255.255.0.0
>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>           RX packets:30647 errors:0 dropped:0 overruns:1 frame:0
>>>>>>>>           TX packets:5432 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>           collisions:0 txqueuelen:100
>>>>>>>>           RX bytes:2798972 (2.6 MiB)  TX bytes:1595198 (1.5 MiB)
>>>>>>>>           Interrupt:11 Base address:0x1400
>>>>>>>>
>>>>>>>> eth1      Link encap:Ethernet  HWaddr 00:04:5A:7D:BB:43
>>>>>>>>           inet addr:161.223.4.161  Bcast:161.223.4.255  Mask:255.255.255.128
>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>           RX packets:11940 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>           TX packets:0 errors:548 dropped:0 overruns:0 carrier:1096
>>>>>>>>           collisions:0 txqueuelen:100
>>>>>>>>           RX bytes:2363159 (2.2 MiB)  TX bytes:0 (0.0 b)
>>>>>>>>           Interrupt:11 Base address:0x1000
>>>>>>>>
>>>>>>>> eth1:FWB1 Link encap:Ethernet  HWaddr 00:04:5A:7D:BB:43
>>>>>>>>           inet addr:161.223.4.183  Bcast:161.223.4.255  Mask:255.255.255.128
>>>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>>>           Interrupt:11 Base address:0x1000
>>>>>>>>
>>>>>>>> lo        Link encap:Local Loopback
>>>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>>>>>           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>>>>>>>>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>>>           collisions:0 txqueuelen:0
>>>>>>>>           RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
>>>>>>>>
>>>>>>>> Jim
>>>>>>>>
>>>>>>>> On Tue, 2003-10-28 at 12:21, Vadim Kurland /r/ wrote:
>>>>>>>>> On Tuesday, October 28, 2003, at 10:23 AM, Jim wrote:
>>>>>>>>>
>>>>>>>>>> I have created a firewall script with fwbuilder and I have some
>>>>>>>>>> clients on my internal network that need to telnet and have http
>>>>>>>>>> access through the external network. I can not telnet to the IP I
>>>>>>>>>> want to nor can I ping the host.
>>>>>>>>>>
>>>>>>>>>> Although I can ping the IP in question directly from the firewall.
>>>>>>>>>>
>>>>>>>>>> Do I need to do something to enable routing from one nic to the
>>>>>>>>>> other? From one network to the other?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> one thing to check is whether ip forwarding is turned on. There is a
>>>>>>>>> GUI control for it in the "Network" tab of the firewall object
>>>>>>>>> dialog.
>>>>>>>>>
>>>>>>>>> there is a brief list of things to check here:
>>>>>>>>> http://www.fwbuilder.org/archives/cat_troubleshooting.html
>>>>>>>>>
>>>>>>>>> --vk
>>>>>>>>>
>>>>>
>>>>> -------------------------------------------------------
>>>>> This SF.net email is sponsored by: SF.net Giveback Program.
>>>>> Does SourceForge.net help you be more productive? Does it
>>>>> help you create better code? SHARE THE LOVE, and help us help
>>>>> YOU! Click Here: http://sourceforge.net/donate/
>>>>> _______________________________________________
>>>>> Fwbuilder-discussion mailing list
>>>>> Fwb...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
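Two pieces of advice in the thread above go together: switch the last rule from accept to "deny and log", then read the kernel log to see which packets are being dropped, and remember that an "any any any accept" rule only lets replies through when the connection tracking module is loaded. The script below is an added example, not code from the thread or from fwbuilder: it parses syslog lines in the netfilter LOG target format, groups the dropped packets by direction (forwarded through the firewall versus addressed to the firewall itself), and flags TCP reply packets (ACK set) that were dropped in the FORWARD path, which is the symptom you see when state matching has no connection table to consult. The sample log lines, the host addresses, and the "RULE 6 -- DENY" log prefix are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in netfilter LOG target format (not from the thread).
# Line 4 is an unrelated sshd entry, included to show that non-firewall lines are skipped.
SAMPLE_LOG = """\
Oct 28 15:40:01 fw kernel: RULE 6 -- DENY IN=eth0 OUT=eth1 SRC=10.10.1.50 DST=161.223.4.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=34567 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 15:40:01 fw kernel: RULE 6 -- DENY IN=eth0 OUT=eth1 SRC=10.10.1.50 DST=161.223.4.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 28 15:40:02 fw kernel: RULE 6 -- DENY IN=eth1 OUT=eth0 SRC=161.223.4.20 DST=10.10.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=9 DF PROTO=TCP SPT=23 DPT=34567 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Oct 28 15:40:05 fw sshd[1234]: Accepted publickey for admin from 10.10.1.7
Oct 28 15:40:06 fw kernel: RULE 6 -- DENY IN=eth1 OUT= SRC=161.223.4.99 DST=161.223.4.161 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=55555 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Everything between "kernel:" and the first "IN=" is the rule's --log-prefix;
# the rest is a run of KEY=VALUE tokens plus bare flag tokens such as DF, SYN, ACK.
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return a dict of the netfilter fields in one syslog line, or None if it is not a LOG record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # "OUT=" yields an empty string, meaning "no output interface"
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK, ... have no value
    return rec


def direction(rec):
    """Which chain the packet was in: forward (through the box), input (to the box), output (from it)."""
    if rec.get("IN") and rec.get("OUT"):
        return "forward"
    if rec.get("IN"):
        return "input"
    return "output"


def summarize(log_text):
    """Count dropped packets per (direction, in, out, src, dst, proto, dst-port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (direction(rec), rec.get("IN", ""), rec.get("OUT", ""),
               rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def dropped_replies(log_text):
    """(src, dst) of TCP packets with ACK set that were dropped while being forwarded.

    A forwarded reply that the accept rules did not match is the classic sign that
    the state match has no connection tracking table behind it: the outbound SYN
    was let through, but nothing remembered it, so the SYN/ACK is treated as new.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and direction(rec) == "forward" and rec.get("PROTO") == "TCP" and "ACK" in rec["flags"]:
            found.append((rec["SRC"], rec["DST"]))
    return found


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key[0]:<8} {key[1]:>5} -> {key[2]:<5} {key[3]} -> {key[4]} {key[5]}/{key[6]}")
    for src, dst in dropped_replies(SAMPLE_LOG):
        print(f"dropped reply {src} -> {dst}: check that the conntrack module is loaded")
```

Run it against the real log with `summarize(open("/var/log/messages").read())`; the grouping by IN/OUT interface makes it obvious whether the traffic is at least reaching the FORWARD path from the internal side, which separates a routing or NAT problem on the far host from a rule or conntrack problem on the firewall.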