Hi again, Marco,

: I did an ipchains -F before every new try - there was no other chain(s).

Got it.

: Okay, it seems there is a problem. In this DENY chain I get after every
: ping 4 more packets (one ping - 4 tries).
: It seems ipchains denies the incoming icmp packets on eth2. But why?
: I tried also to specify the source ip with some other chains, and it is
: the packet that comes from the host 62.154.89.102 - exactly the packet
: I am waiting for.
:
: An ipchains -nML shows an open masq connection to the host I ping'd:
:
: IP masquerading entries
: prot expire   source               destination          ports
: ICMP 00:57.85 192.168.0.31         62.154.89.102        512 (61009) -> 8

All is well.

: 0:      from all lookup local
: 32765:  from all fwmark 2 lookup 10
: 32766:  from all lookup main
: 32767:  from all lookup 253
:
: there is a timeout. It shows me the marking of packets works and the ip
: rules can see the marked packets.

Looks right.

: >By the way, you are using "ip route flush cache" every time you make
: >changes to the routing tables/RPDB, right?
:
: Yes, I do.

This is just a common problem--so I wanted to ask.

: >Aigh! I think I may have spotted the problem.
: >Your routing table number 10 doesn't know anything about 192.168.0.0/24
: >does it?
: >Make sure that each routing table has routes for the destinations it is
: >supposed to be able to reach!
: > : ipchains -A input -p icmp -s 192.168.0.0/24 -m 2
: > : ip ru add fwmark 2 table 10
: > : ip route add default via x.x.x.x dev eth2 table 10
: > : ipchains -A forward -s 192.168.0.0/24 -j MASQ
: > : * x.x.x.x is the default gateway!
:
: Well, if I look into the rules table I see:
: 0:      from all lookup local
: 32765:  from all fwmark 2 lookup 10
: 32766:  from all lookup main
: 32767:  from all lookup 253

<I snipped much of your mail with which I agree>

: But okay. This is not the problem.
: It seems ipchains DENYs this packet. But why?
:
: Here an ipchains -L:
:
: Chain input (policy ACCEPT):
: target     prot opt     source                destination           ports
: -          icmp ------  192.168.0.0/24        anywhere              any ->   any
: DENY       all  ----l-  anywhere              anywhere              n/a
: Chain forward (policy DENY):
: target     prot opt     source                destination           ports
: MASQ       all  ------  192.168.0.0/24        anywhere              n/a
: Chain output (policy ACCEPT):

I was suggesting the "ipchains -A input -j DENY -l" chain to make sure that
any packet passing through is explicitly logged and dropped instead of
implicitly. I'm sure you'll see lots of DENY traffic in your
/var/log/messages when using this rule, and things definitely won't work.
Sorry if that was at all unclear--this was intended as a diagnosing tool.

: The deny chain is your chain to monitor :)
: Without it (the deny chain) it is exactly the same situation.
: Why does ipchains deny this incoming packet on eth2?

It doesn't look to me like the input chain is your problem, but rather your
forward chain. The default policy is deny. Try changing that to allow
specifically what you want to allow.

You could always try that very same diagnosing ipchains rule in your
forward chain, i.e. "ipchains -A forward -j DENY -l". Then you'll see that
the de-masqueraded packet is denied passing through the forward chain. (At
least that's my guess....)

This, of course, is the beauty of using iptables--much less worrying with
iptables rules than with ipchains rules (in general), but you are using
kernel 2.2.19, I believe, so iptables is not an option for you.

Let us know how you fare,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
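Martin's diagnosing trick is to put a logging DENY rule ("-j DENY -l") at the end of both the input and the forward chain and then read /var/log/messages to see which chain drops the de-masqueraded reply. The following is an added example, not code from this thread, from ipchains or from LARTC: a small parser that groups those "Packet log:" lines by chain, interface, protocol and addresses, so the forward-chain drops stand out from unrelated input-chain noise. It assumes the log line layout documented in the IPCHAINS-HOWTO; the sample lines are constructed (eth0 as the inside interface and 203.0.113.5 as the gateway's external address are placeholders, since the thread gives neither).

```python
"""Group ipchains -l log lines by the chain that dropped the packet.

Added example, not code from the LARTC thread or from ipchains itself.
The line layout ("Packet log: <chain> <verdict> <iface> PROTO=<n>
<src>:<a> <dst>:<b> L=... S=... I=... F=... T=...") is assumed from the
IPCHAINS-HOWTO; all sample lines below are constructed.
"""
import re
from collections import Counter

# Only the fields needed for the diagnosis are captured: which chain logged
# the packet, its verdict, the interface, protocol and the two addresses.
# The trailing L=/S=/I=/F=/T= fields are ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d+(?:\.\d+){3}):(?P<sfield>\d+) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dfield>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict of fields for an ipchains log line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
    return rec


def denied_by_chain(lines):
    """Count DENY entries keyed by (chain, iface, proto, src, dst).

    Keying on the chain is the whole point: with a logging DENY rule at the
    end of both input and forward, the counts show which of the two chains
    is eating the reply that masquerading has already translated back.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "DENY":
            continue
        counts[(rec["chain"], rec["iface"], rec["proto"], rec["src"], rec["dst"])] += 1
    return counts


def denying_chains(lines):
    """Sorted names of the chains that logged at least one DENY."""
    return sorted({key[0] for key in denied_by_chain(lines)})


# Constructed sample: one ping, four tries, as in the thread. The four echo
# replies from 62.154.89.102 are dropped in the forward chain after being
# de-masqueraded back to 192.168.0.31; one unrelated UDP packet hits the
# input chain's DENY rule; the last line is ordinary kernel noise.
SAMPLE_LOG = [
    "Jan 10 12:00:01 gw kernel: Packet log: forward DENY eth0 PROTO=1 62.154.89.102:0 192.168.0.31:0 L=84 S=0x00 I=4711 F=0x0000 T=54",
    "Jan 10 12:00:02 gw kernel: Packet log: forward DENY eth0 PROTO=1 62.154.89.102:0 192.168.0.31:0 L=84 S=0x00 I=4712 F=0x0000 T=54",
    "Jan 10 12:00:03 gw kernel: Packet log: forward DENY eth0 PROTO=1 62.154.89.102:0 192.168.0.31:0 L=84 S=0x00 I=4713 F=0x0000 T=54",
    "Jan 10 12:00:04 gw kernel: Packet log: forward DENY eth0 PROTO=1 62.154.89.102:0 192.168.0.31:0 L=84 S=0x00 I=4714 F=0x0000 T=54",
    "Jan 10 12:00:03 gw kernel: Packet log: input DENY eth2 PROTO=17 203.0.113.77:137 203.0.113.5:137 L=78 S=0x00 I=9001 F=0x0000 T=128",
    "Jan 10 12:00:05 gw kernel: eth2: link is up",
]

if __name__ == "__main__":
    # On a real box: denied_by_chain(open("/var/log/messages"))
    for key, n in sorted(denied_by_chain(SAMPLE_LOG).items()):
        chain, iface, proto, src, dst = key
        print(f"{chain:8s} {iface:5s} {proto:5s} {src:>16s} -> {dst:<16s} {n} dropped")
```

Run against the constructed log it reports four ICMP drops in the forward chain for 62.154.89.102 -> 192.168.0.31 and a single unrelated UDP drop in the input chain, which is exactly the split Martin expects to see: the input chain is fine, the forward chain's default DENY policy is what needs an explicit ACCEPT for the return traffic.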