Re: problem with iptables with forward drop policy.


 



1) Yes, I think that all nets are on the same network segment, since all of them are connected to the same hub/switch.
2) I'm trying to ping based on IPs.
3) INTIF is eth0, which is on the 192.168.1.0 network. This interface has two logical interfaces, eth0:1 on the 192.168.2.0 network and eth0:2 on the 192.168.3.0 network. EXTIF is eth1, which has only a public IP.


4) I attach the logs below. In this case 192.168.1.16 is a Windows machine, 192.168.3.4 is too, and p250 is the firewall/router/gateway Linux machine.


I repeat that if I change the policy of FORWARD to ACCEPT (the default is DROP), then I can ping from every machine to all machines.


Thanks.

Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=60753 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9169 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=60753 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9169 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:07 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=61521 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5632
Sep 23 20:25:07 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9425 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5632
Sep 23 20:25:07 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=61521 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5632
Sep 23 20:25:07 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9425 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5632
Sep 23 20:25:12 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=61777 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5888
Sep 23 20:25:12 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9681 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5888
Sep 23 20:25:12 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=61777 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5888
Sep 23 20:25:12 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9681 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5888
Sep 23 20:25:16 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=62033 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=6144
Sep 23 20:25:16 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9937 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=6144
Sep 23 20:25:16 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=62033 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=6144
Sep 23 20:25:16 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9937 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=6144




Daniel Chemko wrote:

1. Are these subnets on the same network segment or different network
interfaces?


2. Are you trying to ping based on hostnames or IPs?

3. INTIF/EXTIF corresponds to what network IP subnets?

4. What gets dumped to the Logs? In all likelihood it will show you
exactly what the problem is.


The ICMP pings should work the same between Linux and Windows so I don't
see the 'visibility' the firewall allows as the issue. I can only assume
that your Windows machines are not configured the same way as your Linux
machine (192.168.3.15). Could this be a subnet masking problem?


Try tracert from 192.168.1.19 to the machines you tried and see if they both
take the paths that they should take.





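The LOG lines above already contain the answer a reader of this thread needs: every forwarded packet shows IN=eth0 OUT=eth0, because eth0:1 and eth0:2 are aliases of the same physical interface, so any FORWARD rule written with different -i/-o interfaces will never match and the DROP policy wins. The following script is an added example, not code from either poster: it re-joins three of the thread's LOG lines into a constructed sample, extracts the distinct flows, and prints the minimal FORWARD rules that admit the echo requests under a DROP policy while connection tracking admits the replies. The /24 masks are an assumption (the post never states the netmasks), and the sample set is constructed, not a full capture.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread). Constructed sample: three
# LOG lines taken from the post, re-joined onto single lines.
SAMPLE_LOG='Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=60753 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:03 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.3.4 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9169 PROTO=ICMP TYPE=0 CODE=0 ID=256 SEQ=5376
Sep 23 20:25:07 p250 kernel: IN=eth0 OUT=eth0 SRC=192.168.1.16 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=61521 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=5632'

# flows: one "IN OUT SRC DST PROTO TYPE" line per distinct flow in the log.
# ID= appears twice per line (IP id, then ICMP id); keeping the first value of
# every key avoids mixing them up.
flows() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
    {
        split("", f)
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2 && !(kv[1] in f)) f[kv[1]] = kv[2]
        if (("IN" in f) && ("OUT" in f))
            print f["IN"], f["OUT"], f["SRC"], f["DST"], f["PROTO"], f["TYPE"]
    }' | sort -u
}

# subnet24: collapse a host address to its /24 (assumed mask for these nets).
subnet24() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }'
}

# suggest_rules: one ACCEPT rule per initiating flow. ICMP type 0 (echo reply)
# is return traffic, which the ESTABLISHED rule in ruleset() covers instead.
suggest_rules() {
    flows | while read -r iif oif src dst proto type; do
        [ "$proto" = ICMP ] && [ "$type" = 0 ] && continue
        printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s -j ACCEPT\n' \
            "$iif" "$oif" "$(subnet24 "$src")" "$(subnet24 "$dst")" \
            "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')"
    done | sort -u
}

# ruleset: the complete FORWARD chain. "-m state --state" is the match in use
# at the time of the thread; "-m conntrack --ctstate" is the modern equivalent.
ruleset() {
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    suggest_rules
}

ruleset
```

Run it on the box as a diagnostic, and note the rule it emits matches on `-i eth0 -o eth0`; the hairpin through a single NIC is the whole reason the DROP policy bites here. The rules are policy, not isolation: because all three subnets share one hub/switch, the gateway only sees traffic the hosts choose to route through it, and any host on that segment can reach the other subnets directly by configuring an extra address. Separating the nets onto distinct interfaces or VLANs is what turns the FORWARD chain into an actual boundary.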
