On Sat, 21 May 2011 13:23 +0200, "Pascal Hambourg" <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> netfilter@xxxxxxxxxxxxxx a écrit :
> > I have a firewall router box that I'm trying to write a ruleset for that
> > accepts/blocks traffic from Network A to Network B. I'm testing the
> > rules on 3 virtual machines and will eventually deploy to production
> > hardware:
> >
> > Net A Machine Eth0 <-> Eth0 Firewall/Router Eth1 <-> Eth0 Net B Machine
> > 192.168.99.1        192.168.99.2          10.10.10.1     10.10.10.2
> >
> > I have the following rules on the Firewall/Router as a test before I
> > write rules with http, ssh etc:
> >
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -s 192.168.99.0/24 -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j LOG --log-prefix "ICMP: "
> >
> > When I ping from 192.168.99.1 to 10.10.10.2 it does not work. The log
> > rule logs the packet as IN=ETH1 OUT=ETH1.
>
> Can you describe the virtual network architecture ?
> Are all the three machines above virtual guests on a same physical host
> or is one of them the physical host ?
>
> Also, can you provide the routing table on the firewall/router as
> reported by route -n or ip route ?

Based on the comments left so far, it seems that my logic is correct in the way I view the interfaces in the forward chain. I guess unless there is a reason I am missing I will assume that the issue has to do with the way the virtual machines are set up. As the other poster suggested, I can develop the ruleset without the references to the interfaces and add them when the real hardware is in place, and hopefully it will behave as I think it should. At least I'll be able to get a start on the rules since it will be a fast turnaround when the hardware is in place.

As far as the virtual machines: all three test systems are virtual. They run RH5 using a Mac with Parallels. The routing tables are below. Keep in mind that this was thrown together just to test the rules. I manually added the GW on the Net A and B machines and got ping to work from A to B via the firewall/router with just forwarding enabled (/proc/net/sys . . ). Once ping worked with just forwarding enabled I started writing the FORWARD rules as outlined above and got the unexpected interface behavior as outlined in the original post.

Network A Machine:
Dest            Gateway         Genmask         Iface
192.168.99.0    0.0.0.0         255.255.255.0   eth1
0.0.0.0         198.168.99.2    0.0.0.0         eth1

Firewall/Router Machine:
Dest            Gateway         Genmask         Iface
10.10.10.0      0.0.0.0         255.255.255.0   eth1
192.168.99.0    0.0.0.0         255.255.255.0   eth0

Network B Machine:
Dest            Gateway         Genmask         Iface
10.10.10.0      0.0.0.0         255.255.255.0   eth0
0.0.0.0         10.10.10.1      0.0.0.0         eth0

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
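The thread's observation (the echo request logged with IN=eth1 instead of arriving on eth0) can be checked against the three FORWARD rules and the router's routing table with a small chain walker. This is an added example, not code from the thread or from netfilter; the rule and route tables are the ones posted above entered as data, and the function names (egress_iface, rule_matches, forward_trace, ping_trace) are this example's own.

```python
import ipaddress

# Firewall/router routing table from the thread, entered here as data.
FW_ROUTES = [
    ("10.10.10.0/24", "eth1"),
    ("192.168.99.0/24", "eth0"),
]

# The three FORWARD rules from the original post as match dictionaries.
# A missing key means the rule did not specify that match (-i, -o, -s, -d, ...).
FORWARD_RULES = [
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in": "eth0", "out": "eth1", "proto": "icmp", "src": "192.168.99.0/24",
     "dst": "10.10.10.0/24", "state": {"NEW"}, "target": "ACCEPT"},
    {"proto": "icmp", "state": {"NEW"}, "target": "LOG"},
]

def egress_iface(routes, dst):
    """Longest-prefix route lookup; None if no route (this table has no default)."""
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rule_matches(rule, pkt):
    """True if every match the rule specifies agrees with the packet."""
    for key in ("in", "out", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return "state" not in rule or pkt["state"] in rule["state"]

def forward_trace(rules, pkt):
    """Targets hit while walking the chain; LOG is non-terminating, ACCEPT/DROP end it."""
    hits = []
    for rule in rules:
        if rule_matches(rule, pkt):
            hits.append(rule["target"])
            if rule["target"] != "LOG":
                break
    return hits  # an empty list means the chain's default policy decides

def ping_trace(in_iface, src="192.168.99.1", dst="10.10.10.2"):
    """Echo request from Net A to Net B, arriving on in_iface of the router."""
    pkt = {"in": in_iface, "out": egress_iface(FW_ROUTES, dst), "proto": "icmp",
           "src": src, "dst": dst, "state": "NEW"}
    return forward_trace(FORWARD_RULES, pkt)
```

With the packet entering on eth0 the second rule accepts it; entering on eth1, as the posted log line shows, only the LOG rule fires and the chain's default policy decides, which is why interface matches are best added once the real topology is known.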