[ale] ipfwadm won't forward packets thru firewall rules

Scott Thomason scott at 2tp.com
Mon Jul 12 17:17:56 EDT 1999


I hope someone can help me before I go crazy. I'm having trouble getting
ipfwadm to forward masqueraded packets from our internal network through the
firewall input/output rules.

Specifically, I can use the following mini-firewall to telnet out from the
firewall machine, but telnet fails to connect from any other machine on our
network. The packets arrive on eth0 on the firewall machine, but never get
sent out on ppp0 (as illustrated by the tcpdump output below).

When I disable firewalling (ipfwadm -I/O -p accept), everything works fine
from any machine on the network, so I know it's not a
hardware/wiring/NIC/routing issue.

Here's the setup:

My firewall machine is running a more-or-less clean install of RedHat 5.2,
kernel 2.0.36. I've installed diald 0.16.5 for on-demand dialing for the ppp
connection to the internet. It also has an ethernet card for connection to
the internal network. This NIC is eth0 at IP address 192.168.2.1.

I have another linux machine running as a gateway/server. It uses the same
RedHat distribution. It runs SAMBA, Sendmail, DHCP, BIND, etc., and is our
main office server. It has two NICs: one configured as eth0 at IP address
192.168.2.2 for connection to the firewall machine, and the other configured
as eth1 at IP address 192.168.1.1 for connection to the rest of our LAN.

As you can probably tell, the idea is that the LAN traffic stays on net
192.168.1.0/24, and is routed to the firewall machine only when it needs to
get out to the internet. Network 192.168.2.0/24 consists only of the two
previously described machines joined by a cross-over cable.

As a side note: I'd sure like to know why I never see any deny/reject
messages on the log! Kinda makes debugging hard. . . .

Thanks in advance,
---scott <mailto:scott at 2tp.com>
Copious debugging output follows. . . .



<--- Small firewall script invoked from within /etc/ppp/ip-up.local --->
#!/bin/sh
ipfwadm -If
ipfwadm -Of
ipfwadm -Ff
ipfwadm -Ip deny
ipfwadm -Op deny
ipfwadm -Fp deny
ipfwadm -Fa masq -S 192.168.0.0/16 -D any/0
ipfwadm -Fa reject -o -W eth0
ipfwadm -Fa reject -o -W ppp0
ipfwadm -Ia acc -P icmp -S any/0 -D any/0
ipfwadm -Oa acc -P icmp -S any/0 -D any/0
ipfwadm -Oa acc -P tcp -S 192.168.0.0/16 1024:65535 -D any/0 23
ipfwadm -Oa acc -P tcp -S $IPLOCAL 1024:65535 -D any/0 23
ipfwadm -Ia acc -P tcp -k -S any/0 23 -D 192.168.0.0/16 1024:65535
ipfwadm -Ia acc -P tcp -k -S any/0 23 -D $IPLOCAL 1024:65535



<--- Environment printed from /etc/ppp/ip-up.local --->
Parm 1:ppp0
Parm 2:/dev/cua1
Parm 3:115200
Parm 4:200.90.100.198
Parm 5:200.90.100.98
Env IFNAME:ppp0
Env HOSTTYPE:i386
Env DEVICE:/dev/cua1
Env SPEED:0
Env UID:0
Env OSTYPE:Linux
Env IPLOCAL:200.90.100.198
Env IPREMOTE:200.90.100.98
Env TERM:dumb
Env SHELL:/bin/bash
Env SHLVL:1
Env PATH:/sbin:/usr/sbin:/bin:/usr/bin
Env _:/etc/ppp/ip-up.local



<--- Output from "ifconfig" on firewall machine --->
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:3018 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3018 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet  HWaddr 00:A0:24:D2:EA:35
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:95793 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81149 errors:0 dropped:0 overruns:0 carrier:0
          collisions:9
          Interrupt:10 Base address:0xff00

sl0       Link encap:Serial Line IP
          inet addr:192.168.2.1  P-t-P:200.90.100.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:200.90.100.198  P-t-P:200.90.100.98  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          Memory:1030038-1030c04



<--- Output of "route -nv" command on firewall machine --->
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
200.90.100.1    0.0.0.0         255.255.255.255 UH    1      0        1 sl0
200.90.100.98   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0      513 eth0
192.168.1.0     192.168.2.2     255.255.255.0   UG    0      0      180 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0       10 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        1 ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U     1      0      633 sl0



<--- Output of "tcpdump -ntvvi eth0" on firewall machine --->
tcpdump: listening on eth0
192.168.2.2.53 > 128.9.128.127.53: 41536 (33) (ttl 64, id 46062)
192.168.2.2.8738 > 169.207.7.238.23: S 3684009120:3684009120(0) win 512 <mss 1460> [tos 0x10] (ttl 64, id 46063)
192.168.2.2.8738 > 169.207.7.238.23: S 3684009120:3684009120(0) win 32120 <mss 1460> [tos 0x10] (ttl 64, id 46068)
192.168.2.2.53 > 207.159.77.19.53: 41537 (33) (ttl 64, id 46069)

4 packets received by filter
0 packets dropped by kernel



<--- Output of "tcpdump -ntvvi ppp0" on firewall machine --->
tcpdump: listening on ppp0

0 packets received by filter
0 packets dropped by kernel



<--- Relevant parts of kernel .config on firewall machine --->
#
# Networking options
#
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
CONFIG_IP_MULTICAST=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=y

#
# Protocol-specific masquerading support will be built as modules.
#
# CONFIG_IP_MASQUERADE_IPAUTOFW is not set
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
CONFIG_IP_ROUTER=y
# CONFIG_NET_IPIP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_ALIAS=y

#
# (it is safe to leave these untouched)
#
# CONFIG_INET_PCTCP is not set
CONFIG_INET_RARP=y
# CONFIG_NO_PATH_MTU_DISCOVERY is not set
CONFIG_IP_NOSR=y
CONFIG_SKB_LARGE=y

# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_AX25 is not set
# CONFIG_BRIDGE is not set
# CONFIG_NETLINK is not set
#
# Network device support
#
CONFIG_NETDEVICES=y
CONFIG_DUMMY=m
# CONFIG_EQUALIZER is not set
# CONFIG_DLCI is not set
# CONFIG_PLIP is not set
CONFIG_PPP=y

#
# CCP compressors for PPP are only built as modules.
#
CONFIG_SLIP=y
CONFIG_SLIP_COMPRESSED=y
CONFIG_SLIP_SMART=y
# CONFIG_SLIP_MODE_SLIP6 is not set
# CONFIG_NET_RADIO is not set
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
# CONFIG_EL1 is not set
# CONFIG_EL2 is not set
# CONFIG_ELPLUS is not set
# CONFIG_EL16 is not set
# CONFIG_EL3 is not set
# CONFIG_3C515 is not set
CONFIG_VORTEX=m
# CONFIG_NET_VENDOR_SMC is not set
CONFIG_NET_PCI=y
# CONFIG_PCNET32 is not set
# CONFIG_EEXPRESS_PRO100B is not set
# CONFIG_DE4X5 is not set
CONFIG_DEC_ELCP=m
# CONFIG_DGRS is not set
CONFIG_NE2K_PCI=m
# CONFIG_YELLOWFIN is not set
# CONFIG_RTL8139 is not set
# CONFIG_EPIC is not set
# CONFIG_TLAN is not set
# CONFIG_VIA_RHINE is not set
# CONFIG_NET_ISA is not set
# CONFIG_NET_EISA is not set
# CONFIG_NET_POCKET is not set
# CONFIG_TR is not set
# CONFIG_FDDI is not set
# CONFIG_ARCNET is not set
# CONFIG_SHAPER is not set



<--- Output of "ifconfig" on server/gateway machine --->
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:61937 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61937 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet  HWaddr 00:10:5A:14:A5:29
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95918 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10
          Interrupt:10 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:10:4B:11:E7:74
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1093501 errors:1 dropped:0 overruns:0 frame:1
          TX packets:997691 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          Interrupt:11 Base address:0xd800



<--- Output of "route -nv" on server/gateway machine --->
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        1 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0      237 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0       22 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0       20 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0     2135 eth0
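An added example, not part of Scott's post: a small Python model of the 2.0-kernel ipfwadm packet path (input chain, then the forwarding chain's masquerade, then the output chain) that traces the SYN from the eth0 tcpdump above through the accept rules in the ip-up.local script. It assumes that chain order and the -k (match only packets with ACK set) semantics, ignores the -W interface checks and the forwarding-chain reject rules, and treats the -Ip/-Op deny policies as the default for anything no rule matches.

```python
# Added example (not from the post): minimal model of the 2.0-kernel ipfwadm
# path (input chain -> forwarding/masquerade -> output chain), used to trace
# the eth0 tcpdump SYN through the post's rules. Assumed simplifications:
# only proto/addresses/ports and -k are matched; -W interface checks ignored.
from ipaddress import ip_network, ip_address
IPLOCAL = "200.90.100.198"  # $IPLOCAL from the post's ip-up environment

def rule(proto, src, sports, dst, dports, ack_only=False):
    """One accept rule; sports/dports are inclusive (lo, hi) ranges or None."""
    return dict(proto=proto, src=ip_network(src), sports=sports,
                dst=ip_network(dst), dports=dports, ack_only=ack_only)

def matches(r, pkt):
    def in_range(port, rng):
        return rng is None or rng[0] <= port <= rng[1]
    return (r["proto"] == pkt["proto"]
            and ip_address(pkt["src"]) in r["src"]
            and ip_address(pkt["dst"]) in r["dst"]
            and in_range(pkt["sport"], r["sports"])
            and in_range(pkt["dport"], r["dports"])
            and (not r["ack_only"] or pkt["ack"]))   # -k: ACK must be set

# The post's -Ia / -Oa accept rules; the -Ip / -Op policies are deny.
ANY, HIGH = "0.0.0.0/0", (1024, 65535)
INPUT = [rule("icmp", ANY, None, ANY, None),
         rule("tcp", ANY, (23, 23), "192.168.0.0/16", HIGH, ack_only=True),
         rule("tcp", ANY, (23, 23), IPLOCAL + "/32", HIGH, ack_only=True)]
OUTPUT = [rule("icmp", ANY, None, ANY, None),
          rule("tcp", "192.168.0.0/16", HIGH, ANY, (23, 23)),
          rule("tcp", IPLOCAL + "/32", HIGH, ANY, (23, 23))]

def trace(pkt, input_rules=INPUT, output_rules=OUTPUT):
    """Return the chain that drops the packet, or 'forwarded'."""
    if not any(matches(r, pkt) for r in input_rules):
        return "denied in input chain"
    # forwarding chain: -Fa masq -S 192.168.0.0/16 rewrites the source address,
    # so the output chain sees $IPLOCAL rather than the LAN address
    if ip_address(pkt["src"]) in ip_network("192.168.0.0/16"):
        pkt = dict(pkt, src=IPLOCAL)
    if not any(matches(r, pkt) for r in output_rules):
        return "denied in output chain"
    return "forwarded"

# Constructed from the tcpdump line "192.168.2.2.8738 > 169.207.7.238.23: S"
SYN = dict(proto="tcp", src="192.168.2.2", sport=8738,
           dst="169.207.7.238", dport=23, ack=False)
# Same input chain plus one accept rule without -k for new LAN connections
INPUT_FIXED = INPUT + [rule("tcp", "192.168.0.0/16", HIGH, ANY, (23, 23))]
if __name__ == "__main__":
    print(trace(SYN))               # denied in input chain
    print(trace(SYN, INPUT_FIXED))  # forwarded
```

The model shows why the SYN is seen on eth0 but never on ppp0: the posted input rules only accept packets from port 23 with ACK set, so a new connection from the LAN has no matching input rule and falls to the deny policy before the forwarding chain is ever reached.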

