beacher n00b
Joined: 11 Mar 2003 Posts: 30 Location: Atlanta
Posted: Sun Dec 05, 2004 1:25 pm Post subject: Help - NAT & Masq & 3 NICs cannot communicate betw.
Good morning,
I'm on the fence as to what I should do - here's my problem: both interfaces work fine to and from the internet, but I cannot ping across my eth1 and wlan0 subnets! (You'll see references to 192.168.34.X; that was the start of my bridge. References to BLAHBLAH are my ISP/IP DHCP client info and are blanked out.)
I'd like to be able to go between subnets without any major hassles... I'm trying to decide if I need to use bridging, but I want to make sure that I've exhausted all of my options before that - reconfiguring everything sounds like a pain. My kernel is compiled with bridge support, so that may be a viable option...
Here are the details.
I have my firewall (2.4.20-gentoo-r7) acting in NAT/MASQ mode as well. I have 3 NICs inside this machine:
Code:
eth0 - inet addr:(BLAHBLAH) Bcast:255.255.255.255 Mask:255.255.248.0
eth1 - inet addr:192.168.32.1 Bcast:192.168.32.255 Mask:255.255.255.0
wlan0 - inet addr:192.168.33.1 Bcast:192.168.33.255 Mask:255.255.255.0
eth1 & wlan0 are running as DHCP servers.
/etc/dhcp/dhcpd.conf - (BLANK_Unused works and controls wlan0; Internal_NET controls eth1)
Code:
# Internal_NET
subnet 192.168.32.0 netmask 255.255.255.0 {
range 192.168.32.2 192.168.32.100;
# option ip-forwarding off;
option domain-name-servers 192.168.32.1, 204.127.202.19, 216.148.227.79;
option routers 192.168.32.1;
option broadcast-address 192.168.32.255;
option subnet-mask 255.255.255.0;
}
# BLANK_Unused
subnet 192.168.33.0 netmask 255.255.255.0 {
range 192.168.33.3 192.168.33.3;
max-lease-time 2592000;
default-lease-time 192800;
# option ip-forwarding off;
option domain-name-servers 204.127.202.19, 216.148.227.79;
option routers 192.168.33.1;
option broadcast-address 192.168.33.255;
option subnet-mask 255.255.255.0;
}
Kernel IP routing table
Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.32.0 * 255.255.255.0 U 0 0 0 eth1
192.168.33.0 * 255.255.255.0 U 0 0 0 wlan0
(BLAH FROM ISP) * 255.255.248.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default (BLAHBLAH) 0.0.0.0 UG 0 0 0 eth0
I'm running MonMotha as my firewall -
/etc/monmotha/monmotha
Code:
IPTABLES="/sbin/iptables" # set to your iptables location, must be set
TCP_ALLOW="113 22" # TCP ports to allow (port<LOCIP)
UDP_ALLOW="22" # UDP ports to allow (port<LOCIP)
INET_IFACE="eth0" # the interface your internet's on (one only), must be set
LAN_IFACE="eth1 wlan0"
#LAN_IFACE="eth1 wlan0" # the interface(s) your LAN is on
INTERNAL_LAN="192.168.32.0/24 192.168.33.3 192.168.34.1" # The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.32.0/24 192.168.33.3 192.168.34.1" # the internal network(s) to be masqueraded (this is overridden by M$
SNAT_LAN="" # Internal networks/hosts to use static NAT (format is <internal ip or networ$
DROP="LTREJECT" # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with t$
DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all; format$
DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT<LOC$
DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT<LOC$
BLACKHOLE="210.52.66.56 210.90.89.112 211.240.41.212 10.239.136.1" # People you don't want to have anything to $
BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options as DROP directive above)
ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific TCP ports; format is "IP>PORT<LOC$
ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT<LOC$
TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>DESTIP<LOCIP" <LOCIP may be omitted
MANGLE_TOS_OPTIMIZE="FALSE" # TOS "optimizations" on or off (TRUE/FALSE toggle)
DHCP_SERVER="TRUE" # Set to true if you run a DHCP server. DHCP clients do not need this. This a$
BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from internet
ENABLE="Y" # Set to 'Y' when it's configured; this is for your own safety
# Flood Params. You will still receive the packets and the bandwidth will be used, but this will cause floods to be ignored $
LOG_FLOOD="2/s" # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always t$
SYN_FLOOD="20/s" # GLOBAL limit on SYN packets (servers will probably need even higher sustain$
PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to
# Outbound filters
ALLOW_OUT_TCP="" # Internal hosts allowed to be forwarded out on TCP (do not put this/these ho$
PROXY="" # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy $
# Below here is experimental (please report your successes/failures)
MAC_MASQ="" # MAC addresses permitted to use masquerading, leave blank to not use
MAC_SNAT="" # MAC addresses permitted to use static NAT, leave blank to not use (format i$
TTL_SAFE="" # How many hops packets need to make once they get on your LAN (null disables$
USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE toggle)
RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
SUPER_EXEMPT="" # Hosts which get to bypass the packet filter entirely (be REALLY careful wit$
BRAINDEAD_ISP="FALSE" # Force no fragments, useful if your ISP has a broken firewall or if you are $
ALLOW_HOSTWISE_PROTO="" # Specific hosts allowed access on specific IP protocols; format is "IP>PROTO$
# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
DMZ_IFACE="" # Interface your DMZ is on (leave blank if you don't have one)
I can dump iptables -L if needed.
So how do I get eth1 and wlan0 to ping each other? The gateway can ping both, but my clients cannot.... (Also, you'll notice ssh & identd are open - fakeidentd is handling requests on that identd.)
Thanks in advance!
beacher n00b
Joined: 11 Mar 2003 Posts: 30 Location: Atlanta
Posted: Sun Dec 05, 2004 2:19 pm Post subject: Attempt # 1
Changed all netmasks to 255.255.0.0 and reloaded interfaces, monmotha and dhcpd.
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
(BLAHBLAH) * 255.255.248.0 U 0 0 0 eth0
192.168.0.0 * 255.255.0.0 U 0 0 0 eth1
192.168.0.0 * 255.255.0.0 U 0 0 0 wlan0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default (BLAHBLAH) 0.0.0.0 UG 0 0 0 eth0
dhcpd.conf
Code:
# Internal_NET
subnet 192.168.32.0 netmask 255.255.0.0 {
range 192.168.32.2 192.168.32.100;
# option ip-forwarding off;
option domain-name-servers 192.168.32.1, 204.127.202.19, 216.148.227.79;
option routers 192.168.32.1;
option broadcast-address 192.168.32.255;
option subnet-mask 255.255.0.0;
}
# BLANK_Unused
subnet 192.168.33.0 netmask 255.255.0.0 {
range 192.168.33.3 192.168.33.3;
# option ip-forwarding off;
option domain-name-servers 204.127.202.19, 216.148.227.79;
option routers 192.168.33.1;
option broadcast-address 192.168.33.255;
option subnet-mask 255.255.0.0;
}
monmotha script change
Code:
INTERNAL_LAN="192.168.0.0/16 192.168.34.1" # The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/16 " # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
Neither subnet works now. I had to back out all of those changes.
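Added example (not code from the poster or from MonMotha): a longest-prefix route lookup over the two routing tables in the posts above. It shows that the original /24 tables already send each LAN subnet out of the correct interface, so a LAN-to-LAN ping is not blocked by routing, while the /16 change leaves two identical 192.168.0.0/16 routes on eth1 and wlan0, of which the kernel uses only the first, so the other subnet becomes unreachable. The eth0 prefix is a constructed placeholder for the blanked ISP route.

```python
import ipaddress

# Routing tables transcribed from the two posts. The ISP prefix was blanked
# out in the post, so 203.0.112.0/21 is a constructed placeholder for it.
ORIGINAL_ROUTES = [
    ("192.168.32.0/24", "eth1"),
    ("192.168.33.0/24", "wlan0"),
    ("203.0.112.0/21", "eth0"),   # placeholder for "(BLAH FROM ISP)"
    ("0.0.0.0/0", "eth0"),        # default route
]

ATTEMPT1_ROUTES = [
    ("203.0.112.0/21", "eth0"),
    ("192.168.0.0/16", "eth1"),
    ("192.168.0.0/16", "wlan0"),  # identical prefix, second interface
    ("0.0.0.0/0", "eth0"),
]


def lookup(routes, dst):
    """Longest-prefix match. On equal prefix length the first entry wins,
    which models the kernel keeping the first of two equal-metric routes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        net = ipaddress.ip_network(net, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_lan_reachability(routes, hosts):
    """Map each LAN host to the interface the gateway would forward it out of."""
    return {h: lookup(routes, h) for h in hosts}


def duplicate_prefixes(routes):
    """Return prefixes that are bound to more than one interface: a sign that
    one of the interfaces can never be selected for that destination."""
    seen = {}
    for net, iface in routes:
        seen.setdefault(net, []).append(iface)
    return {n: i for n, i in seen.items() if len(i) > 1}


if __name__ == "__main__":
    hosts = ["192.168.32.50", "192.168.33.3"]  # constructed sample clients
    print("original:", check_lan_reachability(ORIGINAL_ROUTES, hosts))
    print("attempt1:", check_lan_reachability(ATTEMPT1_ROUTES, hosts))
    print("overlaps:", duplicate_prefixes(ATTEMPT1_ROUTES))
```

With the original tables both sample clients resolve to their own interface, which points the investigation at the FORWARD chain (policy DROP) rather than at routing.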
beacher n00b
Joined: 11 Mar 2003 Posts: 30 Location: Atlanta
Posted: Sun Dec 05, 2004 2:48 pm Post subject: Think it's iptables at this point
iptables -L
Code:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 210.52.66.56 anywhere
DROP all -- 210.90.89.112 anywhere
DROP all -- 211.240.41.212 anywhere
DROP all -- 10.239.136.1 anywhere
INETIN all -- anywhere anywhere
ACCEPT all -- 192.168.32.0/24 anywhere
ACCEPT all -- 192.168.33.0/24 anywhere
ACCEPT all -- 192.168.34.1 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 210.52.66.56 anywhere
DROP all -- anywhere 210.52.66.56
DROP all -- 210.90.89.112 anywhere
DROP all -- anywhere 210.90.89.112
DROP all -- 211.240.41.212 anywhere
DROP all -- anywhere 211.240.41.212
DROP all -- 10.239.136.1 anywhere
DROP all -- anywhere 10.239.136.1
INETIN all -- anywhere anywhere
INETIN all -- anywhere anywhere
INETOUT all -- anywhere anywhere
INETOUT all -- anywhere anywhere
ACCEPT all -- 192.168.32.0/24 anywhere
ACCEPT all -- 192.168.33.0/24 anywhere
ACCEPT all -- 192.168.34.1 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 210.52.66.56
DROP all -- anywhere 210.90.89.112
DROP all -- anywhere 211.240.41.212
DROP all -- anywhere 10.239.136.1
INETOUT all -- anywhere anywhere
Chain DMZIN (0 references)
target prot opt source destination
Chain DMZOUT (0 references)
target prot opt source destination
Chain INETIN (3 references)
target prot opt source destination
LTREJECT all -- anywhere anywhere state INVALID
LTREJECT icmp -- anywhere anywhere icmp redirect
LTREJECT icmp -- anywhere anywhere icmp router-advertisement
LTREJECT icmp -- anywhere anywhere icmp router-solicitation
LTREJECT icmp -- anywhere anywhere icmp type 15
LTREJECT icmp -- anywhere anywhere icmp type 16
LTREJECT icmp -- anywhere anywhere icmp address-mask-request
LTREJECT icmp -- anywhere anywhere icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
LTREJECT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp !echo-request
TCPACCEPT tcp -- anywhere anywhere tcp dpt:auth
TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
UDPACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
UDPACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
LTREJECT all -- anywhere anywhere
Chain INETOUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LDROP (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP all -- anywhere anywhere
Chain LREJECT (0 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LTREJECT (13 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG all -f anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain TCPACCEPT (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
LTREJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
LTREJECT all -- anywhere anywhere
Chain TREJECT (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain UDPACCEPT (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
LTREJECT all -- anywhere anywhere
Chain ULDROP (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LDROP_FRAG' queue_threshold 1
DROP all -- anywhere anywhere
Chain ULREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_UDP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LREJECT_FRAG' queue_threshold 1
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ULTREJECT (0 references)
target prot opt source destination
ULOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_TCP' queue_threshold 1
ULOG udp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_UDP' queue_threshold 1
ULOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_ICMP' queue_threshold 1
ULOG all -f anywhere anywhere limit: avg 2/sec burst 5 ULOG copy_range 0 nlgroup 1 prefix `LTREJECT_FRAG' queue_threshold 1
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable