[Firewall] Problem with INET_FORWARD_IP

K. Workman workmanka at gmail.com
Sun Sep 4 05:11:49 CEST 2016


All,

Any help would be appreciated for the problem presented below:

Thanks,

KA

>>>>>>

Problem: I can't get an external client system to ping a protected client
system, through arno-iptables-firewall not using NAT. Note, I'm using
Ubuntu LXC/LXD containers to prototype firewall testing. So, each of the
three systems identified below is actually a container. See Note 6 below.

Details:

arno configuration:
-------------------

EXT_IF="eth0"
EXT_IF_DHCP_IP=1
OPEN_TCP="22"
OPEN_UDP=""
OPEN_IP="1"
OPEN_ICMP=1
INET_FORWARD_TCP="10.0.3.209>192.168.123.141~22"
INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
HOST_OPEN_ICMP="10.0.3.209"
HOST_OPEN_IP="10.0.3.209~1"
FULL_ACCESS_HOSTS="10.0.3.209"
INT_IF="eth1"
NAT=0
INTERNAL_NET="192.168.123.0/24"
NAT_INTERNAL_NET="192.168.123.0/24"

Network configuration:
----------------------

Bridges = lxcbr0, prtbr0

ExternalClient1 (10.0.3.209) <==> lxcbr0 <==> (10.0.3.102) fw2
(192.168.123.253) <==> prtbr0 <==> (192.168.123.141) ProtectedClient1

Note:

1) ExternalClient1 (10.0.3.209) can ping the external interface of fw2
(10.0.3.102)
2) fw2 (10.0.3.102) can ping ExternalClient1 (10.0.3.209)
3) fw2 (192.168.123.253) can ping ProtectedClient1 (192.168.123.141)
4) ProtectedClient1 (192.168.123.141) can ping the internal interface of
fw2 (192.168.123.253)
5) ProtectedClient1 CAN ping ExternalClient1 (10.0.3.209)
6) ExternalClient1 (10.0.3.209) can NOT ping ProtectedClient1
(192.168.123.141)

ExternalClient1 -

Single Interface - 10.0.3.209
Routing Table
-------------
root@ExternalClient1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.123.0   10.0.3.102      255.255.255.0   UG    0      0        0 eth0


fw2 -

External Interface - 10.0.3.102
Internal Interface - 192.168.123.253
Routing Table
-------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1


ProtectedClient1 -

Single Interface - 192.168.123.141
Routing Table
-------------
root@ProtectedClient1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.123.253 0.0.0.0         UG    0      0        0 eth0
192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0


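As an added example (not part of the post above, and not code from arno-iptables-firewall), the script below feeds the three `route -n` tables quoted in the post into a longest-prefix-match trace in both directions, using the address-to-host mapping from the network diagram. When both directions resolve to the same hops, as they do for these tables, the asymmetry between notes 5 and 6 is not a routing problem, so the next place to look is the FORWARD chain on fw2 (`iptables -L FORWARD -v -n` shows which rule the echo requests hit).

```python
"""Trace the L3 forwarding path through the routing tables from the post."""
import ipaddress

# Constructed from the post's `route -n` output:
# host -> list of (Destination, Gateway, Genmask, Iface)
ROUTES = {
    "ExternalClient1": [("10.0.3.0", "0.0.0.0", "255.255.255.0", "eth0"),
                        ("192.168.123.0", "10.0.3.102", "255.255.255.0", "eth0")],
    "fw2": [("10.0.3.0", "0.0.0.0", "255.255.255.0", "eth0"),
            ("10.1.1.0", "0.0.0.0", "255.255.255.0", "eth2"),
            ("192.168.123.0", "0.0.0.0", "255.255.255.0", "eth1")],
    "ProtectedClient1": [("0.0.0.0", "192.168.123.253", "0.0.0.0", "eth0"),
                         ("192.168.123.0", "0.0.0.0", "255.255.255.0", "eth0")],
}
# Which host owns which address, taken from the post's network diagram.
ADDRS = {"10.0.3.209": "ExternalClient1", "10.0.3.102": "fw2",
         "192.168.123.253": "fw2", "192.168.123.141": "ProtectedClient1"}


def lookup(host, dst):
    """Longest-prefix match on host's table; returns (gateway, iface) or None."""
    best = None
    for dest, gw, mask, iface in ROUTES[host]:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(src_host, dst, max_hops=8):
    """Follow gateways from src_host towards dst.
    Returns [(host, egress_iface), ...]; the last entry is the receiving host
    with iface None, or ('<unreachable>', None) if some hop has no route."""
    path, host = [], src_host
    for _ in range(max_hops):
        r = lookup(host, dst)
        if r is None:
            path.append(("<unreachable>", None))
            break
        gw, iface = r
        path.append((host, iface))
        if gw == "0.0.0.0":            # directly connected: deliver on this link
            path.append((ADDRS.get(dst, dst), None))
            break
        host = ADDRS[gw]               # next hop is whoever owns the gateway address
    return path


if __name__ == "__main__":
    for src, dst in (("ExternalClient1", "192.168.123.141"),
                     ("ProtectedClient1", "10.0.3.209")):
        hops = " -> ".join(f"{h}({i})" if i else h for h, i in trace(src, dst))
        print(f"{src} -> {dst}: {hops}")
```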