[Firewall] Problem with INET_FORWARD_IP

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Sep 4 15:31:49 CEST 2016


Hi KA,

Your rule: (INET_FORWARD_xxx was added in AIF 2.0.0)
--
INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
--
should allow ICMP as you are asking.

Your setup looks good to my eye (thanks for all the detail). Are you using AIF version 2.0.0 or later?


Debug: see if you are getting packet hits in the EXT_FORWARD_IN_CHAIN for "icmp"
--
iptables -nvL EXT_FORWARD_IN_CHAIN
--
 0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141

Lonnie

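Added example, not part of Lonnie's reply and not AIF's own code: a small Python check that parses the `SRC>DST~PROTO` form of the INET_FORWARD_IP line quoted above and reads the `pkts` counter of the matching ACCEPT rule out of an `iptables -nvL EXT_FORWARD_IN_CHAIN` listing, which is the debug step suggested. The rule-spec grammar, the protocol-number table and the chain listing are assumptions constructed from this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed from the thread: INET_FORWARD_IP entries look like "SRC>DST~PROTO",
# where PROTO is an IP protocol number (1 = ICMP, as in the rule under discussion).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

@dataclass
class ForwardRule:
    src: str
    dst: str
    proto: str

def parse_inet_forward_ip(spec: str) -> ForwardRule:
    """Parse e.g. '10.0.3.209>192.168.123.141~1' into (src, dst, 'icmp')."""
    m = re.fullmatch(r"([\d./]+)>([\d./]+)~(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised INET_FORWARD_IP spec: {spec!r}")
    src, dst, num = m.group(1), m.group(2), int(m.group(3))
    return ForwardRule(src, dst, PROTO_NAMES.get(num, str(num)))

# Constructed sample of `iptables -nvL EXT_FORWARD_IN_CHAIN` output. Use -x
# (exact counters) on a real box so large counts are not abbreviated as 12K/3M.
SAMPLE_CHAIN = """\
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
   12   720 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
"""

def rule_hit_count(chain_output: str, rule: ForwardRule) -> Optional[int]:
    """Return the pkts counter of the ACCEPT rule matching src/dst/proto,
    or None when no such rule is present in the listing."""
    for line in chain_output.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue  # chain header, column header or blank line
        pkts, target, prot, src, dst = cols[0], cols[2], cols[3], cols[7], cols[8]
        if target == "ACCEPT" and prot == rule.proto and src == rule.src and dst == rule.dst:
            return int(pkts)
    return None

if __name__ == "__main__":
    rule = parse_inet_forward_ip("10.0.3.209>192.168.123.141~1")
    hits = rule_hit_count(SAMPLE_CHAIN, rule)
    if hits is None:
        print("no matching ACCEPT rule in chain: check AIF version and config")
    elif hits == 0:
        print("rule present but 0 hits: ICMP is not reaching EXT_FORWARD_IN_CHAIN")
    else:
        print(f"rule matched {hits} packets")
```

A rule that is present with a zero counter points at routing or an earlier chain dropping the traffic, whereas a missing rule points at the configuration or AIF version.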

On Sep 3, 2016, at 10:11 PM, K. Workman <workmanka at gmail.com> wrote:

> All,
> 
> Any help would be appreciated for the problem presented below:
> 
> Thanks, 
> 
> KA
> 
> >>>>>>
> 
> Problem: I can't get an external client system to ping a protected client system through arno-iptables-firewall, not using NAT. Note, I'm using Ubuntu LXC/LXD containers to prototype firewall testing, so each of the three systems identified below is actually a container. See Note 6 below.
> 
> Details:
> 
> arno configuration:
> -------------------
> 
> EXT_IF="eth0"
> EXT_IF_DHCP_IP=1
> OPEN_TCP="22"
> OPEN_UDP=""
> OPEN_IP="1"
> OPEN_ICMP=1
> INET_FORWARD_TCP="10.0.3.209>192.168.123.141~22"
> INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
> HOST_OPEN_ICMP="10.0.3.209"
> HOST_OPEN_IP="10.0.3.209~1"
> FULL_ACCESS_HOSTS="10.0.3.209"
> INT_IF="eth1"
> NAT=0
> INTERNAL_NET="192.168.123.0/24"
> NAT_INTERNAL_NET="192.168.123.0/24"
> 
> Network configuration:
> ----------------------
> 
> Bridges = lxcbr0, prtbr0
> 
> ExternalClient1 (10.0.3.209) <==> lxcbr0 <==> (10.0.3.102) fw2 (192.168.123.253) <==> prtbr0 <==> (192.168.123.141) ProtectedClient1
> 
> Note: 
> 
> 1) ExternalClient1 (10.0.3.209) can ping the external interface of fw2 (10.0.3.102)
> 2) fw2 (10.0.3.102) can ping ExternalClient1 (10.0.3.209)
> 3) fw2 (192.168.123.253) can ping ProtectedClient1 (192.168.123.141)
> 4) ProtectedClient1 (192.168.123.141) can ping the internal interface of fw2 (192.168.123.253)
> 5) ProtectedClient1 CAN ping ExternalClient1 (10.0.3.209)
> 6) ExternalClient1 (10.0.3.209) can NOT ping ProtectedClient1 (192.168.123.141)
> 
> ExternalClient1 -
> 
> 	Single Interface - 10.0.3.209
> 	Routing Table
> 	-------------
> root at ExternalClient1:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.123.0   10.0.3.102      255.255.255.0   UG    0      0        0 eth0
> 
> 
> fw2 - 	
> 
> 	External Interface - 10.0.3.102
> 	Internal Interface - 192.168.123.253
> 	Routing Table
> 	-------------
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 
> 
> ProtectedClient1 - 
> 
> 	Single Interface - 192.168.123.141
> 	Routing Table
> 	-------------
> root at ProtectedClient1:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.123.253 0.0.0.0         UG    0      0        0 eth0
> 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
