[Firewall] Problem with INET_FORWARD_IP

K. Workman workmanka at gmail.com
Tue Sep 6 23:48:41 CEST 2016


Lonnie,

Your response is very much appreciated! Thank you!

To answer your questions:

1) Yes, I'm running 2.0.1.e-1

2)

==> Before ping:

root at fw2:~# iptables -Z
root at fw2:~# iptables -nvL EXT_FORWARD_IN_CHAIN
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141

==> After ping:

root at fw2:~# iptables -nvL EXT_FORWARD_IN_CHAIN
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   840 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141



On Sun, Sep 4, 2016 at 9:32 AM Lonnie Abelbeck <lists at lonnie.abelbeck.com>
wrote:

> Hi KA,
>
> Your rule: (INET_FORWARD_xxx was added in AIF 2.0.0)
> --
> INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
> --
> should allow ICMP as you are asking.
>
> Your setup looks good to my eye (thanks for all the detail), are you using
> AIF version 2.0.0 or later ?
>
>
> Debug: see if you are getting packet hits in the EXT_FORWARD_IN_CHAIN for
> "icmp"
> --
> iptables -nvL EXT_FORWARD_IN_CHAIN
> --
>  0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
>
> Lonnie
>
>
> On Sep 3, 2016, at 10:11 PM, K. Workman <workmanka at gmail.com> wrote:
>
> > All,
> >
> > Any help would be appreciated for the problem presented below:
> >
> > Thanks,
> >
> > KA
> >
> > >>>>>>
> >
> > Problem: I can't get an external client system to ping a protected
> > client system, through arno-iptables-firewall not using NAT. Note, I'm
> > using Ubuntu LXC/LXD containers to prototype firewall testing. So, each of
> > the three systems identified below is actually a container. See Note 6
> > below.
> >
> > Details:
> >
> > arno configuration:
> > -------------------
> >
> > EXT_IF="eth0"
> > EXT_IF_DHCP_IP=1
> > OPEN_TCP="22"
> > OPEN_UDP=""
> > OPEN_IP="1"
> > OPEN_ICMP=1
> > INET_FORWARD_TCP="10.0.3.209>192.168.123.141~22"
> > INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
> > HOST_OPEN_ICMP="10.0.3.209"
> > HOST_OPEN_IP="10.0.3.209~1"
> > FULL_ACCESS_HOSTS="10.0.3.209"
> > INT_IF="eth1"
> > NAT=0
> > INTERNAL_NET="192.168.123.0/24"
> > NAT_INTERNAL_NET="192.168.123.0/24"
> >
> > Network configuration:
> > ----------------------
> >
> > Bridges = lxcbr0, prtbr0
> >
> > ExternalClient1 (10.0.3.209) <==> lxcbr0 <==> (10.0.3.102) fw2 (192.168.123.253) <==> prtbr0 <==> (192.168.123.141) ProtectedClient1
> >
> > Note:
> >
> > 1) ExternalClient1 (10.0.3.209) can ping the external interface of fw2 (10.0.3.102)
> > 2) fw2 (10.0.3.102) can ping ExternalClient1 (10.0.3.209)
> > 3) fw2 (192.168.123.253) can ping ProtectedClient1 (192.168.123.141)
> > 4) ProtectedClient1 (192.168.123.141) can ping the internal interface of fw2 (192.168.123.253)
> > 5) ProtectedClient1 CAN ping ExternalClient1 (10.0.3.209)
> > 6) ExternalClient1 (10.0.3.209) can NOT ping ProtectedClient1 (192.168.123.141)
> >
> > ExternalClient1 -
> >
> >       Single Interface - 10.0.3.209
> >       Routing Table
> >       -------------
> > root at ExternalClient1:~# route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 192.168.123.0   10.0.3.102      255.255.255.0   UG    0      0        0 eth0
> >
> >
> > fw2 -
> >
> >       External Interface - 10.0.3.102
> >       Internal Interface - 192.168.123.253
> >       Routing Table
> >       -------------
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
> > 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> >
> >
> > ProtectedClient1 -
> >
> >       Single Interface - 192.168.123.141
> >       Routing Table
> >       -------------
> > root at ProtectedClient1:~# route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 0.0.0.0         192.168.123.253 0.0.0.0         UG    0      0        0 eth0
> > 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> >
> >
> >
> >
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
>
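A small helper for the debug step Lonnie suggests (snapshot `iptables -nvL EXT_FORWARD_IN_CHAIN` before and after the test ping and see which rule the packets landed on). This is an added example, not code from the thread or from arno-iptables-firewall; the function names are my own, and the sample input is the thread's own chain listing rejoined onto single lines.

```python
import re

# Constructed sample: the thread's two EXT_FORWARD_IN_CHAIN listings, rejoined onto single lines.
BEFORE = """\
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
"""
AFTER = BEFORE.replace("    0     0 VALID_CHK", "   10   840 VALID_CHK")  # only VALID_CHK moved

# One rule line of `iptables -nvL`: pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)"
    r"\s+\S+\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def to_int(field):
    """iptables abbreviates large counters (e.g. '12K'); expand the suffix."""
    return int(field[:-1]) * SUFFIX[field[-1]] if field[-1] in SUFFIX else int(field)

def parse_chain(listing):
    """Return the rules of one chain, in order, as dicts with integer counters."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"], rule["bytes"] = to_int(rule["pkts"]), to_int(rule["bytes"])
            rules.append(rule)
    return rules

def packet_deltas(before, after):
    """Pair rules by position and return (rule, packet-count increase) for each."""
    b, a = parse_chain(before), parse_chain(after)
    if len(a) != len(b):
        raise ValueError("chain changed between snapshots; take both listings again")
    return [(ra, ra["pkts"] - rb["pkts"]) for rb, ra in zip(b, a)]

def diagnose(before, after, prot="icmp"):
    """Did the test traffic match the `prot` rule? If not, say where the hits stopped."""
    deltas = packet_deltas(before, after)
    matched = sum(d for r, d in deltas if r["prot"] == prot and d > 0)
    if matched:
        return f"ok: {prot} rule matched {matched} packet(s)"
    hits = [(r, d) for r, d in deltas if d > 0]
    if not hits:
        return "no packets entered the chain: traffic never reached FORWARD"
    rule, n = hits[-1]
    return (f"{n} packet(s) entered but 0 matched {prot}; last hits on {rule['target']} "
            f"({rule['prot']}): consumed there or the {prot} rule's in/out/src/dst did not match")
```

On the listings from this thread it reports that the 10 pings were counted by VALID_CHK and none by the ICMP ACCEPT rule, which narrows the search to what VALID_CHK does with them or to the rule's in/out/src/dst selectors.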