[Firewall] Problem with INET_FORWARD_IP

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Sep 7 00:07:03 CEST 2016


Interesting, your ICMP packet is not making it into the FORWARD chain.

I have used INET_FORWARD_IP rules for IPv6 and it worked, should be no different in your case.

I assume AIF is not logging any packet drops?

Nothing comes to mind where this packet is being dropped.

If you have tcpdump installed, make sure the ICMP packet is entering eth0; at this point assume nothing :-)

Lonnie
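
The counter-before-and-after check suggested in this thread, automated as an added example (not code from the list or from AIF): it parses two `iptables -nvL <chain>` snapshots, embedded below as constructed input copied from the quoted listings, and reports which rules gained packets and the mean bytes per packet. The function names are mine.

```python
import re

# Constructed input: the before/after EXT_FORWARD_IN_CHAIN listings quoted in the thread.
BEFORE = """\
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
"""
AFTER = """\
Chain EXT_FORWARD_IN_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
   10   840 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
"""

# iptables -nvL abbreviates large counters with 1000-based K/M/G suffixes.
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
# Two counters, then the rest of the rule line (target prot opt in out src dst [extra]).
_RULE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S.*?)\s*$")

def parse_count(tok):
    """Turn a counter token such as '840' or '12K' into an integer."""
    if tok[-1] in _SUFFIX:
        return int(tok[:-1]) * _SUFFIX[tok[-1]]
    return int(tok)

def parse_chain(listing):
    """Return [(rule_text, pkts, bytes), ...] for one chain from `iptables -nvL`."""
    rules = []
    for line in listing.splitlines():
        m = _RULE.match(line)
        if m:  # the 'Chain ...' and column-header lines do not match
            rules.append((" ".join(m.group(3).split()), parse_count(m.group(1)), parse_count(m.group(2))))
    return rules

def diff_counters(before, after):
    """Per-rule (pkts, bytes) deltas between two snapshots of the same chain."""
    b, a = parse_chain(before), parse_chain(after)
    if [r[0] for r in b] != [r[0] for r in a]:
        raise ValueError("rule list changed between snapshots; take both again")
    return [(rb[0], ra[1] - rb[1], ra[2] - rb[2]) for rb, ra in zip(b, a)]

def hit_rules(before, after):
    """Rules whose packet counter advanced, with mean bytes per packet."""
    return [(rule, dp, db, db // dp) for rule, dp, db in diff_counters(before, after) if dp > 0]
```

On the quoted snapshots this reports only VALID_CHK advancing, by 10 packets at 84 bytes each (the IP-layer size of a default Linux ping: 20 IP + 8 ICMP + 56 data), while the icmp ACCEPT rule stays at zero, which narrows the search to what VALID_CHK does with those packets and to whether the in/out interface and address match of the icmp rule is actually met.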


On Sep 6, 2016, at 4:48 PM, K. Workman <workmanka at gmail.com> wrote:

> Lonnie, 
> 
> Your response is very much appreciated! Thank you!
> 
> To answer your questions:
> 
> 1) Yes, I'm running 2.0.1.e-1
> 
> 2)
>  
> ==> Before ping:
> 
> root at fw2:~# iptables -Z
> root at fw2:~# iptables -nvL EXT_FORWARD_IN_CHAIN
> Chain EXT_FORWARD_IN_CHAIN (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
>     0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
> 
> ==> After ping:
> 
> root at fw2:~# iptables -nvL EXT_FORWARD_IN_CHAIN
> Chain EXT_FORWARD_IN_CHAIN (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    10   840 VALID_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     tcp  --  eth0   !eth0   10.0.3.209           192.168.123.141      tcp dpt:22
>     0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
> 
> 
> 
> On Sun, Sep 4, 2016 at 9:32 AM Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Hi KA,
> 
> Your rule: (INET_FORWARD_xxx was added in AIF 2.0.0)
> --
> INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
> --
> should allow ICMP as you are asking.
> 
> Your setup looks good to my eye (thanks for all the detail), are you using AIF version 2.0.0 or later?
> 
> 
> Debug: see if you are getting packet hits in the EXT_FORWARD_IN_CHAIN for "icmp"
> --
> iptables -nvL EXT_FORWARD_IN_CHAIN
> --
>  0     0 ACCEPT     icmp --  eth0   !eth0   10.0.3.209           192.168.123.141
> 
> Lonnie
> 
> 
> On Sep 3, 2016, at 10:11 PM, K. Workman <workmanka at gmail.com> wrote:
> 
> > All,
> >
> > Any help would be appreciated for the problem presented below:
> >
> > Thanks,
> >
> > KA
> >
> > >>>>>>
> >
> > Problem: I can't get an external client system to ping a protected client system through arno-iptables-firewall without using NAT. Note, I'm using Ubuntu LXC/LXD containers to prototype firewall testing, so each of the three systems identified below is actually a container. See Note 6 below.
> >
> > Details:
> >
> > arno configuration:
> > -------------------
> >
> > EXT_IF="eth0"
> > EXT_IF_DHCP_IP=1
> > OPEN_TCP="22"
> > OPEN_UDP=""
> > OPEN_IP="1"
> > OPEN_ICMP=1
> > INET_FORWARD_TCP="10.0.3.209>192.168.123.141~22"
> > INET_FORWARD_IP="10.0.3.209>192.168.123.141~1"
> > HOST_OPEN_ICMP="10.0.3.209"
> > HOST_OPEN_IP="10.0.3.209~1"
> > FULL_ACCESS_HOSTS="10.0.3.209"
> > INT_IF="eth1"
> > NAT=0
> > INTERNAL_NET="192.168.123.0/24"
> > NAT_INTERNAL_NET="192.168.123.0/24"
> >
> > Network configuration:
> > ----------------------
> >
> > Bridges = lxcbr0, prtbr0
> >
> > ExternalClient1 (10.0.3.209) <==> lxcbr0 <==> (10.0.3.102) fw2 (192.168.123.253) <==> prtbr0 <==> (192.168.123.141) ProtectedClient1
> >
> > Note:
> >
> > 1) ExternalClient1 (10.0.3.209) can ping the external interface of fw2 (10.0.3.102)
> > 2) fw2 (10.0.3.102) can ping ExternalClient1 (10.0.3.209)
> > 3) fw2 (192.168.123.253) can ping ProtectedClient1 (192.168.123.141)
> > 4) ProtectedClient1 (192.168.123.141) can ping the internal interface of fw2 (192.168.123.253)
> > 5) ProtectedClient1 CAN ping ExternalClient1 (10.0.3.209)
> > 6) ExternalClient1 (10.0.3.209) can NOT ping ProtectedClient1 (192.168.123.141)
> >
> > ExternalClient1 -
> >
> >       Single Interface - 10.0.3.209
> >       Routing Table
> >       -------------
> > root at ExternalClient1:~# route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 192.168.123.0   10.0.3.102      255.255.255.0   UG    0      0        0 eth0
> >
> >
> > fw2 -
> >
> >       External Interface - 10.0.3.102
> >       Internal Interface - 192.168.123.253
> >       Routing Table
> >       -------------
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
> > 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> >
> >
> > ProtectedClient1 -
> >
> >       Single Interface - 192.168.123.141
> >       Routing Table
> >       -------------
> > root at ProtectedClient1:~# route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 0.0.0.0         192.168.123.253 0.0.0.0         UG    0      0        0 eth0
> > 192.168.123.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> >
> >
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
> 