[ale] next stupid ipchains question

Joe Knapka jknapka at earthlink.net
Thu Sep 7 14:15:50 EDT 2000


Wandered Inn wrote:
> 
> Joe Knapka wrote:
> >
> > That's... interesting. In that case I'd bet that it's a route
> > problem. Do all the machines on both subnets have a default
> > route pointed at the firewall? If not, they need routes
> > telling them to reach the other subnet via the firewall.
> 
> I don't see how changing it from masq to accept would stop the
> communication altogether.  I would expect that if there is a routing
> problem, it would cause problems either way.

Now that I think about it, I don't either. If the firewall
machine was the default gateway for both subnets, it should
work either way.

My reasoning was that (in your setup, anyway) MASQ packets will
always appear to come from an address on the local subnet -
the firewall's address. But when the firewall just accepts and
forwards, machines on one subnet will see packets originating
on the other subnet, and thus need to know how to return
replies to the other subnet. But I neglected the fact that
even in the MASQ case, machines on both subnets need to know
to send packets to the firewall to reach the other subnet, so
routing should not be an issue either way.
 
> $IPCHAINS -A forward -j ACCEPT
> $IPCHAINS -A forward -j DENY -l
> 
> No communication through the router.  No logging at all.

OK, that means that either:

(a) packets are being accepted by the first rule, or
(b) packets are never getting to the forward chain at all.

Since it works with -j MASQ I'd say (b) is not the
case, so the firewall is accepting the packet but some other
factor is preventing communication. You can confirm that by
adding -l to the first rule to log that packets are
being accepted.

> Then:
> 
> $IPCHAINS -A forward -j MASQ
> $IPCHAINS -A forward -j DENY -l
> 
> Communication through the router successful, still no logging.
> 
> $IPCHAINS -A forward -j MASQ -l
> $IPCHAINS -A forward -j DENY -l
> 
> Communication through the router, the forwarded masq packets are logged.

All as expected. I confess to being rather mystified. We have
to be missing something blindingly obvious...

*** Joseph Knapka ***
In any formula, constants (especially those obtained from handbooks)
are to be treated as variables.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
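The routing argument in the message above, modelled as an added example (constructed code, not from the thread or from ipchains): it checks which hosts need a route to the far subnet when the forward chain ends in -j ACCEPT versus -j MASQ. The 192.168.x addresses and the dual-homed firewall layout are assumptions.

```python
"""Toy model of two subnets joined by a dual-homed firewall.

Constructed example: which hosts need a route to the far subnet when the
firewall plainly forwards a packet (-j ACCEPT) or masquerades it (-j MASQ)?
"""
from ipaddress import ip_address, ip_network

# Constructed addresses: the firewall has one interface on each subnet.
SUBNET_A = ip_network("192.168.1.0/24")
SUBNET_B = ip_network("192.168.2.0/24")
FW_A = ip_address("192.168.1.1")   # firewall's address on subnet A
FW_B = ip_address("192.168.2.1")   # firewall's address on subnet B


def local_subnet(addr):
    """Return the subnet an address is directly attached to."""
    return SUBNET_A if addr in SUBNET_A else SUBNET_B


def fw_addr_on(subnet):
    """The firewall's own address on the given subnet."""
    return FW_A if subnet == SUBNET_A else FW_B


def host_can_send(src, dst, has_default_route):
    """A host can deliver to dst if dst is on its own subnet, or if it has
    a default route pointed at the firewall; otherwise the packet dies."""
    return dst in local_subnet(src) or has_default_route


def round_trip(client, server, client_routed, server_routed, masq):
    """True if the client's packet reaches the server AND the reply gets
    back.  masq=True models -j MASQ, masq=False models -j ACCEPT."""
    # Outbound leg: the client needs a route to the far subnet either way.
    if not host_can_send(client, server, client_routed):
        return False
    # With MASQ the server sees the firewall's address on its own subnet as
    # the source; with ACCEPT it sees the client's far-subnet address.
    seen_src = fw_addr_on(local_subnet(server)) if masq else client
    # Return leg: the server replies to whatever source address it saw.
    return host_can_send(server, seen_src, server_routed)


def compare_modes(client_routed=True, server_routed=False):
    """Run one client/server pair through both forward-chain policies."""
    client = ip_address("192.168.1.10")   # constructed host on subnet A
    server = ip_address("192.168.2.20")   # constructed host on subnet B
    return {
        "ACCEPT": round_trip(client, server, client_routed, server_routed, False),
        "MASQ": round_trip(client, server, client_routed, server_routed, True),
    }
```

With a default route only on the client side, the model returns success for MASQ and failure for ACCEPT; give both sides a route and both policies succeed.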