network problem

[instronics]

Hello everyone....

I want to dedicate a computer as a firewall for my LAN using IPTABLES.

On the firewall machine i have 2 network cards running. eth0 (internal lan) has an ip range of 192.168.30.0 and eth1 (external lan) has an ip range of 192.168.20.0

eth0 also runs a dhcp server for the machines behind the firewall and eth1 is a dhcp client from the external lan (i want to seperate my lan into 2 networks, my main gateway is a zyxel isdn router on net 192.168.20.0 which also acts as a dhcp server for the firewalls eth1)

My main problem is that even if the firewall is not started, i cannot access the external lan from the internal lan, but from the firewall box itself i can ping both networks. Can it be that is a routing problem (im not very good with routing). I run SuSE linux 7.3 kernel 2.4.16

Incase its not a routing problem, what else could it be, im really a bit lost here about this subject. Any help would be really welcome.

I apologize if my problem is not directly security related, so forgive me if my post is not in the right place, please tell me if its in the wrong place too.

[ruleant]

If I'm not mistaken you have to compile the routing into your kernel. (ip forwarding)

For your kernel (2.4.x), you need 'network packet filtering' and TCP/IP -> 'IP: Advanced Routing', to able to You will find these modules in 'Networking options'.

You probably need to configure a simple routing table or something like that.

I think you will find a little more information when you open the HELP-menu that comes with the two modules you need to compile in the kernel.

I'm sorry that I can't help you any further, but it was a long time ago when I configured my 'router'. I'm planning on upgrading it in the near future, but for now this is all I can tell you.

I hope this will help you.

[SoggyBottom]

It certainly does sound like a routing problem.

Have you placed a static route on the firewall routing traffic from the internal to the external lans?

[EaseZE]

Also make sure the dhcp is sending the clients the correct default gateway address.

[zip2dip]

For your problem in question.It sounds like an Routing problem for it dont reckognize your eth0 from eth1.This is purely based on the info that you gave in your post.Linux2.x kernel by default wont do IP/Forwarding meaning setting up your gateway addresses.DHCP only handels your internal/external networks clients .DHCP & Router has to communicate with each other constantly so DHCP can service its clients with right IP chain.In your config file you have given IP parameters for Eth0 and eth1.what you need to do is to make sure that you have few files loaded in to your Kernel.load a few kernel modules using either insmod or modprobe:
/sbin/insmod ip_masq_user
/sbin/insmod ip_masq_raudio
/sbin/insmod ip_masq_ftp
/sbin/insmod ip_masq_irc
It would be wise to add these lines into one of your init scripts so they will run on every startup. There are other kernel modules related to IP masquerading; for a full list, type the command
/sbin/modprobe -l | grep ip_masq
To find out whether IP forwarding is switched on, check the contents of the file /proc/sys/net/ipv4/ip_forward. If it is 0, IP forwarding is off; if 1, it is on.

# cat /proc/sys/net/ipv4/ip_forward
0
# echo "1" > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1

Again, it is wise to add the line which turns on IP forwarding (the one with the echo command) to one of your init scripts.

I hope that info comes handy to your problem in question.I am not sure if the kernel2.4.16 has the same problem as 2.x.x

[instronics]

Hi all

Thanx alot for all the feedback. Yes, my problem is that i cannot get the eth0 to route to eth1. I have ip forwarding enabled though.

# cat /proc/sys/net/ipv4/ip_forward
1

I tried all combinations for static routing too. Im really lost.

i just cant get it to work. What else did i miss out, or can i try?

[Networker]

As a guess you may have a rule in IPtable that drop your packets?!

To test your config you could try to declare a default static route 0.0.0.0 through eth1 and check if packets fowarded to any net are routed!

Or you maybe have a problem of IP mask!

(even if 192 is usually classe C check with ifconfig the network your are administrating.
192.168.20.0/20 & 192.128.30.0/20 is the same network)

[instronics]

By the way........im trying this without iptables running, so just routing plain, meaning that the iptables are not messing it up since they are not active yet (rcfirewall stop)

[instronics]

Hi again.....in the mean time im getting a feeling that the problem is not directly a routing problem....ive tried out to many combinations and im pretty sure my routing tables are ok (since my linux distro sets up the routes automatically aswell as the manual routes i have setup. It just will not "route" from eth0 to eth1. Is that still a "routing" problem? Ive even tried routing daemons such as routed and zebra, but still not luck. I just cant get the 2 eth's to comunicate together. Ther are corectly installed, and i can use each eth on its own (i can ping both networks from the routing box), can it maybe be that i have to have iptables running in order to route? I cant imagine it to be so. Any advice would be very much appreciated.

also.......i just read up that it might be a bridging problem...weird thing is that its already compiled into my kernel......

[SoggyBottom]

What is the error message that you are getting?