-
network problem
Hello everyone.... :)
I want to dedicate a computer as a firewall for my LAN using IPTABLES.
On the firewall machine I have 2 network cards running. eth0 (internal LAN) has an IP range of 192.168.30.0 and eth1 (external LAN) has an IP range of 192.168.20.0.
eth0 also runs a DHCP server for the machines behind the firewall and eth1 is a DHCP client from the external LAN (I want to separate my LAN into 2 networks; my main gateway is a Zyxel ISDN router on net 192.168.20.0 which also acts as a DHCP server for the firewall's eth1).
My main problem is that even if the firewall is not started, I cannot access the external LAN from the internal LAN, but from the firewall box itself I can ping both networks. Can it be that it is a routing problem (I'm not very good with routing)? I run SuSE Linux 7.3, kernel 2.4.16.
In case it's not a routing problem, what else could it be? I'm really a bit lost here about this subject. Any help would be really welcome.
I apologize if my problem is not directly security related, so forgive me if my post is not in the right place; please tell me if it's in the wrong place too.
-
If I'm not mistaken you have to compile the routing into your kernel (IP forwarding).
For your kernel (2.4.x), you need 'network packet filtering' and, under TCP/IP, 'IP: Advanced Routing'. You will find these modules in 'Networking options'.
You probably need to configure a simple routing table or something like that.
I think you will find a little more information when you open the HELP-menu that comes with the two modules you need to compile in the kernel.
I'm sorry that I can't help you any further, but it was a long time ago when I configured my 'router'. I'm planning on upgrading it in the near future, but for now this is all I can tell you.
I hope this will help you.
-
It certainly does sound like a routing problem.
Have you placed a static route on the firewall routing traffic from the internal to the external LANs?
-
Also make sure the DHCP is sending the clients the correct default gateway address.
-
Re: Networking problem
For your problem in question: it sounds like a routing problem, for it doesn't recognize your eth0 from eth1. This is purely based on the info that you gave in your post. The Linux 2.x kernel by default won't do IP forwarding, meaning setting up your gateway addresses. DHCP only handles your internal/external networks' clients. DHCP and the router have to communicate with each other constantly so DHCP can service its clients with the right IP chain. In your config file you have given IP parameters for eth0 and eth1. What you need to do is to make sure that you have a few files loaded into your kernel. Load a few kernel modules using either insmod or modprobe:
/sbin/insmod ip_masq_user
/sbin/insmod ip_masq_raudio
/sbin/insmod ip_masq_ftp
/sbin/insmod ip_masq_irc
It would be wise to add these lines into one of your init scripts so they will run on every startup. There are other kernel modules related to IP masquerading; for a full list, type the command
/sbin/modprobe -l | grep ip_masq
To find out whether IP forwarding is switched on, check the contents of the file /proc/sys/net/ipv4/ip_forward. If it is 0, IP forwarding is off; if 1, it is on.
# cat /proc/sys/net/ipv4/ip_forward
0
# echo "1" > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1
Again, it is wise to add the line which turns on IP forwarding (the one with the echo command) to one of your init scripts.
I hope that info comes in handy for your problem in question. I am not sure if kernel 2.4.16 has the same problem as 2.x.x.
-
Hi all
Thanx a lot for all the feedback. Yes, my problem is that I cannot get eth0 to route to eth1. I have IP forwarding enabled though.
# cat /proc/sys/net/ipv4/ip_forward
1
I tried all combinations for static routing too. I'm really lost.
I just can't get it to work. What else did I miss out, or can I try?
-
As a guess, you may have a rule in iptables that drops your packets?!
To test your config you could try to declare a default static route 0.0.0.0 through eth1 and check if packets forwarded to any net are routed!
Or maybe you have a problem of IP mask!
(Even if 192 is usually class C, check with ifconfig the network you are administrating.
192.168.20.0/20 & 192.128.30.0/20 is the same network.)
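The mask check suggested in this post, as an added example that is not part of the thread: a POSIX sh script that computes the network address of an address/prefix pair and reports whether two such networks overlap. It uses the thread's two LAN addresses (192.168.30.0 on eth0 and 192.168.20.0 on eth1) with the /20 mask from the post and with the /24 mask of a class C-sized network; the function names are the example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: work out which network an address/prefix
# pair belongs to and whether two interface networks overlap. Function names
# are the example's own.

# ip_to_int A.B.C.D -> the address as a 32-bit unsigned integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted-quad form of a 32-bit integer
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask LEN -> netmask for a /LEN prefix as an integer
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# network_of A.B.C.D/LEN -> dotted-quad network address
network_of() {
    addr=${1%/*}
    len=${1#*/}
    int_to_ip $(( $(ip_to_int "$addr") & $(prefix_mask "$len") ))
}

# networks_overlap A/LEN B/LEN -> "yes" if the two networks share any address
# (both compared under the shorter prefix), "no" otherwise
networks_overlap() {
    len_a=${1#*/}
    len_b=${2#*/}
    if [ "$len_a" -lt "$len_b" ]; then short=$len_a; else short=$len_b; fi
    mask=$(prefix_mask "$short")
    if [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# The thread's two LANs: the same network under /20 (a conflict), distinct under /24.
echo "192.168.20.0/20 -> $(network_of 192.168.20.0/20)"
echo "192.168.30.0/20 -> $(network_of 192.168.30.0/20)"
echo "overlap at /20: $(networks_overlap 192.168.20.0/20 192.168.30.0/20)"
echo "overlap at /24: $(networks_overlap 192.168.20.0/24 192.168.30.0/24)"
```

Run it with the interface address and netmask that ifconfig shows for each card; when both interfaces resolve to the same network address the kernel has no reason to forward between them, which is exactly the symptom the post is asking about.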
-
By the way........I'm trying this without iptables running, so just plain routing, meaning that the iptables are not messing it up since they are not active yet (rcfirewall stop).
-
Hi again.....in the meantime I'm getting a feeling that the problem is not directly a routing problem....I've tried out too many combinations and I'm pretty sure my routing tables are OK (since my Linux distro sets up the routes automatically as well as the manual routes I have set up). It just will not "route" from eth0 to eth1. Is that still a "routing" problem? I've even tried routing daemons such as routed and zebra, but still no luck. I just can't get the 2 eths to communicate together. They are correctly installed, and I can use each eth on its own (I can ping both networks from the routing box). Can it maybe be that I have to have iptables running in order to route? I can't imagine it to be so. Any advice would be very much appreciated.
Also.......I just read up that it might be a bridging problem...weird thing is that it's already compiled into my kernel......
-
What is the error message that you are getting?
-
What did you mean by rcfirewall stop?
Is this a script? My stop script closes the box.
You might try flushing all the rules and resetting them to the default ACCEPT, then logging EVERYTHING and see what the logs say.
Does "iptables -V" show you FORWARDING is being dropped?
What does your routing table look like?
Oh, and don't forget
# Dynamic IP users: SLIP, PPP, or DHCP leave this enabled
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
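The checks asked for in this post and in the IP forwarding post above (the ip_forward flag, the routing table, a default route), gathered into an added example that is not from the thread: a POSIX sh script that reads the forwarding flag from a file (the /proc path used in the thread by default, overridable so it can be run against a constructed file), finds the default route in the text of `route -n` or `ip route`, and reports both. The sample routing table is constructed for the thread's two LANs; 192.168.20.1 is an assumed address for the ISDN router on the external LAN, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the two things a Linux box
# needs before it can pass packets between two LANs: the IPv4 forwarding flag
# and a default route. Reads the flag from a file (default: the /proc path
# used in the thread) and parses the text of `route -n` or `ip route`.

FORWARD_FILE="${FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Constructed sample in `route -n` layout for the thread's two LANs.
# 192.168.20.1 is an assumed address for the ISDN router on the external LAN.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.30.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.20.1    0.0.0.0         UG    0      0        0 eth1'

# ip_forward_state [file]: prints on, off or unknown (unreadable or odd content)
ip_forward_state() {
    value=$(cat "${1:-$FORWARD_FILE}" 2>/dev/null | tr -d '[:space:]')
    case "$value" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# default_route TEXT: prints "GATEWAY IFACE" for the default route found in
# `route -n` output (destination 0.0.0.0) or `ip route` output ("default via
# ... dev ..."); prints nothing and returns 1 when there is none
default_route() {
    found=$(printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0" && NF >= 8 { print $2, $8; exit }
        $1 == "default" {
            gw = "-"; dev = "-"
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw, dev; exit
        }')
    [ -n "$found" ] || return 1
    echo "$found"
}

# routing_check [file] [route_text]: one line per finding; exit 0 only when
# forwarding is on and a default route exists
routing_check() {
    file="${1:-$FORWARD_FILE}"
    table="${2:-$(route -n 2>/dev/null || ip route 2>/dev/null)}"
    status=0
    state=$(ip_forward_state "$file")
    [ "$state" = on ] || status=1
    echo "ip_forward ($file): $state"
    if gw_dev=$(default_route "$table"); then
        echo "default route: via ${gw_dev% *} dev ${gw_dev#* }"
    else
        echo "default route: none (other networks will be 'network unreachable')"
        status=1
    fi
    return $status
}

# Demonstration on the constructed table; on the real box pass "$(route -n)".
routing_check "$FORWARD_FILE" "$SAMPLE_ROUTE_N" || echo "routing check failed"
```

Both checks passing only rules out the routing half of the problem: a firewall whose FORWARD chain drops packets still blocks traffic between the two LANs, which is why the post above also suggests resetting the rules to ACCEPT and logging everything.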
-
OK, let me put it another way. Let us forget all about iptables and firewalling. Let us just concentrate on getting the packages from eth0 to eth1! eth0 = internal LAN, eth1 = external LAN. Forget the firewall and all the rules it has; I want to forward packages from the internal LAN (eth0) to the external LAN (eth1), or do I HAVE to have iptables running?
And @ soggy, the error message I am getting when I ping is network unreachable or destination unreachable.
-
can you post up your routing table?
-
I'm sorry, right now that's not possible soggybottom :( I'm not near that box now. At the moment I'm in a netcafe, but I promise to post that first thing in the morning along with the ifconfig settings. Thanx ever so much everyone for the feedback, this site is great.
Good night everyone, cya in the morning.
-
Posting a comment after reading the new posts/replies added in here!
There are a few help files that will help you to get a better understanding of the problem in hand.
http://www.linux-mag.com/2001-05/routing_03.html
That site can give you more info on your routing problem with your eth0 internal and eth1 external if you can't get them to talk with each other. For the other problem, your IP masquerading/IP forwarding problem, you can get a better picture of how to set it up with the info on this site.
http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/
I think those will come in handy to you when you are configuring your LAN.
Post up your routing table. There might be a conflict that makes one of the eths not recognize internal from external.
-
Hello everyone again..... I finally did it, and I also set up my iptables on the box and it works just fine. I installed squid on the FW box and it's forwarding http, ftp via proxy (which is more secure than masq anyway). I want to thank all of you who have helped me here and have posted. You're all great peeps. Keep up the good work and thanx ever so much.
instronics :)