I’m trying to set up a firewall machine that will forward packets only. I will not be running any services (DNS/Squid/SSHD/NAMED/etc.) on this box. I have even #’ed out the services in /etc/inetd.conf.
All I want this box to do is forward packets.
I have IP forwarding enabled. I can ping inside and outside from the firewall box. I can ping the router (216.29.167.1) and Internet IPs from the firewall box. I can ping the internal (192.168.100.49) AND external (216.29.167.225) NICs from my PC. I CANNOT ping the router (216.29.167.1) or Internet IPs from my PC.
What am I missing? Do I have to use IPTABLES to accomplish this?
You will have to forgive me, but I’m an old NetWare guy and I can set this up in like 10 minutes with a Novell box. *opens self up to ridicule*
A little info about my setup:
--------------------------------------------------------------------------------------------------------------------
fw6:~# cat /proc/version
Linux version 2.4.19 (root@fw6) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Tue Aug 6 14:50:25 EDT 2002
fw6:~#
--------------------------------------------------------------------------------------------------------------------
fw6:~# cat /etc/network/options
ip_forward=yes
spoofprotect=yes
syncookies=no
--------------------------------------------------------------------------------------------------------------------
fw6:~# cat /proc/sys/net/ipv4/ip_forward
1
fw6:~#
---------------------------------------------------------------------------------------------------------------------
fw6:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
216.29.167.0    *               255.255.255.0   U     0      0        0 eth1
default         216.29.167.1    0.0.0.0         UG    0      0        0 eth1
---------------------------------------------------------------------------------------------------------------------
fw6:~# cat /etc/network/interfaces
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
    address 192.168.100.49
    netmask 255.255.255.0
    network 192.168.100.0
    broadcast 192.168.100.255

auto eth1
iface eth1 inet static
    address 216.29.167.225
    netmask 255.255.255.0
    network 216.29.167.0
    broadcast 216.29.167.255
    gateway 216.29.167.1
fw6:~#
---------------------------------------------------------------------------------------------------------------------
fw6:/# cat /etc/inetd.conf
# /etc/inetd.conf:  see inetd(8) for further informations.
#
# Internet server configuration database
#
#
# Lines starting with "#:LABEL:" or "#<off>#" should not
# be changed unless you know what you are doing!
#
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
#
# Packages should modify this file by using update-inetd(8)
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
#:INTERNAL: Internal services
#echo		stream	tcp	nowait	root	internal
#echo		dgram	udp	wait	root	internal
#chargen	stream	tcp	nowait	root	internal
#chargen	dgram	udp	wait	root	internal
## discard	stream	tcp	nowait	root	internal
## discard	dgram	udp	wait	root	internal
## daytime	stream	tcp	nowait	root	internal
#daytime	dgram	udp	wait	root	internal
## time		stream	tcp	nowait	root	internal
#time		dgram	udp	wait	root	internal

#:STANDARD: These are standard services.

#:BSD: Shell, login, exec and talk are BSD protocols.

#:MAIL: Mail, news and uucp services.
#disabled#smtp	stream	tcp	nowait	mail	/usr/sbin/exim exim -bs

#:INFO: Info services

#:BOOT: Tftp service is provided primarily for booting.  Most sites
#	run this only on machines acting as "boot servers."

#:RPC: RPC based services

#:HAM-RADIO: amateur-radio services

#:OTHER: Other services
fw6:/#
---------------------------------------------------------------------------------------------------------------------
From Windows:

H:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : hostname
        Primary Dns Suffix  . . . . . . . : mydomain.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mydomain.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-00-39-E0-61-E7
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.49
        DNS Servers . . . . . . . . . . . : 192.168.100.11

H:\>ping 192.168.100.49

Pinging 192.168.100.49 with 32 bytes of data:

Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
Reply from 192.168.100.49: bytes=32 time<1ms TTL=64
Reply from 192.168.100.49: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.100.49:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

H:\>ping 216.29.167.225

Pinging 216.29.167.225 with 32 bytes of data:

Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
Reply from 216.29.167.225: bytes=32 time<1ms TTL=64
Reply from 216.29.167.225: bytes=32 time<1ms TTL=64

Ping statistics for 216.29.167.225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

H:\>ping 216.29.167.1

Pinging 216.29.167.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.29.167.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

H:\>
Thanks,
Ryan McAlister
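As an added example (not from the post or any reply to it): plain forwarding is not enough here because 192.168.100.0/24 is private address space, so the router at 216.29.167.1 has no route back to the PC and its replies never return; the firewall must also rewrite the source address of outbound packets (masquerading), which is what the iptables rules below do for the interfaces and network named in the post. The script prints the rules by default and only runs them when invoked with `apply`; the helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal iptables NAT set-up
# for the poster's topology: LAN on eth0 (192.168.100.0/24), WAN on eth1.

LAN_NET="192.168.100.0/24"   # inside network, as in the post
WAN_IF="eth1"                # outside interface (216.29.167.225), as in the post

# is_rfc1918 ADDR: succeed when ADDR is private address space, which
# upstream routers will not route back to. This is why the PC's pings
# reach the router but the replies never come back.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)                        return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# nat_rules LAN_NET WAN_IF: print the rules that (1) masquerade outbound
# LAN traffic behind the firewall's own WAN address, (2) allow the LAN to
# be forwarded out, and (3) allow only reply traffic back in.
nat_rules() {
    lan="$1"; wan="$2"
    echo "iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE"
    echo "iptables -A FORWARD -s $lan -o $wan -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# forwarding_enabled: succeed when the kernel knob shown in the post is 1.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# Dry run by default; "apply" runs the rules (needs root on the firewall).
if [ "${1:-}" = apply ]; then
    forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules "$LAN_NET" "$WAN_IF" | sh -e
else
    nat_rules "$LAN_NET" "$WAN_IF"
fi
```

Run it once with no argument to review the three rules, then with `apply` as root on the firewall.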