Firewall & Routing - help!

Rick Stevens rstevens at vitalstream.com
Thu Jun 10 21:19:46 UTC 2004


Kevin F. Berrien wrote:
> Thanks for the responses by everyone.  I've combined the ideas, done the 
> following with the following results.
> 
>  > a)  make a route in 192.168.50.1 that routes traffic for 192.168.5.0 to
>  > your IP of 192.168.50.48...  This will allow your gateway server/router
>  > to route packets to this additional network properly.
> 
> Done, set a route on 50.1 to 5.0 (test environ is a linksys BEFSR41, 
> live will be Symantec/Raptor fw).
> 
>  > And you need to turn on packet forwarding on the box that is routing 
>  > between subnets to do that.
>  > Edit /etc/sysctl.conf changing ip_forward on:
>  > net.ipv4.ip_forward = 1
>  > Then apply the change with the following command:
>  > sysctl -p
> 
> Ok, edited the value of net.ipv4.ip_forward to true.  Please note, when 
> I execute a network restart I see the following...
> 
>    Shutting down interface eth0:                              [  OK  ]
>    Shutting down interface eth1:                              [  OK  ]
>    Shutting down loopback interface:                          [  OK  ]
>    Disabling IPv4 packet forwarding:                          [  OK  ]
> 
> I'm not sure where the IPv4 packet forwarding disable is coming from.
> 
>  > When you have multiple devices like this, each device should have its 
>  > gateway for the local network (or no gateway if *it* is the gateway)
> 
> 
> Edited eth1 with gateway blank.
> 
>  > then you should have a statement like this in your 
>  > /etc/sysconfig/network file:
>  > GATEWAYDEV=eth0
> 
> Added.
> 
>  >  NOW, try pinging 192.168.5.200 from 192.168.50.48... You should get
>  >  responses back.  If so, try 192.168.5.3 next.
> 
> ******** I've turned off the fw to test the routing.
> 
> Ok, I can ping from the firewall both ways, machine from one subnet to 
> the other, and vice versa.
> I can access my internal web server just fine.  I get dns results from 
> internal dns server etc.... so I'm bridging the subnets now.
> 
> I however, CAN NOT get out of my 50.x subnet to the internet from the 
> firewall, and from the machine at 5.3.
> 
> [root at choke root]# ping www.groklaw.net
> connect: Network is unreachable
> 
> Also, where are the default routes, etc.. stored in RH/FC1?  When I 
> first boot, I've got some crazy routes from playing around before....
> 
> btw, here is my routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.20.5.0      *               255.255.255.0   U     0      0        0 eth1
> 192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> [root at choke root]#

You don't have a default route.  Put in

	route add default dev eth1

or

	route add default gw 192.168.50.1

(or whatever your firewall/gateway is).

> 
> Dunno what the 169.254 is, or where it's coming from.

That's a standard private network (called "zeroconf") and it's inserted
by the /etc/sysconfig/network-scripts/ifup script.

It's used if you're trying to use DHCP and no DHCP server is found.  The
client then sets up an address in this /16 range with a broadcast
address of 255.255.255.255 and broadcasts its 169.254 address.  If no
one on the network complains, then that's the address that it uses.  If
someone does, it tries another one in the 169.254 range and repeats the
broadcast.  This continues until no one on the net complains anymore and,
as a result, the NIC has a 169.254.x.y address.  Think of it as a
self-generating DHCP address.  It ain't pretty, but it works.

If you want the real skinny, the whole thing is being steered by the
zeroconf group of the IETF (http://www.zeroconf.org).  The details
about 169.254/16 are here:

     http://files.zeroconf.org/draft-ietf-zeroconf-ipv4-linklocal.txt

Note that 169.254/16 is NOT routable.  Treat it exactly as if it were a
192.168/16 or 10/8 network address.

> My route on the bastion fw (50.1)  appears to be ok.

Good.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    If Windows isn't a virus, then it sure as hell is a carrier!    -
----------------------------------------------------------------------
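The missing-default-route diagnosis in the reply above, as an added example that is not part of the thread: it parses the routing table Kevin posted, performs the kernel's longest-prefix lookup to show why a public address gets "Network is unreachable", models `route add default gw 192.168.50.1` (including the case where the gateway itself is not on a connected subnet), and flags the 169.254/16 zeroconf route. The public address 198.51.100.7 is a constructed placeholder, not an address from the thread.

```python
import ipaddress

# Routing table as posted in the thread, with the wrapped Iface column
# re-joined (constructed transcription, not captured from a live host).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.5.0      *               255.255.255.0   U     0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
"""

def parse_routes(text):
    """Turn `route` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        dest, gw, mask, _f, _m, _r, _u, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "*" else ipaddress.ip_address(gw), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it; None = 'Network is unreachable'."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def add_default(routes, gw):
    """Model `route add default gw <gw>`: the gateway must sit on a directly
    connected network, otherwise route(8) reports 'Network is unreachable'."""
    via = lookup(routes, gw)
    if via is None or via[1] is not None:
        raise ValueError(f"SIOCADDRT: Network is unreachable (gateway {gw})")
    return routes + [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gw), via[2])]

def audit(routes):
    """Warnings worth raising about a table like this one."""
    warnings = []
    if not any(r[0].prefixlen == 0 for r in routes):
        warnings.append("no default route: anything beyond the local subnets is unreachable")
    for net, _gw, iface in routes:
        if net.is_link_local:  # 169.254/16 (zeroconf): never routable, left by a failed DHCP
            warnings.append(f"link-local route {net} on {iface}; remove it or fix DHCP")
    return warnings

if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    print(audit(table), lookup(table, "198.51.100.7"))
    print(lookup(add_default(table, "192.168.50.1"), "198.51.100.7"))
```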