On Tue, 2016-09-27 at 07:35 -0500, Lonnie Abelbeck wrote: ...
> > I've made the suggested changes, but still no joy!
> > I'm seeing the traffic arriving with tcpdump, but the chain
> > 'EXT_INPUT_CHAIN' doesn't show the packet.
>
> Please be more precise, from what source IP are you trying to reach
> which destination IP using which service (SSH, SIP, etc.). Precisely
> what Firewall rule is defined to allow that on the external interface
> ?

I'm trying to reach 192.168.60.6 (EXTIP) from 192.168.10/24 or
192.168.50/24 on tcp port ssh and tcp port sip.

Excerpt from "arno-iptables-firewall status EXT_INPUT_CHAIN"

>0 0 ACCEPT udp -- + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
>0 0 ACCEPT tcp - + * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060

> > From a 192.168.10.0/24 or 192.168.50.0/24 network does "ssh
> > root@192.168.40.6" work ?

Yup - that's fine!

> Without NAT_FOREIGN_NETWORK your 192.168.10.0/24 and 192.168.50.0/24
> networks could not ping www.google.com (upstream from eth0), does
> that work now ?

ping google.com goes a different route - I'm afraid!

I want to do a simple ping 192.168.60.6 from 192.168.10/24 or
192.168.50/24. I'm able to see them arriving on eth0 with tcpdump!

Do these packets need to pass EXT_INT_CHAIN?
Does EXTIF allow any "private" addresses?

My assumption is as follows - they'll be processed within iptables and
won't be discarded.

> Also, it would seem your layer-3 switch is providing DHCP to the
> 192.168.10.0/24 and 192.168.50.0/24 networks, is the switch's gateway
> (default route) set to 192.168.40.6 ?

The 192.168.10/24 and 192.168.50/24 aren't handled by dhcp - they have
static IP addresses.

> >
> >
> > BTW - Does 'IP_FORWARDING=0' disable the whole FORWARD chain?
>
> That would disable all interface routing, we set that automatically,
> leave IP_FORWARDING alone.

This is what I would've imagined :)

Thanks for the clarification!

Armin.