All;

Thanks for all your fast replies. Mr. Pattie pointed me to what I missed. As I suspected, it was something I should have looked at but just plain forgot.

-> Sounds like your default route on the internal machine
-> is still pointing
-> at your old firewall and not at the new one, since you said it works
-> when you put the old box back in the mix.

(Smacking side of head with heel of hand). Why did I know it was something...er...simple?

That was the problem, except for one other tweak, which brings up an informational question. The old box used iptables version 1.2.4. The current uses 1.2.5. After getting things set up on the new box with the repaired gateway, I noticed something odd. I could access the internal system from the external network subnet of the new box. ssh, http/https, and ftp all worked when I tried accessing from a box on the local external network. However, when I tried to access the internal machine through the new box from another network (my box at home via my ISP), I couldn't get in.

At first, I thought James' suggestion wasn't the problem. Then, I noticed the FORWARD rule for ssh to the internal system looked like this:

$IPTABLES -A FORWARD -i ${EXTERNAL} -o ${INTERNAL} -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT

I went back to the firewall system and changed the rule to add a source. At first, I tried just adding the dhcp-assigned IP of my home system. Then I was able to get in. In order to make it work from anywhere, I changed the rule to this:

$IPTABLES -A FORWARD -p tcp -s 0/0 -i ${EXTERNAL} -o ${INTERNAL} -d 192.168.1.10 --dport 22 -j ACCEPT

What's curious is that on the old firewall system (running 1.2.4), the first rule worked no matter from where I tried to access it. Since the rest of the rulesets are the same, I have to assume that something was changed between versions, although the changelog doesn't reflect it. Or maybe I'm just nuts.

This certainly isn't a pressing issue, but I'd appreciate any insight or comments.

cheers,
Joe

Joe Dougherty
Information Technology Systems Officer
NAVLANTMETOCFAC Jacksonville
(904) 542-2541 ext. 35 (comm)
942-2541 ext. 35 (DSN)
[EMAIL PROTECTED]
https://www.nlmof.navy.mil

"Hot dog, groat cakes again! Heavy on the 30-weight, Mom"