> From: "Luciano Eicke" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: DoS - routing... next.. firewall! UPDATED
> Date: Tue, 1 Oct 2002 19:50:47 -0300
> Reply-To: [EMAIL PROTECTED]
>
> Things were not so easy.
>
> My current route table is:
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     *               255.255.255.252 U     0      0        0 eth1
> 200.199.99.192  *               255.255.255.192 U     0      0        0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
>
> The router is 192.168.0.1
>
> Eth1 is 192.168.0.2
> Eth0 is 200.199.99.193, with 200.199.99.195 as alias
>
> Problem is I am no longer able to ping from this server to anybody outside.
> Everybody outside can "see" the server - it is receiving mail, and serving
> www and ftp.
> Also, any incoming and outgoing traffic from other servers is properly
> routed through this server, but the server itself can't originate any
> connections.
>
> I spent most of the day trying to figure out why sendmail was "deferring"
> all outgoing mail and looking for a misconfigured entry in IPChains, then I
> realized the problem was not in IPChains. It seems whenever I try to send
> something from this server outside my network, the system chooses eth1 to do
> it.
>
> I tried
>
> ipchains -A forward -s 192.168.0.2 -d 0/0 -i eth0 -j MASQ
>
> but it didn't work.
>
> Fortunately sendmail has a ClientPortOptions parameter that allowed me to
> override the system-chosen network device, but what about other services
> that must initiate connections?
>
> Any ideas?
>
> Luciano Eicke
> Web Garage S/C Ltda
Yes, I think I see the problem. 192.168.x.x is a local network address (i.e.
not a public address). You have assigned a public IP address to eth0, and a
private one to eth1. This is fine. BUT, when you want to send stuff out to the
wide internet, it should be coming FROM your PUBLIC IP address (eth0), but
your default route (gateway) is directed to your internal private network
(eth1).

You want to plug your public IP address into your "router"
(DSL/cable/T1/whatever). The router itself will have one or more network
address(es) on your side (LAN). The netmask of these must match the netmask of
the ethernet card you have plugged into it. On the other side (WAN - to your
ISP) the router will have some possibly completely different IP address, with
a netmask that matches your ISP's.

(a) make sure you connect your PUBLIC IP address/ethernet card (eth0) to the
    external router.
(b) connect your PRIVATE IP address/card (eth1) into your internal network
    (hub/router/other in-house machine(s)).
(c) make the public IP/card (eth0) your default route.
(d) make sure the netmask on eth0 matches the internal (LAN) side of your
    router.

You may have to reconfigure your router to get it all to work right. Your ISP
should be able to assist with this.

Jim Roberts

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
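The check behind Jim's diagnosis, as an added example that is not part of the thread: given the text of a `route` table and a list of interface addresses, find the interface the default route leaves through and flag it if that interface carries an RFC 1918 (private) address. The route table and the `IFACE_ADDRS` list below are constructed from the figures quoted above; the function names are this example's own, not any tool's.

```shell
#!/bin/sh
# Added example: detect a default route that exits through a privately
# addressed interface. Input is the text of `route` (or `netstat -rn`) and a
# hand-written "iface address" list; both are constructed from the thread.

ROUTE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.252 U     0      0        0 eth1
200.199.99.192  *               255.255.255.192 U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1'

# Constructed from the addresses given in the quoted mail.
IFACE_ADDRS='eth1 192.168.0.2
eth0 200.199.99.193'

# default_iface TABLE -> prints the interface of the default route.
# `route` prints the destination as "default", `route -n` as 0.0.0.0.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }'
}

# iface_addr ADDRS IFACE -> prints the address assigned to IFACE.
iface_addr() {
    printf '%s\n' "$1" | awk -v i="$2" '$1 == i { print $2; exit }'
}

# is_private ADDR -> exit status 0 if ADDR is inside an RFC 1918 block
# (10/8, 172.16/12, 192.168/16), 1 otherwise.
is_private() {
    case "$1" in
        10.*)                                  return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        192.168.*)                             return 0 ;;
        *)                                     return 1 ;;
    esac
}

# check_default_route TABLE ADDRS -> prints "ok IFACE ADDR" (exit 0) when the
# default route leaves via a publicly addressed interface, or
# "private IFACE ADDR" (exit 1) when it leaves via a private one.
check_default_route() {
    iface=$(default_iface "$1")
    addr=$(iface_addr "$2" "$iface")
    if is_private "$addr"; then
        echo "private $iface $addr"
        return 1
    fi
    echo "ok $iface $addr"
    return 0
}

# On the table quoted above this reports: private eth1 192.168.0.2
if ! check_default_route "$ROUTE_TABLE" "$IFACE_ADDRS"; then
    echo "default route exits via a private interface; move it to the public one" >&2
fi
```

On the original table the check reports `private eth1 192.168.0.2`, which is exactly Jim's point (c). The remedy on a net-tools system of that era is `route del default` followed by `route add default gw <router LAN address> dev eth0`, where the router's LAN-side public address is something the thread does not give and must come from the router's configuration.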