Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

routing/iptables: traffic blocked when routed back over same interface

Status
Not open for further replies.
peterve

peterve

IS-IT--Management
Mar 19, 2000
1,348
NL
Hi all,

I have a fedora (core 6) box running iptables (1.3.8), acting as a firewall/router
The server is connected to the internet, and behind the fedora box, there are 2 subnets

Internet – Firewall – Subnet1 – Router – Subnet 2

Subnet1 = 192.168.0.0/24, Firewall : 192.168.0.1, Router = 192.168.0.254
Subnet2 = 192.168.3.0/24, Router : 192.168.3.254

On the firewall, I have created a route to 192.168.3.0/24, pointing to the Router between Subnet1 and Subnet2

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.3.0 192.168.0.254 255.255.255.0 U 0 0 0 eth0

I have a rule in iptables, allowing all traffic from 192.168.0.0/24 towards 192.168.3.0/24

When clients from 192.168.0.0/24 try to connect to hosts in 192.168.3.0/24, the packet is sent to their default gateway (which is the firewall).
I would have expected the firewall to forward the packet to the router between 192.168.0.0 and 192.168.3.0
But all I can see in the log is a “DENY in=eth0 out=eth0 ”

So when the traffic is routed back out over the same interface, traffic appears to be blocked

How can I solve this ?

Thanks

c













--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
---------------------------------------------------------------
 
Sort by date Sort by votes
You need to clarify a few more details...

In the firewall, is eth0 the internet facing NIC or the private network facing NIC? You do have TWO NICs right?

Have you enabled ip_forwarding?

Does traffic flow correctly from the firewall CLI (e.g. pings)

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
ok, I figured it out


when packet is sent from subnet2 to subnet1, it is delivered to the host in subnet1 directly( via the router between subnet1 and subnet2)
The returning packets (from subnet1 going back to subnet2) first goes to the firewall. The firewall did not find an open session, so it drops the packet

Solution : either set a static route to subnet2 on all hosts in subnet1 (too much work),
or create a rule in the firewall that allows traffic from subnet1 to subnet2, without checking the state (stateless rule)

works fine now



--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
---------------------------------------------------------------
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

krabban
  • Locked
  • Question
Dirvish for backup
Replies
0
Views
222
krabban
krabban
msk69
  • Locked
  • Question
OVA backup
Replies
4
Views
292
msk69
msk69
KannaChan
  • Locked
  • Question
TLS1.2 and TLS1.0 proxy in same Virtualhost
Replies
1
Views
183
ChrisHirst
ChrisHirst
Agent0007
  • Locked
  • Question
HELP Traffic Control of IP
Replies
2
Views
131
Agent0007
Agent0007
henzen
  • Locked
  • Question
Using mod_sed on both in/out filtering on same site
Replies
1
Views
130
feherke
feherke

Part and Inventory Search

Sponsor

Back
Top