Firewall & Routing - help!

Kevin F. Berrien kblists at comcast.net
Thu Jun 10 21:18:14 UTC 2004


Answering my own questions a bit.  When I boot, my routing table is:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.5.0      *               255.255.255.0   U     0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0

I can get out to the internet with this table, and I'm assuming it's the 
default route.  I need to remove the 172.20.5.0, 169.254.0.0 so they are 
gone after reboot.

I don't seem to have any /etc/sysconfig/static-route or 
/etc/sysconfig/network-scripts/route-eth0 (from reading around), so 
where are these routes stored?  I'll need to change all this after 
testing, before I go live as my REAL subnets are 172.20.5.x, 172.20.50.x 
so I'll need to know how to change this.

Thanks for the help from everyone.... now I'll go back to cleaning up my 
firewall script.


Kevin F. Berrien wrote:

> Thanks for the responses by everyone.  I've combined the ideas, done 
> the following with the following results.
>
> > a)  make a route in 192.168.50.1 that routes traffic for 192.168.5.0 to
> > your IP of 192.168.50.48...  This will allow your gateway server/router
> > to route packets to this additional network properly.
>
> Done, set a route on 50.1 to 5.0 (test environ is a linksys BEFSR41, 
> live will be Symantec/Raptor fw).
>
> > And you need to turn on packet forwarding on the box that is routing 
> > between subnets to do that.
> > Edit /etc/sysctl.conf changing ip_forward on:
> > net.ipv4.ip_forward = 1
> > Then apply the change with the following command:
> > sysctl -p
>
> Ok, edited the value of net.ipv4.ip_forward to true.  Please note, 
> when I execute a network restart I see the following...
>
>    Shutting down interface eth0:                              [  OK  ]
>    Shutting down interface eth1:                              [  OK  ]
>    Shutting down loopback interface:                          [  OK  ]
>    Disabling IPv4 packet forwarding:                          [  OK  ]
>
> I'm not sure where the IPv4 packet forwarding disable is coming from.
>
> > When you have multiple devices like this, each device should have 
> > its gateway for the local network (or no gateway if *it*
> > is the gateway)
>
>
> Edited eth1 with gateway blank.
>
> > then you should have a statement like this in your 
> > /etc/sysconfig/network file:
> > GATEWAYDEV=eth0
>
> Added.
>
> >  NOW, try pinging 192.168.5.200 from 192.168.50.48... You should get
> >  responses back.  If so, try 192.168.5.3 next.
>
> ******** I've turned off the fw to test the routing.
>
> Ok, I can ping from the firewall both ways, machine from one subnet to 
> the other, and vice versa.
> I can access my internal web server just fine.  I get dns results from 
> internal dns server etc.... so I'm bridging the subnets now.
>
> I however, CAN NOT get out of my 50.x subnet to the internet from the 
> firewall, and from the machine at 5.3.
>
> [root at choke root]# ping www.groklaw.net
> connect: Network is unreachable
>
> Also, where are the default routes, etc.. stored in RH/FC1?  When I 
> first  boot, I've got some crazy routes from playing around before....
>
> btw, here is my routing table
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 172.20.5.0      *               255.255.255.0   U     0      0        0 eth1
> 192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> [root at choke root]#
>
> Dunno what the 169.254 is, or where it's coming from.
>
>
> My route on the bastion fw (50.1)  appears to be ok.
>
>
> Almost there!  Thanks!
>
>
>
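An added check, not code from this thread or from Fedora: a small POSIX shell audit that compares a `route` table (here the one posted above, embedded as constructed sample input) against an allow-list of the routes you expect on the box, so leftover lab routes such as 172.20.5.0/24 and the 169.254.0.0/16 zeroconf route are flagged before the firewall goes live. The allow-list contents and the `unexpected_routes` function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a `route` table against an
# allow-list of expected routes, so stale entries are caught before a
# firewall/router goes live.

# Constructed sample: the routing table posted in the thread, one row per line.
ROUTE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.5.0      *               255.255.255.0   U     0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0'

# Allow-list (assumed for this example): "destination genmask iface", one per line.
# The two lab routes the poster wants gone are deliberately not listed.
EXPECTED='192.168.5.0 255.255.255.0 eth1
192.168.50.0 255.255.255.0 eth0
127.0.0.0 255.0.0.0 lo
default 0.0.0.0 eth0'

# unexpected_routes TABLE ALLOWLIST
# Prints "destination genmask iface" for every route in TABLE not in ALLOWLIST.
unexpected_routes() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, rows, "\n"); for (i = 1; i <= n; i++) ok[rows[i]] = 1 }
        NR == 1 { next }                              # skip the column header
        NF >= 8 { key = $1 " " $3 " " $8; if (!(key in ok)) print key }'
}

# Report. On a live box, feed it "$(route)" instead of the sample table.
# On Red Hat/Fedora of that era, persistent static routes belong in
# /etc/sysconfig/network-scripts/route-<iface>, and NOZEROCONF=yes in
# /etc/sysconfig/network stops the 169.254.0.0/16 zeroconf route being added.
unexpected_routes "$ROUTE_TABLE" "$EXPECTED" | while read -r dest mask iface; do
    echo "unexpected route: $dest/$mask via $iface"
done
```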





More information about the fedora-list mailing list