Confirm: letting certain packets pass through un-natted

David Leangen dleangen at canada.com
Mon Oct 3 06:51:41 CEST 2005


Hello!

 >>    +---------------+
 >>    |     modem     |
 >>    | (192.168.1.1) |
 >>    +---------------+
 >>            |
 >>   +-----------------+
 >>   |       ppp0      |
 >>   |        |        |
 >>   |  ...1.2 (eth0)  |
 >>   |        |        |eth1
 >>   |           ...2.1|-----192.168.2.0/24
 >>   |     Firewall    |
 >>   +-----------------+
 >
 > [SNIP]
 >
 >
 >>Destination Gateway    Genmask      Iface
 >>192.168.1.0    *    255.255.255.0   eth0
 >>192.168.2.0    *    255.255.255.0   eth1
 >>default       xxx   0.0.0.0         ppp0
 >
 >
 > [Rest snipped - probably not relevant]
 >
 > The only thing I can think of is that pppd causes the problem.
 > I think the following happens:
 >
 > 2.2 sends to 1.1
 > Firewall receives on 2.1
 > According to routing table firewall tries to send out on eth0
 > But eth0 is now owned by pppd
 > And pppd doesn't know about 1.1, it only knows about the default
 > gateway xxx
 >
 > As already said - this may be totally wrong (someone correct
 > me please).
 >
 > I bet if you stop pppd, 2.2 can connect to 1.1 without any firewall
 > rules (as long as the policies are ACCEPT and default gateway on 2.2
 > points to 2.1). If this is true, the question is how to persuade
 > pppd to deliver to 1.1. Sorry, I can't help you - maybe
 > somebody can jump in.

Hmmm... unfortunately, this does not seem to be the case...

I say this for two reasons:

  1. I can still connect to 192.168.1.1 from 192.168.2.1
  2. Even when I bring down ppp0, I still can't reach
     192.168.1.1 from anywhere other than the machine
     I mention in (1)

Unless I didn't do the right thing. I simply did:

  # ifconfig ppp0 down

Is this sufficient?


Thanks again!!

Dave