[Firehol-support] Secondary internet link fails
Daniel L. Miller
dmiller at amfes.com
Fri Oct 28 19:10:15 BST 2005
Oct 28 10:25:31 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=66.199.29.170
DST=66.199.29.169 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=41 DF PROTO=ICMP
TYPE=8 CODE=0 ID=9797 SEQ=42
Oct 28 10:25:32 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=66.199.29.170
DST=66.199.29.169 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=42 DF PROTO=ICMP
TYPE=8 CODE=0 ID=9797 SEQ=43
Oct 28 10:25:33 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=66.199.29.170
DST=66.199.29.169 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=43 DF PROTO=ICMP
TYPE=8 CODE=0 ID=9797 SEQ=44
Oct 28 11:08:07 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=192.168.0.1
DST=66.199.29.175 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8513 DF PROTO=UDP
SPT=137 DPT=137 LEN=58
Costa Tsaousis wrote:
> Hi Daniel,
>
> Why don't you just give us a few log lines of packets being dropped?
> This will make everything clear...
>
> Costa
>
> Daniel L. Miller wrote:
>
>> Hi again.
>>
>> We just contracted with a new ISP, and I wanted to test out the
>> connection before canceling our original one (and, just for fun,
>> maybe experiment with multiple Internet links).
>>
>> Unfortunately, my beloved firehol configuration is preventing me from
>> using the secondary link. During a "firehol try", I was able to ping
>> my secondary gateway - right up until the final stage of firehol
>> execution. Watching a ping session while constantly re-executing
>> "ps", I saw the various iptables commands being executed. Somewhere
>> around the "forward - drop" chain being created, I was then blocked out.
>>
>> I added a new block of variables for the new interface, then copied
>> some existing interface/router stanzas. I'm not seeing what magic
>> lines might be misconfigured:
>>
>> LAN_IF="eth0"
>> LAN_LAN="192.168.0.0/24"
>> LAN_IP="192.168.0.1"
>> LAN_BCAST="192.168.0.255"
>>
>> EXT_X_IF="eth2"
>> EXT_X_LAN="69.199.29.168/29"
>> EXT_X_IP="69.199.29.170"
>> EXT_X_BCAST="69.199.29.175"
>>
>> interface "${EXT_X_IF}" amfes-newisp src not "${UNROUTABLE_IPS}
>> ${LAN_LAN}" dst "${EXT_X_IP}"
>> protection strong 100/sec 50
>> server ident reject with tcp-reset
>> server ping accept log "allow ping"
>> client all accept log "client out"
>>
>> router lan2newisp inface "${LAN_IF}" outface "${EXT_X_IF}" src
>> "${LAN_LAN}" dst not "${UNROUTABLE_IPS}"
>> route all accept log "route lan2newisp"
>>
>> Unless "UNROUTABLE_IPS" is somehow including my new interface?
>
>
Daniel
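Added example, not part of the thread and not firehol code: a small Python script that rejoins the wrapped netfilter LOG records quoted above, parses the KEY=VALUE fields, and reports which of the configured address blocks (EXT_X_LAN and LAN_LAN, copied from the quoted firehol variables) each logged SRC and DST falls in. The sample log text and the CONFIG dictionary are constructed from the values on this page; the reading that a packet reaches OUT-unknown because no interface definition matched it on the way out is this example's assumption.

```python
import ipaddress
import re

# Constructed sample: the wrapped syslog records quoted in the thread,
# exactly as the mail archive shows them (one record spans three lines).
SAMPLE_LOG = """\
Oct 28 10:25:31 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=66.199.29.170
DST=66.199.29.169 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=41 DF PROTO=ICMP
TYPE=8 CODE=0 ID=9797 SEQ=42
Oct 28 11:08:07 foxy OUT-unknown: IN= OUT=eth2 MAC= SRC=192.168.0.1
DST=66.199.29.175 LEN=78 TOS=00 PREC=0x00 TTL=64 ID=8513 DF PROTO=UDP
SPT=137 DPT=137 LEN=58
"""

# Address scopes copied from the firehol variables quoted in the thread.
CONFIG = {
    "EXT_X_IF": "eth2",
    "EXT_X_LAN": "69.199.29.168/29",
    "EXT_X_IP": "69.199.29.170",
    "LAN_LAN": "192.168.0.0/24",
}

# syslog prefix: "Mon DD HH:MM:SS host chain: KEY=VALUE ..."
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<chain>[^:\s]+): (?P<rest>.*)$"
)


def unwrap(text):
    """Rejoin records that a mail client wrapped: a line that does not start
    with a syslog timestamp is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if RECORD_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_record(line):
    """Split one netfilter LOG record into header parts and KEY=VALUE pairs.
    Empty values (IN= MAC=) are kept as ''; bare tokens such as DF become flags.
    ID= occurs twice for ICMP (IP header ID, then echo ID); the first one wins."""
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError("not a netfilter LOG record: %r" % line)
    fields, flags = {}, []
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        else:
            flags.append(tok)
    return {"timestamp": m["ts"], "host": m["host"], "chain": m["chain"],
            "fields": fields, "flags": flags}


def scope_of(addr, config):
    """Name the configured address block an IP belongs to, or 'unconfigured'."""
    ip = ipaddress.ip_address(addr)
    for name in ("EXT_X_LAN", "LAN_LAN"):
        if ip in ipaddress.ip_network(config[name], strict=False):
            return name
    return "unconfigured"


def audit(text, config):
    """For every record, report the chain, output interface, protocol and the
    configured block each of SRC and DST falls in. An 'unconfigured' SRC on
    the external interface is the thing to look at: no interface stanza with
    those variables can claim the packet, so it ends up in OUT-unknown
    (assumption of this example)."""
    report = []
    for line in unwrap(text):
        rec = parse_record(line)
        f = rec["fields"]
        report.append({
            "chain": rec["chain"],
            "out": f.get("OUT", ""),
            "proto": f.get("PROTO", ""),
            "src": f["SRC"], "src_scope": scope_of(f["SRC"], config),
            "dst": f["DST"], "dst_scope": scope_of(f["DST"], config),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, CONFIG):
        print("%(chain)s out=%(out)s %(proto)s %(src)s[%(src_scope)s] "
              "-> %(dst)s[%(dst_scope)s]" % row)
```

Run it against a pasted block of LOG lines and the same four variables from your firehol.conf; a row whose SRC or DST reads "unconfigured" on the external interface is a packet that none of the quoted interface/router stanzas can match, which is the first thing to reconcile before looking at UNROUTABLE_IPS.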