LinuxQuestions.org
Old 12-23-2009, 10:27 PM   #76
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15

Quote:
Originally Posted by nimnull22 View Post
And I hope you know, to connect 2 NICs you need to use a cross-over cable, not a straight one.
But if you can connect from the LAN, I do not understand why you can't do it from the firewall.

In any case you can stop the firewall completely (disconnect eth0 first) and try to telnet.
Yes, of course, there is a crossover cable between eth2 firewall --> eth0 server...

Well (or bad...), I tested everything you asked and:

---- With the ACCEPT rules on the firewall that you asked for
- pinging from firewall (192...111.1) to server 192...222.22, OK, the ping reply is right.
- ping from server (192...222.22) to firewall eth2 (192.168.222.21) NOTHING, blank....
Also, ping ON THE SAME firewall (192....111.1) to NIC eth2 (192...222.21) NOTHING...

Later, I disconnected eth0 on the firewall and cleaned all chains and rules; after I set ALL chains to ACCEPT without any rule, pinging eth2 ALSO gets NOTHING...
 
Old 12-23-2009, 10:34 PM   #77
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
ifconfig WEBSERVER 192.168.222.22 (I deleted MAC add)

eth0 Link encap:Ethernet HWaddr xxxxxxxxxxx
inet addr:192.168.222.22 Bcast:192.168.222.255 Mask:255.255.255.0
inet6 addr: fe80::230:84ff:fe0b:5119/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:588 errors:0 dropped:0 overruns:0 frame:0
TX packets:1326 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55897 (54.5 KiB) TX bytes:1421403 (1.3 MiB)
Interrupt:12 Base address:0xe400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:78 errors:0 dropped:0 overruns:0 frame:0
TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5712 (5.5 KiB) TX bytes:5712 (5.5 KiB)

--------------------
IPTABLES on webserver
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Zeta:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

----------------------------

Ifconfig on FIREWALL SERVER 192.168.111.1 (I deleted MAC and changed IP eth0)

ifconfig
eth0 Link encap:Ethernet HWaddr xxxxxxxxxxxxxxx
inet addr:190.xxx.xxx.xx7 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:13911226 errors:0 dropped:0 overruns:0 frame:0
TX packets:1280099 errors:1 dropped:0 overruns:0 carrier:1
collisions:0 txqueuelen:1000
RX bytes:2899083089 (2.6 GiB) TX bytes:123077570 (117.3 MiB)

eth1 Link encap:Ethernet HWaddr xxxxxxxxxxxxxx
inet addr:192.168.111.1 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::250:8bff:fe60:49ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1146914 errors:0 dropped:0 overruns:0 frame:0
TX packets:1638965 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:126869177 (120.9 MiB) TX bytes:2067189408 (1.9 GiB)

eth2 Link encap:Ethernet HWaddr xxxxxxxxxxxxx
inet addr:192.168.222.21 Bcast:192.168.222.255 Mask:255.255.255.0
inet6 addr: fe80::250:8bff:fe5a:a9e5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1380 errors:0 dropped:0 overruns:0 frame:0
TX packets:663 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1429473 (1.3 MiB) TX bytes:58997 (57.6 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:210172 errors:0 dropped:0 overruns:0 frame:0
TX packets:210172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:52832709 (50.3 MiB) TX bytes:52832709 (50.3 MiB)
---------------------------------
 
Old 12-24-2009, 10:12 AM   #78
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by MikeHammer View Post
Yes, of course, there is a crossover cable between eth2 firewall --> eth0 server...

Well (or bad...), I tested everything you asked and:

- pinging from firewall (192...111.1) to server 192...222.22, OK, the ping reply is right.
- ping from server (192...222.22) to firewall eth2 (192.168.222.21) NOTHING, blank....
Also, ping ON THE SAME firewall (192....111.1) to NIC eth2 (192...222.21) NOTHING...
I changed my post.

Can you please post exact outputs for ping on firewall:
1. ping 192.168.111.1
2. ping 192.168.222.21

Then do:
route del -net 0.0.0.0 gw 192.168.111.1
route del -net 0.0.0.0 gw 192.168.222.21
route add -net 127.0.0.0 netmask 255.0.0.0 gw 0.0.0.0 lo
ifconfig eth1 192.168.111.1 up
ifconfig eth2 192.168.222.21 up

And try to ping again

Thanks

Last edited by nimnull22; 12-24-2009 at 04:32 PM.
 
1 members found this post helpful.
Old 12-25-2009, 09:01 PM   #79
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
I changed my post.

Can you please post exact outputs for ping on firewall:
1. ping 192.168.111.1
2. ping 192.168.222.21

Then do:
route del -net 0.0.0.0 gw 192.168.111.1
route del -net 0.0.0.0 gw 192.168.222.21
route add -net 127.0.0.0 netmask 255.0.0.0 gw 0.0.0.0 lo
ifconfig eth1 192.168.111.1 up
ifconfig eth2 192.168.222.21 up

And try to ping again

Thanks
1. ping 192.168.111.1 --> Nothing
2. ping 192.168.222.21 --> Nothing

route del -net 0.0.0.0 gw 192.168.111.1 --> OK
route del -net 0.0.0.0 gw 192.168.222.21 --> OK
route add -net 127.0.0.0 netmask 255.0.0.0 gw 0.0.0.0 lo --> "SIOCADDRT: invalid argument"

ifconfig eth1 192.168.111.1 up --> OK
ifconfig eth2 192.168.222.21 up --> OK

Thanks
 
Old 12-25-2009, 10:34 PM   #80
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by MikeHammer View Post
1. ping 192.168.111.1 --> Nothing
2. ping 192.168.222.21 --> Nothing

route del -net 0.0.0.0 gw 192.168.111.1 --> OK
route del -net 0.0.0.0 gw 192.168.222.21 --> OK
route add -net 127.0.0.0 netmask 255.0.0.0 gw 0.0.0.0 lo --> "SIOCADDRT: invalid argument"

ifconfig eth1 192.168.111.1 up --> OK
ifconfig eth2 192.168.222.21 up --> OK

Thanks
Feliz Navidad.
Merry Christmas.

Try:

route add -net 127.0.0.0

Then please post output for:
route -n

Turn off firewall and try to ping again:

1. ping 192.168.111.1
2. ping 192.168.222.21
These are your local interfaces; they have to be pingable.

And after this:

2. ping 192.168.222.22
 
1 members found this post helpful.
Old 12-25-2009, 10:39 PM   #81
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Merry Christmas
 
Old 12-25-2009, 10:46 PM   #82
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
Feliz Navidad.
Merry Christmas.

Try:

route add -net 127.0.0.0

Then please post output for:
route -n

Turn off firewall and try to ping again:

1. ping 192.168.111.1
2. ping 192.168.222.21
These are your local interfaces; they have to be pingable.

And after this:

2. ping 192.168.222.22
For this testing, are you talking about your firewall script, NOT about the firewall script preloaded on my server?
 
Old 12-25-2009, 10:56 PM   #83
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
I am talking about the computer with 3 Ethernet cards; I do not know what you call it.
And I've asked you to run ping on it.
 
1 members found this post helpful.
Old 12-25-2009, 11:21 PM   #84
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
route add -net 127.0.0.0 --> "SIOCADDRT: invalid argument"


There is a pattern that repeats in the testing, whichever firewall script is active, or when iptables -F, iptables -X had been run at the moment of testing.

That is: on the firewall server with 3 NICs, only two ping commands get an answer:

ping 192.168.222.22 (IP of webserver DMZ)

ping yahoo.com (or anything else in the outside world)

ALL OTHER pings (127.0.0.1 192.168.111.1 192.168.222.21 ...) get null replies or (when the original preloaded firewall script is active) the reply is "SENDMSG: OPERATION NOT PERMITED".

The same happens after I run this script:

/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z


# $IPTABLES has to be defined before it is used
IPTABLES=/sbin/iptables
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

The ping reply is null, except for ping 192.168.222.22 or ping to the outside (like yahoo.com etc.)....

Thanks

Last edited by MikeHammer; 12-25-2009 at 11:38 PM.
 
Old 12-26-2009, 09:28 AM   #85
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Please, on the computer with 3 NICs do:
1. Disconnect cable from Eth0
2. Turn OFF firewall
3. Do ifconfig eth1 | grep inet, post output
4. Do ifconfig eth2 | grep inet, post output
3. ping 192.168.111.1
2. ping 192.168.222.21

Please post the EXACT output of these pings; I want to know what they look like
Example:
bbb@linux-xmc2:> ping 192.168.1.125
PING 192.168.1.125 (192.168.1.125) 56(84) bytes of data.

Additionally, what is inside /etc/hosts?

Thanks.

Last edited by nimnull22; 12-26-2009 at 09:51 AM.
 
1 members found this post helpful.
Old 12-26-2009, 10:32 AM   #86
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
Please, on the computer with 3 NICs do:
1. Disconnect cable from Eth0
2. Turn OFF firewall
3. Do ifconfig eth1 | grep inet, post output
4. Do ifconfig eth2 | grep inet, post output
3. ping 192.168.111.1
2. ping 192.168.222.21

Please post the EXACT output of these pings; I want to know what they look like
Example:
bbb@linux-xmc2:> ping 192.168.1.125
PING 192.168.1.125 (192.168.1.125) 56(84) bytes of data.

Additionally, what is inside /etc/hosts?

Thanks.
1. Disconnect cable from Eth0 --> DONE

2. Turn OFF firewall --> DONE (in Debian there is no turn off or stop; it must be done with a script like this):
-----------------------------------------
IPTABLES=/sbin/iptables

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z
-----------------------------------------

3. Do ifconfig eth1 | grep inet, post output --> file if1.txt

4. Do ifconfig eth2 | grep inet, post output --> file if2.txt

3. ping 192.168.111.1 --> file ping111.txt

2. ping 192.168.222.21 --> file ping222.txt

Hosts.txt goes in the following post (I cannot send more than 3 files)

Thanks
Attached Files
File Type: txt if1.txt (138 Bytes, 8 views)
File Type: txt if2.txt (139 Bytes, 13 views)
File Type: txt ping111.txt (162 Bytes, 7 views)
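
Added example, not part of the thread: `iptables -F` leaves chain policies as they were, and the flush script in the post above sets policies only in the filter table and never touches the raw table. The function below reads `iptables-save` text and lists whatever can still filter traffic; the sample dump is constructed (not the poster's output) and the names `fw_residue` and `fw_is_open` are hypothetical.

```shell
#!/bin/sh
# Added example. On a live host, as root: iptables-save | fw_residue

# Print "table chain reason" for everything a flush script left behind.
fw_residue() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        /^:/  {                                     # ":CHAIN POLICY [pkts:bytes]"
            chain = substr($1, 2)
            if ($2 == "-") {                        # user-defined chain (no -X run)
                print table, chain, "user-chain-left"
            } else if ($2 != "ACCEPT") {            # -F never resets a policy
                print table, chain, "policy=" $2
            }
            next
        }
        /^-A / { print table, $2, "rule-left" }     # rule that survived the flush
    '
}

# Succeeds only when no table holds a rule, user chain or non-ACCEPT policy.
fw_is_open() {
    [ -z "$(fw_residue)" ]
}

# Constructed sample: filter is fully open, but mangle still has a DROP
# policy and raw (never flushed by the script) still holds a rule.
SAMPLE_AFTER_FLUSH='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth2 -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_AFTER_FLUSH" | fw_residue
```

An empty listing means netfilter is out of the picture and the search moves on to routing, addressing and cabling.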
 
Old 12-26-2009, 10:33 AM   #87
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
File hosts.txt
Attached Files
File Type: txt hosts.txt (396 Bytes, 19 views)
 
Old 12-26-2009, 10:38 AM   #88
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
It lacks:

ping 192.168.222.21 --> file ping222.txt
Attached Files
File Type: txt ping222.txt (165 Bytes, 10 views)
 
Old 12-26-2009, 11:28 AM   #89
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
I do not understand why the local NICs cannot be pinged.
Maybe others in this forum will have some thoughts about it.

Never mind,
Leave the same firewall script and from computer with 3 NIC do:
1. ping 192.168.222.22
2. ping any of 192.168.111.2-10

Send exact outputs please.

Thanks.
 
1 members found this post helpful.
Old 12-26-2009, 02:23 PM   #90
MikeHammer
Member
 
Registered: Dec 2009
Posts: 61

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nimnull22 View Post
I do not understand why the local NICs cannot be pinged.
Maybe others in this forum will have some thoughts about it.

Never mind,
Leave the same firewall script and from computer with 3 NIC do:
1. ping 192.168.222.22
2. ping any of 192.168.111.2-10

Send exact outputs please.

Thanks.
Me too... I have never come to understand it... Why do you think I've titled this post I've gone crazy with this problem?

Send output:

ping 192.168.222.22 --> pingz.txt

ping 192.168.111.3 (a LAN client) --> ping1113.txt

Thanks and thanks
Attached Files
File Type: txt pingz.txt (708 Bytes, 14 views)
File Type: txt ping1113.txt (767 Bytes, 18 views)
 
  


All times are GMT -5.