    #1 Linux User (Join Date: Feb 2005, Posts: 290)

    routing problem?


    hi all,

    I have a firewall with 3 NICs, 1 to local network, 1 to local DMZ, 1 to the public.

    eth0 1.1.1.1 (public ip 1)
    eth0:1 1.1.1.2 (public ip 2)
    eth0:2 1.1.1.3 (public ip 3)
    eth1 192.168.0.100
    eth1:1 192.168.0.106
    eth2 172.16.0.1

    [root@fw root]# route
    Kernel IP routing table
    Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
    1.1.1.0         *               255.255.255.248  U     0      0        0 eth0
    192.168.0.0     *               255.255.255.0    U     0      0        0 eth1
    172.16.0.0      *               255.255.0.0      U     0      0        0 eth2
    127.0.0.0       *               255.0.0.0        U     0      0        0 lo
    default         1.1.1.1         0.0.0.0          UG    0      0        0 eth0
    default         1.1.1.1         0.0.0.0          UG    1      0        0 eth0
    default         1.1.1.1         0.0.0.0          UG    1      0        0 eth0

    Now: I tried to sftp something from the firewall to a host in the DMZ (say 172.16.0.3). The speed is somehow limited by the speed of my ADSL, i.e. the speed is something like 50KB/s instead of 100Mbps like what it "should" be.

    any idea please?

    thanks

    #2 Linux Enthusiast (Join Date: Feb 2005, Location: SE, Stockholm, Posts: 512)

    This sounds in a sense kind of strange.
    What speed do you reach if you try to "sftp" from the DMZ host into the firewall?
    Your firewall, did you just use "simple" iptables settings or have you used some pre-compiled firewall? Because some "free" firewalls have implemented some simple traffic-shaping/bandwidth controlling. You should check that out. And, do an extra check that both your FW and your DMZ host are set up on the same speed and duplex.

    #3 Linux User (Join Date: Feb 2005, Posts: 290)

    hi swemic,

    first of all, thanks for your reply. I did a little experiment like what you said and here is what I got (this is done from the machine in the DMZ):

    Uploading nullfile to /tmp/nullfile
    100% 17MB 421.0KB/s 00:42

    Fetching /tmp/nullfile to nullfile
    1% 224KB 50.9KB/s 05:42 ETA


    This doesn't look like two machines linked with a 100Mbps switch, because an sftp between 172.16.0.x gives:

    sftp> put nf
    Uploading nf to /tmp/nf
    nf 100% 7680KB 3.8MB/s 00:02
    sftp>

    btw, the problem occurs between the firewall (192.168.0.100 / 172.16.0.1) and 172.16.0.x, and the firewall script, ya, here it is:

    Code:
    IPT=/sbin/iptables
    $IPT -t nat -F POSTROUTING

    ISP_NIC=eth0
    PRIV_NIC=eth1
    DMZ_NIC=eth2

    DMZ="172.16.0.2 172.16.0.3"
    #some local machines are allowed to go thru the firewall
    PRIV="192.168.0.102 192.168.0.106 192.168.0.131 192.168.0.230"

    # outbound: the listed DMZ and LAN hosts leave through eth0 with its public address as source
    for NET in $DMZ; do
       $IPT -t nat -A POSTROUTING -s $NET -o $ISP_NIC -j MASQUERADE
    done

    for NET in $PRIV; do
       $IPT -t nat -A POSTROUTING -s $NET -o $ISP_NIC -j MASQUERADE
    done

    echo "1" > /proc/sys/net/ipv4/ip_forward

    # inbound: port-forwards from the public interface into the DMZ; first matching rule wins
    $IPT -t nat -F PREROUTING
    # these three only match connections to the 1.1.1.2 alias
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 12673 --to 172.16.0.1:22
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 81 --to 172.16.0.2:81

    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp -d 1.1.1.2 --dport 80 --to 172.16.0.3:80

    # no -d: these match the given port on every public address of eth0 (1.1.1.1, 1.1.1.2, 1.1.1.3)
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 80 --to 172.16.0.2:80
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 22 --to 172.16.0.2:22
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 21 --to 172.16.0.2:21
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 21 --to 172.16.0.2:21
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 20 --to 172.16.0.2:20
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7200 --to 172.16.0.2:7200
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7210 --to 172.16.0.2:7210
    $IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7777 --to 172.16.0.2:7777

    #172.16.0.3 used to be 192.168.0.106, so make firewall listens on 106 and route the traffic to it
    # no -p / --dport: every protocol and port sent to 192.168.0.106 from the LAN side is forwarded
    $IPT -t nat -A PREROUTING -j DNAT -i $PRIV_NIC -d 192.168.0.106 --to 172.16.0.3

    and it is started thru /etc/rc.d/rc.local


    thanks again for the help
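The DNAT rules in the script above are worth reviewing on their own, independently of the speed problem: a rule without -d matches the port on all three public addresses of eth0, the last rule forwards every protocol and port, and because the first matching PREROUTING rule wins, a later narrower rule can be unreachable. The following audit script is an added example, not code from the thread: it expands the simple NAME=value shell variables of the posted script (the for-loops are left out of the constructed excerpt), parses each DNAT rule into a port-forward entry and reports the broad or shadowed ones. The rule set is the poster's own; the helper names (expand, parse_dnat, covers, audit) are assumptions of this example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the posted script: the variable lines and the PREROUTING
# DNAT rules (MASQUERADE loops omitted, since they are not port-forwards).
SCRIPT = """\
IPT=/sbin/iptables
ISP_NIC=eth0
PRIV_NIC=eth1
DMZ_NIC=eth2
$IPT -t nat -F PREROUTING
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 12673 --to 172.16.0.1:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 81 --to 172.16.0.2:81
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp -d 1.1.1.2 --dport 80 --to 172.16.0.3:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 80 --to 172.16.0.2:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 22 --to 172.16.0.2:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 20 --to 172.16.0.2:20
$IPT -t nat -A PREROUTING -j DNAT -i $PRIV_NIC -d 192.168.0.106 --to 172.16.0.3
"""


@dataclass
class Forward:
    in_if: str   # -i interface
    dst: str     # -d address, or '*' when the rule matches any destination address
    proto: str   # -p protocol, or '*'
    dport: str   # --dport, or '*' (with proto '*' this means every port of every protocol)
    target: str  # --to / --to-destination value


def expand(script):
    """Expand NAME=value shell variables and return the iptables command lines.

    Only plain assignments and $NAME references are handled; shell loops are not."""
    env, cmds = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z_]\w*)=(\S*)", line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: env.get(mm.group(1), ""), line)
        if line.split()[0].endswith("iptables"):
            cmds.append(line)
    return cmds


def parse_dnat(cmd):
    """Turn one 'iptables ... -A ... -j DNAT ...' line into a Forward; None for anything else."""
    argv = shlex.split(cmd)
    if "-A" not in argv or "DNAT" not in argv:
        return None  # flushes (-F) and non-DNAT rules are not port-forwards
    opts, i = {}, 1
    while i < len(argv):  # every option in these rules takes exactly one value
        if argv[i].startswith("-") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return Forward(in_if=opts.get("-i", "*"), dst=opts.get("-d", "*"),
                   proto=opts.get("-p", "*"), dport=opts.get("--dport", "*"),
                   target=opts.get("--to", opts.get("--to-destination", "?")))


def covers(a, b):
    """True when every packet matching rule b already matched the earlier rule a."""
    pairs = [(a.in_if, b.in_if), (a.dst, b.dst), (a.proto, b.proto), (a.dport, b.dport)]
    return all(x == "*" or x == y for x, y in pairs)


def audit(script):
    """Return (forwards, findings); findings are (kind, Forward) pairs."""
    fwds = [f for f in map(parse_dnat, expand(script)) if f]
    findings = []
    for n, f in enumerate(fwds):
        if f.proto == "*" or f.dport == "*":
            findings.append(("all-ports", f))   # whole host exposed, not a service
        if f.dst == "*":
            findings.append(("any-dst", f))     # applies to every address on that interface
        if any(covers(e, f) for e in fwds[:n]):
            findings.append(("shadowed", f))    # an earlier rule always wins; this one never fires
    return fwds, findings


if __name__ == "__main__":
    fwds, findings = audit(SCRIPT)
    for f in fwds:
        print(f"{f.in_if:5} {f.dst:14} {f.proto:4} {f.dport:6} -> {f.target}")
    for kind, f in findings:
        print(f"[{kind}] {f}")
```

Run against the posted rules it lists seven forwards, flags the three eth0 rules that carry no -d and the eth1 rule that carries no protocol or port, and reports nothing shadowed: the port-80 rule for 1.1.1.2 sits before the catch-all port-80 rule, so the order is right. Appending a rule such as "-d 1.1.1.3 -p tcp --dport 22" after the existing catch-all port-22 rule would be reported as shadowed, because port 22 on every public address is already taken by the earlier rule.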

    #4 Linux User (Join Date: Feb 2005, Posts: 290)

    *bump*

    #5 Just Joined! (Join Date: Mar 2004, Posts: 4)

    Not sure what the problem could be... I'm about to implement something very similar to this as I run game servers, and need to put them on a DMZ away from my network (this way I don't royally screw things up...)

    Will let ya know if this works for me or not.

    #6 Linux User (Join Date: Feb 2005, Posts: 290)

    hi, thanks for the reply. For your information, the server has been giving me problems recently; in the middle of usage it simply reboots the machine without any notice... ha, guess that's a hardware problem...

    but later I upgraded it to CentOS 4.1 (minimum version, no X, no compiler, no nothing) with the same network configuration & firewall script, and it works the way it should !!!!


    thanks again
