Testing Your Network

Start by using the ifconfig and route commands. If you have two network cards, ifconfig should look something like:

    #ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:3924  Metric:1
              RX packets:1620 errors:0 dropped:0 overruns:0
              TX packets:1620 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0

    eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
              inet addr:24.94.1.123  Bcast:24.94.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1000 errors:0 dropped:0 overruns:0
              TX packets:1100 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0
              Interrupt:12 Base address:0x310

    eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1110 errors:0 dropped:0 overruns:0
              TX packets:1111 errors:0 dropped:0 overruns:0
              collisions:0 txqueuelan:0
              Interrupt:15 Base address:0x350

and your route table should look like:

    #route -n
    Kernel routing table
    Destination     Gateway         Genmask         Flags MSS    Window Use Iface
    24.94.1.0       *               255.255.255.0   U     1500   0       15 eth0
    192.168.1.0     *               255.255.255.0   U     1500   0        0 eth1
    127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
    default         24.94.1.123     *               UG    1500   0       72 eth0

Note: 24.94.1.0 is the Internet side of this firewall and 192.168.1.0 is the private (LAN) side.

You should start by making sure every computer on your LAN can ping the inside address of your firewall system (192.168.1.1 in this example). If not, go over the NET-2 HOWTO again and work on the network some more.

Next, from the firewall, try to ping an Internet system. I use www.internic.net as my test point. If it doesn't work, try a server at your ISP. If this doesn't work, some part of your Internet connection is wrong. You should be able to connect to anywhere on the Internet from the firewall. Try looking at your default gateway setting. If you are using a dialup connection, double check your user ID and password. Reread the NET-2 HOWTO, and try again.

Now try to ping the outside address of the firewall (24.94.1.123) from a computer on your LAN. This shouldn't work. If it does, you have masquerading or IP forwarding turned on, or you already have some packet filtering set. Turn them off and try again. You need to know the filtering is in place.

For kernels newer than 2.1.102 you can issue the command:

    echo "0" > /proc/sys/net/ipv4/ip_forward

If you are using an older kernel (WHY), you will need to re-compile your kernel with forwarding turned off. (Just upgrade.)

Try pinging the outside address of the firewall (24.94.1.123) again. It shouldn't work.

Now turn on IP forwarding and/or masquerading. You should be able to ping anywhere on the Internet from any system on your LAN.

    echo "1" > /proc/sys/net/ipv4/ip_forward

BIG NOTE: If you are using "REAL" IP addresses on your LAN (not 192.168.1.*) and you can't ping the Internet but you CAN ping the Internet side of your firewall, make sure your ISP is routing packets for your private network address. A test for this problem is to have someone else on the Internet (say, a friend using a local provider) use traceroute to your network. If the trace stops at your provider's router, then they are not forwarding your traffic.

It works? Great. The hard part is done. :-)
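
The state checks in this procedure can be scripted so that the forwarding switch and the routing table are confirmed before each ping test. This is an added example, not part of the original HOWTO; the function names and ROUTE_SAMPLE are chosen here for illustration, and the sample table is the one shown on this page.

```shell
#!/bin/sh
# Added example (not from the HOWTO): scripted versions of the manual checks.

# Print "on", "off" or "unknown" for the kernel forwarding switch.
# $1 is the file to read; it defaults to the /proc path used on this page.
forwarding_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo off ;;
        1) echo on ;;
        *) echo unknown ;;
    esac
}

# Succeed only if forwarding matches the expected state ($1 = on|off).
check_forwarding() {
    [ "$(forwarding_state "$2")" = "$1" ]
}

# Read a routing table on stdin; print "<gateway> <iface>" of the default route.
# Accepts "default" (as printed on this page) or "0.0.0.0" (numeric output).
default_route() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $2, $NF; exit }'
}

# Read a routing table on stdin; print the networks directly attached to
# interface $1 (every non-default route on it), one "<net>/<mask>" per line.
attached_nets() {
    awk -v ifc="$1" '$NF == ifc && $1 != "default" && $1 != "0.0.0.0" &&
        $1 ~ /^[0-9]+\./ { print $1 "/" $3 }'
}

# Constructed sample: the routing table shown on this page.
ROUTE_SAMPLE='Kernel routing table
Destination Gateway Genmask Flags MSS Window Use Iface
24.94.1.0 * 255.255.255.0 U 1500 0 15 eth0
192.168.1.0 * 255.255.255.0 U 1500 0 0 eth1
127.0.0.0 * 255.0.0.0 U 3584 0 2 lo
default 24.94.1.123 * UG 1500 0 72 eth0'

echo "forwarding: $(forwarding_state)"
echo "default route: $(printf '%s\n' "$ROUTE_SAMPLE" | default_route)"
echo "outside nets: $(printf '%s\n' "$ROUTE_SAMPLE" | attached_nets eth0)"
```

On a live firewall, pipe the real table in instead of the sample, for example `route -n | default_route`, and run `check_forwarding off` before the "shouldn't work" ping test.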