
Subject: RE: A few questions
From: "K. David Prince" <kdp,AT,hanhet,DOT,loew,DOT,washington,DOT,edu>
Date: Fri, 28 Dec 2001 22:32:12 +0100
In-reply-to: <9097D3905570D111947E00207810DFE15E6109@WINTRIX.thermeon.com>

Thanks, Scott, for the explanation (cipe packets pass through the chains
twice) and the suggested iptables commands.  Here's what I tried to test
your rule suggestions:

1.  Inserted (-I) the rules you suggested making sure the accept rule
came before the drop rule.  Result: No ping returns.

2.  On each rejected ping, syslog records:

Dec 28 13:00:38 fw02 kernel: IN= OUT=cipcb0 SRC=192.168.2.100 DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40449 SEQ=0

Should there be rules on the OUTPUT chain?

Note: fw02 protects LAN 192.168.2.0/24.  LAN 192.168.1.0/24 is behind
fw01.

Syslog also shows what appears to be a good startup for the cipe
interface:

Dec 28 12:56:33 fw02 kernel: cipcb: CIPE driver vers 1.5.2 (c) Olaf Titz 1996-2000, 100 channels, debug=1
Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_lock() at ../cipe/device.c:625
Dec 28 12:56:33 fw02 kernel: cipcb: cipe_alloc_dev 0
Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_unlock() at ../cipe/device.c:627
Dec 28 12:56:33 fw02 kernel: cipcb0: alloc
Dec 28 12:56:33 fw02 kernel: cipcb: read_lock(&tasklist_lock) at ../cipe/device.c:216
Dec 28 12:56:33 fw02 kernel: cipcb: read_unlock(&tasklist_lock) at ../cipe/device.c:225
Dec 28 12:56:33 fw02 kernel: cipcb0: setpar
Dec 28 12:56:33 fw02 kernel: cipcb0: setpar 0.0.0.0:0 1000 60000 0200 0
Dec 28 12:56:33 fw02 kernel: cipcb0: setkey
Dec 28 12:56:33 fw02 kernel: cipcb0: attach
Dec 28 12:56:33 fw02 kernel: cipcb0: opened
Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_sendmsg
Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_sendmsg
Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_recvmsg

Is it necessary to have OUTPUT rules similar to the INPUT rules you
suggested?  In this case, udp packets through the OUTPUT chain?  Also,
ACCEPT packets from cipcb0 on the OUTPUT chain?

Thanks for your help!

Dave

On Fri, 28 Dec 2001 SBNelson,AT,thermeon,DOT,com wrote:

> > > > 2. Can CIPE be bound to 1 and only 1 device?
> > >   I don't know for sure but I don't think so.  Since CIPE's transports
> > > its data using UDP,  it simply uses the OS's routing features to route
> > the
> > > packets.  So, if you want that to happen, you will have to do that
> > outside
> > > of CIPE (using iproute2 software and/or ipchains/iptables??)
> >                                                    ========
> > Scott, do you have example iptable commands that do this?  I'm still
> > learning firewall chains and I can't seem to get packets to pass through
> > the cipe interface.  Everything is up and running.
> >
> Remember that CIPE data passes through your firewall rules twice: first the
> encrypted UDP transport packet arrives through your connection to the
> internet, and second, the unencrypted data appears at the cipcb0 interface.
> So, you need rules to allow the UDP packets to come from the internet and
> you need to allow as much as you want via the CIPE interface.
>
> Here are some isolated examples that might help.  It assumes eth0 is your
> internet connection, eth1 is the LAN, this machine is host1.example.com, the
> other side is host2.example.com, and we are using port 7777 to transport the
> CIPE data.  You will need a lot more rules than this to make a firewall.
>
> ...
> iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 -s
> host2.example.com --sport 7777 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 -j DROP
> iptables -A INPUT -i cipcb0 -j ACCEPT
> ...
> iptables -A FORWARD -i cipcb0 -o eth1 -j ACCEPT
> ...
>
>
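An added example, not from either message in this thread, covering Dave's question about the OUTPUT chain and Scott's "two passes" point. The first function classifies a netfilter LOG line by the chain that logged it: a line with IN= empty and OUT= set (like the one Dave pasted, which shows IN= OUT=cipcb0) was a locally generated packet logged by a rule in the OUTPUT chain; IN= set with OUT= empty means INPUT; both set means FORWARD. The second function prints a ruleset that covers both passes in both directions: the encrypted UDP transport on the internet interface, and the cleartext traffic on the CIPE interface. Function names, the drop-logging rules, the interface names eth0/eth1/cipcb0, the example hostnames and port 7777 are assumptions taken from or added to Scott's example; the script only prints rules, it does not apply them.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify netfilter LOG lines
# and generate a CIPE iptables ruleset that covers both firewall passes.

# classify_log_line LINE
# Prints INPUT, OUTPUT or FORWARD based on the IN=/OUT= fields of a
# netfilter LOG entry; prints UNKNOWN and returns 1 for anything else.
classify_log_line() {
    case $1 in
        *" IN="*" OUT="*) ;;
        *) echo UNKNOWN; return 1 ;;
    esac
    in_if=${1#* IN=};  in_if=${in_if%% *}     # text after " IN=" up to next space
    out_if=${1#* OUT=}; out_if=${out_if%% *}  # text after " OUT=" up to next space
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD            # routed through this host
    elif [ -n "$in_if" ]; then
        echo INPUT              # destined for this host
    elif [ -n "$out_if" ]; then
        echo OUTPUT             # generated by this host
    else
        echo UNKNOWN; return 1
    fi
}

# cipe_rules EXT_IF CIPE_IF LAN_IF LOCAL_HOST REMOTE_HOST PORT
# Prints iptables commands for pass 1 (UDP transport on the internet
# interface) and pass 2 (cleartext traffic on the CIPE interface),
# each in both directions.  Pipe the output to sh to apply it.
cipe_rules() {
    ext=$1 cipe=$2 lan=$3 me=$4 peer=$5 port=$6
    cat <<EOF
# pass 1: encrypted UDP transport, inbound and outbound on $ext
iptables -A INPUT -i $ext -p udp -s $peer --sport $port -d $me --dport $port -j ACCEPT
iptables -A OUTPUT -o $ext -p udp -s $me --sport $port -d $peer --dport $port -j ACCEPT
iptables -A INPUT -i $ext -p udp --dport $port -j LOG --log-prefix "cipe-udp-drop: "
iptables -A INPUT -i $ext -p udp --dport $port -j DROP
# pass 2: cleartext packets on $cipe, for this host and for the LAN behind it
iptables -A INPUT -i $cipe -j ACCEPT
iptables -A OUTPUT -o $cipe -j ACCEPT
iptables -A FORWARD -i $cipe -o $lan -j ACCEPT
iptables -A FORWARD -i $lan -o $cipe -j ACCEPT
EOF
}

# Constructed sample: the log line from the message above, re-joined.
SAMPLE='Dec 28 13:00:38 fw02 kernel: IN= OUT=cipcb0 SRC=192.168.2.100 DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40449 SEQ=0'

echo "sample line was logged in chain: $(classify_log_line "$SAMPLE")"
cipe_rules eth0 cipcb0 eth1 host1.example.com host2.example.com 7777
```

The classification rule is how netfilter fills the LOG fields: INPUT only sees an input interface, OUTPUT only an output interface, FORWARD both. Because the generator prints rather than applies, it can be reviewed with plain `sh script.sh` before anything is changed, and the two LOG rules make any later drop show up in syslog with a recognisable prefix.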