
Subject: RE: A few questions
From: "K. David Prince" <kdp,AT,hanhet,DOT,loew,DOT,washington,DOT,edu>
Date: Fri, 28 Dec 2001 23:00:35 +0100
In-reply-to: <Pine.LNX.4.43.0112281213480.4307-100000@hanhet.loew.washington.edu>

Well, I just tried one more thing: I changed the policy on the OUTPUT,
FORWARD, & INPUT chains to ACCEPT.  Then, I flushed out all the firewall
rules.  Still, no ping returns.  This is puzzling because there were no
rules whatsoever on either firewall, and they were both set to accept
anything.  When the cipe interfaces come up, they appear to be exchanging
messages according to syslog.  I'm beginning to wonder if there is an
issue regarding the kernel (2.4.17), iptables (1.2.4-3), and cipe
(1.5.2free-4) versions from Debian/Woody.  Something needs to be tweaked.
I just don't know what.  The cipe info documentation doesn't have any
troubleshooting hints.  Ideas?  -kdp

On Fri, 28 Dec 2001, K. David Prince wrote:

> Thanks Scott for the explanation (cipe packets pass through the chains
> twice) and the suggested iptables commands.  Here's what I tried to test
> your rule suggestions:
>
> 1.  Inserted (-I) the rules you suggested making sure the accept rule
> came before the drop rule.  Result: No ping returns.
>
> 2.  On each rejected ping, syslog records:
>
> Dec 28 13:00:38 fw02 kernel: IN= OUT=cipcb0 SRC=192.168.2.100
> DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=40449 SEQ=0
>
> Should there be rules on the OUTPUT chain?
>
> Note: fw02 protects LAN 192.168.2.0/24.  LAN 192.168.1.0/24 is behind
> fw01.
>
> Syslog also shows what appears to be a good startup for the cipe
> interface:
>
> Dec 28 12:56:33 fw02 kernel: cipcb: CIPE driver vers 1.5.2 (c) Olaf Titz 1996-2000, 100 channels, debug=1
> Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_lock() at ../cipe/device.c:625
> Dec 28 12:56:33 fw02 kernel: cipcb: cipe_alloc_dev 0
> Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_unlock() at ../cipe/device.c:627
> Dec 28 12:56:33 fw02 kernel: cipcb0: alloc
> Dec 28 12:56:33 fw02 kernel: cipcb: read_lock(&tasklist_lock) at ../cipe/device.c:216
> Dec 28 12:56:33 fw02 kernel: cipcb: read_unlock(&tasklist_lock) at ../cipe/device.c:225
> Dec 28 12:56:33 fw02 kernel: cipcb0: setpar
> Dec 28 12:56:33 fw02 kernel: cipcb0: setpar 0.0.0.0:0 1000 60000 0200 0
> Dec 28 12:56:33 fw02 kernel: cipcb0: setkey
> Dec 28 12:56:33 fw02 kernel: cipcb0: attach
> Dec 28 12:56:33 fw02 kernel: cipcb0: opened
> Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_sendmsg
> Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
> Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
> Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_sendmsg
> Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_recvmsg
>
> Is it necessary to have OUTPUT rules similar to the INPUT rules you
> suggested?  In this case, udp packets through the OUTPUT chain?  Also,
> ACCEPT packets from cipcb0 on the OUTPUT chain?
>
> Thanks for your help!
>
> Dave
>
> On Fri, 28 Dec 2001 SBNelson,AT,thermeon,DOT,com wrote:
>
> > > > > 2. Can CIPE be bound to 1 and only 1 device?
> > > >         I don't know for sure but I don't think so.  Since CIPE
> > > > transports its data using UDP, it simply uses the OS's routing
> > > > features to route the packets.  So, if you want that to happen, you
> > > > will have to do that outside of CIPE (using iproute2 software and/or
> > > > ipchains/iptables??)
> > >   =================
> > > Scott, do you have example iptable commands that do this?  I'm still
> > > learning firewall chains and I can't seem to get packets to pass through
> > > the cipe interface.  Everything is up and running.
> > >
> > Remember that CIPE data passes through your firewall rules twice: first
> > the encrypted UDP transport packet arrives through your connection to the
> > internet, and second, the unencrypted data appears at the cipcb0
> > interface.  So, you need rules to allow the UDP packets to come from the
> > internet and you need to allow as much as you want via the CIPE interface.
> >
> > Here are some isolated examples that might help.  They assume eth0 is your
> > internet connection, eth1 is the LAN, this machine is host1.example.com,
> > the other side is host2.example.com, and we are using port 7777 to
> > transport the CIPE data.  You will need a lot more rules than this to make
> > a firewall.
> >
> > ...
> > iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 \
> >          -s host2.example.com --sport 7777 -j ACCEPT
> > iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 -j DROP
> > iptables -A INPUT -i cipcb0 -j ACCEPT
> > ...
> > iptables -A FORWARD -i cipcb0 -o eth1 -j ACCEPT
> > ...
> >
> >
>
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>
>
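The complete two-pass rule set that Scott's fragment sketches, with the OUTPUT-chain counterpart Dave asks about, as an added example (not code from the thread or from the CIPE project). Interface names, hostnames and UDP port 7777 are the thread's; the LAN-side FORWARD rule and the LOG-before-DROP rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.  Run with --apply as root to load
# the rules; without it the commands are only printed (IPT=echo), which is a
# cheap way to review the set before touching a live firewall.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}  LAN=${LAN:-eth1}  TUN=${TUN:-cipcb0}
ME=${ME:-host1.example.com}  PEER=${PEER:-host2.example.com}  PORT=${PORT:-7777}

cipe_rules() {
  # Pass 1: the encrypted UDP transport on the internet interface.  Scott's
  # INPUT rule, plus its OUTPUT mirror so this host can send to the peer too.
  $IPT -A INPUT  -i "$WAN" -p udp -s "$PEER" --sport "$PORT" -d "$ME"   --dport "$PORT" -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p udp -s "$ME"   --sport "$PORT" -d "$PEER" --dport "$PORT" -j ACCEPT
  # Anything else aimed at the CIPE port: log it (so probes show in syslog), then drop.
  $IPT -A INPUT -i "$WAN" -p udp --dport "$PORT" -j LOG --log-prefix "cipe-port: "
  $IPT -A INPUT -i "$WAN" -p udp --dport "$PORT" -j DROP
  # Pass 2: the decrypted packets on cipcb0.  A netfilter LOG line with IN=
  # empty and OUT=cipcb0 (as in Dave's syslog excerpt) is a packet generated on
  # the firewall itself, so it traverses OUTPUT; its reply traverses INPUT, and
  # traffic to or from LAN hosts traverses FORWARD in both directions.
  $IPT -A INPUT   -i "$TUN" -j ACCEPT
  $IPT -A OUTPUT  -o "$TUN" -j ACCEPT
  $IPT -A FORWARD -i "$TUN" -o "$LAN" -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
  cipe_rules
else
  IPT=echo
  cipe_rules
fi
```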