
Subject: Success!
From: "K. David Prince" <kdp,AT,hanhet,DOT,loew,DOT,washington,DOT,edu>
Date: Tue, 1 Jan 2002 04:41:16 +0100
In-reply-to: <9097D3905570D111947E00207810DFE15E6111@WINTRIX.thermeon.com>

I now have the cipe package running properly on two Debian/Woody firewalls.
Here are the iptables commands I've come up with that make it all work:

# eth1 is the internet side; only fw2 may reach the CIPE UDP port on fw1.
# Both rules use -I (insert at the top), so the DROP inserted first ends up
# below the ACCEPT inserted second.
iptables -I INPUT -i eth1 -p udp -d fw1 --dport 379 -j DROP
iptables -I INPUT -i eth1 -p udp -d fw1 --dport 379 -s fw2 --sport 379 -j ACCEPT

# Forward traffic between the two LANs across the tunnel interface in both directions.
iptables -I FORWARD -o cipcb0 -i eth0 -s 192.168.1.0/25 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i cipcb0 -o eth0 -d 192.168.1.0/25 -s 192.168.2.0/24 -j ACCEPT

# Let LAN-to-LAN traffic through the mangle table untouched.
iptables -t mangle -I PREROUTING -i eth0 -d 192.168.2.0/24 -s 192.168.1.0/24 -j ACCEPT
iptables -t mangle -I PREROUTING -i cipcb0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

# Exempt LAN-to-LAN traffic from any NAT rules that sit below these, so packets
# headed into the tunnel keep their private source address.
iptables -t nat -I PREROUTING -i eth0 -d 192.168.2.0/24 -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -o cipcb0 -d 192.168.2.0/24 -s 192.168.1.0/24 -j ACCEPT

# Trust everything that arrives or leaves decapsulated on the tunnel interface.
iptables -I INPUT -i cipcb0 -j ACCEPT
iptables -I OUTPUT -o cipcb0 -j ACCEPT

eth0=internal LAN
eth1=internet

I put these commands at the end of the /etc/cipe/ip-up script.  I was able
to work these commands out partially with the generous help of SBNelson,
and with the rc.flush-iptables.txt and rc.test-iptables.txt from "iptables
Tutorial 1.1.6, by Oskar Andreasson" (with some minor edits and made into
executables).  I HIGHLY recommend this tutorial: It cleared up numerous
questions for me, and it gave me the tools I needed to figure out the
exact iptables commands I needed to get packets to flow properly!  I was
actually able to make everything work after my first analytical pass with
Andreasson's scripts.  Powerful stuff there.

Thanks all!

Dave
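
The rule set above is re-inserted with -I every time /etc/cipe/ip-up fires, so each
tunnel restart stacks another copy of every rule. The script below is an added
example, not Dave's script or anything shipped with cipe: it generates the same
policy for one endpoint as an idempotent rule set, using dedicated chains that are
flushed and refilled, with the peer ACCEPT written before the catch-all DROP in
reading order instead of relying on reversed -I ordering. The function name
cipe_rules, the chain names cipe-in and cipe-fwd, the argument layout, and the
198.51.100.x addresses in the usage line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: emit an idempotent iptables rule
# set for one end of a CIPE link. All names below are assumed for illustration.
#   cipe_rules WAN_IF LAN_IF TUN_IF MY_WAN_IP PEER_WAN_IP UDP_PORT LOCAL_NET REMOTE_NET
# The function prints the commands instead of running them, so the output can
# be reviewed and then piped into sh from /etc/cipe/ip-up.
cipe_rules() {
    wan=$1 lan=$2 tun=$3 me=$4 peer=$5 port=$6 lnet=$7 rnet=$8
    cat <<EOF
# --- tunnel transport: only the peer may reach our CIPE UDP port from the WAN
iptables -N cipe-in 2>/dev/null
iptables -F cipe-in
iptables -A cipe-in -i $wan -p udp -s $peer --sport $port -d $me --dport $port -j ACCEPT
iptables -A cipe-in -i $wan -p udp -d $me --dport $port -j DROP
# decapsulated packets arriving on the tunnel interface are trusted
iptables -A cipe-in -i $tun -j ACCEPT
# hook the chain into INPUT exactly once: drop a stale jump before adding ours
iptables -D INPUT -j cipe-in 2>/dev/null
iptables -I INPUT -j cipe-in

# --- site-to-site forwarding between the two private networks
iptables -N cipe-fwd 2>/dev/null
iptables -F cipe-fwd
iptables -A cipe-fwd -i $lan -o $tun -s $lnet -d $rnet -j ACCEPT
iptables -A cipe-fwd -i $tun -o $lan -s $rnet -d $lnet -j ACCEPT
iptables -D FORWARD -j cipe-fwd 2>/dev/null
iptables -I FORWARD -j cipe-fwd

# --- locally generated traffic may leave through the tunnel
iptables -D OUTPUT -o $tun -j ACCEPT 2>/dev/null
iptables -I OUTPUT -o $tun -j ACCEPT

# --- keep LAN-to-LAN traffic out of any masquerading rule later in the nat table
iptables -t nat -D POSTROUTING -o $tun -s $lnet -d $rnet -j ACCEPT 2>/dev/null
iptables -t nat -I POSTROUTING -o $tun -s $lnet -d $rnet -j ACCEPT
EOF
}

# Run directly with eight arguments to print the rules for this endpoint, e.g.
# on fw1 (assumed addresses):
#   sh cipe-rules.sh eth1 eth0 cipcb0 198.51.100.1 198.51.100.2 379 192.168.1.0/24 192.168.2.0/24 | sh
if [ $# -eq 8 ]; then
    cipe_rules "$@"
fi
```

On fw2 the same call is made with the two WAN addresses and the two networks
swapped. The mangle ACCEPTs from the post are left out: an ACCEPT in mangle only
skips the rest of the mangle table, which changes nothing when that table holds
no other rules.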