Subject: Re: A few questions
From: Dragos <dragos.delcea,AT,farmexim,DOT,ro>
Date: Thu, 3 Jan 2002 08:13:54 +0100
In-reply-to: <Pine.LNX.4.43.0112281338230.4307-100000@hanhet.loew.washington.edu>

On Friday 28 December 2001 11:51 pm, K. David Prince wrote:
> Well, I just tried one more thing: I changed the policy on the OUTPUT,
> FORWARD, & INPUT chains to ACCEPT.  Then, I flushed out all the firewall
> rules.  Still, no ping returns.  This is puzzling because there were no
> rules whatsoever on either firewalls, and they were both set to accept
> anything.  When the cipe interfaces come up, they appear to be exchanging
> messages according to syslog.  I'm beginning to wonder if there is an
> issue regarding the kernel (2.4.17), iptables (1.2.4-3), and cipe
> (1.5.2free-4) versions from Debian/Woody.  Something needs to be tweaked.
> I just don't know what.  The cipe info documentation doesn't have any
> trouble shooting hints.  Ideas?  -kdp
>
> On Fri, 28 Dec 2001, K. David Prince wrote:
> > Thanks Scott for the explanation (cipe packets pass through the chains
> > twice) and the suggested iptables commands.  Here's what I tried to test
> > your rule suggestions:
> >
> > 1.  Inserted (-I) the rules you suggested making sure the accept rule
> > came before the drop rule.  Result: No ping returns.
> >
> > 2.  On each rejected ping, syslog records:
> >
> > Dec 28 13:00:38 fw02 kernel: IN= OUT=cipcb0 SRC=192.168.2.100 DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=40449 SEQ=0
> >
> > Should there be rules on the OUTPUT chain?
> >
> > Note: fw02 protects LAN 192.168.2.0/24.  LAN 192.168.1.0/24 is behind
> > fw01.
> >
> > Syslog also shows what appears to be a good startup for the cipe
> > interface:
> >
> > Dec 28 12:56:33 fw02 kernel: cipcb: CIPE driver vers 1.5.2 (c) Olaf Titz 1996-2000, 100 channels, debug=1
> > Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_lock() at ../cipe/device.c:625
> > Dec 28 12:56:33 fw02 kernel: cipcb: cipe_alloc_dev 0
> > Dec 28 12:56:33 fw02 kernel: cipcb: rtnl_unlock() at ../cipe/device.c:627
> > Dec 28 12:56:33 fw02 kernel: cipcb0: alloc
> > Dec 28 12:56:33 fw02 kernel: cipcb: read_lock(&tasklist_lock) at ../cipe/device.c:216
> > Dec 28 12:56:33 fw02 kernel: cipcb: read_unlock(&tasklist_lock) at ../cipe/device.c:225
> > Dec 28 12:56:33 fw02 kernel: cipcb0: setpar
> > Dec 28 12:56:33 fw02 kernel: cipcb0: setpar 0.0.0.0:0 1000 60000 0200 0
> > Dec 28 12:56:33 fw02 kernel: cipcb0: setkey
> > Dec 28 12:56:33 fw02 kernel: cipcb0: attach
> > Dec 28 12:56:33 fw02 kernel: cipcb0: opened
> > Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_sendmsg
> > Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
> > Dec 28 12:56:33 fw02 kernel: cipcb0: cipe_recvmsg
> > Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_sendmsg
> > Dec 28 12:56:37 fw02 kernel: cipcb0: cipe_recvmsg
> >
> > Is it necessary to have OUTPUT rules similar to the INPUT rules you
> > suggested?  In this case, udp packets through the OUTPUT chain?  Also,
> > ACCEPT packets from cipcb0 on the OUTPUT chain?
> >
> > Thanks for your help!
> >
> > Dave
> >
> > On Fri, 28 Dec 2001 SBNelson,AT,thermeon,DOT,com wrote:
> > > > > > 2. Can CIPE be bound to 1 and only 1 device?
> > > > >
> > > > >       I don't know for sure but I don't think so.  Since CIPE
> > > > > transports its data using UDP,  it simply uses the OS's routing
> > > > > features to route the packets.  So, if you want that to happen, you
> > > > > will have to do that outside of CIPE (using iproute2 software and/or
> > > > > ipchains/iptables??)
> > > >   ========
> > > > Scott, do you have example iptable commands that do this?  I'm still
> > > > learning firewall chains and I can't seem to get packets to pass
> > > > through the cipe interface.  Everything is up and running.
> > >
> > > Remember that CIPE data passes through your firewall rules twice: first
> > > the encrypted UDP transport packet arrives through your connection to
> > > the internet, and second, the unencrypted data appears at the cipcb0
> > > interface. So, you need rules to allow the UDP packets to come from the
> > > internet and you need to allow as much as you want via the CIPE
> > > interface.
> > >
> > > Here are some isolated examples that might help.  It assumes eth0 is
> > > your internet connection, eth1 is the LAN, this machine is
> > > host1.example.com, the other side is host2.example.com, and we are
> > > using port 7777 to transport the CIPE data.  You will need a lot more
> > > rules than this to make a firewall.
> > >
> > > ...
> > > # encrypted CIPE transport: accept UDP 7777 only from the peer, drop the rest
> > > iptables -A INPUT -i eth0 -p udp -s host2.example.com --sport 7777 \
> > >     -d host1.example.com --dport 7777 -j ACCEPT
> > > iptables -A INPUT -i eth0 -p udp -d host1.example.com --dport 7777 -j DROP
> > > # decrypted traffic makes its second pass through the chains on cipcb0
> > > iptables -A INPUT -i cipcb0 -j ACCEPT
> > > ...
> > > iptables -A FORWARD -i cipcb0 -o eth1 -j ACCEPT
Hello,
there must be some routing involved here that you missed if you say that you
have no firewall and still can't ping; it happened to me once when the IP of
the cipe interface was the same (or in the same net) as one of the ethx
devices; I had 4 ethernet cards and missed that one...

hope it helps,
dragos
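Two checks for the symptoms in this thread, as an added example that is not code from any of the posts: parse the netfilter LOG line Dave quoted to see which filter chain logged the packet (IN=/OUT= tell you INPUT, OUTPUT or FORWARD), and test whether the cipcb0 address overlaps an ethX network, the routing trap Dragos describes. The interface addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the LOG line quoted in the thread, unwrapped.
SAMPLE_LOG = ("Dec 28 13:00:38 fw02 kernel: IN= OUT=cipcb0 SRC=192.168.2.100 "
              "DST=192.168.1.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
              "PROTO=ICMP TYPE=8 CODE=0 ID=40449 SEQ=0")

# Constructed addresses: cipcb0 sits inside eth1's LAN, which is the overlap
# Dragos warns about (the tunnel route then competes with the LAN route).
SAMPLE_IFACES = {"eth0": "203.0.113.10/24",
                 "eth1": "192.168.2.1/24",
                 "cipcb0": "192.168.2.254/24"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict.
    Empty values such as 'IN=' are kept as ''. A key that repeats (ID= is
    both the IP id and the ICMP echo id) keeps its first value."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def chain_from_fields(fields):
    """Infer the filter chain from IN=/OUT=: only IN set means INPUT, only
    OUT set means OUTPUT (locally generated), both set means FORWARD."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return "UNKNOWN"


def overlapping_interfaces(ifaces):
    """ifaces maps name -> 'addr/prefix'. Return sorted name pairs whose
    networks overlap; any pair involving the CIPE device is a routing
    problem, since the kernel may send tunnel traffic out the LAN device."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print("logged in chain:", chain_from_fields(parse_log(SAMPLE_LOG)))
    print("overlapping interfaces:", overlapping_interfaces(SAMPLE_IFACES))
```

For the quoted line the answer is OUTPUT, which is why Dave's INPUT and FORWARD rules never matched it; the overlap check reports (cipcb0, eth1) for the constructed addresses.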
