
Subject: RE: Configure cipe with iptables
From: cyeo,AT,biking,DOT,org
Date: Thu, 17 Jan 2002 01:22:03 +0100

Andreas,

What I do is I have an ip-up script per connection that looks like this:

#!/bin/sh
# ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
# Arguments:
#  $1 interface     the CIPE interface
#  $2 myaddr        our UDP address
#  $3 daemon-pid    the daemon's process ID
#  $4 local         IP address of our CIPE device
#  $5 remote        IP address of the remote CIPE device
#  $6 arg           argument supplied via options
umask 022
PATH=/sbin:/bin:/usr/sbin:/usr/bin

route add -net 10.0.0.0 netmask 255.255.255.0 gw $5

iptables -I INPUT -p udp -i <ext interface> -s <remote ip addr> --dport <port assigned in options file> -j ACCEPT
iptables -I INPUT -p all -i $1 -d <local net>/24 -j ACCEPT
iptables -I FORWARD -i $1 -s <remote net>/24 -j ACCEPT
iptables -I FORWARD -i $1 -d <remote net>/24 -j ACCEPT

Then the ip-down script just does the opposite: it deletes the route and the
iptables entries.

Then my options file looks like this:

maxerr          500
ipup            /etc/cipe/ip-up.work
ipdown          /etc/cipe/ip-down.work
device          cip3b1
ptpaddr         <remote internal ip>
ipaddr          <local internal ip>
me              <external ip>:<external port>
peer            <external ip>:<external port>

Chris

 -----Original Message-----
From:   andreas [mailto:andreas,AT,dahlen,DOT,ws]
Sent:   Wednesday, January 16, 2002 2:14 PM
To:     cipe-l
Subject:        Configure cipe with iptables

Hi!

I have a problem getting cipe to work with iptables.

If I have no iptables rules and set the default iptables policy to
ACCEPT for INPUT, OUTPUT and FORWARD, everything works fine, i.e. I
can communicate over the CIPE link.

But I don't want to have iptables configured in such an open way.
I've tried the following (besides some basic rules), but with
this configuration I get "ping: sendto: Operation not permitted"
when I try to ping the cipe address of the other gate.

Gate A:
$IPTABLES -A INPUT -p UDP -i $EXT_IF -s gateB_IP -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $EXT_IF -d gateB_IP -j ACCEPT
$IPTABLES -A INPUT -i cipecb0 -j ACCEPT
$IPTABLES -A OUTPUT -o cipecb0 -j ACCEPT
$IPTABLES -A FORWARD -i cipecb0 -j ACCEPT
options:
me 6060
peer gateB_IP
ptpaddr 10.255.255.3
ipaddr 10.255.255.1

Gate B:
$IPTABLES -A INPUT -p UDP -i $EXT_IF -s gateA_IP -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $EXT_IF -d gateA_IP -j ACCEPT
$IPTABLES -A INPUT -i cipecb0 -j ACCEPT
$IPTABLES -A OUTPUT -o cipecb0 -j ACCEPT
$IPTABLES -A FORWARD -i cipecb0 -j ACCEPT
options:
me 6060
peer gateA_IP
ptpaddr 10.255.255.1
ipaddr 10.255.255.3

What am I missing in the iptables configuration?

Software used:
cipe 1.5.2
iptables 1.2.4
kernel 2.4.9 (Red Hat 7.2 original) and 2.4.5 (custom compiled)

/Andreas
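One way to keep the ip-up and ip-down hooks from drifting apart, as an added example that is neither Chris's script nor part of CIPE: a single file that serves as both hooks and derives the ip-down deletions from the same rule list that ip-up inserts. The external interface eth0, the peer address 192.0.2.10, the UDP port 6060 and the 10.0.0.0/24 and 10.0.1.0/24 networks are assumed placeholders (overridable from the environment); only the shape of the rules follows the script posted above, and the interface name cip3b1 is the one from the options file.

```sh
#!/bin/sh
# Added example, not the script from the post. One file acts as both CIPE
# hooks: install it as /etc/cipe/ip-up and symlink /etc/cipe/ip-down to it.
# CIPE calls it as:  ip-up <interface> <myaddr> <daemon-pid> <local> <remote> <arg>
# Every network value below is an assumed placeholder; override via environment.
EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
PEER_IP="${PEER_IP:-192.0.2.10}"         # assumed remote UDP endpoint (documentation range)
CIPE_PORT="${CIPE_PORT:-6060}"           # assumed local UDP port from the "me" option
LOCAL_NET="${LOCAL_NET:-10.0.1.0/24}"    # assumed LAN behind this gateway
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"  # assumed LAN behind the peer
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run
ROUTE="${ROUTE:-route}"                  # set ROUTE=echo for a dry run

# cipe_rules <up|down> <cipe-interface>
# Print one iptables rule per line. "up" inserts (-I), "down" deletes (-D);
# the match part is generated once, so the two hooks cannot drift apart.
cipe_rules() {
    case "$1" in
        up)   act=-I ;;
        down) act=-D ;;
        *)    echo "cipe_rules: mode must be up or down" >&2; return 1 ;;
    esac
    ifc="$2"
    # Keep the match narrow: only the peer's UDP source, only our CIPE port,
    # only the two prefixes that are supposed to traverse the tunnel.
    cat <<EOF
$act INPUT -p udp -i $EXT_IF -s $PEER_IP --dport $CIPE_PORT -j ACCEPT
$act INPUT -i $ifc -d $LOCAL_NET -j ACCEPT
$act FORWARD -i $ifc -s $REMOTE_NET -j ACCEPT
$act FORWARD -i $ifc -d $REMOTE_NET -j ACCEPT
EOF
}

# apply_rules <up|down> <cipe-interface> <remote-cipe-address>
# Add the route before opening the firewall on the way up, and close the
# firewall before removing the route on the way down.
apply_rules() {
    mode="$1"; ifc="$2"; remote="$3"
    if [ "$mode" = up ]; then
        $ROUTE add -net "$REMOTE_NET" gw "$remote" dev "$ifc"
    fi
    cipe_rules "$mode" "$ifc" | while read -r rule; do
        # word splitting of $rule is intended: it is a list of iptables arguments
        $IPT $rule
    done
    if [ "$mode" = down ]; then
        $ROUTE del -net "$REMOTE_NET" gw "$remote" dev "$ifc"
    fi
}

case "${0##*/}" in
    ip-up*)   umask 022; PATH=/sbin:/bin:/usr/sbin:/usr/bin
              apply_rules up   "$1" "$5" ;;   # $1 = CIPE interface, $5 = remote CIPE address
    ip-down*) umask 022; PATH=/sbin:/bin:/usr/sbin:/usr/bin
              apply_rules down "$1" "$5" ;;
    *)        # not started by cipe: only show what each hook would run
              echo "# ip-up:";   cipe_rules up   cip3b1
              echo "# ip-down:"; cipe_rules down cip3b1 ;;
esac
```

Two caveats a practitioner should keep in mind. The INPUT rule matches on the peer's source address and the tunnel port, which limits who can reach the CIPE daemon but is not authentication: UDP source addresses are trivially spoofed, so the shared key in the options file remains the only thing that keeps the tunnel private. And because each rule is inserted with -I, the four rules land at the top of their chains in reverse order; that is harmless here since all of them are ACCEPT, and it is the reason to prefer -I over -A when the chain already ends in a DROP or REJECT.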

--
Message sent by the cipe-l,AT,inka,DOT,de mailing list.
Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
Other commands available with "help" in body to the same address.
CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>