
Subject: Re: Configure cipe with iptables
From: Jochen Witte <jwitte,AT,mundwerk,DOT,de>
Date: Fri, 18 Jan 2002 10:38:20 +0100
In-reply-to: <1011212023.3c45def722346@www.dahlen.ws>

Hi,
these are my rules:
the VPN device is cipecb0; the setup is for two networks with a
firewall, hence the devices EXT and INT. REMOTE-CIPE is the IP of the
remote cipe device.

        # VPN via CIPE
        ##############
        # (variable written as REMOTE_CIPE / REMOTE_NET: a shell variable name
        #  cannot contain '-', so $REMOTE-CIPE would expand to "$REMOTE" + "-CIPE")
        # UDP tunnel between the two cipe endpoints on the external interface
        $IPTABLES -A INPUT -i $EXT -s $REMOTE_CIPE -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $cipe --dport $cipe -j ACCEPT
        $IPTABLES -A OUTPUT -o $EXT -d $REMOTE_CIPE -m state --state NEW,ESTABLISHED,RELATED \
            -p UDP --sport $cipe --dport $cipe -j ACCEPT
        # ICMP to/from the remote cipe endpoint (needed for path MTU discovery)
        $IPTABLES -A OUTPUT -o $EXT -d $REMOTE_CIPE -p ICMP -j ACCEPT
        $IPTABLES -A INPUT -i $EXT -s $REMOTE_CIPE -p ICMP -j ACCEPT
        # decapsulated traffic on the cipe device, to/from the remote network
        $IPTABLES -A OUTPUT -o $VPN -d $REMOTE_NET -j ACCEPT
        $IPTABLES -A INPUT -i $VPN -s $REMOTE_NET -j ACCEPT
        # ICMP on the internal interface
        $IPTABLES -A INPUT -i $INT -p ICMP -j ACCEPT
        $IPTABLES -A OUTPUT -o $INT -p ICMP -j ACCEPT

You need to allow ICMP, see http://www.worldgate.com/~marcs/mtu/.
Perhaps this is your problem.

Greetings

On Wed, 2002-01-16 at 21.13, Andreas Dahlén wrote:
> Hi!
> 
> I've a problem getting cipe to work with iptables.
> 
> If I have no iptables rules and set the default iptables policy to
> ACCEPT for INPUT, OUTPUT and FORWARD, everything works fine, i.e. I
> can communicate over the CIPE-link.
> 
> But I don't want to have iptables configured in such an open way.
> I've tried the following (besides some basic rules), but with
> this configuration I get "ping: sendto: Operation not permitted"
> when I try to ping the cipe-address of the other gate.
> 
> Gate A:
> $IPTABLES -A INPUT -p UDP -i $EXT_IF -s gateB_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p UDP -o $EXT_IF -d gateB_IP -j ACCEPT
> $IPTABLES -A INPUT -i cipecb0 -j ACCEPT
> $IPTABLES -A OUTPUT -o cipecb0 -j ACCEPT
> $IPTABLES -A FORWARD -i cipecb0 -j ACCEPT
> options:
> me 6060
> peer gateB_IP
> ptpaddr 10.255.255.3
> ipaddr 10.255.255.1
> 
> Gate B:
> $IPTABLES -A INPUT -p UDP -i $EXT_IF -s gateA_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p UDP -o $EXT_IF -d gateA_IP -j ACCEPT
> $IPTABLES -A INPUT -i cipecb0 -j ACCEPT
> $IPTABLES -A OUTPUT -o cipecb0 -j ACCEPT
> $IPTABLES -A FORWARD -i cipecb0 -j ACCEPT
> options:
> me 6060
> peer gateA_IP
> ptpaddr 10.255.255.1
> ipaddr 10.255.255.3
> 
> What do I miss with the configuration of iptables?
> 
> Software used:
> cipe 1.5.2
> iptables 1.2.4
> kernel 2.4.9 (Redhat 7.2 original) and 2.4.5 (custom compiled)
> 
> /Andreas
> 
> 
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> 
-- 
Jochen Witte
<jwitte,AT,alpha-lab,DOT,net>
PGP fingerprint = 2F92 97EA BB67 E49A EE79  AD55 2FE7 DF05 EA9A 3A32
Keyserver = www.keyserver.net
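To check a ruleset like the ones in this thread before loading it, here is a toy first-match simulator (an added example, not code from the list or from CIPE). It models only chain, interface, address and protocol, ignoring state and port matches, and reports which flows a CIPE gateway needs (the UDP tunnel, ICMP for path MTU discovery on the external interface, and traffic on the cipe device) the rules would not accept. Interface and address values (eth0, 198.51.100.2, 10.255.255.3) are constructed substitutions for $EXT_IF, gateB_IP and the peer's cipe address.

```python
from collections import namedtuple
Rule = namedtuple("Rule", "chain iface addr proto target")

def parse_rule(line):
    """Parse '$IPTABLES -A CHAIN [-i|-o IF] [-s|-d ADDR] [-p PROTO] ... -j TARGET'.
    Options this toy does not model (-m state, --sport/--dport) are ignored."""
    t = line.split()
    def opt(*flags):
        for f in flags:
            if f in t:
                return t[t.index(f) + 1]
    proto = opt("-p")
    return Rule(t[t.index("-A") + 1], opt("-i", "-o"), opt("-s", "-d"),
                proto.lower() if proto else None, t[t.index("-j") + 1])

def verdict(rules, chain, iface, addr, proto, policy="DROP"):
    """First matching rule wins, as in iptables; an unmatched packet gets the chain policy."""
    for r in rules:
        if (r.chain == chain and r.iface in (None, iface)
                and r.addr in (None, addr) and r.proto in (None, proto)):
            return r.target
    return policy

def missing_flows(rule_lines, ext, vpn, peer, peer_vpn):
    """Names of the flows a CIPE gateway needs that the ruleset would not ACCEPT:
    UDP tunnel and ICMP (PMTU) with the peer on EXT, plus traffic on the cipe device."""
    rules = [parse_rule(l) for l in rule_lines]
    needed = {
        "udp tunnel in":   ("INPUT",  ext, peer, "udp"),
        "udp tunnel out":  ("OUTPUT", ext, peer, "udp"),
        "icmp in (pmtu)":  ("INPUT",  ext, peer, "icmp"),
        "icmp out (pmtu)": ("OUTPUT", ext, peer, "icmp"),
        "vpn in":          ("INPUT",  vpn, peer_vpn, "icmp"),
        "vpn out":         ("OUTPUT", vpn, peer_vpn, "icmp"),
    }
    return [name for name, pkt in needed.items() if verdict(rules, *pkt) != "ACCEPT"]

# Constructed sample: the Gate A rules from the question, with EXT_IF=eth0 and
# gateB_IP=198.51.100.2 substituted (the FORWARD rule is outside this toy's scope).
ASKER_RULES = [
    "$IPTABLES -A INPUT -p UDP -i eth0 -s 198.51.100.2 -j ACCEPT",
    "$IPTABLES -A OUTPUT -p UDP -o eth0 -d 198.51.100.2 -j ACCEPT",
    "$IPTABLES -A INPUT -i cipecb0 -j ACCEPT",
    "$IPTABLES -A OUTPUT -o cipecb0 -j ACCEPT",
]
# The same set with the external-interface ICMP rules from the answer added.
ANSWER_RULES = ASKER_RULES + [
    "$IPTABLES -A OUTPUT -o eth0 -d 198.51.100.2 -p ICMP -j ACCEPT",
    "$IPTABLES -A INPUT -i eth0 -s 198.51.100.2 -p ICMP -j ACCEPT",
]
```

A DROP in the OUTPUT chain is what a local sender sees as "sendto: Operation not permitted", so any OUTPUT flow reported missing is the first thing to check.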