<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: Routing: Ping from router A to Host behind Router B does not work
From: Keith Smith <keith,AT,ksmith,DOT,com>
Date: Tue, 5 Feb 2002 17:49:52 +0100
In-reply-to: <OFE5D1E49C.DC458517-ONC1256B56.0053012C@medisearch-int.com>

The simplest thing is something along these lines
ipchains -F
ipchains -P input ACCEPT
ipchains -P forward REJECT
ipchains -P output ACCEPT

# Don't need -b here :) forward anything private
ipchains -A forward    -s 192.168.0.0/16  -d 192.168.0.0/16 -j ACCEPT
# But Masq to external hosts
ipchains -A forward -b -s 192.168.0.0/16 -d 0.0.0.0/0 -j MASQ

Then you need to make sure the machine behind routerB uses routerB as:
1) It's default route
or
2) Has a static route to it like:
(NT) route -p add 192.168.0.0 mask 255.255.0.0 192.168.3.1

The same would hold true on routerA's private net boxes

Finally the routers need to have routing entries for each other's networks

route add -net 192.168.1.0/24 gw 192.168.1.1
and on the .1 box
route add -net 192.168.3.0/24 gw 192.168.3.1

traceroute will tell you which machine is stopping the packet if you set 
ttl to 64 on the CIPE tunnel.

A packet will stop for 1 of two reasons:
The machine it stopped at cannot forwad the packet
The NEXT machine in the chain cannot RETURN a response.

Run the trace both ways.  One of the "gotcha's" with masquerading is 
that you have a rule like:

ipchains -A forward -b -s 192.168.0.0/16 -d 0.0.0.0/0 -j MASQ

at the top of the chain which basically will masquerade all of your VPN 
traffic at this host.

Life tends to be simpler when you just pass all your vpn addresses 
around first with a wide netmask.  Then use traceroute both ways if you 
need to figure out where the holdup is.  Your problem is common, and is 
usually routing or a firewall rule.  CIPE could care less, it's just a 
connection.

Properly configured there is no reason clientA - routerA - routerB - 
clientB , cannot talk like they are there.

YMMV, Good Luck

Nils Lichtenfeld wrote:

> Hi Gert!
> 
> 
> 
>>Have you tried the pings with the firewall flushed ?
>>
> 
> Well, I just tried and it worked :-)
> Both routers ipchains -L output looks like this:
> 
> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  anywhere             anywhere              n/a
> Chain forward (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  anywhere             anywhere              n/a
> Chain output (policy ACCEPT):
> 
> But thats not the way it can stay... I at least have to get the 
>masquerading back in. With forwardpolicy looking like this
> 
> target     prot opt     source                destination           ports
> ACCEPT     all  ------  192.168.3.0/24       192.168.1.0/24        n/a
> ACCEPT     all  ------  192.168.1.0/24       192.168.3.0/24        n/a
> MASQ       all  ------  192.168.1.0/24       anywhere              n/a
> 
> everything behaved like before the "flush"....
> 
> I am still screwed.
> 
> MFG Nils
> 
> 
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: 
><URL:http://sites.inka.de/~bigred/devel/cipe.html>
> 

-- 
Keith Smith                 keith,AT,ksmith,DOT,com
655 W Fremont Dr
Tempe AZ 85282              it's hot





<< | Thread Index | >> ]    [ << | Date Index | >> ]