Thanks for your reply! It pushed me another step near the goal :)
From: "Keith Smith" <keith,AT,ksmith,DOT,com>
> The simplest thing is something along these lines
> ipchains -F
> ipchains -P input ACCEPT
> ipchains -P forward REJECT
> ipchains -P output ACCEPT
Ok, that's already set, just the forward-policy is DENY, but that should not
make any difference concerning the VPN(?).
> # Don't need -b here :) forward anything private
> ipchains -A forward -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
Ok, but a
ipchains -I forward 1 -b -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
would do the same concerning my two networks?
> # But Masq to external hosts
> ipchains -A forward -b -s 192.168.0.0/16 -d 0.0.0.0/0 -j MASQ
When I do that the ping is getting through.... And when I do this
ipchains -A forward -b -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQ # router B
it still gets through.
But when I cut out the -b here, it is not working (though I can still use the
Internet with a host behind the router). Why is that?
Can anyone explain why I need to make masquerading bidirectional? It works
fine without as long as Router A doesn't try to ping Host.
> Then you need to make sure the machine behind routerB uses routerB as:
> 1) Its default route
Yes this is set, since both cipe-machines are the routers at the same time.
> Finally the routers need to have routing entries for each other's networks
> route add -net 192.168.1.0/24 gw 192.168.1.1
> and on the .1 box
> route add -net 192.168.3.0/24 gw 192.168.3.1
Well, they look like
route add -net 192.168.1.0/24 gw 10.10.1.1 # gw is IP of cipe-interface
route add -net 192.168.3.0/24 gw 10.10.3.1 # gw is IP of cipe-interface
Does that make any difference?
> Your problem is common, and is
> usually routing or a firewall rule. CIPE could care less, it's just a
I think it is a firewall rule... since I can make it work and not work when I
play around with the firewall.
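Added illustration (not from either poster): a small model of first-match evaluation of the ipchains forward chain, using the rules quoted above, to show why the order of the private-to-private ACCEPT and the `-d 0.0.0.0/0` MASQ rule matters and what `-b` changes in matching. It models rule matching only, not the kernel's handling of masqueraded reply packets; the host addresses 192.168.1.5, 192.168.3.7 and 203.0.113.9 are constructed.

```python
import ipaddress

# Minimal model of an ipchains chain: rules are checked in order, the first
# match decides, and no match falls back to the chain policy.  This is an
# added illustration, not ipchains itself.

class Rule:
    def __init__(self, src, dst, target, bidir=False):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.target = target
        self.bidir = bidir  # models -b: also match with src/dst swapped

    def matches(self, s, d):
        if s in self.src and d in self.dst:
            return True
        return self.bidir and d in self.src and s in self.dst

def evaluate(chain, policy, src, dst):
    """Return (rule_index, target); rule_index is None when the policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(chain, start=1):
        if rule.matches(s, d):
            return i, rule.target
    return None, policy

# Ordering from the quoted reply: private-to-private ACCEPT first, then
# MASQ anything from private space to anywhere (-d 0.0.0.0/0).
KEITH = [
    Rule("192.168.0.0/16", "192.168.0.0/16", "ACCEPT"),
    Rule("192.168.0.0/16", "0.0.0.0/0", "MASQ", bidir=True),
]

# Same rules, order swapped: 0.0.0.0/0 also covers the other site's private
# network, so the MASQ rule now shadows the ACCEPT rule for VPN traffic.
SWAPPED = list(reversed(KEITH))

# Router B's narrower MASQ rule from the message, with and without -b.
ROUTER_B_BIDIR = [Rule("192.168.3.0/24", "0.0.0.0/0", "MASQ", bidir=True)]
ROUTER_B_ONEWAY = [Rule("192.168.3.0/24", "0.0.0.0/0", "MASQ")]

if __name__ == "__main__":
    # 192.168.1.5 / 192.168.3.7: constructed hosts on the two LANs;
    # 203.0.113.9: constructed external address (TEST-NET-3).
    for name, chain in (("keith", KEITH), ("swapped", SWAPPED)):
        print(name, "LAN A -> LAN B:", evaluate(chain, "DENY", "192.168.1.5", "192.168.3.7"))
        print(name, "LAN B -> Internet:", evaluate(chain, "DENY", "192.168.3.7", "203.0.113.9"))
    print("router B, -b, reply dir:", evaluate(ROUTER_B_BIDIR, "DENY", "203.0.113.9", "192.168.3.7"))
    print("router B, no -b, reply dir:", evaluate(ROUTER_B_ONEWAY, "DENY", "203.0.113.9", "192.168.3.7"))
```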