Nils Lichtenfeld wrote:
>> ipchains -P forward REJECT
> Ok, that's already set, just the forward policy is DENY, but that should not
> make any difference concerning the VPN(?).
Reject and deny are identical, other than REJECT returns a no-workie
packet back upstream.
> ipchains -I forward 1 -b -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
> would do the same concerning my two networks?
Yes, of course then if you put 3 machines in a spider web of tunnels you
get to have 2 rules per machine, and adding the 4th starts to get to be
a lot of extra maintenance.
> ipchains -A forward -b -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQ # router B
> it still gets through.
> But when I cut out the -b here, it is not working (though I can still use
> the Internet with a Host behind the router). Why is that?
> Can anyone explain why I need to make masquerading bidirectional? It works
> fine without as long as Router A doesn't try to ping Host
Not sure, just always did it that way. Might have something to do with
FTP or another app that needs a "helper" for the returns, like ICMP traces.
My recollection was that things didn't always work without it.
Something in the chains FAQ. Most of my setups are iptables now, so the
memory is fuzzy.
Keith Smith keith,AT,ksmith,DOT,com
655 W Fremont Dr
Tempe AZ 85282 it's hot
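The maintenance point Keith makes above (a mesh of tunnelled LANs under a default-deny forward policy needs one explicit ACCEPT per pair of networks) can be seen by generating the rule set rather than typing it. The script below is an added illustration, not code from either poster; it only prints ipchains commands and never touches the kernel, so it runs anywhere. The subnets are constructed sample values. It relies on the documented meaning of ipchains `-b`: one rule with `-b` is equivalent to the same rule added twice with source and destination swapped, so each unordered pair needs a single line.

```shell
#!/bin/sh
# Added illustration (not from the thread): emit the per-pair ipchains forward
# rules that an explicit-ACCEPT policy needs for a full mesh of tunnelled LANs.
# Nothing here is executed against the kernel; the rules are only printed so
# the growth in rule count can be inspected. Subnets are constructed samples.

# Print one bidirectional (-b) ACCEPT rule per unordered pair of subnets.
# -b already matches the reverse direction, so each pair is emitted once.
# Usage: mesh_forward_rules 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
mesh_forward_rules() {
    i=1
    for src in "$@"; do
        j=1
        for dst in "$@"; do
            # only pairs with j > i, so (A,B) is printed but (B,A) is not
            if [ "$j" -gt "$i" ]; then
                echo "ipchains -I forward 1 -b -s $src -d $dst -j ACCEPT"
            fi
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# Count the rules the mesh needs: n*(n-1)/2 lines for n subnets,
# i.e. each network appears in n-1 of them.
mesh_rule_count() {
    mesh_forward_rules "$@" | wc -l | tr -d ' '
}

# For comparison, the policy and masquerade lines quoted in the thread:
# these two do not grow as tunnels are added.
baseline_rules() {
    echo "ipchains -P forward DENY"
    echo "ipchains -A forward -b -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQ"
}

# Example run: three LANs in a spider web of tunnels
mesh_forward_rules 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
echo "rules needed: $(mesh_rule_count 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24)"
```

Adding a fourth subnet raises the count from 3 to 6 lines, which is the "extra maintenance" the reply warns about; a default-deny policy with per-pair ACCEPTs is the tighter design, but the rule set has to be regenerated every time a tunnel is added or removed.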