
Subject: Re: Routing: Ping from router A to Host behind Router B does not work
From: Keith Smith <keith,AT,ksmith,DOT,com>
Date: Tue, 5 Feb 2002 23:14:48 +0100
In-reply-to: <OFE5D1E49C.DC458517-ONC1256B56.0053012C@medisearch-int.com>

Nils Lichtenfeld wrote:

>>ipchains -P forward REJECT
> Ok, that's already set, just the forward-policy is DENY, but that should not
> make any difference concerning the VPN(?).

Reject and deny are identical, other than REJECT returns a no-workie 
packet back upstream.

> ipchains -I forward 1 -b -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
> would do the same concerning my two networks?

Yes. Of course, if you then put 3 machines in a spider web of tunnels you 
get to have 2 rules per machine, and adding the 4th starts to get to be 
a lot of extra maintenance.

> ipchains -A forward -b -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQ # router B
> it still gets through.
> 
> But when I cut out the -b here, it is not working (though I can still use 
> the Internet with a Host behind the router).  Why is that?
> Can anyone explain why I need to make masquerading bidirectional? It works 
> fine without as long as Router A doesn't try to ping Host
> B....

Not sure, just always did it that way.  Might have something to do with 
FTP or other app that needs "helper" for the returns like icmp traces. 
My recollection was that things didn't always work without it. 
Something in the chains FAQ.  Most of my setups are iptables now, so the 
memory is fuzzy.

-- 
Keith Smith                 keith,AT,ksmith,DOT,com
655 W Fremont Dr
Tempe AZ 85282              it's hot
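As an added illustration of the maintenance point Keith raises above (not code from the thread or from either poster): a small POSIX sh generator that prints the ipchains forward rules for a full mesh of VPN subnets, once using -b (one rule per subnet pair) and once without it (one rule per direction). It only prints the commands so they can be reviewed before being piped to sh; the subnets used at the bottom are constructed for the example, the ACCEPT and MASQ rule forms are the ones quoted in the thread (the MASQ rule keeps Nils's -b as posted, since whether it is needed there is the open question), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: emit ipchains forward rules for a mesh of VPN subnets.
# Nothing is executed; output is meant to be reviewed, then piped to sh.

# gen_mesh_rules MODE SUBNET...   MODE is "bidir" (-b) or "unidir" (one rule per direction)
gen_mesh_rules() {
    mode=$1; shift
    finished=""                       # subnets whose pairs are already covered
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            if [ "$mode" = bidir ]; then
                # with -b one rule covers a<->b, so skip pairs already emitted from b's side
                case " $finished " in *" $b "*) continue ;; esac
                printf 'ipchains -A forward -b -s %s -d %s -j ACCEPT\n' "$a" "$b"
            else
                printf 'ipchains -A forward -s %s -d %s -j ACCEPT\n' "$a" "$b"
            fi
        done
        finished="$finished $a"
    done
}

# count_mesh_rules MODE SUBNET...   number of rules the mesh needs in that mode
count_mesh_rules() {
    gen_mesh_rules "$@" | wc -l | tr -d ' '
}

# full_forward_chain LOCAL_SUBNET MODE SUBNET...   policy, mesh rules, then MASQ
# (assumed layout for this example: DENY policy, VPN ACCEPTs first so inter-site
# traffic is matched before the catch-all MASQ rule for Internet access)
full_forward_chain() {
    local_net=$1; mode=$2; shift 2
    echo 'ipchains -F forward'
    echo 'ipchains -P forward DENY'
    gen_mesh_rules "$mode" "$@"
    # MASQ rule exactly as Nils posted it for router B (with -b)
    printf 'ipchains -A forward -b -s %s -d 0.0.0.0/0 -j MASQ\n' "$local_net"
}

# Usage with three constructed subnets; router B's local net is 192.168.3.0/24.
full_forward_chain 192.168.3.0/24 bidir 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
echo "# bidir rules: $(count_mesh_rules bidir 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24)"
echo "# unidir rules: $(count_mesh_rules unidir 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24)"
```

Three subnets need 3 rules with -b and 6 without; a fourth tunnel endpoint takes those to 6 and 12, which is the "extra maintenance" Keith describes. Run the generator whenever a site is added and diff its output against the running rule set rather than editing rules by hand.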
