
Subject: Re: Routing: Ping from router A to Host behind Router B does not work
From: Gert.Vandelaer,AT,medisearch-int,DOT,com
Date: Wed, 6 Feb 2002 09:48:05 +0100

I'll write some rules,
these are only specific to the VPN / MASQ part ...

On RouterA
ipchains -A input -i "cipdb_intf" -s "IP Range HostsB" -d "IP Range HostsA" -j ACCEPT
-- This rule will make pings on / from / to both routers work via VPN --

ipchains -A input -s "external IP RouterB:some_port" -p udp -i "external_intf" -d "External IP RouterA:some_port" -j ACCEPT
-- This rule to make initial key exchange and VPN traffic work --

ipchains -A forward -s "internal IP Range RouterA" -p (any, or whatever) -d ! "internal IP Range RouterB" -j MASQ
-- Notice the inverse rule making masq still work for non-VPN traffic --

ipchains -A forward -s "internal IP Range RouterB" -d "internal IP Range RouterA" -i "internal_intf" -j ACCEPT
-- This to make forwarding of VPN packets from "Hosts B" let through to "Hosts A" --

ipchains -A forward -s "internal IP Range RouterA" -d "internal IP Range RouterB" -i "cipdb_intf" -j ACCEPT
-- The reverse of the previous rule --

That's it,
note that on a 2.4 Linux kernel, rules are specified a bit differently, because of
the way packets traverse the firewall chains ... but that's a
different story actually.

Cya,
Gert

"Nils Lichtenfeld" <Nils.Lichtenfeld,AT,gmx,DOT,net>
To:      <Gert.Vandelaer,AT,medisearch-int,DOT,com>
cc:
Subject: Re: Routing: Ping from router A to Host behind Router B does not work
Date:    05/02/2002 05:38 PM

Hello Gert

> Router A :     VPN  allow RouterB's regged IP, incoming UDP : port ....
>           VPN  allow HostB's Network / Netmask incoming via cipdb0 (;
> destination HostA's Network / Netmask --> this only security related, not
> necessary)
>           MASQ allow HostA's Network / Netmask forwarding via local-eth#;
> destination NOT HostB's network / netmask --> this to prevent LAN being
> spewed directly on, the Internet
>           VPN  allow HostA's Network / Netmask forwarding via local-eth#;
> destination HostB's Network / Netmask --> this to make MASQ still work
>
> Be sure to have the forwarding rules in this order ...

Well, thanks for the answer, but I am not quite sure I understood what you
wrote. Here is what I made out of it for Router B
(192.168.3.1, me=0.0.0.0:4040):
ipchains -A forward -p udp -s 192.168.1.1 --dport 4040 -j ACCEPT
ipchains -A forward -s 192.168.1.0/24 -i cipcb0 -d 192.168.3.0/24 -j ACCEPT
ipchains -A forward -s 192.168.3.0/24 -i eth0  -d ! 192.168.1.0/24 -j MASQ
ipchains -A forward -s 192.168.3.0/24 -i eth0 -d 192.168.1.0/24 -j ACCEPT

But that didn't work at all, my network did not even get masqueraded. The
same rules but without the -i parameter made my network
masqueraded again, and connections through the cipe-tunnel were possible.
But still, pings from Router A -> Host B and Router B ->
Host A could not make their way through...

I still do not understand why a simple
ipchains -A forward -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
ipchains -A forward -s 192.168.3.0/24 -j MASQ
for Router B (and the reverse for Router A) is not doing it. (Ping goes
Host A -> Router B but not Router B -> Host A !!)

Still screwed..
Regards, Nils
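Gert's reply hinges on two properties of ipchains: the forward chain is evaluated first-match, so a MASQ rule placed before the VPN ACCEPT rules must exclude the remote network with "-d ! ...", and on the forward chain "-i" names the interface a packet is about to leave on, not the one it arrived on. The following simulator is an added example written for this archive page, not code from either poster. It models a forward chain with those semantics and runs Router A's rule order from Gert's reply against four constructed packets; the addresses, host IPs and interface names (eth0 = Router A's LAN, eth1 = its Internet link, cipcb0 = the CIPE tunnel) are assumptions for the example and not taken from the thread.

```python
# Added example: first-match simulator for ipchains forward-chain rules.
# All addresses, hosts and interface names below are constructed for the
# example (eth0 = Router A's LAN, eth1 = Internet link, cipcb0 = CIPE tunnel).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAN_A = "192.168.1.0/24"   # hosts behind Router A (assumed)
LAN_B = "192.168.3.0/24"   # hosts behind Router B, reached through the tunnel


@dataclass
class Rule:
    target: str                       # ACCEPT, MASQ or DENY
    src: Optional[str] = None         # -s network
    dst: Optional[str] = None         # -d network
    dst_negated: bool = False         # True for "-d ! network"
    proto: Optional[str] = None       # -p
    out_iface: Optional[str] = None   # -i (outgoing interface on the forward chain)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    out_iface: str                    # interface the packet will leave on


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every selector the rule specifies matches the packet."""
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst:
        in_dst = ip_address(pkt.dst) in ip_network(rule.dst)
        if in_dst == rule.dst_negated:   # "!" inverts the destination test
            return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.out_iface and rule.out_iface != pkt.out_iface:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# Router A's forward chain, in the order given in Gert's reply.
ROUTER_A_FORWARD = [
    Rule("MASQ", src=LAN_A, dst=LAN_B, dst_negated=True),      # non-VPN traffic only
    Rule("ACCEPT", src=LAN_B, dst=LAN_A, out_iface="eth0"),     # B -> A, leaving to the LAN
    Rule("ACCEPT", src=LAN_A, dst=LAN_B, out_iface="cipcb0"),   # A -> B, leaving via the tunnel
]

# Same chain with the "!" dropped from the MASQ rule: the MASQ rule now
# swallows tunnel-bound traffic before the ACCEPT rule is ever reached.
ROUTER_A_FORWARD_NO_EXCLUSION = [
    Rule("MASQ", src=LAN_A),
    Rule("ACCEPT", src=LAN_B, dst=LAN_A, out_iface="eth0"),
    Rule("ACCEPT", src=LAN_A, dst=LAN_B, out_iface="cipcb0"),
]

# Constructed sample packets (203.0.113.5 stands in for an Internet host).
LAN_A_TO_INTERNET = Packet("192.168.1.10", "203.0.113.5", "tcp", "eth1")
A_TO_B = Packet("192.168.1.10", "192.168.3.20", "icmp", "cipcb0")
B_TO_A = Packet("192.168.3.20", "192.168.1.10", "icmp", "eth0")
B_TO_INTERNET = Packet("192.168.3.20", "203.0.113.5", "tcp", "eth1")


def classify(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for each sample packet under the given forward chain."""
    return {
        "lan_a_to_internet": verdict(chain, LAN_A_TO_INTERNET),
        "a_to_b": verdict(chain, A_TO_B),
        "b_to_a": verdict(chain, B_TO_A),
        "b_to_internet": verdict(chain, B_TO_INTERNET),
    }


if __name__ == "__main__":
    print("with -d ! exclusion:   ", classify(ROUTER_A_FORWARD))
    print("without the exclusion: ", classify(ROUTER_A_FORWARD_NO_EXCLUSION))
```

With the exclusion in place, LAN A traffic to the Internet is masqueraded, both tunnel directions are accepted, and the remote LAN cannot ride out to the Internet through Router A. Without it, A-to-B packets hit MASQ first and leave the tunnel with Router A's address, which is the failure the "inverse rule" comment in the reply is guarding against. Because the simulator matches "-i" against the outgoing interface, an A-to-B packet routed out of eth0 instead of the tunnel falls through to the policy, which is a quick way to check that the interface named in each forward rule is the one the packet actually leaves on.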
