Re: Routing: Ping from router A to Host behind Router B does not work
Wed, 6 Feb 2002 09:48:05 +0100
I'll write some rules,
these are only specific to the VPN / MASQ part ...
ipchains -A input -i "cipdb_intf" -s "IP Range HostsB" -d "IP Range HostsA" -j ACCEPT
-- This rule will make pings on / from / to both routers work via VPN --
ipchains -A input -p udp -i "external_intf" -s "external IP RouterB" some_port -d "external IP RouterA" some_port -j ACCEPT
-- This rule to make the initial key exchange and VPN traffic work --
ipchains -A forward -s "internal IP Range RouterA" -p (any, or whatever) -d ! "internal IP Range RouterB" -j MASQ
-- Notice the inverse rule making masq still work for non-VPN traffic --
ipchains -A forward -s "internal IP Range RouterB" -d "internal IP Range RouterA" -i "internal_intf" -j ACCEPT
-- This to let forwarding of VPN packets from "Hosts B" through to "Hosts A" --
ipchains -A forward -s "internal IP Range RouterA" -d "internal IP Range RouterB" -i "cipdb_intf" -j ACCEPT
-- The reverse of the previous rule --
Note that on a 2.4 Linux it's a bit different to specify rules, because of
the way packets traverse the firewall chains ... but that's a different
story, actually.
> Router A : VPN allow RouterB's registered IP, incoming UDP : port ....
> VPN allow HostB's Network / Netmask incoming via cipdb0;
> destination HostA's Network / Netmask --> this is only security related, not
> MASQ allow HostA's Network / Netmask forwarding via local-eth#;
> destination NOT HostB's network / netmask --> this to prevent the LAN being
> spewed directly onto the Internet
> VPN allow HostA's Network / Netmask forwarding via local-eth#;
> destination HostB's Network / Netmask --> this to make MASQ still work
> Be sure to have the forwarding rules in this order ...
Well, thanks for the answer, but I am not quite sure I understood what you
wrote. Here is what I made out of it for Router B
(192.168.3.1, me=0.0.0.0:4040):
ipchains -A forward -p udp -s 192.168.1.1 --dport 4040 -j ACCEPT
ipchains -A forward -s 192.168.1.0/24 -i cipcb0 -d 192.168.3.0/24 -j ACCEPT
ipchains -A forward -s 192.168.3.0/24 -i eth0 -d ! 192.168.1.0/24 -j MASQ
ipchains -A forward -s 192.168.3.0/24 -i eth0 -d 192.168.1.0/24 -j ACCEPT
But that didn't work at all; my network did not even get masqueraded. The
same rules but without the -i parameter made my network
masqueraded again, and connections through the cipe tunnel were possible.
But still, pings from Router A -> Host B and Router B ->
Host A could not make their way through...
I still do not understand why a simple
ipchains -A forward -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT
ipchains -A forward -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
ipchains -A forward -s 192.168.3.0/24 -j MASQ
for Router B (and the reverse for Router A) is not doing it. (Ping goes
Host A -> Router B but not Router B -> Host A !!)
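As an added example (not code from either message in the thread, nor from CIPE itself), here is one endpoint's complete ipchains rule set as a small sh script, written for Router B from the second message and serving at the same time as a concrete version of the placeholder rules in the first reply. The interface names (ppp0, eth0), the two external addresses and the two tunnel endpoint addresses are assumptions I made up; 192.168.3.0/24, 192.168.1.0/24, cipcb0 and UDP port 4040 come from the thread. Two caveats the script is built around: on the ipchains forward chain `-i` matches the interface the packet will leave by (it means "arrived on" only on the input chain), so a MASQ rule written with `-i eth0` matches nothing bound for the Internet; and a ping issued on the router itself is sourced from the CIPE interface's own address unless the route carries an explicit src or you pass `ping -I <lan-address>`, so rules that match only the two LAN ranges do not cover it. The `check_rules` function is the sanity check I would run before loading a rule set: the MASQ rule must be scoped to the external interface and must exclude the peer LAN, and the VPN accept rule must come before it.

```shell
#!/bin/sh
# Added example, not from the original thread: build the ipchains rule set for
# one CIPE endpoint ("Router B" in the thread) with the forward rules in the
# order the first reply asks for.  Every interface name, address and port is
# an assumption chosen to match the thread (192.168.3.0/24 behind Router B,
# 192.168.1.0/24 behind Router A, CIPE on UDP 4040); the external and tunnel
# endpoint addresses are made up.  Override any of them in the environment.
#
# Two caveats the thread runs into:
#  * On the forward chain ipchains' "-i" names the interface the packet will
#    LEAVE by; only on the input chain does it mean "arrived on".  A MASQ rule
#    written with "-i eth0" therefore never matches Internet-bound traffic,
#    which leaves via the external interface, so nothing gets masqueraded.
#  * A ping run on the router itself is sourced from the CIPE interface's own
#    address unless you use "ping -I <lan-ip>"; rules that match only the two
#    LAN ranges do not cover it, so the tunnel endpoints are allowed explicitly.

: "${EXT_IF:=ppp0}"                 # interface towards the Internet (assumed)
: "${LAN_IF:=eth0}"                 # interface towards the local LAN (assumed)
: "${CIPE_IF:=cipcb0}"              # CIPE tunnel interface (from the thread)
: "${MY_EXT:=198.51.100.2}"         # this router's external address (made up)
: "${PEER_EXT:=203.0.113.1}"        # peer router's external address (made up)
: "${CIPE_PORT:=4040}"              # UDP port CIPE listens on (from the thread)
: "${LOCAL_LAN:=192.168.3.0/24}"    # LAN behind this router
: "${REMOTE_LAN:=192.168.1.0/24}"   # LAN behind the peer router
: "${CIPE_LOCAL:=10.9.0.2}"         # this end of the tunnel (made up)
: "${CIPE_PEER:=10.9.0.1}"          # peer end of the tunnel (made up)

# Print the rules, one per line, in the order they must be loaded.
# The input policy is deliberately left alone; only the forward policy is set.
gen_rules() {
    echo "ipchains -F input"
    echo "ipchains -F forward"
    echo "ipchains -P forward DENY"
    # CIPE key exchange and tunnel traffic: UDP between the two external addresses only
    echo "ipchains -A input -i $EXT_IF -p udp -s $PEER_EXT $CIPE_PORT -d $MY_EXT $CIPE_PORT -j ACCEPT"
    # Decrypted traffic arriving from the tunnel: for the LAN, from the peer
    # router's tunnel address, and replies to this router's own tunnel address
    echo "ipchains -A input -i $CIPE_IF -s $REMOTE_LAN -d $LOCAL_LAN -j ACCEPT"
    echo "ipchains -A input -i $CIPE_IF -s $CIPE_PEER -j ACCEPT"
    echo "ipchains -A input -i $CIPE_IF -s $REMOTE_LAN -d $CIPE_LOCAL -j ACCEPT"
    # Forward: VPN traffic first.  "-i" here is the EGRESS interface.
    echo "ipchains -A forward -i $CIPE_IF -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT"
    echo "ipchains -A forward -i $LAN_IF -s $REMOTE_LAN -d $LOCAL_LAN -j ACCEPT"
    # Everything else from the LAN leaves masqueraded via the external
    # interface, with the peer LAN excluded so VPN traffic is never NATed out.
    echo "ipchains -A forward -i $EXT_IF -s $LOCAL_LAN -d ! $REMOTE_LAN -j MASQ"
}

# Sanity check a rule set read from stdin.  Returns 0 if the MASQ rule is
# scoped to the external interface, excludes the peer LAN, and is preceded by
# the VPN accept rule; returns 1 with a reason on stderr otherwise.
check_rules() {
    rules=$(cat)
    masq_line=$(printf '%s\n' "$rules" | grep -n -- ' -j MASQ$' | head -n 1 | cut -d: -f1)
    [ -n "$masq_line" ] || { echo "no MASQ rule found" >&2; return 1; }
    masq_rule=$(printf '%s\n' "$rules" | sed -n "${masq_line}p")
    case $masq_rule in
        *"-i $EXT_IF "*) ;;
        *) echo "MASQ rule is not scoped to egress $EXT_IF (forward -i is the outgoing interface)" >&2; return 1 ;;
    esac
    case $masq_rule in
        *"-d ! $REMOTE_LAN "*) ;;
        *) echo "MASQ rule would masquerade VPN traffic for $REMOTE_LAN onto the Internet" >&2; return 1 ;;
    esac
    vpn_line=$(printf '%s\n' "$rules" | grep -n -- "-A forward .*-d $REMOTE_LAN -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$vpn_line" ] && [ "$vpn_line" -lt "$masq_line" ] \
        || { echo "VPN accept rule must precede the MASQ rule" >&2; return 1; }
    return 0
}

# Usage: ./cipe-rules.sh [show|check|apply]  (default: show)
case ${1:-show} in
    show)  gen_rules ;;
    check) gen_rules | check_rules && echo "rule set looks sane" ;;
    apply) gen_rules | check_rules && gen_rules | sh -e ;;
esac
```

Run it with `check` after changing any variable; the third check reproduces the thread's own mistake, a MASQ rule without `-i ppp0` or without the `-d !` exclusion is reported rather than loaded.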