CIPE 1.4.5 iptables forward rule?
Andrew Grimberg <tykeal,AT,bardicgrove,DOT,org>
Fri, 3 May 2002 19:09:31 +0200
Thanks again to Richard for the previous fix on my server mode problem.
I've got another issue now between a couple of new firewall CIPE tunnel
endpoints that I'm setting up.
Still RedHat 7.2 and CIPE 1.4.5
I've found that if I set the default policy on the FORWARD chain to DROP
I can't pass traffic from the tunnel into my network.
Going with the most basic example. Assume a completely flushed table.
Gateway/FW 1 --- Internet --- Gateway/FW 2 -- Machine 2
MIP = Machine IP addy
Pinging from Gateway 1 to Machine 2:
let's start from ground zero
service iptables stop
causes tables to flush and everything to be set to ACCEPT, forwarding is
Starts to ping
iptables -P FORWARD DROP
the pings stop as expected
iptables -A FORWARD -i cipcb0 -s 192.168.1.0/24 -d 192.168.2.0/24 -o eth1 -j ACCEPT
I expect at this point to see my pings resume, they do not.
Switching it from -j ACCEPT to -j LOG, I start to see in my logs my pings
coming in on cipcb0 and trying to go to eth1, as I figured.
Does anyone have any suggestion as to why this doesn't work?
I've currently got it working in the most ugly of fashions by setting
FORWARD to ACCEPT and then having a final catch-all rule at the end of
the chain to DROP. I don't like this method.
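A FORWARD ruleset for this topology, as an added example that is not part of the original post or of CIPE: it keeps the DROP policy and, besides the tunnel-to-LAN rule quoted above, adds the matching LAN-to-tunnel rule, since the ICMP echo replies from Machine 2 also traverse FORWARD (in on eth1, out cipcb0) and a rule for one direction only leaves them to the DROP policy. It also adds a stateful ESTABLISHED,RELATED rule and a final LOG rule so that anything the policy is about to drop shows up in the log. The interface names cipcb0 and eth1 and the networks 192.168.1.0/24 and 192.168.2.0/24 are taken from the rule in the post; that 192.168.1.0/24 is the far side of the tunnel and 192.168.2.0/24 the LAN behind eth1 is assumed from it. The -m state match needs the ip_conntrack and ipt_state modules of the 2.4 kernel Red Hat 7.2 ships; the function name and the dry-run argument are mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the FORWARD chain
# for a CIPE endpoint that must pass traffic in both directions while the
# chain policy stays DROP.

TUN=cipcb0              # CIPE tunnel interface (from the post)
LAN=eth1                # inside interface (from the post)
TUN_NET=192.168.1.0/24  # assumed: network reached through the tunnel
LAN_NET=192.168.2.0/24  # assumed: network behind eth1 (Machine 2)

# cipe_forward_rules [echo]
#   With "echo" as $1 the iptables commands are only printed (dry run);
#   with no argument they are executed, which needs root.
cipe_forward_rules() {
    run=$1

    # Policy stays DROP; everything not matched below is discarded.
    $run iptables -P FORWARD DROP

    # Replies and related traffic for flows already accepted in one
    # direction. This alone would have let the echo replies back out.
    $run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Tunnel -> LAN: the rule from the post.
    $run iptables -A FORWARD -i "$TUN" -o "$LAN" \
        -s "$TUN_NET" -d "$LAN_NET" -j ACCEPT

    # LAN -> tunnel: the return direction the single rule above lacks.
    # Without it (or the state rule) echo replies from Machine 2 hit the
    # DROP policy on their way back into cipcb0.
    $run iptables -A FORWARD -i "$LAN" -o "$TUN" \
        -s "$LAN_NET" -d "$TUN_NET" -j ACCEPT

    # Log whatever is left; with policy DROP this is exactly the dropped
    # traffic, so a missing return rule shows up here as eth1 -> cipcb0.
    $run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Count the rules a dry run would emit; handy for checking the set
# before applying it on the firewall.
cipe_rule_count() {
    cipe_forward_rules echo | grep -c '^iptables '
}

case "${1:-}" in
    apply) cipe_forward_rules ;;        # run as: sh this.sh apply
    *)     cipe_forward_rules echo ;;   # default: print the commands
esac
```

Run it with no argument first and read the printed commands; `apply` then executes them. Order matters: the state rule sits first so that accepted flows never reach the LOG rule, and the LOG rule sits last so that it records only what the DROP policy would otherwise discard silently.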