Subject: CIPE 1.4.5 iptables forward rule?
From: Andrew Grimberg <tykeal,AT,bardicgrove,DOT,org>
Date: Fri, 3 May 2002 19:09:31 +0200

Thanks again to Richard for the previous fix on my server mode problem.

I've got another issue now between a couple of new firewall CIPE tunnel
endpoints that I'm setting up.

Still RedHat 7.2 and CIPE 1.4.5

I've found that if I set the default policy on the FORWARD chain to DROP
I can't pass traffic from the tunnel into my network.

Going with the most basic example.  Assume a completely flushed table.

Gateway/FW 1 --- Internet --- Gateway/FW 2 -- Machine 2

MIP = Machine IP addy 

Pinging  from Gateway 1 to Machine 2:

(Gateway 2)
let's start from ground zero
service iptables stop

causes tables to flush and everything to be set to ACCEPT, forwarding is
still enabled

(Gateway 1)
ping 192.168.2.103

Starts to ping

(Gateway 2)
iptables -P FORWARD DROP

(Gateway 1)
the pings stop as expected

(Gateway 2)
iptables -A FORWARD -i cipcb0 -s 192.168.1.0/24 -d 192.168.2.0/24 -o eth1 -j ACCEPT

I expect at this point to see my pings resume, they do not.

Switching it from -j ACCEPT to -j LOG, I start to see in my logs my pings
coming in on cipcb0 and trying to go to eth1 as I figured.

Does anyone have any suggestion as to why this doesn't work?

I've currently got it working in the most ugly of fashions by setting
FORWARD to ACCEPT and then having a final catch-all rule at the end of
the chain to DROP.  I don't like this method.

again TIA,
-Andy-
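Added editor's example, not part of the thread: a small model of FORWARD-chain evaluation for the quoted ruleset. The interfaces, subnets and policy are the ones in the post; the Gateway 1 source address 192.168.1.1 and the ESTABLISHED state flag are constructed assumptions. It shows that the single cipcb0-to-eth1 rule admits the echo request while the echo reply, which traverses FORWARD as eth1-to-cipcb0, falls through to the DROP policy unless a return-path (here, state ESTABLISHED) rule is present.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    established: bool = False  # conntrack has already seen the forward direction

@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or LOG (LOG is non-terminating)
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None        # CIDR, like -s 192.168.1.0/24
    dst: Optional[str] = None        # CIDR, like -d 192.168.2.0/24
    state_established: bool = False  # models -m state --state ESTABLISHED,RELATED

    def matches(self, p: Packet) -> bool:
        if self.in_if and p.in_if != self.in_if:
            return False
        if self.out_if and p.out_if != self.out_if:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.state_established or p.established

def forward_verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """First terminating match wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p) and rule.target in ("ACCEPT", "DROP"):
            return rule.target
    return policy

# Constructed traffic for the topology in the post (Gateway 1 address assumed).
ECHO_REQUEST = Packet("cipcb0", "eth1", "192.168.1.1", "192.168.2.103")
ECHO_REPLY = Packet("eth1", "cipcb0", "192.168.2.103", "192.168.1.1", established=True)

# The rule quoted in the post, alone, and with a return-path rule appended.
POSTED_CHAIN = [Rule("ACCEPT", in_if="cipcb0", out_if="eth1",
                     src="192.168.1.0/24", dst="192.168.2.0/24")]
STATEFUL_CHAIN = POSTED_CHAIN + [Rule("ACCEPT", state_established=True)]

def ping_succeeds(chain: List[Rule], policy: str = "DROP") -> bool:
    """Ping needs both directions through FORWARD to be accepted."""
    return (forward_verdict(chain, policy, ECHO_REQUEST) == "ACCEPT"
            and forward_verdict(chain, policy, ECHO_REPLY) == "ACCEPT")
```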