<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>The first method should work, and work more easily, because there is
no NAT (Network Address Translation) to worry about.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>There's no reason the FORWARD rules wouldn't work on public IPs; I
don't think they care at all what IP you give.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>Make sure you don't use MASQUERADE, SNAT or DNAT
rules.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>-A adds the rules to the end of the chain; are there any
earlier rules that might block the public traffic?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>iptables -t filter -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>iptables -t nat -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>iptables -t mangle -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=900412313-02102007><FONT face=Arial
color=#0000ff size=2>Will show you all your firewall rule
details.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
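<DIV dir=ltr align=left><FONT face=Arial size=2>The reply above gives the pieces of a routed, no-NAT setup and the listing commands to debug it. The script below is an added example written for this page by the editor, not code from Peter McGill, Jai Rangi or the Openswan project. It prints a FORWARD ruleset for the public /26 from the question with no MASQUERADE, SNAT or DNAT and with the ACCEPT rules inserted (-I) rather than appended (-A), and it checks saved <CODE>iptables -n -v -L</CODE> output for the two things the reply says to look for: a NAT rule that should not be there, and a DROP/REJECT rule sitting ahead of the ACCEPTs. The interface names eth0 (outside) and eth1 (inside) and the two sample listings are assumptions and constructed inputs, not taken from the thread. One routing caveat the rules do not address: in the first diagram the router's outside address (.197) and the servers (.199-.254) are in the same /26, so the upstream gateway at .193 will ARP for the servers on the outside segment; the router has to answer for them (proxy ARP on the outside interface) or the block has to be subnetted, independently of any iptables rules.</FONT></DIV>

```shell
#!/bin/sh
# Added example for this thread (editor's code, not Peter McGill's or Openswan's):
# a routed, no-NAT FORWARD ruleset for a Linux box in front of a public /26,
# plus two checks on `iptables -n -v -L` output for the problems the reply
# mentions: NAT rules that should not be there, and DROP/REJECT rules that sit
# ahead of the appended ACCEPT rules.
# Assumptions (not stated in the thread): outside interface eth0, inside eth1.
# The public block is the one from the question.

HUB_LAN="216.209.14.192/26"
EXT_IF="eth0"
INT_IF="eth1"

# Print the rules instead of applying them, so they can be reviewed first
# (apply with: ./forward.sh show | sh). No MASQUERADE/SNAT/DNAT: the servers
# keep their public addresses and are reachable from outside directly.
# -I inserts at the top of FORWARD so an older appended rule cannot shadow these.
emit_forward_rules() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -F" \
        "iptables -P FORWARD DROP" \
        "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -I FORWARD 2 -i $INT_IF -o $EXT_IF -s $HUB_LAN -j ACCEPT" \
        "iptables -I FORWARD 3 -i $EXT_IF -o $INT_IF -d $HUB_LAN -j ACCEPT"
}

# Read the output of `iptables -t nat -n -v -L` on stdin. Return 0 when no
# MASQUERADE, SNAT or DNAT target is present, 1 otherwise. With -v the target is
# the third column (pkts bytes target prot opt in out source destination).
nat_table_is_clean() {
    n=$(awk '$3 ~ /^(MASQUERADE|SNAT|DNAT)$/ { c++ } END { print c+0 }')
    [ "$n" -eq 0 ]
}

# Read the output of `iptables -t filter -n -v -L FORWARD` on stdin and print how
# many DROP/REJECT rules come before the first ACCEPT whose source or destination
# is $1. Because -A appends, every rule counted here is evaluated first and may
# be what is eating the public traffic; each one deserves a look.
drops_before_accept() {
    awk -v net="$1" '
        /^Chain/ || /^ *pkts/                      { next }   # chain and column headers
        $3 == "ACCEPT" && ($8 == net || $9 == net) { exit }
        $3 == "DROP" || $3 == "REJECT"             { c++ }
        END { print c+0 }'
}

# Constructed sample output (not captured from the poster's box) in which an
# earlier appended DROP shadows the two public-block ACCEPT rules.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   960 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       216.209.14.192/26    0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            216.209.14.192/26'

# Constructed nat table with a leftover MASQUERADE rule from the 192.168.1.0/24
# experiment; it must be removed before the public block is routed.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

if [ "${1:-}" = "show" ]; then
    emit_forward_rules
else
    # No argument: run both checks against the constructed samples above.
    if printf '%s\n' "$SAMPLE_NAT" | nat_table_is_clean; then
        echo "nat table: clean"
    else
        echo "nat table: MASQUERADE/SNAT/DNAT present, remove before routing the public block"
    fi
    echo "DROP/REJECT rules ahead of the public ACCEPT: $(printf '%s\n' "$SAMPLE_FORWARD" | drops_before_accept "$HUB_LAN")"
fi
```

<DIV dir=ltr align=left><FONT face=Arial size=2>On the real router the checks are fed the live listings, for example <CODE>iptables -t nat -n -v -L | sh -c '. ./forward.sh; nat_table_is_clean'</CODE>, and <CODE>iptables -t filter -n -v -L FORWARD</CODE> piped into <CODE>drops_before_accept</CODE> the same way. The counter columns that -v adds are worth reading alongside: a DROP rule ahead of the ACCEPTs whose pkts count is climbing is the one to move or delete.</FONT></DIV>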
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Jai
Rangi<BR><B>Sent:</B> October 2, 2007 2:56 AM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Firewall,Routing and
Tunneling between public networks<BR></FONT><BR></DIV>
<DIV></DIV>Hello List,<BR>I am trying to set up a Linux server as a
router/firewall and set up SIP tunneling between two public networks. <BR>My
diagram will be something like this:<BR>Internet <-----> Linux Router
<--------------> My internal network with public IPs. <BR>Say my network
IPs are <A href="http://216.209.14.192/26">216.209.14.192/26</A> <BR>I tried
this setup.<BR><BR>Internet <----> <A
href="http://216.209.14.197">216.209.14.197</A> (ExtIP <- Default Gateway
<A href="http://216.209.14.193">216.209.14.193</A> Router -> Internal IP)
<A href="http://216.209.14.198">216.209.14.198</A> <------> My servers,
connected through a switch, with IPs 216.209.14.199-254 and default gateway <A
href="http://216.209.14.198">216.209.14.198</A>. <BR>This setup did not work.
<BR><BR>If I do this<BR>Internet <----> <A
href="http://216.209.14.197">216.209.14.197</A> (ExtIP <- Default Gateway
<A href="http://216.209.14.193">216.209.14.193</A> Router -> Internal IP)
<A href="http://192.168.1.1">192.168.1.1</A> <------> My servers,
connected through a switch, with IPs 192.168.1.199-254 and default gateway <A
href="http://192.168.1.1">192.168.1.1</A>.<BR><BR>I can go out through IP
forwarding like this:<BR>iptables -P FORWARD DROP<BR>iptables -A FORWARD -s
${HUB_LAN} -j ACCEPT<BR>iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
<BR><BR>These rules do not work with public IPs. <BR><BR>My other questions
are:<BR>1. Can I use racoon for SIP tunneling? Is there any limit on the number of
sessions? I bought a Juniper router and found out that the router supports only 16
channels. I need to support at least 400 SIP channels. <BR>2. I have seen a
lot of documentation on setting up masquerading and IP forwarding. I made it
work, but that does not solve my purpose. I need to assign public IPs to my
machines behind the router so that the outside world can access those machines
through the router directly. <BR>3. I need to have tunneling with one service
provider for network <A href="http://56.211.34.23/27">56.211.34.23/27</A>. For the
rest of the world I want the traffic to go through the router without any
modification. I might want to add some firewall rules later for some specific
ports. <BR><BR>I would appreciate it if someone can give me some lead on how I can
achieve this. <BR><BR>Thank you,<BR>JP<BR></BLOCKQUOTE></BODY></HTML>