Peter, <br>Thank you for looking in this. <br><div dir="ltr" align="left"><span style="color: rgb(0, 0, 0);"><font face="Arial" size="2">I restarted my machine and now I am able to ping from <a href="http://216.209.3.192/27">
216.209.3.192/27</a> network, if I define the routing table. In another server <a href="http://216.209.3.201">216.209.3.201</a>, I add the rule in the routing table. <br><span style="font-weight: bold;"><a href="http://206.216.3.224">
206.216.3.224</a> </span></font><font style="font-weight: bold;" face="Arial" size="2">206.216.3</font><font face="Arial" size="2"><span style="font-weight: bold;">.212 <a href="http://255.255.255.240">255.255.255.240
</a> UG 0 0 0 eth0</span><br></font><font face="Arial" size="2">206.216.3</font><font face="Arial" size="2">.192 * <a href="http://255.255.255.192">255.255.255.192</a> U 0 0 0 eth0
<br><a href="http://192.168.2.0">192.168.2.0</a> * <a href="http://255.255.255.0">255.255.255.0</a> U 0 0 0 eth1<br><a href="http://192.168.1.0">192.168.1.0</a> * <a href="http://255.255.255.0">
255.255.255.0</a> U 0 0 0 eth1<br><a href="http://169.254.0.0">169.254.0.0</a> * <a href="http://255.255.0.0">255.255.0.0</a> U 0 0 0 eth1<br>default </font>
<font face="Arial" size="2">206.216.3</font><font face="Arial" size="2">.193 <a href="http://0.0.0.0">0.0.0.0</a> UG 0 0 0 eth0<br><br>I can ping <a href="http://216.209.3.235">216.209.3.235</a> from
<a href="http://216.209.2.201">216.209.2.201</a> and vise versa<br><br><span style="color: rgb(0, 0, 0);">Internet router <---> (</span></font><font style="color: rgb(0, 0, 0);" face="Arial" size="2"><a href="http://206.216.3.192/26">
206.216.3.192/26</a> network and router is one of them </font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">206.216.3</font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">.212) </font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">
<a href="http://206.216.3.224/28">206.216.3.224/28</a> is behind the router. <br>So this works. <br></font><font style="color: rgb(0, 0, 0);" face="Arial" size="2"><a href="http://206.216.3.201">206.216.3.201</a> ---- router
</font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">206.216.3212 (eth0) </font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">206.216.3.225(eth1) ----- </font><font style="color: rgb(0, 0, 0);" face="Arial" size="2">
206.216.3.224.235 with gateway <a href="http://216.209.3.225">216.209.3.225</a></font></span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"><font face="Arial" size="2"><br>But when I try ping something on internet from
</font></span><span><font color="#0000ff" face="Arial" size="2"><span style="color: rgb(0, 0, 0);"><a href="http://206.216.3.235">206.216.3.235</a>. Seems the traffic goes out but does not find the way to come back. This is what I get from tcpdump on my router..
</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">[root@bser2 sysconfig]# tcpdump | grep "235\|158"</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:
01.092356 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:03.105456 IP <a href="http://216.209.3.235">
216.209.3.235</a> > <a href="http://f1.www.vip.sp1.yahoo.com">f1.www.vip.sp1.yahoo.com</a>: ICMP echo request, id 512, seq 23041, length 40</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:
03.105939 IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain: 43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:03.117544 arp who-has
<a href="http://216.209.3.235">216.209.3.235</a> tell <a href="http://216.209.3.194">216.209.3.194</a></span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:03.158959 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms
> bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:03.158972 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms
: . ack 3277 win 12168</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:04.101588 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168</span><br style="color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0);">22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain: 1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">
22:04:04.556305 IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa: 1587- 0/5/1 (154)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:08.472526 IP <a href="http://216.209.3.235">
216.209.3.235</a> > <a href="http://f1.www.vip.sp1.yahoo.com">f1.www.vip.sp1.yahoo.com</a>: ICMP echo request, id 512, seq 23297, length 40</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:
08.483996 arp who-has <a href="http://216.209.3.235">216.209.3.235</a> tell <a href="http://216.209.3.194">216.209.3.194</a></span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:13.480338 IP <a href="http://216.209.3.235">
216.209.3.235</a> > <a href="http://f1.www.vip.sp1.yahoo.com">f1.www.vip.sp1.yahoo.com</a>: ICMP echo request, id 512, seq 23553, length 40</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:
13.492228 arp who-has <a href="http://216.209.3.235">216.209.3.235</a> tell <a href="http://216.209.3.194">216.209.3.194</a></span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:15.475158 IP bser2.bingotelecom.com.24646
> ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:18.488138 IP <a href="http://216.209.3.235">216.209.3.235</a> > <a href="http://f1.www.vip.sp1.yahoo.com">
f1.www.vip.sp1.yahoo.com</a>: ICMP echo request, id 512, seq 23809, length 40</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">22:04:18.499693 arp who-has <a href="http://216.209.3.235">216.209.3.235
</a> tell <a href="http://216.209.3.194">216.209.3.194</a></span><br><br></font></span><span><font color="#0000ff" face="Arial" size="2"><br>Is your windows firewall enabled or configured to allow the
traffic you want to allow?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Windows firewall has a pretty strict default configuration
on XP SP2 and up.<br><span style="color: rgb(0, 0, 0);">My Windows firewall is open and I can ping that from my router. </span><br></font></span></div>
<div dir="ltr" align="left"><span></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Is forwarding enabled in your kernel?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">cat /proc/sys/net/ipv4/ip_forward</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">echo "1" >
/proc/sys/net/ipv4/ip_forward</font></span></div>
<div dir="ltr" align="left"><span></span> Yes<br><br></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Does your internet router <a href="http://216.209.3.193/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.193
</a>
know to forward
traffic for <a href="http://216.209.3.224/28" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.224/28</a> to <a href="http://216.209.3.212/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.212</a> (ie. use .212
as gateway/route for .224/28)?<br><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">OK, This might be the case, cause </span></font></span><span><font color="#0000ff" face="Arial" size="2"><a style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);" href="http://216.209.3.193/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.19</a><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">3 is managed by my internet service provider. They have given me a cable that goes in one of my switch. My network from ISP is <a href="http://216.209.3.192/26">
216.209.3.192/26</a>, which I was sub dividing to build my Linux router. </span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
<a href="http://216.209.3.192/27">216.209.3.192/27</a> outside of router and <a href="http://219.209.3.224/28">219.209.3.224/28</a> behind the router. </span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
</font></span><span><font color="#0000ff" face="Arial" size="2"><br><br></font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Is your internet router's firewall configured also to allow
this traffic through it?</font></span></div>
<div dir="ltr" align="left"><span></span> <br>Yes, I am getting traffic for my all other IPs <br></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Do you have any iptables mangle or nat rules, you only
showed your filter (default) table?<br><br><span style="color: rgb(0, 0, 0);">No, Mangle and NO Nat, </span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">[root@bser2
~]# iptables -t mangle -L -n -v</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">
pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"> pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0);">Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"> pkts bytes target prot opt in out source destination
</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">
pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"> pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">
[root@bser2 ~]# iptables -t nat -L -n -v</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">
pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);">Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"> pkts bytes target prot opt in out source destination</span><br style="color: rgb(0, 0, 0);"><br style="color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0);">Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)</span><br style="color: rgb(0, 0, 0);"><span style="color: rgb(0, 0, 0);"> pkts bytes target prot opt in out source destination
</span><br style="color: rgb(0, 0, 0);"><br></font></span></div><br><br><div><span class="gmail_quote">On 10/3/07, <b class="gmail_sendername">Peter McGill</b> <<a href="mailto:petermcgill@goco.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
petermcgill@goco.net</a>
> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">It doesn't look like an iptables/firewall issue, since your
chains seem to accept everything it needs to.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">However you can check your log for dropped
packets to be sure.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">grep 'kernel: IN=' /var/log/*</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">If you see any packets in there that match packets you want
to allow then there is a misconfiguration.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">According to your ifconfig and route, you are doing
this:</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Public Internet Interface: eth0</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">IP Address: <a href="http://216.209.3.212" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.212</a></font></span>
</div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Network: <a href="http://216.209.3.192/27" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/27</a></font></span>
</div>
<div dir="ltr" align="left"><span> <font color="#0000ff" face="Arial" size="2">Netmask: <a href="http://255.255.255.224" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.224</a></font>
</span></div>
<div dir="ltr" align="left"><span> <font color="#0000ff" face="Arial" size="2">IP Address Range:
216.209.3.193-216.209.3.223</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Gateway: <a href="http://216.209.3.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.193</a></font></span>
</div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">LAN Interface: eth1</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">IP Address: <a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.225</a></font></span>
</div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Network: <a href="http://216.209.3.224/28" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.224/28</a></font></span>
</div><span><font>
<div dir="ltr" align="left"><span><font face="Arial"><font color="#0000ff" size="2"> Netmask:
<a href="http://255.255.255.240" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.240</a></font></font></span></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2">
IP Address Range: 216.209.3.225-216.209.239</font></div>
<div dir="ltr" align="left"></div></font></span><span><span><font color="#0000ff" face="Arial" size="2">Gateway: <a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.225</a></font></span></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">This looks correct also matching your text description and
your Windows network configuration also looks correct.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Is your windows firewall enabled or configured to allow the
traffic you want to allow?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Windows firewall has a pretty strict default configuration
on XP SP2 and up.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Is forwarding enabled in your kernel?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">cat /proc/sys/net/ipv4/ip_forward</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">echo "1" >
/proc/sys/net/ipv4/ip_forward</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Does your internet router <a href="http://216.209.3.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.193</a>
know to forward
traffic for <a href="http://216.209.3.224/28" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.224/28</a> to <a href="http://216.209.3.212" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.212</a> (ie. use .212
as gateway/route for .224/28)?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Is your internet router's firewall configured also to allow
this traffic through it?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Do you have any iptables mangle or nat rules, you only
showed your filter (default) table?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div><font face="Arial" size="2"></font><font face="Arial" size="2"></font><font face="Arial" size="2"></font><font face="Arial" size="2"></font><font face="Arial" size="2">
</font><font face="Arial" size="2"></font><font face="Arial" size="2"></font><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> Jai Rangi [mailto:<a href="mailto:jprangi@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">jprangi@gmail.com</a>]
<br><b>Sent:</b> October 3, 2007 2:05 AM<br><b>To:</b>
<a href="mailto:petermcgill@goco.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">petermcgill@goco.net</a><br><b>Cc:</b> <a href="mailto:users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
users@openswan.org</a><br><b>Subject:</b> Re:
[Openswan Users] Firewall,Routing and Tunneling between public
networks<br></font><br></div><div><span>
<div></div>Hello, <br><br>I am running FC5 on my router. I have feeling the I
am missing some thing really simple btu now I am ready to pull my hairs if I
don't get the solution.... At this point my first target to setup my
Linux box as a router and my machines behind the router with Public IP should
be available to the outside world. Below are my configuration.
<br><br>[root@bser2 sysconfig]# iptables -L -n -v<br>Chain INPUT (policy DROP
0 packets, 0 bytes)<br> pkts bytes target prot
opt in out
source
destination<br> 4 336
ACCEPT icmp -- *
* <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a><br> 45 3944
ACCEPT tcp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> tcp
dpts:6000:65535<br> 0 0
ACCEPT udp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> udp
dpts:2048:5799 <br> 0 0
ACCEPT udp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> udp
dpts:6000:65535<br> 0 0
ACCEPT udp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> udp
dpt:53<br> 0 0
ACCEPT udp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a>
udp dpt:53<br> 0 0
ACCEPT tcp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> tcp
dpt:53<br> 0 0
ACCEPT tcp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a>
tcp dpt:53<br> 0 0
ACCEPT tcp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> tcp
dpt:80<br> 0 0
ACCEPT tcp --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> tcp
dpt:443<br> 0 0
ACCEPT all --
* * <a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
0.0.0.0/0</a><br>
0 0 ACCEPT all --
* * <a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/26</a> <a href="http://216.209.3.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.192/26</a><br>
0 0 ACCEPT all --
* * <a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a>
<a href="http://192.168.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0/24</a><br>
0 0 ACCEPT all --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://255.255.255.255" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.255 </a><br>
0 0 ACCEPT all --
lo * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a><br><br>Chain FORWARD (policy DROP 0
packets, 0 bytes)<br> pkts bytes target prot opt
in out
source
destination <br> 0 0
ACCEPT all -- eth0
eth1 <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a><br>
0 0 ACCEPT all --
eth1 eth0 <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a><br><br>Chain OUTPUT (policy ACCEPT 50
packets, 5644 bytes)<br> pkts bytes target prot
opt in out
source
destination<br><br>Chain spoof (0 references) <br> pkts bytes
target prot opt in
out
source
destination<br> 0 0
LOG all --
* * <a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0
</a> limit: avg
5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '<br>
0 0 DROP all
-- * *
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0</a>
<a href="http://0.0.0.0/0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0/0 </a><br>[root@bser2
sysconfig]#<br>[root@bser2 sysconfig]# ifconfig
eth0<br>eth0 Link encap:Ethernet HWaddr
00:15:C5:EB:68:D0<br>
inet addr:<a href="http://216.209.3.212" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.212</a> Bcast:<a href="http://216.209.3.223" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.223</a> Mask:<a href="http://255.255.255.224" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.224</a><br>
inet6 addr: fe80::215:c5ff:feeb:68d0/64
Scope:Link<br> UP
BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br> RX
packets:23087 errors:0 dropped:0 overruns:0 frame:0
<br> TX packets:21531
errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0
txqueuelen:1000<br> RX
bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1
MiB)<br> Interrupt:16
Memory:f4000000-f4011100 <br><br>[root@bser2 sysconfig]# ifconfig
eth1<br>eth1 Link encap:Ethernet HWaddr
00:15:C5:EB:68:CE<br>
inet addr:<a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.225</a> Bcast:<a href="http://216.209.3.239" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.239 </a> Mask:<a href="http://255.255.255.240" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.240</a><br>
inet6 addr: fe80::215:c5ff:feeb:68ce/64
Scope:Link<br> UP
BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br> RX
packets:6479 errors:0 dropped:0 overruns:0 frame:0
<br> TX packets:8083
errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0
txqueuelen:1000<br> RX
bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2
KiB)<br> Interrupt:16
Memory:f8000000-f8011100 <br><br>[root@bser2 sysconfig]# route<br>Kernel IP
routing table<br>Destination
Gateway
Genmask Flags Metric
Ref Use Iface<br><a href="http://216.209.3.224" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.224</a> <a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.225</a> <a href="http://255.255.255.240" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.240</a> UG
0 0 0
eth1<br><a href="http://216.209.3.192" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192</a>
*
<a href="http://255.255.255.224" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.224</a> U
0 0 0
eth0<br><a href="http://169.254.0.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">169.254.0.0</a>
*
<a href="http://255.255.0.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.0.0</a>
U 0
0 0
eth1<br>default <a href="http://216.209.3.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.193</a> <a href="http://0.0.0.0" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
0.0.0.0</a>
UG 0
0 0 eth0<br>[root@bser2
sysconfig]#<br><br>I think I am missing something in my routing table.
<br><br>So my network are <br><br>Internet <----------> ( <a href="http://216.209.3.192/27" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/27</a>, GW <a href="http://216.209.3.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
216.209.3.193</a> on Eth0 and <a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.225</a> on eth1) <----------->
<Network behind the router <a href="http://216.209.3.224/28" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.224/28</a> ><br><br><br>Inernet
configuration for internal machines are<br><br>C:\Documents and Settings\Jai
Rangi>ipconfig<br><br>Windows IP Configuration<br><br><br>Ethernet adapter
Local Area Connection: <br><br>
Connection-specific DNS Suffix .
:<br> IP Address. . . . . . . . . .
. . : <a href="http://216.209.3.235" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.235</a><br>
Subnet Mask . . . . . . . . . . . : <a href="http://255.255.255.240" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">255.255.255.240</a><br>
Default Gateway . . . . . . . . . : <a href="http://216.209.3.225" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.225</a><br><br>C:\Documents and
Settings\Jai Rangi><br><br>I can ping from internet to <a href="http://216.209.3.192/27" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.192/27</a> network. <br>I can not
ping <a href="http://216.209.3.225/28" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.3.225/28</a> network from
internet which is behind internet. <br>I can ping internal machine from
router. <br>I can ping router from internal machine. <br><br><br>I will
appreciate if you can please give me some hint what I am doing wrong here.
<br><br>Thank you,<br>-Jai<br><br><br><br><br><br>
<div><span class="gmail_quote">On 10/2/07, <b class="gmail_sendername">Peter
McGill </b><<a href="mailto:petermcgill@goco.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">petermcgill@goco.net</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">First
method should work, and work easier because there is no NAT (Network Address
Translation) to worry about.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">No
reason the FORWARD rules wouldn't work on Public IPs, I don't think they
care at all what IP you give.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Make
sure you don't use MASQUERADE, SNAT or DNAT rules.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">-A adds
the rules to the end of the chain, are there any earlier rules that might
block the public traffic?</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">iptables
-t filter -n -v -L</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">iptables
-t nat -n -v -L</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">iptables
-t mangle -n -v -L</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Will
show you all your firewall rule details.</font></span></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div><font face="Arial" size="2"></font><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> <a href="mailto:users-bounces@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">users-bounces@openswan.org</a> [mailto:<a href="mailto:users-bounces@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
users-bounces@openswan.org</a>] <b>On Behalf Of </b>Jai
Rangi<br><b>Sent:</b> October 2, 2007 2:56 AM<br><b>To:</b> <a href="mailto:users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">users@openswan.org</a><br><b>Subject:</b> [Openswan Users]
Firewall,Routing and Tunneling between public
networks<br></font><br></div>
<div><span>
<div></div>Hello List,<br>I am trying to set up a linux server as a
router/firewall and set up a SIP tunneling between two public networks.
<br>My Diagram will be something like this<br>Internet <-----> Linux
Router <--------------> My Internal Network with Public IPs. <br>Say
My Network IPs are <a href="http://216.209.14.192/26" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.192/26</a> <br>I
tried this setup.<br><br>Internet <----> <a href="http://216.209.14.197" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.197</a> (ExtIP <-
Default Gateway <a href="http://216.209.14.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.193</a> Router ->
Internal IP) <a href="http://216.209.14.198" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.198</a>
<------> My Servers connected through a switch with IPs
216.209.14.199-254 with Default Gateway <a href="http://216.209.14.198" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.198</a>. <br>This
set up did not work. <br><br>If I do this<br>Internet <----> <a href="http://216.209.14.197" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.197</a> (ExtIP <-
Default Gateway <a href="http://216.209.14.193" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">216.209.14.193</a> Router ->
Internal IP) <a href="http://192.168.1.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.1.1</a> <------> My
Servers connected through a switch with IPs 192.168.1.199-254 with Default
Gateway <a href="http://192.168.1.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.1.1</a>.<br><br>I can go
out through ip forwarding like this... <br>iptables -P FORWARD
DROP<br>iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT<br>iptables -A FORWARD
-d ${HUB_LAN} -j ACCEPT <br><br>These rules does not work with public IPs.
<br><br>My Other Questions are<br>1. Can I use racoon for SIP tunneling,
is there any limit on number of sessions. Bought a juniper router and
found out that the router supports on 16 channels. I need to support at
least 400 SIP channels. <br>2. I have seen a lot of documentation of
setting up Masquarding and IP Forwarding. I made it work but that does not
solve my purpose. I need to assign Public IP to the my machines behind the
router so that outside world can access those machines through router
directly. <br>3. I need to have tunneling with one service provider for
network <a href="http://56.211.34.23/27" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">56.211.34.23/27</a>. For rest
of the world I want the traffic to go through the router without any
modification. I might want to add some firewall rules later for some
specific port. <br><br>I will appreciate if some one can give me some lead
on how can I achieve this. <br><br>Thank
you,<br>JP<br></span></div></blockquote></div></blockquote></div><br></span></div></blockquote>
</blockquote></div><br>