<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>It doesn't look like an iptables/firewall issue, since your
chains seem to accept everything it needs to.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>However you can check your log for dropped
packets to be sure.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>grep 'kernel: IN=' /var/log/*</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>If you see any packets in there that match packets you want
to allow then there is a misconfiguration.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>According to your ifconfig and route, you are doing
this:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Public Internet Interface: eth0</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>IP Address: 216.209.3.212</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Network: 216.209.3.192/27</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007> <FONT
face=Arial color=#0000ff size=2>Netmask: 255.255.255.224</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007> <FONT
face=Arial color=#0000ff size=2>IP Address Range:
216.209.3.193-216.209.3.223</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Gateway: 216.209.3.193</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>LAN Interface: eth1</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>IP Address: 216.209.3.225</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Network: 216.209.3.224/28</FONT></SPAN></DIV><SPAN
class=680501413-03102007><FONT>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial><FONT
color=#0000ff size=2> Netmask:
255.255.255.240</FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2>
IP Address Range: 216.209.3.225-216.209.239</FONT></DIV>
<DIV dir=ltr align=left></FONT></SPAN><SPAN class=680501413-03102007><FONT
face=Arial color=#0000ff size=2>Gateway: 216.209.3.225</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>This looks correct also matching your text description and
your Windows network configuration also looks correct.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Is your windows firewall enabled or configured to allow the
traffic you want to allow?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Windows firewall has a pretty strict default configuration
on XP SP2 and up.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Is forwarding enabled in your kernel?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>cat /proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>echo "1" >
/proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Does your internet router 216.209.3.193 know to forward
traffic for 216.209.3.224/28 to 216.209.3.212 (ie. use .212
as gateway/route for .224/28)?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Is your internet router's firewall configured also to allow
this traffic through it?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2>Do you have any iptables mangle or nat rules, you only
showed your filter (default) table?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=680501413-03102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT face=Arial
size=2></FONT><FONT face=Arial size=2></FONT><FONT face=Arial
size=2></FONT><FONT face=Arial size=2></FONT><FONT face=Arial
size=2></FONT><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Jai Rangi [mailto:jprangi@gmail.com]
<BR><B>Sent:</B> October 3, 2007 2:05 AM<BR><B>To:</B>
petermcgill@goco.net<BR><B>Cc:</B> users@openswan.org<BR><B>Subject:</B> Re:
[Openswan Users] Firewall,Routing and Tunneling between public
networks<BR></FONT><BR></DIV>
<DIV></DIV>Hello, <BR><BR>I am running FC5 on my router. I have feeling the I
am missing some thing really simple btu now I am ready to pull my hairs if I
don't get the solution.... At this point my first target to setup my
Linux box as a router and my machines behind the router with Public IP should
be available to the outside world. Below are my configuration.
<BR><BR>[root@bser2 sysconfig]# iptables -L -n -v<BR>Chain INPUT (policy DROP
0 packets, 0 bytes)<BR> pkts bytes target prot
opt in out
source
destination<BR> 4 336
ACCEPT icmp -- *
* <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0</A><BR> 45 3944
ACCEPT tcp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> tcp
dpts:6000:65535<BR> 0 0
ACCEPT udp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> udp
dpts:2048:5799 <BR> 0 0
ACCEPT udp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> udp
dpts:6000:65535<BR> 0 0
ACCEPT udp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> udp
dpt:53<BR> 0 0
ACCEPT udp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A
href="http://192.168.2.0/24">192.168.2.0/24</A>
udp dpt:53<BR> 0 0
ACCEPT tcp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> tcp
dpt:53<BR> 0 0
ACCEPT tcp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A
href="http://192.168.2.0/24">192.168.2.0/24</A>
tcp dpt:53<BR> 0 0
ACCEPT tcp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> tcp
dpt:80<BR> 0 0
ACCEPT tcp --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://216.209.3.192/26">216.209.3.192/26</A> tcp
dpt:443<BR> 0 0
ACCEPT all --
* * <A
href="http://216.209.3.192/26">216.209.3.192/26</A> <A
href="http://0.0.0.0/0">0.0.0.0/0</A><BR>
0 0 ACCEPT all --
* * <A
href="http://216.209.3.192/26">216.209.3.192/26</A> <A
href="http://216.209.3.192/26">216.209.3.192/26</A><BR>
0 0 ACCEPT all --
* * <A
href="http://192.168.2.0/24">192.168.2.0/24</A>
<A href="http://192.168.2.0/24">192.168.2.0/24</A><BR>
0 0 ACCEPT all --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://255.255.255.255">255.255.255.255 </A><BR>
0 0 ACCEPT all --
lo * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0</A><BR><BR>Chain FORWARD (policy DROP 0
packets, 0 bytes)<BR> pkts bytes target prot opt
in out
source
destination <BR> 0 0
ACCEPT all -- eth0
eth1 <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0</A><BR>
0 0 ACCEPT all --
eth1 eth0 <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0</A><BR><BR>Chain OUTPUT (policy ACCEPT 50
packets, 5644 bytes)<BR> pkts bytes target prot
opt in out
source
destination<BR><BR>Chain spoof (0 references) <BR> pkts bytes
target prot opt in
out
source
destination<BR> 0 0
LOG all --
* * <A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0
</A> limit: avg
5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '<BR>
0 0 DROP all
-- * *
<A
href="http://0.0.0.0/0">0.0.0.0/0</A>
<A href="http://0.0.0.0/0">0.0.0.0/0 </A><BR>[root@bser2
sysconfig]#<BR>[root@bser2 sysconfig]# ifconfig
eth0<BR>eth0 Link encap:Ethernet HWaddr
00:15:C5:EB:68:D0<BR>
inet addr:<A href="http://216.209.3.212">216.209.3.212</A> Bcast:<A
href="http://216.209.3.223"> 216.209.3.223</A> Mask:<A
href="http://255.255.255.224">255.255.255.224</A><BR>
inet6 addr: fe80::215:c5ff:feeb:68d0/64
Scope:Link<BR> UP
BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<BR> RX
packets:23087 errors:0 dropped:0 overruns:0 frame:0
<BR> TX packets:21531
errors:0 dropped:0 overruns:0
carrier:0<BR>
collisions:0
txqueuelen:1000<BR> RX
bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1
MiB)<BR> Interrupt:16
Memory:f4000000-f4011100 <BR><BR>[root@bser2 sysconfig]# ifconfig
eth1<BR>eth1 Link encap:Ethernet HWaddr
00:15:C5:EB:68:CE<BR>
inet addr:<A href="http://216.209.3.225">216.209.3.225</A> Bcast:<A
href="http://216.209.3.239">216.209.3.239 </A> Mask:<A
href="http://255.255.255.240">255.255.255.240</A><BR>
inet6 addr: fe80::215:c5ff:feeb:68ce/64
Scope:Link<BR> UP
BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<BR> RX
packets:6479 errors:0 dropped:0 overruns:0 frame:0
<BR> TX packets:8083
errors:0 dropped:0 overruns:0
carrier:0<BR>
collisions:0
txqueuelen:1000<BR> RX
bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2
KiB)<BR> Interrupt:16
Memory:f8000000-f8011100 <BR><BR>[root@bser2 sysconfig]# route<BR>Kernel IP
routing table<BR>Destination
Gateway
Genmask Flags Metric
Ref Use Iface<BR><A
href="http://216.209.3.224">216.209.3.224</A> <A
href="http://216.209.3.225">216.209.3.225</A> <A
href="http://255.255.255.240">255.255.255.240</A> UG
0 0 0
eth1<BR><A href="http://216.209.3.192">216.209.3.192</A>
*
<A href="http://255.255.255.224">255.255.255.224</A> U
0 0 0
eth0<BR><A href="http://169.254.0.0">169.254.0.0</A>
*
<A href="http://255.255.0.0">255.255.0.0</A>
U 0
0 0
eth1<BR>default <A
href="http://216.209.3.193">216.209.3.193</A> <A
href="http://0.0.0.0">0.0.0.0</A>
UG 0
0 0 eth0<BR>[root@bser2
sysconfig]#<BR><BR>I think I am missing something in my routing table.
<BR><BR>So my network are <BR><BR>Internet <----------> ( <A
href="http://216.209.3.192/27">216.209.3.192/27</A>, GW <A
href="http://216.209.3.193">216.209.3.193</A> on Eth0 and <A
href="http://216.209.3.225">216.209.3.225</A> on eth1) <----------->
<Network behind the router <A
href="http://216.209.3.224/28">216.209.3.224/28</A> ><BR><BR><BR>Inernet
configuration for internal machines are<BR><BR>C:\Documents and Settings\Jai
Rangi>ipconfig<BR><BR>Windows IP Configuration<BR><BR><BR>Ethernet adapter
Local Area Connection: <BR><BR>
Connection-specific DNS Suffix .
:<BR> IP Address. . . . . . . . . .
. . : <A
href="http://216.209.3.235">216.209.3.235</A><BR>
Subnet Mask . . . . . . . . . . . : <A
href="http://255.255.255.240">255.255.255.240</A><BR>
Default Gateway . . . . . . . . . : <A
href="http://216.209.3.225">216.209.3.225</A><BR><BR>C:\Documents and
Settings\Jai Rangi><BR><BR>I can ping from internet to <A
href="http://216.209.3.192/27">216.209.3.192/27</A> network. <BR>I can not
ping <A href="http://216.209.3.225/28">216.209.3.225/28</A> network from
internet which is behind internet. <BR>I can ping internal machine from
router. <BR>I can ping router from internal machine. <BR><BR><BR>I will
appreciate if you can please give me some hint what I am doing wrong here.
<BR><BR>Thank you,<BR>-Jai<BR><BR><BR><BR><BR><BR>
<DIV><SPAN class=gmail_quote>On 10/2/07, <B class=gmail_sendername>Peter
McGill </B><<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>First
method should work, and work easier because there is no NAT (Network Address
Translation) to worry about.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>No
reason the FORWARD rules wouldn't work on Public IPs, I don't think they
care at all what IP you give.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Make
sure you don't use MASQUERADE, SNAT or DNAT rules.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>-A adds
the rules to the end of the chain, are there any earlier rules that might
block the public traffic?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t filter -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t nat -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>iptables
-t mangle -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Will
show you all your firewall rule details.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT
face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A> [mailto:<A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A>] <B>On Behalf Of </B>Jai
Rangi<BR><B>Sent:</B> October 2, 2007 2:56 AM<BR><B>To:</B> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> [Openswan Users]
Firewall,Routing and Tunneling between public
networks<BR></FONT><BR></DIV>
<DIV><SPAN class=e id=q_11560e921ce94bc4_1>
<DIV></DIV>Hello List,<BR>I am trying to set up a linux server as a
router/firewall and set up a SIP tunneling between two public networks.
<BR>My Diagram will be something like this<BR>Internet <-----> Linux
Router <--------------> My Internal Network with Public IPs. <BR>Say
My Network IPs are <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.192/26" target=_blank>216.209.14.192/26</A> <BR>I
tried this setup.<BR><BR>Internet <----> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.197" target=_blank>216.209.14.197</A> (ExtIP <-
Default Gateway <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.193" target=_blank>216.209.14.193</A> Router ->
Internal IP) <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.198" target=_blank>216.209.14.198</A>
<------> My Servers connected through a switch with IPs
216.209.14.199-254 with Default Gateway <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.198" target=_blank>216.209.14.198</A>. <BR>This
set up did not work. <BR><BR>If I do this<BR>Internet <----> <A
onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.197" target=_blank>216.209.14.197</A> (ExtIP <-
Default Gateway <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://216.209.14.193" target=_blank>216.209.14.193</A> Router ->
Internal IP) <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://192.168.1.1" target=_blank>192.168.1.1</A> <------> My
Servers connected through a switch with IPs 192.168.1.199-254 with Default
Gateway <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://192.168.1.1" target=_blank>192.168.1.1</A>.<BR><BR>I can go
out through ip forwarding like this... <BR>iptables -P FORWARD
DROP<BR>iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT<BR>iptables -A FORWARD
-d ${HUB_LAN} -j ACCEPT <BR><BR>These rules does not work with public IPs.
<BR><BR>My Other Questions are<BR>1. Can I use racoon for SIP tunneling,
is there any limit on number of sessions. Bought a juniper router and
found out that the router supports on 16 channels. I need to support at
least 400 SIP channels. <BR>2. I have seen a lot of documentation of
setting up Masquarding and IP Forwarding. I made it work but that does not
solve my purpose. I need to assign Public IP to the my machines behind the
router so that outside world can access those machines through router
directly. <BR>3. I need to have tunneling with one service provider for
network <A onclick="return top.js.OpenExtLink(window,event,this)"
href="http://56.211.34.23/27" target=_blank>56.211.34.23/27</A>. For rest
of the world I want the traffic to go through the router without any
modification. I might want to add some firewall rules later for some
specific port. <BR><BR>I will appreciate if some one can give me some lead
on how can I achieve this. <BR><BR>Thank
you,<BR>JP<BR></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>