<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=909193619-05102007><FONT face=Arial
color=#0000ff size=2>Switching to something other than your current
hardware/OS/software will not change things.<BR>The problem you have is with
basic TCP/IP routing; this is the same no matter what hardware/software you
use.<BR>You must get your ISP to route traffic to your gateway or gateways, as I
said before.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV dir=ltr align=left><SPAN class=909193619-05102007><FONT face=Arial
color=#0000ff size=2>To explain in more detail.</FONT></SPAN></DIV>
<DIV><SPAN class=909193619-05102007><FONT face=Arial color=#0000ff size=2>Ask
your ISP to add the following route to their router
(216.209.3.193):<BR>Destination: 216.209.3.192/26<BR>Gateway:
206.216.3.212</FONT></SPAN></DIV>
<DIV><SPAN class=909193619-05102007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=909193619-05102007><FONT face=Arial color=#0000ff size=2>Once
this is done, all traffic returning from the internet will use your internal
routes via .212,</FONT></SPAN></DIV>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>and this will fix your traffic flow. It's that easy;
now you just need to convince your ISP, which, if
they're</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>any good, should not be difficult. Then just make sure
.212 has appropriate routes for all subnets.</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>You may also need to reconfigure your computers on
.192/27 to use .212 as their internet gateway.</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>i.e.</SPAN></FONT></FONT></FONT></DIV><FONT><FONT
size=2><FONT color=#0000ff><SPAN class=909193619-05102007>
<DIV><FONT size=2><FONT face=Arial color=#0000ff><SPAN
class=909193619-05102007>Destination:
216.209.3.192/27</SPAN></FONT></FONT></DIV>
<DIV><FONT size=2><FONT face=Arial color=#0000ff><SPAN
class=909193619-05102007>Gateway: 216.209.3.212
(eth0)</SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial>Destination: 216.209.3.224/28</FONT></DIV>
<DIV></SPAN></FONT></FONT></FONT><SPAN class=909193619-05102007><FONT face=Arial
color=#0000ff size=2>Gateway: 216.209.3.225 (eth1)</FONT></SPAN></DIV><SPAN
class=909193619-05102007>
<DIV dir=ltr align=left><FONT face=Arial>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>Destination:
216.209.3.240/28</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2><FONT color=#0000ff><SPAN
class=909193619-05102007>Gateway: ? ?
(unallocated?)</SPAN></FONT></FONT></FONT></DIV><BR><FONT color=#0000ff
size=2></FONT></FONT></DIV></SPAN>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
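<DIV dir=ltr align=left><FONT face=Arial size=2>Added example (editor's code, not Peter's or Jai's, and not part of the Openswan project): a small Python model of the two routing tables this thread is about. It implements longest-prefix-match lookup, traces a reply packet that arrives at the ISP router (216.209.3.193) on its way to 216.209.3.235 both before and after the ISP adds a route for 216.209.3.224/28 via 216.209.3.212, and then scans tcpdump output for the symptom visible in Jai's capture: the upstream router ARPing on the customer segment for a host that actually sits behind the Linux router. The ISP's upstream gateway 203.0.113.1, the interface names "cust" and "wan", and the last tcpdump sample line are constructed for the example; the other addresses and capture lines are the ones quoted in the thread.</FONT></DIV>

```python
"""Added example (not from the thread): model the ISP router and Linux router
routing tables from this thread and show why return traffic for
216.209.3.235 dies at the ISP router until a route for the /28 is added."""
import ipaddress
import re

# A route is (prefix, gateway or None for on-link, interface). Addresses are
# the ones quoted in the thread; the ISP's upstream gateway 203.0.113.1 and
# the interface names "cust"/"wan" are constructed placeholders.
LINUX_ROUTER = "216.209.3.212"
ISP_ROUTER = "216.209.3.193"
HOST_BEHIND_ROUTER = "216.209.3.235"

ROUTES_LINUX = [
    ("216.209.3.224/28", None, "eth1"),       # LAN side, from Jai's route output
    ("216.209.3.192/27", None, "eth0"),       # public side
    ("0.0.0.0/0", ISP_ROUTER, "eth0"),        # default via the ISP router
]
ROUTES_ISP_BEFORE = [
    ("216.209.3.192/26", None, "cust"),       # ISP sees one flat /26 on-link
    ("0.0.0.0/0", "203.0.113.1", "wan"),      # constructed upstream default
]
# What Peter asks the ISP to add: the /28 behind the Linux router via .212.
ROUTES_ISP_AFTER = [("216.209.3.224/28", LINUX_ROUTER, "cust")] + ROUTES_ISP_BEFORE


def lookup(table, dst):
    """Longest-prefix match over a route table. Returns (gateway, iface) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(routers, start, dst, max_hops=8):
    """Follow a packet hop by hop through the modelled routers. An on-link
    route (gateway None) ends the trace: that router will ARP for dst on
    that interface, which only succeeds if dst really is on that segment."""
    path, here = [], start
    for _ in range(max_hops):
        hit = lookup(routers[here], dst)
        if hit is None:
            path.append((here, "no-route", None))
            return path
        gw, iface = hit
        if gw is None:
            path.append((here, "arp", iface))
            return path
        path.append((here, "forward", gw))
        if gw not in routers:
            path.append((gw, "unmodelled", None))
            return path
        here = gw
    path.append((here, "hop-limit", None))
    return path


def return_path(isp_routes):
    """Trace a reply from the internet, arriving at the ISP router, to .235."""
    routers = {ISP_ROUTER: isp_routes, LINUX_ROUTER: ROUTES_LINUX}
    return trace(routers, ISP_ROUTER, HOST_BEHIND_ROUTER)


# Detection side: spot the symptom in tcpdump output. The first three sample
# lines are copied from the capture in the thread; the fourth is constructed
# (a normal ARP from .235 for its own gateway) and must not be flagged.
ARP_RE = re.compile(r"arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")
SAMPLE_TCPDUMP = [
    "22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40",
    "22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194",
    "22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194",
    "22:04:13.492228 arp who-has 216.209.3.225 tell 216.209.3.235",
]


def misrouted_arp(lines, behind_router):
    """Return (asker, target) pairs where a host outside the LAN subnet ARPs
    for an address inside it. On the public segment that means the upstream
    believes the address is on-link, i.e. its route table lacks the /28."""
    behind = ipaddress.IPv4Network(behind_router)
    hits = []
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue
        target, asker = (ipaddress.IPv4Address(g) for g in m.groups())
        if target in behind and asker not in behind:
            hits.append((str(asker), str(target)))
    return hits


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_ISP_BEFORE), ("after", ROUTES_ISP_AFTER)):
        print(label, return_path(routes))
    print(misrouted_arp(SAMPLE_TCPDUMP, "216.209.3.224/28"))
```

<DIV dir=ltr align=left><FONT face=Arial size=2>Run stand-alone, the "before" trace stops at the ISP router with an ARP on its customer segment, which is exactly the "arp who-has 216.209.3.235 tell 216.209.3.194" lines in Jai's capture: the request is never answered because .235 is on the far side of .212. The "after" trace hands the packet to .212, which delivers it on eth1. The same check works on a live capture by feeding tcpdump lines from eth0 to misrouted_arp with the LAN prefix.</FONT></DIV>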
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Jai Rangi [mailto:jprangi@gmail.com]
<BR><B>Sent:</B> October 5, 2007 3:25 PM<BR><B>To:</B>
petermcgill@goco.net<BR><B>Cc:</B> users@openswan.org<BR><B>Subject:</B> Re:
[Openswan Users] Firewall,Routing and Tunneling between public
networks<BR></FONT><BR></DIV>
<DIV></DIV>Peter, <BR>I think this is the case and this is what I have been
wondering all the time. <BR><SPAN><FONT face=Arial color=#0000ff size=2>"But
your ISP router might not be forwarding to your internal subnet gateways
correctly thinking you have just one large subnet that they've assigned you."
<BR><BR><SPAN style="COLOR: rgb(0,0,0)">Now, considering my ISP thinks that we
have just one large subnet: can I use a Linux box, put it in front of my whole
network, and have this Linux box just act like a firewall, and we set up our IPSec
tunneling with one provider and let the traffic pass through for the others?
</SPAN><BR style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">Traffic
comes in on eth0 and goes out to a switch for my network. Traffic comes in on eth1 from
the switch and goes out eth0 to the internet. </SPAN><BR
style="COLOR: rgb(0,0,0)"><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">I need another suggestion: a linux/racoon/ipsec
solution vs. buying a Cisco or Juniper firewall. </SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">We are a VoIP
company, so uptime of this firewall/tunnel is very, very important. Should we go
with the Linux/Racoon solution or should we buy the more expensive Cisco solution?
</SPAN><BR style="COLOR: rgb(0,0,0)"><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">Is racoon mature enough that we configure it once
and then just forget about it, assuming that it will never break?
</SPAN><BR style="COLOR: rgb(0,0,0)"><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">Thank you,</SPAN><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">-Jai</SPAN><BR></FONT></SPAN><BR>
<DIV><SPAN class=gmail_quote>On 10/4/07, <B class=gmail_sendername>Peter
McGill</B> <<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Ok, so
if all your internal communication with your various subnets is working and
the only thing lacking is internet communication.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>It may
be your ISP router. Since you're subdividing the subnet given by your ISP, all
traffic should get to your ISP router, no problem there.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>But your
ISP router might not be forwarding to your internal subnet gateways
correctly thinking you have just one large subnet that they've assigned
you.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>I
suggest either telling your ISP about your subnetting scheme with gateways
so they can correctly forward inbound traffic to your subnet
gateways,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>or else
ask them to forward all traffic to a single machine that you control
that is directly connected to the ISP router.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Then
set up the routing on that machine to forward all your internal traffic
correctly. The first option results in fewer router hops and less network delay,
but</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>the
second option allows you to more easily reconfigure your internal subnets
without contacting your ISP.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><SPAN class=q><B>From:</B> Jai Rangi
[mailto:<A>jprangi@gmail.com</A>] <BR></SPAN><B>Sent:</B> October 4, 2007
1:08 AM
<DIV><SPAN class=e id=q_1156b75f430b56ad_3><FONT face=Arial
color=#0000ff></FONT><FONT face=Arial color=#0000ff></FONT><BR><B>To:</B>
<A>petermcgill@goco.net</A><BR><B>Cc:</B>
<A>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan Users]
Firewall,Routing and Tunneling between public
networks<BR></SPAN></DIV></FONT><BR></DIV>
<DIV><SPAN class=e id=q_1156b75f430b56ad_5>
<DIV></DIV>Peter, <BR>Thank you for looking into this. <BR>
<DIV dir=ltr align=left><SPAN style="COLOR: rgb(0,0,0)"><FONT face=Arial
size=2>I restarted my machine and now I am able to ping from the
<A>216.209.3.192/27</A> network if I define the routing table. On another
server, <A>216.209.3.201</A>, I added the rule to the routing table:
<BR><SPAN style="FONT-WEIGHT: bold">206.216.3.224 206.216.3.212 255.255.255.240 UG 0 0 0 eth0</SPAN>
<BR>206.216.3.192 * 255.255.255.192 U 0 0 0 eth0
<BR>192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
<BR>192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
<BR>169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
<BR>default 206.216.3.193 0.0.0.0 UG 0 0 0 eth0<BR><BR>I can ping
<A>216.209.3.235</A> from <A>216.209.2.201</A> and vice versa<BR><BR>Internet
router <---> (<A>206.216.3.192/26</A> network, and the router is one of
them, 206.216.3.212) <A>206.216.3.224/28</A> is behind the router. <BR>So
this works. <BR><A>206.216.3.201</A> ---- router 206.216.3.212 (eth0)
206.216.3.225 (eth1) ----- 206.216.3.224.235 with gateway
<A>216.209.3.225</A></FONT></SPAN><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)"><FONT face=Arial size=2><BR>But when I try ping
something on internet from </FONT></SPAN><SPAN><FONT face=Arial
color=#0000ff size=2><SPAN style="COLOR: rgb(0,0,0)"><A>206.216.3.235</A>.
Seems the traffic goes out but does not find the way to come back. This is
what I get from tcpdump on my router.. </SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">[root@bser2
sysconfig]# tcpdump | grep "235\|158"</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">tcpdump: verbose
output suppressed, use -v or -vv for full protocol decode </SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">listening on
eth0, link-type EN10MB (Ethernet), capture size 96 bytes</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04: 01.092356
IP ip68-4-78-109.oc.oc.cox.net.apollo-gms >
bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:03.105456
IP <A>216.209.3.235</A> > <A>f1.www.vip.sp1.yahoo.com</A>: ICMP echo
request, id 512, seq 23041, length 40</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04: 03.105939
IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain:
43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:03.117544
arp who-has <A>216.209.3.235</A> tell <A>216.209.3.194</A></SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:03.158959
IP ip68-4-78-109.oc.oc.cox.net.apollo-gms >
bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:03.158972
IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms : . ack 3277 win 12168</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:04.101588
IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:04.542637
IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain: 1587
[1au] PTR? 16.255.142.68.in-addr.arpa. (55)</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:04.556305
IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa:
1587- 0/5/1 (154)</SPAN><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">22:04:08.472526 IP <A>216.209.3.235</A> >
<A>f1.www.vip.sp1.yahoo.com</A>: ICMP echo request, id 512, seq 23297,
length 40</SPAN><BR style="COLOR: rgb(0,0,0)"><SPAN
style="COLOR: rgb(0,0,0)">22:04: 08.483996 arp who-has
<A>216.209.3.235</A> tell <A>216.209.3.194</A></SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:13.480338
IP <A>216.209.3.235</A> > <A>f1.www.vip.sp1.yahoo.com</A>: ICMP echo
request, id 512, seq 23553, length 40</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04: 13.492228
arp who-has <A>216.209.3.235</A> tell <A>216.209.3.194</A></SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:15.475158
IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:18.488138
IP <A>216.209.3.235</A> > <A>f1.www.vip.sp1.yahoo.com</A>: ICMP echo
request, id 512, seq 23809, length 40</SPAN><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">22:04:18.499693
arp who-has <A>216.209.3.235 </A>tell
<A>216.209.3.194</A></SPAN><BR><BR></FONT></SPAN><SPAN><FONT face=Arial
color=#0000ff size=2><BR>Is your windows firewall enabled or configured to
allow the traffic you want to allow?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Windows firewall has a pretty strict default configuration on XP
SP2 and up.<BR><SPAN style="COLOR: rgb(0,0,0)">My Windows firewall is open
and I can ping that from my router. </SPAN><BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Is
forwarding enabled in your kernel?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>cat
/proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>echo
"1" > /proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN></SPAN>Yes<BR><BR></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Does
your internet router <A>216.209.3.193</A> know to forward traffic for
<A>216.209.3.224/28</A> to <A>216.209.3.212</A> (i.e. use .212
as gateway/route for .224/28)?<BR><SPAN
style="COLOR: rgb(0,0,0); BACKGROUND-COLOR: rgb(255,255,255)">OK, this
might be the case, because <A>216.209.3.193</A> is
managed by my internet service provider. They have given me a cable that
goes into one of my switches. My network from the ISP is <A>216.209.3.192/26</A>,
which I was subdividing to build my Linux router.<BR><A>216.209.3.192/27</A>
is outside of the router and <A>219.209.3.224/28</A> is behind the router.
</SPAN><BR><BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Is
your internet router's firewall configured also to allow this traffic
through it?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN></SPAN><FONT face=Arial color=#0000ff
size=2></FONT><BR>Yes, I am getting traffic for all my other IPs
<BR></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Do you
have any iptables mangle or nat rules? You only showed your filter
(default) table.<BR><BR><SPAN style="COLOR: rgb(0,0,0)">No mangle
and no NAT:</SPAN><BR style="COLOR: rgb(0,0,0)"><BR
style="COLOR: rgb(0,0,0)"><SPAN style="COLOR: rgb(0,0,0)">[root@bser2 ~]#
iptables -t mangle -L -n -v<BR>Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR>[root@bser2 ~]# iptables -t nat -L -n -v<BR>Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination</SPAN><BR
style="COLOR: rgb(0,0,0)"><BR></FONT></SPAN></DIV><BR><BR>
<DIV><SPAN class=gmail_quote>On 10/3/07, <B class=gmail_sendername>Peter
McGill</B> <<A> petermcgill@goco.net</A> > wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>It
doesn't look like an iptables/firewall issue, since your chains seem to
accept everything they need to.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>However you can check your log for dropped packets to
be sure.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>grep
'kernel: IN=' /var/log/*</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>If
you see any packets in there that match packets you want to allow then
there is a misconfiguration.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>According to your ifconfig and route, you are doing
this:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Public Internet Interface: eth0</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>IP
Address: <A>216.209.3.212</A></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Network: <A>216.209.3.192/27</A></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>Netmask: <A>255.255.255.224</A></FONT>
</SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>IP Address Range:
216.209.3.193-216.209.3.223</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Gateway: <A>216.209.3.193</A></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>LAN
Interface: eth1</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>IP
Address: <A>216.209.3.225</A></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Network: <A>216.209.3.224/28</A></FONT></SPAN> </DIV><SPAN><FONT
size=+0>
<DIV dir=ltr align=left><SPAN><FONT face=Arial><FONT color=#0000ff
size=2> Netmask:
<A>255.255.255.240</A></FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff
size=2> IP Address Range:
216.209.3.225-216.209.3.239</FONT></DIV>
<DIV dir=ltr align=left></DIV></FONT></SPAN><SPAN><SPAN><FONT face=Arial
color=#0000ff size=2>Gateway:
<A>216.209.3.225</A></FONT></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>This
looks correct and also matches your text description, and your Windows
network configuration also looks correct.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Is
your windows firewall enabled or configured to allow the traffic you
want to allow?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Windows firewall has a pretty strict default configuration on XP
SP2 and up.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Is
forwarding enabled in your kernel?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>cat
/proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>echo
"1" > /proc/sys/net/ipv4/ip_forward</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Does
your internet router <A>216.209.3.193</A> know to forward traffic for
<A>216.209.3.224/28</A> to <A>216.209.3.212</A> (ie. use .212
as gateway/route for .224/28)?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Is
your internet router's firewall configured also to allow this traffic
through it?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Do
you have any iptables mangle or nat rules, you only showed your
filter (default) table?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> Jai Rangi
[mailto:<A>jprangi@gmail.com</A>] <BR><B>Sent:</B> October 3, 2007
2:05 AM<BR><B>To:</B> <A>petermcgill@goco.net</A><BR><B>Cc:</B>
<A>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan Users]
Firewall,Routing and Tunneling between public
networks<BR></FONT><BR></DIV>
<DIV><SPAN>
<DIV></DIV>Hello, <BR><BR>I am running FC5 on my router. I have a
feeling that I am missing something really simple, but now I am ready
to pull my hair out if I don't get the solution.... At this point
my first target is to set up my Linux box as a router, and my machines
behind the router with public IPs should be available to the outside
world. Below is my configuration. <BR><BR>[root@bser2 sysconfig]#
iptables -L -n -v<BR>Chain INPUT (policy DROP 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR>
4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0<BR>
45 3944 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpts:6000:65535<BR>
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:2048:5799<BR>
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:6000:65535<BR>
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpt:53<BR>
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.0/24 udp dpt:53<BR>
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:53<BR>
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.0/24 tcp dpt:53<BR>
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:80<BR>
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:443<BR>
0 0 ACCEPT all -- * * 216.209.3.192/26 0.0.0.0/0<BR>
0 0 ACCEPT all -- * * 216.209.3.192/26 216.209.3.192/26<BR>
0 0 ACCEPT all -- * * 192.168.2.0/24 192.168.2.0/24<BR>
0 0 ACCEPT all -- * * 0.0.0.0/0 255.255.255.255<BR>
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<BR><BR>Chain FORWARD (policy DROP 0 packets, 0 bytes)<BR>
pkts bytes target prot opt in out source destination<BR>
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<BR>
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<BR><BR>Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)<BR>
pkts bytes target prot opt in out source destination<BR><BR>Chain spoof (0 references)<BR>
pkts bytes target prot opt in out source destination<BR>
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '<BR>
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<BR>[root@bser2 sysconfig]#<BR>[root@bser2 sysconfig]# ifconfig eth0<BR>
eth0 Link encap:Ethernet HWaddr 00:15:C5:EB:68:D0<BR>
inet addr:216.209.3.212 Bcast:216.209.3.223 Mask:255.255.255.224<BR>
inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link<BR>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR>
RX packets:23087 errors:0 dropped:0 overruns:0 frame:0<BR>
TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0<BR>
collisions:0 txqueuelen:1000<BR>
RX bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1 MiB)<BR>
Interrupt:16 Memory:f4000000-f4011100<BR><BR>[root@bser2 sysconfig]# ifconfig eth1<BR>
eth1 Link encap:Ethernet HWaddr 00:15:C5:EB:68:CE<BR>
inet addr:216.209.3.225 Bcast:216.209.3.239 Mask:255.255.255.240<BR>
inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link<BR>
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<BR>
RX packets:6479 errors:0 dropped:0 overruns:0 frame:0<BR>
TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0<BR>
collisions:0 txqueuelen:1000<BR>
RX bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2 KiB)<BR>
Interrupt:16 Memory:f8000000-f8011100<BR><BR>[root@bser2 sysconfig]# route<BR>Kernel IP routing table<BR>
Destination Gateway Genmask Flags Metric Ref Use Iface<BR>
216.209.3.224 216.209.3.225 255.255.255.240 UG 0 0 0 eth1<BR>
216.209.3.192 * 255.255.255.224 U 0 0 0 eth0<BR>
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1<BR>
default 216.209.3.193 0.0.0.0 UG 0 0 0 eth0<BR>[root@bser2
sysconfig]#<BR><BR>I think I am missing something in my routing table.
<BR><BR>So my network is <BR><BR>Internet <----------> (
<A>216.209.3.192/27</A>, GW <A>216.209.3.193</A> on eth0 and
<A>216.209.3.225</A> on eth1) <-----------> (Network behind
the router <A>216.209.3.224/28</A>)<BR><BR><BR>Internet
configuration for internal machines is<BR><BR>C:\Documents and
Settings\Jai Rangi>ipconfig<BR><BR>Windows IP
Configuration<BR><BR><BR>Ethernet adapter Local Area Connection:
<BR><BR> Connection-specific DNS Suffix . :<BR> IP
Address. . . . . . . . . . . . : <A>216.209.3.235</A><BR>
Subnet Mask . . . . . . . . . . . : <A>255.255.255.240</A><BR>
Default Gateway . . . . . . . . . : <A>216.209.3.225</A><BR><BR>C:\Documents and Settings\Jai
Rangi><BR><BR>I can ping from the internet to the <A>216.209.3.192/27</A>
network. <BR>I cannot ping the <A>216.209.3.225/28</A> network from the
internet, which is behind internet. <BR>I can ping the internal machine
from the router. <BR>I can ping the router from the internal machine.
<BR><BR><BR>I will appreciate it if you can please give me some hint what
I am doing wrong here. <BR><BR>Thank
you,<BR>-Jai<BR><BR>
<DIV><SPAN class=gmail_quote>On 10/2/07, <B
class=gmail_sendername>Peter McGill
</B><<A>petermcgill@goco.net</A>> wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>The first method should work, and work more easily, because there is no
NAT (Network Address Translation) to worry
about.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>No reason the FORWARD rules wouldn't work on public IPs; I
don't think they care at all what IP you give.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Make sure you don't use MASQUERADE, SNAT or DNAT
rules.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>-A adds the rules to the end of the chain; are there any
earlier rules that might block the public
traffic?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t filter -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t nat -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>iptables -t mangle -n -v -L</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Will show you all your firewall rule
details.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B>
<A>users-bounces@openswan.org</A> [mailto:<A>
users-bounces@openswan.org</A>] <B>On Behalf Of </B>Jai
Rangi<BR><B>Sent:</B> October 2, 2007 2:56 AM<BR><B>To:</B>
<A>users@openswan.org</A><BR><B>Subject:</B> [Openswan Users]
Firewall,Routing and Tunneling between public
networks<BR></FONT><BR></DIV>
<DIV><SPAN>
<DIV></DIV>Hello List,<BR>I am trying to set up a Linux server as
a router/firewall and set up SIP tunneling between two public
networks. <BR>My diagram will be something like this:<BR>Internet
<-----> Linux Router <--------------> My Internal
Network with Public IPs. <BR>Say my network IPs are
<A>216.209.14.192/26</A>. <BR>I tried this setup.<BR><BR>Internet
<----> <A>216.209.14.197</A> (ExtIP <- Default Gateway
<A>216.209.14.193</A> Router -> Internal IP)
<A>216.209.14.198</A> <------> My servers connected through
a switch with IPs 216.209.14.199-254 with Default Gateway
<A>216.209.14.198</A>. <BR>This setup did not work. <BR><BR>If I
do this:<BR>Internet <----> <A>216.209.14.197</A> (ExtIP
<- Default Gateway <A>216.209.14.193</A> Router -> Internal
IP) <A>192.168.1.1</A> <------> My servers connected through
a switch with IPs 192.168.1.199-254 with Default Gateway
<A>192.168.1.1</A>.<BR><BR>I can go out through IP forwarding like
this: <BR>iptables -P FORWARD DROP<BR>iptables -A FORWARD -s
${HUB_LAN} -j ACCEPT<BR>iptables -A FORWARD -d ${HUB_LAN} -j
ACCEPT <BR><BR>These rules do not work with public IPs.
<BR><BR>My other questions are<BR>1. Can I use racoon for SIP
tunneling? Is there any limit on the number of sessions? I bought a
Juniper router and found out that the router supports only 16
channels. I need to support at least 400 SIP channels. <BR>2. I
have seen a lot of documentation on setting up masquerading and IP
forwarding. I made it work but that does not solve my purpose. I
need to assign public IPs to my machines behind the router so
that the outside world can access those machines through the router
directly. <BR>3. I need to have tunneling with one service
provider for network <A>56.211.34.23/27</A>. For the rest of the world
I want the traffic to go through the router without any
modification. I might want to add some firewall rules later for
some specific ports. <BR><BR>I will appreciate it if someone can give
me some lead on how I can achieve this. <BR><BR>Thank
you,<BR>JP<BR></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></SPAN></DIV></BLOCKQUOTE></BLOCKQUOTE></DIV><BR></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>