[Openswan Users] Firewall, Routing and Tunneling between public networks

Peter McGill petermcgill at goco.net
Tue Oct 2 09:30:38 EDT 2007

The first method should work, and work more easily because there is no NAT (Network Address Translation) to worry about.
No reason the FORWARD rules wouldn't work on public IPs; I don't think they care at all what IP you give.
Make sure you don't use MASQUERADE, SNAT or DNAT rules.
-A adds the rules to the end of the chain; are there any earlier rules that might block the public traffic?
iptables -t filter -n -v -L
iptables -t nat -n -v -L
iptables -t mangle -n -v -L
Will show you all your firewall rule details.
Peter McGill
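As an added example (not code from this thread), a small Python audit of an iptables-save dump that mechanises the checks in the reply above: it flags MASQUERADE/SNAT/DNAT rules in the nat table, and DROP/REJECT rules in FORWARD that sit before the ACCEPT rules for the routed public subnet. The sample dump and the 203.0.113.0/24 prefix are constructed; on a real router feed it the output of `iptables-save`.

```python
import ipaddress
import re

NAT_TARGETS, BLOCK_TARGETS = {"MASQUERADE", "SNAT", "DNAT"}, {"DROP", "REJECT"}

# Constructed sample dump; 203.0.113.0/24 (a documentation range) stands in for the
# routed public subnet the list mail calls ${HUB_LAN}.
SAMPLE_DUMP = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -p tcp -m tcp --dport 5060 -j DROP
-A FORWARD -s 203.0.113.0/24 -j ACCEPT
-A FORWARD -d 203.0.113.0/24 -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Return {table: [rule, ...]} holding the -A lines of each *table block."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif line.startswith("-A ") and current is not None:
            current.append(line)
    return tables

def rule_target(rule):
    m = re.search(r" -j (\S+)", rule)
    return m.group(1) if m else None

def rule_addr(rule, flag):
    """Network after flag ('-s' or '-d'), or None; negated '! -s' matches are skipped."""
    m = re.search(rf"(?<!! ){flag} (\S+)", rule)
    return ipaddress.ip_network(m.group(1), strict=False) if m else None

def audit(dump, hub_lan):
    """Findings for a router that must forward hub_lan unchanged (no NAT, no early block)."""
    net, tables = ipaddress.ip_network(hub_lan), parse_dump(dump)
    findings = ["nat rewrite: " + r for r in tables.get("nat", []) if rule_target(r) in NAT_TARGETS]
    # FORWARD is walked top to bottom and the first matching DROP/REJECT wins, so a
    # block placed before both directions of hub_lan are accepted is suspect.
    accepted = {"-s": False, "-d": False}
    for rule in (r for r in tables.get("filter", []) if r.startswith("-A FORWARD ")):
        covers = [f for f in accepted
                  if rule_addr(rule, f) is not None and net.subnet_of(rule_addr(rule, f))]
        if rule_target(rule) == "ACCEPT":
            accepted.update((f, True) for f in covers)
        elif rule_target(rule) in BLOCK_TARGETS and not all(accepted.values()):
            findings.append("blocks before accept: " + rule)
    findings += [f"no FORWARD ACCEPT for {f} {hub_lan}" for f, ok in accepted.items() if not ok]
    return findings
```

Run against the sample, `audit(SAMPLE_DUMP, "203.0.113.0/24")` reports the MASQUERADE rule and the port 5060 DROP that precedes the subnet ACCEPTs; a dump with only the two ACCEPT rules reports nothing.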


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Jai Rangi
Sent: October 2, 2007 2:56 AM
To: users at openswan.org
Subject: [Openswan Users] Firewall,Routing and Tunneling between public networks

Hello List,
I am trying to set up a Linux server as a router/firewall and set up SIP tunneling between two public networks. 
My Diagram will be something like this
Internet <-----> Linux Router <--------------> My Internal Network with Public IPs. 
Say My Network IPs are 
I tried this setup.

Internet <----> (ExtIP <- Default Gateway Router -> Internal IP) <------> My Servers
connected through a switch with IPs with Default Gateway 
This set up did not work. 

If I do this
Internet <----> (ExtIP <- Default Gateway Router -> Internal IP) <------> My Servers
connected through a switch with IPs with Default Gateway

I can go out through ip forwarding like this... 
iptables -P FORWARD DROP
iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT 

These rules do not work with public IPs. 

My Other Questions are
1. Can I use racoon for SIP tunneling, and is there any limit on the number of sessions? I bought a Juniper router and found out that the
router supports only 16 channels. I need to support at least 400 SIP channels. 
2. I have seen a lot of documentation on setting up Masquerading and IP Forwarding. I made it work but that does not solve my
purpose. I need to assign Public IPs to my machines behind the router so that the outside world can access those machines through the
router directly. 
3. I need to have tunneling with one service provider for network For rest of the world I want the traffic to go
through the router without any modification. I might want to add some firewall rules later for some specific port. 

I would appreciate it if someone can give me some lead on how I can achieve this. 

Thank you,
