[Openswan Users] Firewall, Routing and Tunneling between public networks
Jai Rangi
jprangi at gmail.com
Wed Oct 3 02:04:36 EDT 2007
Hello,
I am running FC5 on my router. I have a feeling that I am missing something
really simple, but now I am ready to pull my hair out if I don't get the
solution.... At this point my first target is to set up my Linux box as a
router, and my machines behind the router with public IPs should be available
to the outside world. Below is my configuration.
[root at bser2 sysconfig]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source            destination
    4   336 ACCEPT  icmp --  *    *    0.0.0.0/0         0.0.0.0/0
   45  3944 ACCEPT  tcp  --  *    *    0.0.0.0/0         216.209.3.192/26   tcp dpts:6000:65535
    0     0 ACCEPT  udp  --  *    *    0.0.0.0/0         216.209.3.192/26   udp dpts:2048:5799
    0     0 ACCEPT  udp  --  *    *    0.0.0.0/0         216.209.3.192/26   udp dpts:6000:65535
    0     0 ACCEPT  udp  --  *    *    0.0.0.0/0         216.209.3.192/26   udp dpt:53
    0     0 ACCEPT  udp  --  *    *    0.0.0.0/0         192.168.2.0/24     udp dpt:53
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0         216.209.3.192/26   tcp dpt:53
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0         192.168.2.0/24     tcp dpt:53
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0         216.209.3.192/26   tcp dpt:80
    0     0 ACCEPT  tcp  --  *    *    0.0.0.0/0         216.209.3.192/26   tcp dpt:443
    0     0 ACCEPT  all  --  *    *    216.209.3.192/26  0.0.0.0/0
    0     0 ACCEPT  all  --  *    *    216.209.3.192/26  216.209.3.192/26
    0     0 ACCEPT  all  --  *    *    192.168.2.0/24    192.168.2.0/24
    0     0 ACCEPT  all  --  *    *    0.0.0.0/0         255.255.255.255
    0     0 ACCEPT  all  --  lo   *    0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source            destination
    0     0 ACCEPT  all  --  eth0 eth1 0.0.0.0/0         0.0.0.0/0
    0     0 ACCEPT  all  --  eth1 eth0 0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
 pkts bytes target  prot opt in   out  source            destination

Chain spoof (0 references)
 pkts bytes target  prot opt in   out  source            destination
    0     0 LOG     all  --  *    *    0.0.0.0/0         0.0.0.0/0          limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '
    0     0 DROP    all  --  *    *    0.0.0.0/0         0.0.0.0/0
[root at bser2 sysconfig]#
[root at bser2 sysconfig]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:15:C5:EB:68:D0
inet addr:216.209.3.212 Bcast:216.209.3.223 Mask:255.255.255.224
inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23087 errors:0 dropped:0 overruns:0 frame:0
TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1 MiB)
Interrupt:16 Memory:f4000000-f4011100
[root at bser2 sysconfig]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:15:C5:EB:68:CE
inet addr:216.209.3.225 Bcast:216.209.3.239 Mask:255.255.255.240
inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6479 errors:0 dropped:0 overruns:0 frame:0
TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2 KiB)
Interrupt:16 Memory:f8000000-f8011100
[root at bser2 sysconfig]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.209.3.224   216.209.3.225   255.255.255.240 UG    0      0        0 eth1
216.209.3.192   *               255.255.255.224 U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         216.209.3.193   0.0.0.0         UG    0      0        0 eth0
[root at bser2 sysconfig]#
I think I am missing something in my routing table.
So my networks are:
Internet <----------> (216.209.3.192/27, GW 216.209.3.193 on eth0 and
216.209.3.225 on eth1) <-----------> <Network behind the router:
216.209.3.224/28>
The Internet configuration for the internal machines is:
C:\Documents and Settings\Jai Rangi>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 216.209.3.235
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 216.209.3.225
C:\Documents and Settings\Jai Rangi>
I can ping the 216.209.3.192/27 network from the Internet.
I cannot ping the 216.209.3.225/28 network, which is behind the router, from
the Internet.
I can ping an internal machine from the router.
I can ping the router from an internal machine.
I would appreciate it if you could please give me some hint as to what I am
doing wrong here.
Thank you,
-Jai
On 10/2/07, Peter McGill <petermcgill at goco.net> wrote:
>
> First method should work, and work easier because there is no NAT
> (Network Address Translation) to worry about.
> No reason the FORWARD rules wouldn't work on Public IPs, I don't think
> they care at all what IP you give.
> Make sure you don't use MASQUERADE, SNAT or DNAT rules.
> -A adds the rules to the end of the chain; are there any earlier rules
> that might block the public traffic?
> iptables -t filter -n -v -L
> iptables -t nat -n -v -L
> iptables -t mangle -n -v -L
> Will show you all your firewall rule details.
>
> Peter McGill
>
>
> ------------------------------
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of Jai Rangi
> Sent: October 2, 2007 2:56 AM
> To: users at openswan.org
> Subject: [Openswan Users] Firewall,Routing and Tunneling between public
> networks
>
> Hello List,
> I am trying to set up a Linux server as a router/firewall and set up SIP
> tunneling between two public networks.
> My diagram will be something like this:
> Internet <-----> Linux Router <--------------> My Internal Network with
> Public IPs.
> Say my network IPs are 216.209.14.192/26.
> I tried this setup:
>
> Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 | Router -> Internal IP)
> 216.209.14.198 <------> My servers connected through a switch with IPs
> 216.209.14.199-254 with Default Gateway 216.209.14.198.
> This setup did not work.
>
> If I do this:
> Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 | Router -> Internal IP)
> 192.168.1.1 <------> My servers connected through a switch with IPs
> 192.168.1.199-254 with Default Gateway 192.168.1.1.
>
> I can go out through ip forwarding like this...
> iptables -P FORWARD DROP
> iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
> iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
>
> These rules do not work with public IPs.
>
> My other questions are:
> 1. Can I use racoon for SIP tunneling? Is there any limit on the number of
> sessions? I bought a Juniper router and found out that the router supports
> only 16 channels. I need to support at least 400 SIP channels.
> 2. I have seen a lot of documentation on setting up masquerading and IP
> forwarding. I made it work, but that does not solve my purpose. I need to
> assign public IPs to the machines behind the router so that the outside world
> can access those machines through the router directly.
> 3. I need to have tunneling with one service provider for the network
> 56.211.34.23/27. For the rest of the world I want the traffic to go through
> the router without any modification. I might want to add some firewall rules
> later for some specific ports.
>
> I would appreciate it if someone could give me some lead on how I can achieve
> this.
>
> Thank you,
> JP
>
>
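An added example (mine, not the poster's or Openswan's) covering two things to verify in the setup above: the route table lists 216.209.3.224/28 as a UG route via 216.209.3.225, the router's own eth1 address, rather than as a connected route, and the FORWARD chain has never matched a packet, so net.ipv4.ip_forward is worth confirming. The route and address data below are constructed from the output in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): two checks a Linux
# router admin can run when forwarding of public IPs "does not work".
# All sample data is constructed from the thread's ifconfig and route output.

# Constructed: this host's own interface addresses (eth0 and eth1).
LOCAL_ADDRS="216.209.3.212 216.209.3.225"

# Constructed: a `route -n` style table (Destination Gateway Genmask Flags Iface).
ROUTES='216.209.3.224 216.209.3.225 255.255.255.240 UG eth1
216.209.3.192 0.0.0.0 255.255.255.224 U eth0
169.254.0.0 0.0.0.0 255.255.0.0 U eth1
0.0.0.0 216.209.3.193 0.0.0.0 UG eth0'

# Print every route whose gateway is one of this host's own addresses.
# A directly attached subnet belongs in the table as a connected (U) route on
# its interface; a UG route "via ourselves" is a misconfiguration to fix first.
self_gateway_routes() {
  printf '%s\n' "$ROUTES" | while read -r dst gw mask flags iface; do
    for a in $LOCAL_ADDRS; do
      if [ "$gw" = "$a" ]; then
        printf '%s/%s via %s on %s\n' "$dst" "$mask" "$gw" "$iface"
      fi
    done
  done
}

# Return 0 when IPv4 forwarding is enabled. The sysctl file path is a
# parameter so the check can be exercised against a constructed file.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Stand-alone report against the constructed data and the live sysctl.
report() {
  bad=$(self_gateway_routes)
  if [ -n "$bad" ]; then
    echo "routes via this host's own address (expected connected routes):"
    echo "$bad"
  fi
  if forwarding_enabled; then
    echo "ip_forward=1: kernel will forward between eth0 and eth1"
  else
    echo "ip_forward=0: FORWARD chain counters will stay at zero"
  fi
}

report
```

Both checks passing is necessary but not sufficient: return traffic only reaches 216.209.3.224/28 if the provider routes that prefix to 216.209.3.212 or, when it treats the /28 as on-link, if the router answers ARP for those hosts on eth0 (proxy ARP).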