[Openswan Users] Firewall, Routing and Tunneling between public networks
Peter McGill
petermcgill at goco.net
Wed Oct 3 09:50:08 EDT 2007
It doesn't look like an iptables/firewall issue, since your chains seem to accept everything it needs to.
However you can check your log for dropped packets to be sure.
grep 'kernel: IN=' /var/log/*
If you see any packets in there that match packets you want to allow then there is a misconfiguration.
According to your ifconfig and route, you are doing this:
Public Internet Interface: eth0
IP Address: 216.209.3.212
Network: 216.209.3.192/27
Netmask: 255.255.255.224
IP Address Range: 216.209.3.193-216.209.3.223
Gateway: 216.209.3.193
LAN Interface: eth1
IP Address: 216.209.3.225
Network: 216.209.3.224/28
Netmask: 255.255.255.240
IP Address Range: 216.209.3.225-216.209.3.239
Gateway: 216.209.3.225
This looks correct also matching your text description and your Windows network configuration also looks correct.
Is your windows firewall enabled or configured to allow the traffic you want to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Does your internet router 216.209.3.193 know to forward traffic for 216.209.3.224/28 to 216.209.3.212 (i.e. use .212 as the gateway/route for .224/28)?
Is your internet router's firewall configured also to allow this traffic through it?
Do you have any iptables mangle or nat rules? You only showed your filter (default) table.
Peter McGill
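As an added example (not from this thread), a small POSIX shell script that narrows the grep above to the packets that matter here: LOG lines for traffic arriving from outside and addressed into the inner 216.209.3.224/28, which the FORWARD chain should have accepted. It assumes the router logs dropped packets with the standard kernel IN=/SRC=/DST= fields; the log lines it runs over are constructed.

```shell
# Added example, not from the thread: sift kernel firewall LOG lines for packets
# that came from outside bound for the inner 216.209.3.224/28, i.e. traffic the
# FORWARD chain was meant to accept. Assumes the usual "kernel: IN=... SRC=... DST=..."
# LOG format; the sample lines below are constructed, not from Jai's box.
INNER_NET=216.209.3.224
INNER_BITS=28

# in_net IP NET BITS: exit 0 when IP falls inside NET/BITS (awk, so plain sh is enough)
in_net() {
    awk -v ip="$1" -v net="$2" -v bits="$3" 'BEGIN {
        split(ip, a, "."); split(net, b, ".")
        x = ((a[1]*256 + a[2])*256 + a[3])*256 + a[4]
        y = ((b[1]*256 + b[2])*256 + b[3])*256 + b[4]
        host = 2 ^ (32 - bits)   # size of the host part; truncating by it strips host bits
        exit !(int(x / host) == int(y / host))
    }'
}

# dropped_toward_inner: read log lines on stdin, print those whose DST= lies in the
# inner /28 while SRC= does not (the Internet side trying to reach the LAN)
dropped_toward_inner() {
    while IFS= read -r line; do
        case "$line" in *"kernel: IN="*) ;; *) continue ;; esac
        src=$(printf '%s\n' "$line" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p')
        dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
        [ -n "$src" ] && [ -n "$dst" ] || continue
        if in_net "$dst" "$INNER_NET" "$INNER_BITS" &&
           ! in_net "$src" "$INNER_NET" "$INNER_BITS"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample: two forwarded packets for the inner /28, one for the router
# itself (INPUT chain, not FORWARD) and one reply leaving the LAN
SAMPLE='Oct  3 09:40:01 bser2 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=216.209.3.235 PROTO=ICMP TYPE=8
Oct  3 09:40:02 bser2 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=216.209.3.212 PROTO=TCP DPT=22
Oct  3 09:40:03 bser2 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=216.209.3.230 PROTO=UDP DPT=5060
Oct  3 09:40:04 bser2 kernel: IN=eth1 OUT=eth0 SRC=216.209.3.235 DST=198.51.100.7 PROTO=ICMP TYPE=0'

# count_toward_inner: how many sample lines are flagged (expected: the two forwarded ones)
count_toward_inner() {
    printf '%s\n' "$SAMPLE" | dropped_toward_inner | wc -l | tr -d ' '
}

count_toward_inner
```

On the real box, replace the constructed SAMPLE with `grep 'kernel: IN=' /var/log/* | dropped_toward_inner`; any line it prints is a packet the FORWARD chain dropped even though the rules shown should let it through.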
_____
From: Jai Rangi [mailto:jprangi at gmail.com]
Sent: October 3, 2007 2:05 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks
Hello,
I am running FC5 on my router. I have a feeling that I am missing something really simple, but now I am ready to pull my hair out if I don't get the solution.... At this point my first target is to set up my Linux box as a router, and my machines behind the router with public IPs should be available to the outside world. Below is my configuration.
[root at bser2 sysconfig]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
45 3944 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpts:6000:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:2048:5799
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:6000:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.0/24 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.0/24 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:443
0 0 ACCEPT all -- * * 216.209.3.192/26 0.0.0.0/0
0 0 ACCEPT all -- * * 216.209.3.192/26 216.209.3.192/26
0 0 ACCEPT all -- * * 192.168.2.0/24 192.168.2.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 255.255.255.255
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
pkts bytes target prot opt in out source destination
Chain spoof (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root at bser2 sysconfig]#
[root at bser2 sysconfig]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:15:C5:EB:68:D0
inet addr:216.209.3.212 Bcast:216.209.3.223 Mask:255.255.255.224
inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23087 errors:0 dropped:0 overruns:0 frame:0
TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1 MiB)
Interrupt:16 Memory:f4000000-f4011100
[root at bser2 sysconfig]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:15:C5:EB:68:CE
inet addr:216.209.3.225 Bcast:216.209.3.239 Mask:255.255.255.240
inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6479 errors:0 dropped:0 overruns:0 frame:0
TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2 KiB)
Interrupt:16 Memory:f8000000-f8011100
[root at bser2 sysconfig]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
216.209.3.224 216.209.3.225 255.255.255.240 UG 0 0 0 eth1
216.209.3.192 * 255.255.255.224 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 216.209.3.193 0.0.0.0 UG 0 0 0 eth0
[root at bser2 sysconfig]#
I think I am missing something in my routing table.
So my networks are:
Internet <----------> (216.209.3.192/27, GW 216.209.3.193 on eth0 and 216.209.3.225 on eth1) <-----------> <Network behind the router 216.209.3.224/28>
The internet configuration for the internal machines is:
C:\Documents and Settings\Jai Rangi>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 216.209.3.235
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 216.209.3.225
C:\Documents and Settings\Jai Rangi>
I can ping the 216.209.3.192/27 network from the internet.
I cannot ping the 216.209.3.225/28 network (the one behind the router) from the internet.
I can ping the internal machine from the router.
I can ping the router from the internal machine.
I would appreciate it if you could please give me some hint as to what I am doing wrong here.
Thank you,
-Jai
On 10/2/07, Peter McGill <petermcgill at goco.net> wrote:
The first method should work, and more easily, because there is no NAT (Network Address Translation) to worry about.
There is no reason the FORWARD rules wouldn't work on public IPs; I don't think they care at all what IP you give.
Make sure you don't use MASQUERADE, SNAT or DNAT rules.
-A adds the rules to the end of the chain; are there any earlier rules that might block the public traffic?
iptables -t filter -n -v -L
iptables -t nat -n -v -L
iptables -t mangle -n -v -L
These will show you all your firewall rule details.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Jai Rangi
Sent: October 2, 2007 2:56 AM
To: users at openswan.org
Subject: [Openswan Users] Firewall,Routing and Tunneling between public networks
Hello List,
I am trying to set up a Linux server as a router/firewall and set up SIP tunneling between two public networks.
My diagram will be something like this:
Internet <-----> Linux Router <--------------> My Internal Network with Public IPs.
Say my network IPs are 216.209.14.192/26.
I tried this setup:
Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 216.209.14.198 <------> My servers connected through a switch with IPs 216.209.14.199-254 with Default Gateway 216.209.14.198.
This setup did not work.
If I do this:
Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 192.168.1.1 <------> My servers connected through a switch with IPs 192.168.1.199-254 with Default Gateway 192.168.1.1.
I can go out through ip forwarding like this...
iptables -P FORWARD DROP
iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
These rules do not work with public IPs.
My other questions are:
1. Can I use racoon for SIP tunneling? Is there any limit on the number of sessions? I bought a Juniper router and found out that the router supports only 16 channels. I need to support at least 400 SIP channels.
2. I have seen a lot of documentation on setting up masquerading and IP forwarding. I made it work, but that does not solve my purpose. I need to assign public IPs to my machines behind the router so that the outside world can access those machines through the router directly.
3. I need to have tunneling with one service provider for network 56.211.34.23/27. For the rest of the world I want the traffic to go through the router without any modification. I might want to add some firewall rules later for some specific ports.
I would appreciate it if someone could give me some lead on how I can achieve this.
Thank you,
JP