[Openswan Users] Firewall, Routing and Tunneling between public networks
Jai Rangi
jprangi at gmail.com
Thu Oct 4 01:08:26 EDT 2007
Peter,
Thank you for looking in this.
I restarted my machine and now I am able to ping from
216.209.3.192/27network, if I define the routing table. In another
server
216.209.3.201, I add the rule in the routing table.
206.216.3.224 206.216.3.212 255.255.255.240 UG 0 0 0 eth0
206.216.3.192 * 255.255.255.192 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 206.216.3.193 0.0.0.0 UG 0 0 0 eth0
I can ping 216.209.3.235 from 216.209.2.201 and vise versa
Internet router <---> (206.216.3.192/26 network and router is one of them
206.216.3.212) 206.216.3.224/28 is behind the router.
So this works.
206.216.3.201 ---- router 206.216.3212 (eth0) 206.216.3.225(eth1) -----
206.216.3.224.235 with gateway 216.209.3.225
But when I try ping something on internet from 206.216.3.235. Seems the
traffic goes out but does not find the way to come back. This is what I get
from tcpdump on my router..
[root at bser2 sysconfig]# tcpdump | grep "235\|158"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:04:01.092356 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms >
bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499
22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo
request, id 512, seq 23041, length 40
22:04:03.105939 IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain:
43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)
22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:03.158959 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms >
bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535
22:04:03.158972 IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3277 win 12168
22:04:04.101588 IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168
22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain:
1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
22:04:04.556305 IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa:
1587- 0/5/1 (154)
22:04:08.472526 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo
request, id 512, seq 23297, length 40
22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:13.480338 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo
request, id 512, seq 23553, length 40
22:04:13.492228 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:15.475158 IP bser2.bingotelecom.com.24646 >
ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168
22:04:18.488138 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo
request, id 512, seq 23809, length 40
22:04:18.499693 arp who-has 216.209.3.235 tell 216.209.3.194
Is your windows firewall enabled or configured to allow the traffic you want
to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
My Windows firewall is open and I can ping that from my router.
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Yes
Does your internet router 216.209.3.193 know to forward traffic for
216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route for
.224/28)?
OK, This might be the case, cause 216.209.3.19 <http://216.209.3.193/>3 is
managed by my internet service provider. They have given me a cable that
goes in one of my switch. My network from ISP is 216.209.3.192/26, which I
was sub dividing to build my Linux router.
216.209.3.192/27 outside of router and 219.209.3.224/28 behind the router.
Is your internet router's firewall configured also to allow this traffic
through it?
Yes, I am getting traffic for my all other IPs
Do you have any iptables mangle or nat rules, you only showed your filter
(default) table?
No, Mangle and NO Nat,
[root at bser2 ~]# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
pkts bytes target prot opt in out source
destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
[root at bser2 ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
On 10/3/07, Peter McGill <petermcgill at goco.net > wrote:
>
> It doesn't look like an iptables/firewall issue, since your chains seem
> to accept everything it needs to.
> However you can check your log for dropped packets to be sure.
> grep 'kernel: IN=' /var/log/*
> If you see any packets in there that match packets you want to allow then
> there is a misconfiguration.
>
> According to your ifconfig and route, you are doing this:
> Public Internet Interface: eth0
> IP Address: 216.209.3.212
> Network: 216.209.3.192/27
> Netmask: 255.255.255.224
> IP Address Range: 216.209.3.193-216.209.3.223
> Gateway: 216.209.3.193
>
> LAN Interface: eth1
> IP Address: 216.209.3.225
> Network: 216.209.3.224/28
> Netmask: 255.255.255.240
> IP Address Range: 216.209.3.225-216.209.239
> Gateway: 216.209.3.225
> This looks correct also matching your text description and your Windows
> network configuration also looks correct.
>
> Is your windows firewall enabled or configured to allow the traffic you
> want to allow?
> Windows firewall has a pretty strict default configuration on XP SP2 and
> up.
>
> Is forwarding enabled in your kernel?
> cat /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Does your internet router 216.209.3.193 know to forward traffic for
> 216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route for
> .224/28)?
> Is your internet router's firewall configured also to allow this traffic
> through it?
>
> Do you have any iptables mangle or nat rules, you only showed your filter
> (default) table?
>
>
> Peter McGill
>
>
> ------------------------------
> *From:* Jai Rangi [mailto:jprangi at gmail.com]
> *Sent:* October 3, 2007 2:05 AM
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Firewall,Routing and Tunneling between
> public networks
>
> Hello,
>
> I am running FC5 on my router. I have feeling the I am missing some thing
> really simple btu now I am ready to pull my hairs if I don't get the
> solution.... At this point my first target to setup my Linux box as a
> router and my machines behind the router with Public IP should be available
> to the outside world. Below are my configuration.
>
> [root at bser2 sysconfig]# iptables -L -n -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 4 336 ACCEPT icmp -- * * 0.0.0.0/0
> 0.0.0.0/0
> 45 3944 ACCEPT tcp -- * * 0.0.0.0/0
> 216.209.3.192/26 tcp dpts:6000:65535
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 216.209.3.192/26 udp dpts:2048:5799
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 216.209.3.192/26 udp dpts:6000:65535
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 216.209.3.192/26 udp dpt:53
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
> 192.168.2.0/24 udp dpt:53
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 216.209.3.192/26 tcp dpt:53
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 192.168.2.0/24 tcp dpt:53
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 216.209.3.192/26 tcp dpt:80
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
> 216.209.3.192/26 tcp dpt:443
> 0 0 ACCEPT all -- * * 216.209.3.192/26
> 0.0.0.0/0
> 0 0 ACCEPT all -- * * 216.209.3.192/26
> 216.209.3.192/26
> 0 0 ACCEPT all -- * * 192.168.2.0/24
> 192.168.2.0/24
> 0 0 ACCEPT all -- * * 0.0.0.0/0 255.255.255.255
>
> 0 0 ACCEPT all -- lo * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain spoof (0 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing:
> '
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
> [root at bser2 sysconfig]#
> [root at bser2 sysconfig]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:15:C5:EB:68:D0
> inet addr:216.209.3.212 Bcast: 216.209.3.223 Mask:
> 255.255.255.224
> inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:23087 errors:0 dropped:0 overruns:0 frame:0
> TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1 MiB)
> Interrupt:16 Memory:f4000000-f4011100
>
> [root at bser2 sysconfig]# ifconfig eth1
> eth1 Link encap:Ethernet HWaddr 00:15:C5:EB:68:CE
> inet addr:216.209.3.225 Bcast: 216.209.3.239 Mask:
> 255.255.255.240
> inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:6479 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2 KiB)
> Interrupt:16 Memory:f8000000-f8011100
>
> [root at bser2 sysconfig]# route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use
> Iface
> 216.209.3.224 216.209.3.225 255.255.255.240 UG 0 0 0
> eth1
> 216.209.3.192 * 255.255.255.224 U 0 0 0
> eth0
> 169.254.0.0 * 255.255.0.0 U 0 0 0
> eth1
> default 216.209.3.193 0.0.0.0 UG 0 0 0
> eth0
> [root at bser2 sysconfig]#
>
> I think I am missing something in my routing table.
>
> So my network are
>
> Internet <----------> ( 216.209.3.192/27, GW 216.209.3.193 on Eth0 and
> 216.209.3.225 on eth1) <-----------> <Network behind the router
> 216.209.3.224/28 >
>
>
> Inernet configuration for internal machines are
>
> C:\Documents and Settings\Jai Rangi>ipconfig
>
> Windows IP Configuration
>
>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> IP Address. . . . . . . . . . . . : 216.209.3.235
> Subnet Mask . . . . . . . . . . . : 255.255.255.240
> Default Gateway . . . . . . . . . : 216.209.3.225
>
> C:\Documents and Settings\Jai Rangi>
>
> I can ping from internet to 216.209.3.192/27 network.
> I can not ping 216.209.3.225/28 network from internet which is behind
> internet.
> I can ping internal machine from router.
> I can ping router from internal machine.
>
>
> I will appreciate if you can please give me some hint what I am doing
> wrong here.
>
> Thank you,
> -Jai
>
>
>
>
>
> On 10/2/07, Peter McGill <petermcgill at goco.net> wrote:
> >
> > First method should work, and work easier because there is no NAT
> > (Network Address Translation) to worry about.
> > No reason the FORWARD rules wouldn't work on Public IPs, I don't think
> > they care at all what IP you give.
> > Make sure you don't use MASQUERADE, SNAT or DNAT rules.
> > -A adds the rules to the end of the chain, are there any earlier rules
> > that might block the public traffic?
> > iptables -t filter -n -v -L
> > iptables -t nat -n -v -L
> > iptables -t mangle -n -v -L
> > Will show you all your firewall rule details.
> >
> > Peter McGill
> >
> >
> > ------------------------------
> > *From:* users-bounces at openswan.org [mailto: users-bounces at openswan.org]
> > *On Behalf Of *Jai Rangi
> > *Sent:* October 2, 2007 2:56 AM
> > *To:* users at openswan.org
> > *Subject:* [Openswan Users] Firewall,Routing and Tunneling between
> > public networks
> >
> > Hello List,
> > I am trying to set up a linux server as a router/firewall and set up a
> > SIP tunneling between two public networks.
> > My Diagram will be something like this
> > Internet <-----> Linux Router <--------------> My Internal Network with
> > Public IPs.
> > Say My Network IPs are 216.209.14.192/26
> > I tried this setup.
> >
> > Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193Router -> Internal IP)
> > 216.209.14.198 <------> My Servers connected through a switch with IPs
> > 216.209.14.199-254 with Default Gateway 216.209.14.198.
> > This set up did not work.
> >
> > If I do this
> > Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193Router -> Internal IP)
> > 192.168.1.1 <------> My Servers connected through a switch with IPs
> > 192.168.1.199-254 with Default Gateway 192.168.1.1.
> >
> > I can go out through ip forwarding like this...
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
> > iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
> >
> > These rules does not work with public IPs.
> >
> > My Other Questions are
> > 1. Can I use racoon for SIP tunneling, is there any limit on number of
> > sessions. Bought a juniper router and found out that the router supports on
> > 16 channels. I need to support at least 400 SIP channels.
> > 2. I have seen a lot of documentation of setting up Masquarding and IP
> > Forwarding. I made it work but that does not solve my purpose. I need to
> > assign Public IP to the my machines behind the router so that outside world
> > can access those machines through router directly.
> > 3. I need to have tunneling with one service provider for network
> > 56.211.34.23/27. For rest of the world I want the traffic to go through
> > the router without any modification. I might want to add some firewall rules
> > later for some specific port.
> >
> > I will appreciate if some one can give me some lead on how can I achieve
> > this.
> >
> > Thank you,
> > JP
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071003/4019977a/attachment-0001.html
More information about the Users
mailing list