[Openswan Users] Firewall, Routing and Tunneling between public networks
Peter McGill
petermcgill at goco.net
Thu Oct 4 10:40:33 EDT 2007
Ok, so if all your internal communication with your various subnets is working and the only thing lacking is internet communication, it may be your ISP router. Since you're subdividing the subnet given by your ISP, all traffic should get to your ISP router, no problem there.
But your ISP router might not be forwarding to your internal subnet gateways correctly, thinking you have just one large subnet that they've assigned you.
I suggest either telling your ISP about your subnetting scheme with gateways so they can correctly forward inbound traffic to your subnet gateways, or else asking them to forward all traffic to a single machine that you control that is directly connected to the ISP router. Then set up the routing on that machine to forward all your internal traffic correctly. The first option results in fewer router hops and less network delay, but the second option allows you to more easily reconfigure your internal subnets without contacting your ISP.
Peter McGill
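The ARP lines in Jai's tcpdump below ("arp who-has 216.209.3.235 tell 216.209.3.194", repeated after every echo request that leaves .235) are the signature of the diagnosis above: the upstream router treats the whole /26 as directly connected and looks for .235 on the outside segment instead of routing .224/28 via .212, so the echo requests go out but nothing can come back. The script that follows is an added example for this thread, not code from it or from Openswan: it checks a capture for that symptom and shows the local remedy (proxy ARP on the outside interface, not mentioned in the thread) next to the ISP-side one (a static route). Interface names, the address block and the sample capture lines are assumptions modelled on the thread.

```sh
#!/bin/sh
# Added example for this thread, not code from it: read a tcpdump capture taken
# on the router's outside interface and report ARP requests whose target lives
# in the /28 behind the router. If the upstream router sends them, it treats the
# whole /26 as on-link and never routes .224/28 via .212, so the reply path dies
# at the ARP stage even though the echo requests leave normally.
#
# Assumptions: outside interface eth0, inner block 216.209.3.224/28, upstream
# router 216.209.3.193/.194, as in the thread. Real use on the router:
#   tcpdump -n -i eth0 arp | misdirected_arp 216.209.3.224 28

# Constructed sample modelled on the thread's capture (not a live capture); the
# last two lines add a request for an outer-/27 host and a newer tcpdump format.
SAMPLE='22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40
22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain: 1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:09.000001 arp who-has 216.209.3.201 tell 216.209.3.194
22:04:10.000002 ARP, Request who-has 216.209.3.230 tell 216.209.3.193, length 28'

# ip_to_int DOTTED: print the IPv4 address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_block IP NET PREFIXLEN: succeed when IP is inside NET/PREFIXLEN.
in_block() {
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "$2")
    mask=$(( 4294967296 - (1 << (32 - $3)) ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# misdirected_arp NET PREFIXLEN: from tcpdump lines on stdin, print
# "<target> <asker>" for each ARP request whose target is inside NET/PREFIXLEN.
# Both the old "arp who-has X tell Y" and the newer "ARP, Request who-has X
# tell Y, length N" output formats are handled.
misdirected_arp() {
    want_net=$1
    want_len=$2
    sed -n 's/.*who-has \([0-9][0-9.]*\).* tell \([0-9][0-9.]*\).*/\1 \2/p' |
    while read -r target asker; do
        if in_block "$target" "$want_net" "$want_len"; then
            printf '%s %s\n' "$target" "$asker"
        fi
    done
}

# Two remedies for what misdirected_arp reports. Peter's option 1 is a static
# route on the ISP side: "216.209.3.224/28 via 216.209.3.212". The local
# alternative, not mentioned in the thread, is proxy ARP on the outside
# interface: the router then answers "who-has .235" with its own MAC because it
# holds a route to .224/28 via eth1. Run as root on the router; not run here.
enable_proxy_arp() {
    echo 1 > /proc/sys/net/ipv4/conf/"$1"/proxy_arp
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Stand-alone run over the sample: .235 twice and .230 once; .201 is in the
# outer /27 and really is on-link for the asker, so it is not reported.
printf '%s\n' "$SAMPLE" | misdirected_arp 216.209.3.224 28 | sort | uniq -c
```

If the ISP adds the static route, the ARP requests for .224/28 stop on their own; with proxy ARP, they keep appearing but now get an answer from the router's eth0 MAC, which is easy to confirm with the same tcpdump filter.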
_____
From: Jai Rangi [mailto:jprangi at gmail.com]
Sent: October 4, 2007 1:08 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks
Peter,
Thank you for looking in this.
I restarted my machine and now I am able to ping from the 216.209.3.192/27 network, if I define the routing table. On another server, 216.209.3.201, I add the rule in the routing table:
206.216.3.224 206.216.3.212 255.255.255.240 UG 0 0 0 eth0
206.216.3.192 * 255.255.255.192 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 206.216.3.193 0.0.0.0 UG 0 0 0 eth0
I can ping 216.209.3.235 from 216.209.2.201 and vice versa.
Internet router <---> ( 206.216.3.192/26 network and router is one of them 206.216.3.212)
206.216.3.224/28 is behind the router.
So this works.
206.216.3.201 ---- router 206.216.3.212 (eth0) 206.216.3.225 (eth1) ----- 206.216.3.224.235 with gateway 216.209.3.225
But when I try to ping something on the internet from 206.216.3.235, it seems the traffic goes out but does not find the way to come back.
This is what I get from tcpdump on my router:
[root at bser2 sysconfig]# tcpdump | grep "235\|158"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:04:01.092356 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499
22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40
22:04:03.105939 IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain: 43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)
22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:03.158959 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535
22:04:03.158972 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3277 win 12168
22:04:04.101588 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168
22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain: 1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
22:04:04.556305 IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa: 1587- 0/5/1 (154)
22:04:08.472526 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23297, length 40
22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:13.480338 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23553, length 40
22:04:13.492228 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:15.475158 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168
22:04:18.488138 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23809, length 40
22:04:18.499693 arp who-has 216.209.3.235 tell 216.209.3.194
Is your windows firewall enabled or configured to allow the traffic you want to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
My Windows firewall is open and I can ping that from my router.
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Yes
Does your internet router 216.209.3.193 know to forward traffic for 216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route for .224/28)?
OK, this might be the case, because 216.209.3.193 is managed by my internet service provider. They have given me a cable that goes into one of my switches. My network from the ISP is 216.209.3.192/26, which I was subdividing to build my Linux router:
216.209.3.192/27 outside of the router and 216.209.3.224/28 behind the router.
Is your internet router's firewall configured also to allow this traffic through it?
Yes, I am getting traffic for all my other IPs.
Do you have any iptables mangle or nat rules, you only showed your filter (default) table?
No mangle and no NAT:
[root at bser2 ~]# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root at bser2 ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
On 10/3/07, Peter McGill <petermcgill at goco.net> wrote:
It doesn't look like an iptables/firewall issue, since your chains seem to accept everything it needs to.
However you can check your log for dropped packets to be sure.
grep 'kernel: IN=' /var/log/*
If you see any packets in there that match packets you want to allow then there is a misconfiguration.
According to your ifconfig and route, you are doing this:
Public Internet Interface: eth0
IP Address: 216.209.3.212
Network: 216.209.3.192/27
Netmask: 255.255.255.224
IP Address Range: 216.209.3.193-216.209.3.223
Gateway: 216.209.3.193
LAN Interface: eth1
IP Address: 216.209.3.225
Network: 216.209.3.224/28
Netmask: 255.255.255.240
IP Address Range: 216.209.3.225-216.209.3.239
Gateway: 216.209.3.225
This looks correct and matches your text description; your Windows network configuration also looks correct.
Is your windows firewall enabled or configured to allow the traffic you want to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Does your internet router 216.209.3.193 know to forward traffic for 216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route
for .224/28)?
Is your internet router's firewall configured also to allow this traffic through it?
Do you have any iptables mangle or nat rules, you only showed your filter (default) table?
Peter McGill
_____
From: Jai Rangi [mailto:jprangi at gmail.com]
Sent: October 3, 2007 2:05 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks
Hello,
I am running FC5 on my router. I have a feeling that I am missing something really simple, but now I am ready to pull my hair out if I don't get the solution.... At this point my first target is to set up my Linux box as a router, and my machines behind the router with public IPs should be available to the outside world. Below is my configuration.
[root at bser2 sysconfig]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
45 3944 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpts:6000:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:2048:5799
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpts:6000:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 216.209.3.192/26 udp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.0/24 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.0/24 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.209.3.192/26 tcp dpt:443
0 0 ACCEPT all -- * * 216.209.3.192/26 0.0.0.0/0
0 0 ACCEPT all -- * * 216.209.3.192/26 216.209.3.192/26
0 0 ACCEPT all -- * * 192.168.2.0/24 192.168.2.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0 255.255.255.255
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
pkts bytes target prot opt in out source destination
Chain spoof (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[root at bser2 sysconfig]#
[root at bser2 sysconfig]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:15:C5:EB:68:D0
inet addr:216.209.3.212 Bcast:216.209.3.223 Mask:255.255.255.224
inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23087 errors:0 dropped:0 overruns:0 frame:0
TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2280064 (2.1 MiB) TX bytes:5351240 (5.1 MiB)
Interrupt:16 Memory:f4000000-f4011100
[root at bser2 sysconfig]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:15:C5:EB:68:CE
inet addr:216.209.3.225 Bcast:216.209.3.239 Mask:255.255.255.240
inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6479 errors:0 dropped:0 overruns:0 frame:0
TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3309716 (3.1 MiB) TX bytes:612572 (598.2 KiB)
Interrupt:16 Memory:f8000000-f8011100
[root at bser2 sysconfig]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
216.209.3.224 216.209.3.225 255.255.255.240 UG 0 0 0 eth1
216.209.3.192 * 255.255.255.224 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 216.209.3.193 0.0.0.0 UG 0 0 0 eth0
[root at bser2 sysconfig]#
I think I am missing something in my routing table.
So my networks are:
Internet <----------> ( 216.209.3.192/27, GW 216.209.3.193 on Eth0 and 216.209.3.225 on eth1) <-----------> <Network behind the
router 216.209.3.224/28 >
Internet configuration for the internal machines is:
C:\Documents and Settings\Jai Rangi>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 216.209.3.235
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 216.209.3.225
C:\Documents and Settings\Jai Rangi>
I can ping from internet to 216.209.3.192/27 network.
I cannot ping the 216.209.3.225/28 network, which is behind the router, from the internet.
I can ping internal machine from router.
I can ping router from internal machine.
I would appreciate it if you could give me some hint as to what I am doing wrong here.
Thank you,
-Jai
On 10/2/07, Peter McGill <petermcgill at goco.net> wrote:
The first method should work, and is easier because there is no NAT (Network Address Translation) to worry about.
No reason the FORWARD rules wouldn't work on Public IPs, I don't think they care at all what IP you give.
Make sure you don't use MASQUERADE, SNAT or DNAT rules.
-A adds the rules to the end of the chain, are there any earlier rules that might block the public traffic?
iptables -t filter -n -v -L
iptables -t nat -n -v -L
iptables -t mangle -n -v -L
Will show you all your firewall rule details.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Jai Rangi
Sent: October 2, 2007 2:56 AM
To: users at openswan.org
Subject: [Openswan Users] Firewall,Routing and Tunneling between public networks
Hello List,
I am trying to set up a Linux server as a router/firewall and set up SIP tunneling between two public networks.
My diagram will be something like this:
Internet <-----> Linux Router <--------------> My Internal Network with Public IPs.
Say my network IPs are 216.209.14.192/26.
I tried this setup.
Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 216.209.14.198 <------> My Servers
connected through a switch with IPs 216.209.14.199-254 with Default Gateway 216.209.14.198.
This set up did not work.
If I do this
Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 192.168.1.1 <------> My Servers
connected through a switch with IPs 192.168.1.199-254 with Default Gateway 192.168.1.1.
I can go out through IP forwarding like this...
iptables -P FORWARD DROP
iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
These rules do not work with public IPs.
My other questions are:
1. Can I use racoon for SIP tunneling, and is there any limit on the number of sessions? I bought a Juniper router and found out that the router supports only 16 channels. I need to support at least 400 SIP channels.
2. I have seen a lot of documentation on setting up masquerading and IP forwarding. I made it work but that does not solve my purpose. I need to assign public IPs to my machines behind the router so that the outside world can access those machines through the router directly.
3. I need to have tunneling with one service provider for network 56.211.34.23/27. For the rest of the world I want the traffic to go through the router without any modification. I might want to add some firewall rules later for some specific ports.
I would appreciate it if someone can give me some lead on how I can achieve this.
Thank you,
JP
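The FORWARD rules in this post (and the two eth0<->eth1 ACCEPT rules in the later iptables listing) pass everything in both directions, so once routing works every host in the public /28 is exposed end to end, and the listing's 'spoof' chain has 0 references and therefore never runs. As an added example, not code from the thread or from Openswan, here is a stateful FORWARD policy for the no-NAT setup Peter recommends: it blocks spoofed sources in both directions, lets the inside out, and only admits published services from the Internet. Interface names and the address block follow the thread; the published ports (SIP on 5060, an RTP range) and the log prefixes are assumptions.

```sh
#!/bin/sh
# Added example for this thread, not code from it: the FORWARD policy for a
# Linux router that routes (does not NAT) a public /28, which is the setup the
# thread ends up with. forward_rules emits the iptables commands as text so
# they can be reviewed first; apply_forward_rules runs them.
#
# Assumptions: eth0 outside, eth1 inside, inner block 216.209.3.224/28 as in
# the thread; the published inbound services (SIP on 5060/tcp+udp and an RTP
# range of 10000-20000/udp) are illustrative only.
EXT_IF=eth0
INT_IF=eth1
INNER_NET=216.209.3.224/28
RTP_PORTS=10000:20000

forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# Anti-spoofing both ways; the thread's 'spoof' chain had 0 references, so it did nothing.
iptables -A FORWARD -i $EXT_IF -s $INNER_NET -m limit --limit 5/min -j LOG --log-prefix "Spoofing: "
iptables -A FORWARD -i $EXT_IF -s $INNER_NET -j DROP
iptables -A FORWARD -i $INT_IF ! -s $INNER_NET -j DROP
# Return traffic for connections opened from either side.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inside -> Internet: unrestricted.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INNER_NET -j ACCEPT
# Internet -> inside: only the published services, plus ping for troubleshooting.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INNER_NET -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INNER_NET -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INNER_NET -p tcp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INNER_NET -p udp --dport $RTP_PORTS -j ACCEPT
# Anything else from the Internet hits the DROP policy; log a sample of it.
iptables -A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# apply_forward_rules: execute the emitted commands (as root on the router).
# The kernel must also forward: echo 1 > /proc/sys/net/ipv4/ip_forward.
apply_forward_rules() {
    forward_rules | sh -e
}

# check_no_nat: fail if any translation target appears. Peter's first reply
# warns against MASQUERADE/SNAT/DNAT for routed public addresses: with NAT in
# the path the inside hosts would no longer be reachable on their own IPs.
check_no_nat() {
    case "$(forward_rules)" in
        *MASQUERADE*|*SNAT*|*DNAT*) return 1 ;;
    esac
    return 0
}

# rule_count: number of iptables commands emitted (comment lines excluded).
rule_count() {
    forward_rules | grep -c '^iptables '
}

# Stand-alone run: print the ruleset for review.
forward_rules
```

The anti-spoofing DROPs sit ahead of the ESTABLISHED,RELATED rule on purpose: a packet arriving on eth0 with an inside source address must never be matched against connection state. Dropped inbound traffic shows up in the kernel log with the "FWD-DROP:" prefix, which is what the `grep 'kernel: IN='` check in Peter's reply looks for.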