[Openswan Users] Firewall, Routing and Tunneling between public networks

Jai Rangi jprangi at gmail.com
Fri Oct 5 15:25:10 EDT 2007


Peter,
I think this is the case and this is what I have been wondering all the
time.
" But your ISP router might not be forwarding to your internal subnet
gateways correctly thinking you have just one large subnet that they've
assigned you. "

Now considering my ISP thinks that we have just one large subnet: can I use a
Linux box and put it in front of my whole network, so that this Linux box just acts
like a firewall, and we set up our IPSec tunneling with one provider and let
the traffic pass through for the others?
Traffic comes in on eth0 and goes out to a switch for my network. Traffic comes in on
eth1 from the switch and goes out on eth0 to the internet.

I need another suggestion between a linux/racoon/ipsec solution vs. buying a
Cisco or Juniper firewall.
We are a VoIP company, so uptime of this firewall/tunnel is very, very
important. Should we go with the Linux/Racoon solution or should we buy the more
expensive Cisco solution?

Is racoon mature enough that we configure it once and then we just forget
about it, assuming that it will never break?

Thank you,
-Jai

On 10/4/07, Peter McGill <petermcgill at goco.net> wrote:
>
>  Ok, so if all your internal communication with your various subnets is
> working and the only thing lacking is internet communication,
> it may be your ISP router. Since you're subdividing the subnet given by your
> ISP, all traffic should get to your ISP router, no problem there.
> But your ISP router might not be forwarding to your internal subnet
> gateways correctly thinking you have just one large subnet that they've
> assigned you.
> I suggest either telling your ISP about your subnetting scheme with
> gateways so they can correctly forward inbound traffic to your subnet
> gateways,
> or else ask them to forward all traffic to a single machine that you
> control that is directly connected to the ISP router.
> Then set up the routing on that machine to forward all your internal
> traffic correctly. The first option results in fewer router hops/less network
> delay, but
> the second option allows you to more easily reconfigure your internal
> subnets without contacting your ISP.
>
> Peter McGill
>
>
>  ------------------------------
> *From:* Jai Rangi [mailto:jprangi at gmail.com]
> *Sent:* October 4, 2007 1:08 AM
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Firewall,Routing and Tunneling between
> public networks
>
> Peter,
> Thank you for looking in this.
> I restarted my machine and now I am able to ping from the 216.209.3.192/27 network, if I define the routing table. In another server,
> 216.209.3.201, I add the rule in the routing table.
> 206.216.3.224   206.216.3.212   255.255.255.240 UG    0      0        0 eth0
> 206.216.3.192   *               255.255.255.192 U     0      0        0 eth0
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> default         206.216.3.193   0.0.0.0         UG    0      0        0 eth0
>
> I can ping 216.209.3.235 from 216.209.2.201 and vice versa
>
> Internet router  <--->  ( 206.216.3.192/26 network and router is one of
> them 206.216.3.212)  206.216.3.224/28 is behind the router.
> So this works.
> 206.216.3.201  ---- router 206.216.3.212 (eth0) 206.216.3.225 (eth1) -----
> 206.216.3.224.235 with gateway 216.209.3.225
>
> But when I try to ping something on the internet from 206.216.3.235, it seems the
> traffic goes out but does not find the way to come back. This is what I get
> from tcpdump on my router:
> [root at bser2 sysconfig]# tcpdump  | grep "235\|158"
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 22:04:01.092356 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499
> 22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40
> 22:04:03.105939 IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain:  43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)
> 22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
> 22:04:03.158959 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535
> 22:04:03.158972 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3277 win 12168
> 22:04:04.101588 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168
> 22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain:  1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
> 22:04:04.556305 IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa:  1587- 0/5/1 (154)
> 22:04:08.472526 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23297, length 40
> 22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
> 22:04:13.480338 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23553, length 40
> 22:04:13.492228 arp who-has 216.209.3.235 tell 216.209.3.194
> 22:04:15.475158 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168
> 22:04:18.488138 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23809, length 40
> 22:04:18.499693 arp who-has 216.209.3.235 tell 216.209.3.194
>
>
> Is your windows firewall enabled or configured to allow the traffic you
> want to allow?
> Windows firewall has a pretty strict default configuration on XP SP2 and
> up.
> My Windows firewall is open and I can ping that from my router.
>
> Is forwarding enabled in your kernel?
> cat /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_forward
> Yes
>
> Does your internet router 216.209.3.193 know to forward traffic for
> 216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route for
> .224/28)?
> OK, this might be the case, because 216.209.3.193 is managed by my internet
> service provider. They have given me a cable that goes into one of my switches.
> My network from the ISP is 216.209.3.192/26, which I was subdividing to build
> my Linux router.
> 216.209.3.192/27 outside of the router and 219.209.3.224/28 behind the router.
>
>
>
> Is your internet router's firewall configured also to allow this traffic
> through it?
>
> Yes, I am getting traffic for all my other IPs.
> Do you have any iptables mangle or nat rules, you only showed your filter
> (default) table?
>
> No mangle and no NAT:
>
> [root at bser2 ~]# iptables -t mangle -L -n -v
> Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> [root at bser2 ~]# iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
>
>
> On 10/3/07, Peter McGill <petermcgill at goco.net> wrote:
> >
> >  It doesn't look like an iptables/firewall issue, since your chains seem
> > to accept everything they need to.
> > However you can check your log for dropped packets to be sure.
> > grep 'kernel: IN=' /var/log/*
> > If you see any packets in there that match packets you want to allow
> > then there is a misconfiguration.
> >
> > According to your ifconfig and route, you are doing this:
> > Public Internet Interface: eth0
> > IP Address: 216.209.3.212
> > Network: 216.209.3.192/27
> >     Netmask: 255.255.255.224
> >     IP Address Range: 216.209.3.193-216.209.3.223
> > Gateway: 216.209.3.193
> >
> > LAN Interface: eth1
> > IP Address: 216.209.3.225
> > Network: 216.209.3.224/28
> >     Netmask: 255.255.255.240
> >     IP Address Range: 216.209.3.225-216.209.239
> > Gateway: 216.209.3.225
> > This looks correct also matching your text description and your Windows
> > network configuration also looks correct.
> >
> > Is your windows firewall enabled or configured to allow the traffic you
> > want to allow?
> > Windows firewall has a pretty strict default configuration on XP SP2 and
> > up.
> >
> > Is forwarding enabled in your kernel?
> > cat /proc/sys/net/ipv4/ip_forward
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > Does your internet router 216.209.3.193 know to forward traffic for
> > 216.209.3.224/28 to 216.209.3.212 (ie. use .212 as gateway/route for
> > .224/28)?
> > Is your internet router's firewall configured also to allow this traffic
> > through it?
> >
> > Do you have any iptables mangle or nat rules, you only showed your
> > filter (default) table?
> >
> >
> > Peter McGill
> >
> >
> >  ------------------------------
> > *From:* Jai Rangi [mailto:jprangi at gmail.com]
> > *Sent:* October 3, 2007 2:05 AM
> > *To:* petermcgill at goco.net
> > *Cc:* users at openswan.org
> > *Subject:* Re: [Openswan Users] Firewall,Routing and Tunneling between
> > public networks
> >
> >  Hello,
> >
> > I am running FC5 on my router. I have a feeling that I am missing some
> > thing really simple, but now I am ready to pull my hair out if I don't get the
> > solution....  At this point my first target is to set up my Linux box as a
> > router, and my machines behind the router with public IPs should be available
> > to the outside world. Below is my configuration.
> >
> > [root at bser2 sysconfig]# iptables -L -n -v
> > Chain INPUT (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> >    45  3944 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpts:6000:65535
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpts:2048:5799
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpts:6000:65535
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpt:53
> >     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.0/24      udp dpt:53
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpt:53
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.0/24      tcp dpt:53
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpt:80
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpt:443
> >     0     0 ACCEPT     all  --  *      *       216.209.3.192/26     0.0.0.0/0
> >     0     0 ACCEPT     all  --  *      *       216.209.3.192/26     216.209.3.192/26
> >     0     0 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.2.0/24
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            255.255.255.255
> >     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> >
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain spoof (0 references)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '
> >     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > [root at bser2 sysconfig]#
> > [root at bser2 sysconfig]# ifconfig eth0
> > eth0      Link encap:Ethernet  HWaddr 00:15:C5:EB:68:D0
> >           inet addr:216.209.3.212  Bcast:216.209.3.223  Mask:255.255.255.224
> >           inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:23087 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:2280064 (2.1 MiB)  TX bytes:5351240 (5.1 MiB)
> >           Interrupt:16 Memory:f4000000-f4011100
> >
> > [root at bser2 sysconfig]# ifconfig eth1
> > eth1      Link encap:Ethernet  HWaddr 00:15:C5:EB:68:CE
> >           inet addr:216.209.3.225  Bcast:216.209.3.239  Mask:255.255.255.240
> >           inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:6479 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:3309716 (3.1 MiB)  TX bytes:612572 (598.2 KiB)
> >           Interrupt:16 Memory:f8000000-f8011100
> >
> > [root at bser2 sysconfig]# route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 216.209.3.224   216.209.3.225   255.255.255.240 UG    0      0        0 eth1
> > 216.209.3.192   *               255.255.255.224 U     0      0        0 eth0
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> > default         216.209.3.193   0.0.0.0         UG    0      0        0 eth0
> > [root at bser2 sysconfig]#
> >
> > I think I am missing something in my routing table.
> >
> > So my networks are
> >
> > Internet <---------->  ( 216.209.3.192/27, GW 216.209.3.193 on Eth0 and
> > 216.209.3.225 on eth1) <-----------> <Network behind the router
> > 216.209.3.224/28 >
> >
> >
> > Internet configuration for internal machines is
> >
> > C:\Documents and Settings\Jai Rangi>ipconfig
> >
> > Windows IP Configuration
> >
> >
> > Ethernet adapter Local Area Connection:
> >
> >         Connection-specific DNS Suffix  . :
> >         IP Address. . . . . . . . . . . . : 216.209.3.235
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.240
> >         Default Gateway . . . . . . . . . : 216.209.3.225
> >
> > C:\Documents and Settings\Jai Rangi>
> >
> > I can ping from the internet to the 216.209.3.192/27 network.
> > I cannot ping the 216.209.3.225/28 network from the internet, which is behind
> > internet.
> > I can ping the internal machine from the router.
> > I can ping the router from the internal machine.
> >
> >
> > I will appreciate it if you can please give me some hint about what I am doing
> > wrong here.
> >
> > Thank you,
> > -Jai
> >
> >
> >
> >
> >
> > On 10/2/07, Peter McGill <petermcgill at goco.net> wrote:
> > >
> > >  The first method should work, and works more easily because there is no NAT
> > > (Network Address Translation) to worry about.
> > > No reason the FORWARD rules wouldn't work on Public IPs, I don't think
> > > they care at all what IP you give.
> > > Make sure you don't use MASQUERADE, SNAT or DNAT rules.
> > > -A adds the rules to the end of the chain, are there any earlier rules
> > > that might block the public traffic?
> > > iptables -t filter -n -v -L
> > > iptables -t nat -n -v -L
> > > iptables -t mangle -n -v -L
> > > Will show you all your firewall rule details.
> > >
> > > Peter McGill
> > >
> > >
> > >  ------------------------------
> > > *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> > > *On Behalf Of *Jai Rangi
> > > *Sent:* October 2, 2007 2:56 AM
> > > *To:* users at openswan.org
> > > *Subject:* [Openswan Users] Firewall,Routing and Tunneling between
> > > public networks
> > >
> > >  Hello List,
> > > I am trying to set up a linux server as a router/firewall and set up a
> > > SIP tunneling between two public networks.
> > > My Diagram will be something like this
> > > Internet <-----> Linux Router <--------------> My Internal Network
> > > with Public IPs.
> > > Say My Network IPs are 216.209.14.192/26
> > > I tried this setup.
> > >
> > > Internet <----> 216.209.14.197 (ExtIP <- Default Gateway
> > > 216.209.14.193 Router -> Internal IP) 216.209.14.198 <------> My
> > > Servers connected through a switch with IPs 216.209.14.199-254 with
> > > Default Gateway 216.209.14.198.
> > > This set up did not work.
> > >
> > > If I do this
> > > Internet <----> 216.209.14.197 (ExtIP <- Default Gateway
> > > 216.209.14.193 Router -> Internal IP) 192.168.1.1 <------> My Servers
> > > connected through a switch with IPs 192.168.1.199-254 with Default
> > > Gateway 192.168.1.1.
> > >
> > > I can go out through ip forwarding like this...
> > > iptables -P FORWARD DROP
> > > iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
> > > iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT
> > >
> > > These rules do not work with public IPs.
> > >
> > > My Other Questions are
> > > 1. Can I use racoon for SIP tunneling? Is there any limit on the number of
> > > sessions? I bought a Juniper router and found out that the router supports only
> > > 16 channels. I need to support at least 400 SIP channels.
> > > 2. I have seen a lot of documentation on setting up masquerading and IP
> > > forwarding. I made it work but that does not solve my purpose. I need to
> > > assign public IPs to my machines behind the router so that the outside world
> > > can access those machines through the router directly.
> > > 3. I need to have tunneling with one service provider for network
> > > 56.211.34.23/27. For rest of the world I want the traffic to go
> > > through the router without any modification. I might want to add some
> > > firewall rules later for some specific port.
> > >
> > > I will appreciate it if someone can give me some lead on how I can
> > > achieve this.
> > >
> > > Thank you,
> > > JP
> > >
> > >
> >
>
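The diagnosis Peter McGill arrives at above (the ISP router carries only the assigned /26, so it treats the inside /28 as directly connected and never routes it via .212) shows up in Jai's tcpdump as repeated "arp who-has 216.209.3.235" requests on the outside segment that nobody can answer. The following script is an added example, not code from the thread or from Openswan: it checks whether an inside prefix is hidden inside the ISP prefix and scans capture lines for ARP requests from the outside segment that ask for inside addresses, which is exactly the evidence to collect before asking the ISP for a route. The address plan (216.209.3.192/26 split into /27 and /28, router outside address 216.209.3.212) is taken from the thread; the capture excerpt is constructed to resemble Jai's and the last line of it is made up to show a non-matching request.

```python
import ipaddress
import re

# Address plan from the thread: the ISP assigns one /26 and the Linux router
# subdivides it into an outside /27 (eth0) and an inside /28 (eth1).
ISP_PREFIX = ipaddress.ip_network("216.209.3.192/26")
OUTSIDE_NET = ipaddress.ip_network("216.209.3.192/27")   # eth0 side
INSIDE_NET = ipaddress.ip_network("216.209.3.224/28")    # eth1 side
ROUTER_OUTSIDE_ADDR = ipaddress.ip_address("216.209.3.212")

# Constructed tcpdump excerpt modelled on the one in the thread. The inside host
# sends ICMP out; a device on the outside segment keeps ARPing for that inside
# address instead of routing to .212. The final line (an ARP for an outside
# address) is made up to show a request that must NOT be flagged.
SAMPLE_CAPTURE = """\
22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40
22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain: 1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:09.000000 arp who-has 216.209.3.201 tell 216.209.3.193
"""

ARP_RE = re.compile(r"arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def inside_hidden_by_isp_prefix(isp, inside):
    """True when the inside prefix sits within the ISP prefix. An upstream
    router that only carries the ISP prefix then treats inside hosts as
    directly connected and ARPs for them instead of routing to our box."""
    return inside.subnet_of(isp)


def misdirected_arps(capture, outside, inside):
    """Return (target, asker) pairs for ARP requests seen on the outside
    segment that ask for an address the router serves behind eth1. No host on
    that segment owns the address, so the request is never answered and the
    upstream router has nowhere to deliver the return traffic."""
    events = []
    for line in capture.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        target = ipaddress.ip_address(m.group(1))
        asker = ipaddress.ip_address(m.group(2))
        if target in inside and asker in outside:
            events.append((str(target), str(asker)))
    return events


def diagnose(capture, isp=ISP_PREFIX, outside=OUTSIDE_NET, inside=INSIDE_NET,
             router_addr=ROUTER_OUTSIDE_ADDR):
    """Combine the address-plan check with the capture evidence and restate the
    two remedies given in the thread: the ISP adds a route for the inside
    prefix via the router, or hands the whole prefix to one box we control."""
    hidden = inside_hidden_by_isp_prefix(isp, inside)
    events = misdirected_arps(capture, outside, inside)
    missing = hidden and bool(events)
    if missing:
        advice = (f"Upstream has no route for {inside} via {router_addr}: either "
                  f"ask the ISP to add that route, or have them forward all of "
                  f"{isp} to one machine you control and route internally.")
    else:
        advice = "No evidence of the upstream treating the inside prefix as on-link."
    return {
        "inside_within_isp_prefix": hidden,
        "misdirected_arps": events,
        "upstream_route_missing": missing,
        "advice": advice,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Feed it the output of `tcpdump -n -i eth0 arp` from the router's outside interface: if every ARP request for an inside address comes from an outside-segment address and none is ever answered, the problem is the upstream route, not iptables or the inside hosts' firewalls, and the script's advice is the request to put to the ISP.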