[Openswan Users] Firewall, Routing and Tunneling between public networks

Peter McGill petermcgill at goco.net
Fri Oct 5 16:08:53 EDT 2007


Switching to something other than your current hardware/OS/software will not change things.
The problem you have is with basic TCP/IP routing; this is the same no matter what hardware/software you use.
You must get your ISP to route traffic to your gateway or gateways, as I said before.
 
To explain in more detail.
Ask your ISP to add the following route to their router (216.209.3.193):
Destination: 216.209.3.192/26
Gateway: 206.216.3.212
 
Once this is done, all traffic returning from the internet will use your internal routes via .212,
and this will fix your traffic flow. It's that easy; now you just need to convince your ISP, which, if they're
any good, should not be difficult. Then just make sure .212 has appropriate routes for all subnets.
You may also need to reconfigure your computers on .192/27 to use .212 as their internet gateway.
i.e.)
Destination: 216.209.3.192/27
Gateway: 216.209.3.212 (eth0)
Destination: 216.209.3.224/28
Gateway: 216.209.3.225 (eth1)
Destination: 216.209.3.240/28
Gateway: ? ? (unallocated?)

 
Peter McGill
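The routing point made in the message above, worked through as an added example (this is not code from the thread or from Openswan): a plain longest-prefix-match lookup over routing tables reconstructed from the addresses quoted in the thread. The Linux router's table is the one printed by `route` further down (216.209.3.224/28 on eth1, 216.209.3.192/27 on eth0, default via .193). The ISP router's "before" table treats the customer /26 as one directly connected segment, which is what Peter infers; the "after" table adds the more specific route for 216.209.3.224/28 via .212 that he asked about earlier in the thread. Interface names, the upstream next hop, the layer-2 segments and the two sample hosts are constructed assumptions. In the "before" case the lookup ends in an ARP for .235 on the outer wire, which matches the `arp who-has 216.209.3.235` lines in the tcpdump capture quoted below.

```python
"""Longest-prefix-match walk-through of the routing problem in this thread.

Added example: tables are reconstructed from the addresses quoted in the
thread (216.209.3.192/26 split into .192/27 outside and .224/28 inside the
Linux router), not copied from any real router.  Interface names, the
upstream next hop, segment names and sample hosts are placeholders.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    iface: str


def make_table(rows):
    """Build a table from (prefix, gateway-or-None, iface) strings."""
    return [Route(ipaddress.ip_network(p),
                  ipaddress.ip_address(g) if g else None, i) for p, g, i in rows]


def lookup(table, dst):
    """Classic longest-prefix match.  Returns (next_hop, iface) or None.
    For a connected route the next hop is dst itself: the router ARPs for dst
    on that interface, which is what the capture in the thread shows."""
    if not isinstance(dst, ipaddress.IPv4Address):
        dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return (best.gateway if best.gateway is not None else dst, best.iface)


# The Linux router (bser2) as printed by `route` in the thread.
LINUX_ROUTER = make_table([
    ("216.209.3.224/28", None, "eth1"),
    ("216.209.3.192/27", None, "eth0"),
    ("0.0.0.0/0", "216.209.3.193", "eth0"),
])

# ISP router (216.209.3.193) as the thread infers it: the customer /26 is one
# connected segment and it knows nothing about the inside split.
ISP_BEFORE = make_table([
    ("216.209.3.192/26", None, "cust"),          # "cust": placeholder iface name
    ("0.0.0.0/0", "198.51.100.1", "uplink"),     # placeholder upstream (RFC 5737)
])

# Same router after the ISP adds a route for the inside /28: the more specific
# /28 beats the connected /26, so return traffic goes to .212 instead of being
# ARPed for on the outer wire.
ISP_AFTER = ISP_BEFORE + make_table([
    ("216.209.3.224/28", "216.209.3.212", "cust"),
])

# Constructed topology: L2 segment of each router interface, which router owns
# which address, and the segment each sample host lives on.
SEGMENT = {("isp", "cust"): "outer", ("bser2", "eth0"): "outer", ("bser2", "eth1"): "inner"}
OWNER = {"216.209.3.193": "isp", "216.209.3.212": "bser2", "216.209.3.225": "bser2"}
HOSTS = {"216.209.3.235": "inner", "216.209.3.201": "outer"}


def forward_path(dst, isp_table, start="isp"):
    """Follow an inbound packet hop by hop until it is delivered or dropped.
    Returns the list of hops; the last entry is the outcome."""
    tables = {"isp": isp_table, "bser2": LINUX_ROUTER}
    dst = ipaddress.ip_address(dst)
    node, path = start, [start]
    for _ in range(8):                       # loop guard
        hit = lookup(tables[node], dst)
        if hit is None:
            path.append("no route")
            return path
        next_hop, iface = hit
        if next_hop == dst:                  # connected: ARP for dst on this segment
            on_segment = HOSTS.get(str(dst)) == SEGMENT[(node, iface)]
            path.append(f"{iface}: delivered" if on_segment
                        else f"{iface}: ARP for {dst} unanswered")
            return path
        node = OWNER.get(str(next_hop))
        if node is None:
            path.append(f"next hop {next_hop} unreachable")
            return path
        path.append(node)
    path.append("loop")
    return path


if __name__ == "__main__":
    for label, table in (("before", ISP_BEFORE), ("after", ISP_AFTER)):
        print(label, "->", " > ".join(forward_path("216.209.3.235", table)))
```

Running it prints the two paths for a packet from the internet to 216.209.3.235: before the ISP route it dies in an unanswered ARP on the outer segment, after it goes ISP router, .212, eth1, delivered. Hosts on the outer /27 such as .201 are unaffected either way, which is consistent with Jai reporting that those addresses are reachable.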
 


  _____  

From: Jai Rangi [mailto:jprangi at gmail.com] 
Sent: October 5, 2007 3:25 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks


Peter, 
I think this is the case and this is what I have been wondering all the time. 
" But your ISP router might not be forwarding to your internal subnet gateways correctly thinking you have just one large subnet
that they've assigned you. "

Now, considering my ISP thinks that we have just one large subnet: can I use a Linux box and put it in front of my whole network, so this
Linux box just acts like a firewall, and we set up our IPsec tunneling with one provider and let the traffic pass through for the others?
Traffic comes in on eth0 and goes out to a switch for my network. Traffic comes in on eth1 from the switch and goes out eth0 to the
internet.

I need another suggestion: a Linux/racoon/IPsec solution vs. buying a Cisco or Juniper firewall.
We are a VoIP company, so uptime of this firewall/tunnel is very, very important. Should we go with the Linux/racoon solution, or should we
buy the more expensive Cisco solution?

Is racoon mature enough that we configure it once and then just forget about it, assuming that it will never break?

Thank you,
-Jai


On 10/4/07, Peter McGill <petermcgill at goco.net> wrote: 

Ok, so if all your internal communication with your various subnets is working and the only thing lacking is internet communication,
it may be your ISP router. Since you're subdividing the subnet given by your ISP, all traffic should get to your ISP router, no
problem there.
But your ISP router might not be forwarding to your internal subnet gateways correctly, thinking you have just one large subnet that
they've assigned you.
I suggest either telling your ISP about your subnetting scheme with gateways so they can correctly forward inbound traffic to your
subnet gateways,
or else asking them to forward all traffic to a single machine that you control that is directly connected to the ISP router.
Then set up the routing on that machine to forward all your internal traffic correctly. The first option results in fewer router
hops/less network delay, but
the second option allows you to more easily reconfigure your internal subnets without contacting your ISP.
 
Peter McGill
 


  _____  

From: Jai Rangi [mailto:jprangi at gmail.com] 
Sent: October 4, 2007 1:08 AM 

To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks



Peter, 
Thank you for looking in this. 

I restarted my machine, and now I am able to ping from the 216.209.3.192/27 network if I define the routing table. On another server,
216.209.3.201, I added the rule to the routing table.
206.216.3.224   206.216.3.212   255.255.255.240 UG    0      0        0 eth0
206.216.3.192   *               255.255.255.192 U     0      0        0 eth0 
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         206.216.3.193   0.0.0.0         UG    0      0        0 eth0

I can ping 216.209.3.235 from 216.209.2.201 and vice versa.

Internet router <---> (206.216.3.192/26 network; the router is one of them, 206.216.3.212). 206.216.3.224/28 is behind the router.
So this works:
206.216.3.201 ---- router 206.216.3.212 (eth0) 206.216.3.225 (eth1) ----- 206.216.3.224.235 with gateway 216.209.3.225

But when I try to ping something on the internet from 206.216.3.235, it seems the traffic goes out but does not find its way back.
This is what I get from tcpdump on my router:
[root@bser2 sysconfig]# tcpdump | grep "235\|158"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:04:01.092356 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 1197:1249(52) ack 436 win 64499
22:04:03.105456 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23041, length 40
22:04:03.105939 IP bser2.bingotelecom.com.filenet-pa > ns1.yahoo.com.domain:  43789 [1au] PTR? 158.36.131.209.in-addr.arpa. (56)
22:04:03.117544 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:03.158959 IP ip68-4-78-109.oc.oc.cox.net.apollo-gms > bser2.bingotelecom.com.24646: P 3225:3277(52) ack 804 win 65535
22:04:03.158972 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3277 win 12168
22:04:04.101588 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 3745 win 12168
22:04:04.542637 IP bser2.bingotelecom.com.filenet-pa > dill.arin.net.domain:  1587 [1au] PTR? 16.255.142.68.in-addr.arpa. (55)
22:04:04.556305 IP dill.arin.net.domain > bser2.bingotelecom.com.filenet-pa:  1587- 0/5/1 (154)
22:04:08.472526 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23297, length 40
22:04:08.483996 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:13.480338 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23553, length 40
22:04:13.492228 arp who-has 216.209.3.235 tell 216.209.3.194
22:04:15.475158 IP bser2.bingotelecom.com.24646 > ip68-4-78-109.oc.oc.cox.net.apollo-gms: . ack 7801 win 12168
22:04:18.488138 IP 216.209.3.235 > f1.www.vip.sp1.yahoo.com: ICMP echo request, id 512, seq 23809, length 40
22:04:18.499693 arp who-has 216.209.3.235 tell 216.209.3.194


Is your windows firewall enabled or configured to allow the traffic you want to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
My Windows firewall is open and I can ping that from my router. 

 
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
Yes


Does your internet router 216.209.3.193 know to forward traffic for 216.209.3.224/28 to 216.209.3.212 (i.e. use .212 as gateway/route
for .224/28)?
OK, this might be the case, because 216.209.3.193 is managed by my internet service provider. They have given me a cable that goes into
one of my switches. My network from the ISP is 216.209.3.192/26, which I was subdividing to build my Linux router:
216.209.3.192/27 outside of the router and 219.209.3.224/28 behind the router.



Is your internet router's firewall configured also to allow this traffic through it?

Yes, I am getting traffic for all my other IPs.

Do you have any iptables mangle or nat rules, you only showed your filter (default) table?

No mangle and no NAT:

[root@bser2 ~]# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 92 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination
[root@bser2 ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 510 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) 
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 




On 10/3/07, Peter McGill < petermcgill at goco.net > wrote: 

It doesn't look like an iptables/firewall issue, since your chains seem to accept everything it needs to.
However you can check your log for dropped packets to be sure.
grep 'kernel: IN=' /var/log/*
If you see any packets in there that match packets you want to allow then there is a misconfiguration.
 
According to your ifconfig and route, you are doing this:
Public Internet Interface: eth0
    IP Address: 216.209.3.212
    Network: 216.209.3.192/27
    Netmask: 255.255.255.224
    IP Address Range: 216.209.3.193-216.209.3.223
    Gateway: 216.209.3.193

LAN Interface: eth1
    IP Address: 216.209.3.225
    Network: 216.209.3.224/28
    Netmask: 255.255.255.240
    IP Address Range: 216.209.3.225-216.209.3.239
    Gateway: 216.209.3.225
This looks correct also matching your text description and your Windows network configuration also looks correct.
 
Is your windows firewall enabled or configured to allow the traffic you want to allow?
Windows firewall has a pretty strict default configuration on XP SP2 and up.
 
Is forwarding enabled in your kernel?
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
 
Does your internet router 216.209.3.193 know to forward traffic for 216.209.3.224/28 to 216.209.3.212 (i.e. use .212 as gateway/route
for .224/28)?
Is your internet router's firewall configured also to allow this traffic through it?
 
Do you have any iptables mangle or nat rules, you only showed your filter (default) table?
 
 
Peter McGill
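The log check suggested in the message above (`grep 'kernel: IN=' /var/log/*`, then look for logged packets you meant to allow), automated as an added example. This is not code from the thread or from Openswan. It assumes, as in the `spoof` chain posted later in the thread (LOG followed by DROP), that every logged packet was dropped, and it encodes the ACCEPT rules of the posted filter table: FORWARD accepts anything between eth0 and eth1; INPUT accepts ICMP, anything sourced from 216.209.3.192/26, and the listed TCP/UDP destination ports into that /26 (the separate 192.168.2.0/24 rules are left out). The syslog lines are constructed, with RFC 5737 documentation addresses standing in for internet hosts.

```python
"""Find netfilter LOG entries for packets the firewall should have accepted.

Added example (not from the thread or from Openswan).  Assumes each logged
packet was dropped (LOG then DROP, as in the posted `spoof` chain) and
encodes the ACCEPT rules of the filter table posted in the thread.  The
sample log lines are constructed; outside addresses are RFC 5737 ranges.
"""
import ipaddress
import re

# Constructed syslog excerpt in the format written by the iptables LOG target.
SAMPLE_LOG = [
    "Oct  4 22:04:03 bser2 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=216.209.3.235 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1842 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=23041",
    "Oct  4 22:04:09 bser2 kernel: IN=eth0 OUT= MAC=00:15:c5:eb:68:d0:00:00:5e:00:53:01:08:00 "
    "SRC=198.51.100.7 DST=216.209.3.212 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=7310 DF "
    "PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct  4 22:04:11 bser2 kernel: IN=eth0 OUT= MAC=00:15:c5:eb:68:d0:00:00:5e:00:53:01:08:00 "
    "SRC=198.51.100.9 DST=216.209.3.212 LEN=73 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF "
    "PROTO=UDP SPT=51000 DPT=53 LEN=53",
    "Oct  4 22:04:12 bser2 sshd[2211]: Accepted publickey for root from 216.209.3.201 port 50122 ssh2",
]

LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")


def parse_netfilter_line(line):
    """Turn one LOG-target syslog line into a dict; None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"PREFIX": m.group("prefix").strip(), "FLAGS": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            entry.setdefault(key, val)   # keep the first: ICMP/UDP lines repeat ID= and LEN=
        else:
            entry["FLAGS"].add(tok)      # bare flags such as DF, SYN, ACK
    return entry


# ACCEPT rules of the INPUT chain posted in the thread, proto -> dport ranges.
PUBLIC_NET = ipaddress.ip_network("216.209.3.192/26")
INPUT_ACCEPT = {
    "TCP": [(6000, 65535), (53, 53), (80, 80), (443, 443)],
    "UDP": [(2048, 5799), (6000, 65535), (53, 53)],
}


def wanted(entry):
    """Would the filter table posted in the thread have ACCEPTed this packet?"""
    if entry.get("IN") and entry.get("OUT"):              # traversed FORWARD
        return {entry["IN"], entry["OUT"]} == {"eth0", "eth1"}
    proto = entry.get("PROTO")
    if proto == "ICMP":                                   # ACCEPT icmp anywhere
        return True
    src = ipaddress.ip_address(entry["SRC"])
    dst = ipaddress.ip_address(entry["DST"])
    if src in PUBLIC_NET:                                 # ACCEPT all from the /26
        return True
    if dst not in PUBLIC_NET:
        return False
    dport = int(entry.get("DPT", -1))
    return any(lo <= dport <= hi for lo, hi in INPUT_ACCEPT.get(proto, []))


def find_misconfigured(lines):
    """Logged (dropped) packets that the rules say should have been accepted."""
    hits = []
    for line in lines:
        entry = parse_netfilter_line(line)
        if entry is not None and wanted(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in find_misconfigured(SAMPLE_LOG):
        print(f"dropped but wanted: {e.get('PROTO')} {e.get('SRC')} -> {e.get('DST')} "
              f"dpt={e.get('DPT', '-')} in={e.get('IN')} out={e.get('OUT') or '-'}")
```

On the sample input the forwarded ICMP echo reply to .235 and the UDP/53 query to .212 are reported, while the SYN to port 22 is an expected drop and stays quiet. Point `find_misconfigured` at the output of the `grep` to run it over real logs; an empty result means the drops you see are all ones the rules intend.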
 



  _____  

From: Jai Rangi [mailto:jprangi at gmail.com] 
Sent: October 3, 2007 2:05 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Firewall,Routing and Tunneling between public networks



Hello, 

I am running FC5 on my router. I have a feeling that I am missing something really simple, but now I am ready to pull my hair out if I
don't get the solution.... At this point my first target is to set up my Linux box as a router, and my machines behind the router with
public IPs should be available to the outside world. Below is my configuration.

[root@bser2 sysconfig]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   45  3944 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpts:6000:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpts:2048:5799 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpts:6000:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.209.3.192/26    udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.0/24      udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26     tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.0/24      tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.209.3.192/26    tcp dpt:443
    0     0 ACCEPT     all  --  *      *       216.209.3.192/26     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       216.209.3.192/26     216.209.3.192/26
    0     0 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.2.0/24
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            255.255.255.255 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 50 packets, 5644 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain spoof (0 references) 
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Spoofing: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 
[root@bser2 sysconfig]#
[root@bser2 sysconfig]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:15:C5:EB:68:D0
          inet addr:216.209.3.212  Bcast:216.209.3.223  Mask:255.255.255.224
          inet6 addr: fe80::215:c5ff:feeb:68d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23087 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:21531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2280064 (2.1 MiB)  TX bytes:5351240 (5.1 MiB)
          Interrupt:16 Memory:f4000000-f4011100 

[root@bser2 sysconfig]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:15:C5:EB:68:CE
          inet addr:216.209.3.225  Bcast:216.209.3.239  Mask:255.255.255.240
          inet6 addr: fe80::215:c5ff:feeb:68ce/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6479 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:8083 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3309716 (3.1 MiB)  TX bytes:612572 (598.2 KiB)
          Interrupt:16 Memory:f8000000-f8011100 

[root@bser2 sysconfig]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.209.3.224   216.209.3.225   255.255.255.240 UG    0      0        0 eth1
216.209.3.192   *               255.255.255.224 U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         216.209.3.193   0.0.0.0         UG    0      0        0 eth0
[root@bser2 sysconfig]#

I think I am missing something in my routing table. 

So my networks are:

Internet <----------> (216.209.3.192/27, GW 216.209.3.193 on eth0 and 216.209.3.225 on eth1) <-----------> <Network behind the
router: 216.209.3.224/28>


Internet configuration for the internal machines is:

C:\Documents and Settings\Jai Rangi>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection: 

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 216.209.3.235
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        Default Gateway . . . . . . . . . : 216.209.3.225

C:\Documents and Settings\Jai Rangi>

I can ping the 216.209.3.192/27 network from the internet.
I cannot ping the 216.209.3.225/28 network, which is behind the router, from the internet.
I can ping the internal machines from the router.
I can ping the router from the internal machines.


I will appreciate it if you can give me some hint as to what I am doing wrong here.

Thank you,
-Jai






On 10/2/07, Peter McGill <petermcgill at goco.net> wrote: 

The first method should work, and work more easily because there is no NAT (Network Address Translation) to worry about.
No reason the FORWARD rules wouldn't work on public IPs; I don't think they care at all what IP you give.
Make sure you don't use MASQUERADE, SNAT or DNAT rules.
-A adds the rules to the end of the chain; are there any earlier rules that might block the public traffic?
iptables -t filter -n -v -L
iptables -t nat -n -v -L
iptables -t mangle -n -v -L
Will show you all your firewall rule details.
 
Peter McGill
 



  _____  

From: users-bounces at openswan.org [mailto: users-bounces at openswan.org] On Behalf Of Jai Rangi
Sent: October 2, 2007 2:56 AM
To: users at openswan.org
Subject: [Openswan Users] Firewall,Routing and Tunneling between public networks



Hello List,
I am trying to set up a Linux server as a router/firewall and set up SIP tunneling between two public networks.
My diagram will be something like this:
Internet <-----> Linux Router <--------------> My Internal Network with Public IPs.
Say my network IPs are 216.209.14.192/26.
I tried this setup:

Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 216.209.14.198 <------> My servers
connected through a switch with IPs 216.209.14.199-254 with default gateway 216.209.14.198.
This setup did not work.

If I do this:
Internet <----> 216.209.14.197 (ExtIP <- Default Gateway 216.209.14.193 Router -> Internal IP) 192.168.1.1 <------> My servers
connected through a switch with IPs 192.168.1.199-254 with default gateway 192.168.1.1.

I can go out through IP forwarding like this:
iptables -P FORWARD DROP
iptables -A FORWARD -s ${HUB_LAN} -j ACCEPT
iptables -A FORWARD -d ${HUB_LAN} -j ACCEPT 

These rules do not work with public IPs.

My other questions are:
1. Can I use racoon for SIP tunneling? Is there any limit on the number of sessions? I bought a Juniper router and found out that the
router supports only 16 channels. I need to support at least 400 SIP channels.
2. I have seen a lot of documentation on setting up masquerading and IP forwarding. I made it work, but that does not solve my
purpose. I need to assign public IPs to my machines behind the router so that the outside world can access those machines through the
router directly.
3. I need to have tunneling with one service provider for network 56.211.34.23/27. For the rest of the world I want the traffic to go
through the router without any modification. I might want to add some firewall rules later for some specific ports.

I will appreciate it if someone can give me some lead on how I can achieve this.

Thank you,
JP






