[Openswan Users] We can NOT ping from the firewall, but can ping from LAN PCs.

Indunil Jayasooriya indunil75 at gmail.com
Mon Dec 8 05:47:50 EST 2008


Hi All,

I am running Openswan on CentOS 5.x. It works fine. All the PCs behind
the LAN can ping all the destinations at the remote sites.
The firewall where Openswan is running can NOT ping all the destinations at
the remote sites.

Could you please let me know why?

At the remote sites, there are web sites running on port 80, so clients
behind the firewall can access them due to the NAT rules. Squid also runs on
the firewall. If the firewall can ping all the remote sites, I think
clients will be able to access them through the Squid proxy server.

That's what I want.

I hope you will be able to help me to solve this problem.

These are a few rules added on the firewall. I think these are very
important rules.


[root at firewall ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
#net.ipv4.ip_forward = 0

# Controls source route verification
#net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
#net.ipv4.conf.default.accept_source_route = 0

#FOR VPN SETUP - UTI - 27 june 2008
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
#END OF VPN SETUP

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456


These are in the firewall script.

iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202


Where have I gone wrong?

Hope to hear from you.


-- 
Thank you
Indunil Jayasooriya
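Added example (not from the post or from Openswan): a small walk through the posted nat POSTROUTING rules, in the order they are appended, for a few constructed packets, to see which rule each hits and what source address it leaves eth1 with. It assumes eth1 carries 220.247.213.202 (the SNAT address in the post) and that the firewall's own packets use that address as source; 203.0.113.7 is a constructed Internet destination.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    out_if: str
    src: Optional[str]          # -s match, None means any source
    dst: Optional[str]          # -d match, None means any destination
    target: str                 # "ACCEPT" or "SNAT"
    to_source: Optional[str] = None


# The nat POSTROUTING rules from the post, in the order they are appended.
POSTROUTING = [
    Rule("eth1", None, "196.4.49.0/24", "ACCEPT"),
    Rule("eth1", None, "196.4.51.0/24", "ACCEPT"),
    Rule("eth1", None, "10.10.99.0/24", "ACCEPT"),
    Rule("eth1", None, "10.10.250.0/24", "ACCEPT"),
    Rule("eth1", None, "10.254.0.0/16", "ACCEPT"),
    Rule("eth1", "10.48.0.0/16", None, "SNAT", "220.247.213.202"),
    Rule("eth1", "192.168.1.0/24", None, "SNAT", "220.247.213.202"),
]


def _matches(rule: Rule, out_if: str, src: str, dst: str) -> bool:
    if rule.out_if != out_if:
        return False
    if rule.src and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def postrouting(src: str, dst: str, out_if: str = "eth1"):
    """Evaluate the chain as netfilter does: the first matching rule with a
    terminating target wins. Returns (rule index or None, source after NAT)."""
    for i, rule in enumerate(POSTROUTING):
        if _matches(rule, out_if, src, dst):
            if rule.target == "SNAT":
                return i, rule.to_source
            return i, src               # ACCEPT: packet leaves the chain untouched
    return None, src                    # no rule matched, chain policy ACCEPT


if __name__ == "__main__":
    FIREWALL_ETH1 = "220.247.213.202"   # assumption: primary address on eth1
    cases = [
        ("192.168.1.10", "10.10.99.5"),     # LAN PC to a remote VPN subnet
        ("192.168.1.10", "203.0.113.7"),    # LAN PC to the Internet (constructed)
        (FIREWALL_ETH1, "10.10.99.5"),      # ping from the firewall itself
    ]
    for src, dst in cases:
        idx, nat_src = postrouting(src, dst)
        print(f"{src:>16} -> {dst:<14} rule={idx} leaves eth1 as {nat_src}")
```

The last case shows what the chain does to the firewall's own packets: nothing, so they leave eth1 with the public address as source, which lies outside both LAN ranges the SNAT rules cover.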

