[Openswan Users] Connecting to other machines in subnet
Durwin
thecajun at nmia.com
Tue Feb 12 05:28:52 EST 2013
> On 02/11/2013 05:59 PM, Durwin wrote:
> > Here is my config. My right and left are opposite of yours but it looks
> > the same other wise.
> >
> > conn siteB
> > left=%defaultroute
> > leftsubnet=192.168.4.0/24
> > leftsourceip=192.168.4.100
> > right=public ip of hardware vpn
> > rightsubnet=172.23.93.0/24
> > type=tunnel
> > authby=secret
> > keyexchange=ike
> > auto=start
> > pfs=yes
> > ike=3des-sha1-modp1024
> > esp=3des-sha1
> >
> > I configured machine C to use machine B as gateway. I confirmed
> > forwarding is on (server B). But I can't connect to machine C from site
> > A. What else am I missing?
>
> Okay, with that let's look at Daniel Cave's suggestion now. What iptables rules do you have on server B? Anything that might be blocking it from forwarding?
> iptables -L -n -t nat
> iptables -L -n -t filter
I wasn't running iptables at the time. I have since found some rules
which allow vpn to work. So here is the output from those 2 commands.
F17> iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
DNAT tcp -- !172.23.93.7 0.0.0.0/0 tcp dpt:80 to:172.23.93.7:3128
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 172.23.93.0/24 172.23.93.7 to:172.23.93.1
03:24 AM root at bayou ~
F17> iptables -L -n -t filter
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 172.23.93.0/24 0.0.0.0/0
ACCEPT all -- 192.168.4.0/24 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:6881:6999
icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 172.23.93.0/24 172.23.93.7 tcp dpt:3128
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 216.184.2.128 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 216.184.2.128 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:6881:6999
icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:4500
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:6277 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:24441 dpts:1024:65535
ACCEPT tcp -- 172.23.93.0/24 192.168.4.49 state NEW tcp dpt:1022
ACCEPT tcp -- 216.184.2.122 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10080
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
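As an added example (not part of the thread, and not Openswan's own tooling), here is a small Python check that parses `iptables -L -n -t nat` output and reports POSTROUTING rules that would source-NAT packets travelling from leftsubnet to rightsubnet. On a Linux gateway using the kernel's native IPsec stack, POSTROUTING NAT runs before the outbound IPsec policy lookup, so a blanket MASQUERADE rewrites the source of forwarded packets and they no longer match the tunnel's leftsubnet; the usual fix is an exclusion rule placed ahead of it. It assumes the subnet values from the conn above and uses a constructed copy of the post's POSTROUTING chain with -L's normal column spacing.

```python
import ipaddress

# Constructed sample: the POSTROUTING chain from the post's
# `iptables -L -n -t nat` output, with -L's usual column spacing restored.
SAMPLE_NAT = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  172.23.93.0/24       172.23.93.7          to:172.23.93.1
"""

def parse_chains(output):
    """Map chain name -> [(target, source, destination)] from `iptables -L -n` text."""
    chains, current = {}, None
    for line in output.splitlines():
        parts = line.split(None, 5)
        if line.startswith("Chain "):
            current = parts[1]
            chains[current] = []
        elif current and len(parts) >= 5:
            try:  # header rows and empty-target rules do not parse as two addresses
                ipaddress.ip_network(parts[3].lstrip("!"), strict=False)
                ipaddress.ip_network(parts[4].lstrip("!"), strict=False)
            except ValueError:
                continue
            chains[current].append((parts[0], parts[3], parts[4]))
    return chains

def may_match(spec, net):
    """Can the address spec ("0.0.0.0/0", "10.1.2.3", "!10.0.0.0/8") hit any address of net?"""
    rule_net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    if spec.startswith("!"):
        return not rule_net.supernet_of(net)  # part of net lies outside the excluded range
    return rule_net.overlaps(net)

def nat_hits_tunnel(output, leftsubnet, rightsubnet):
    """POSTROUTING NAT targets that would rewrite leftsubnet -> rightsubnet packets.
    The first matching non-NAT target (e.g. ACCEPT) ends the walk, as in the nat table.
    """
    left, right = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    hits = []
    for target, src, dst in parse_chains(output).get("POSTROUTING", []):
        if not (may_match(src, left) and may_match(dst, right)):
            continue
        if target in ("MASQUERADE", "SNAT", "NETMAP"):
            hits.append(target)
        else:  # e.g. an ACCEPT exclusion placed ahead of MASQUERADE
            break
    return hits
```

Inserting an exclusion such as `iptables -t nat -I POSTROUTING -s 192.168.4.0/24 -d 172.23.93.0/24 -j ACCEPT` ahead of the MASQUERADE rule makes the check return an empty list.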