Discussion: iptables gurus
Barry R Cisna
2012-03-03 18:20:48 UTC
Hello All,

Can anyone give me some pointers on an iptables setup?

Doing a site-to-site IPsec VPN from Openswan (local site) to racoon (remote
site).
The VPN connects, and I can ping from the remote site to my local site.
With iptables running on the local machine I can NOT ping the remote site.
If I shut off iptables on the local machine I can ping and browse the remote
site fine.
The only existing iptables rule is MASQ on eth1 out.
This is a two-NIC machine.

local subnet 192.168.0.0/24
remote subnet 192.168.1.0/24
local public ip 1.2.3.4
remote public ip 4.5.6.7

With iptables running, when I ping 192.168.1.1 (the remote gateway) I get a
"no response" from the local public NIC IP address.
It seems I need yet another forwarding rule.
I did make a static route from the local gateway/internal to the remote
network to make pinging work with the firewall off.
I know this type of thing is very tricky without being in front of the
machine.

Thank You,
Barry
Barry R Cisna
2012-03-03 20:09:43 UTC
Hello All,

Sorry for replying to my own post.

After I posted my initial post here I found that if I simply shut off the
NAT service I can ping from the local net to the remote net with iptables
running. I can ping in both directions with this setup.
I'm not sure what I need in iptables to remedy this (with NAT enabled)?

Thanks,
BC
Jim Kinney
2012-03-03 20:23:15 UTC
Put a rule of PREROUTING -d remote -j ACCEPT and POSTROUTING -s remote -j
ACCEPT before the pre/post NAT rules.
_______________________________________________
K12OSN mailing list
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
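The exemption Jim describes, written out as a complete rule set. This is an added example, not the thread's own configuration or either poster's rules: the two subnets and eth1 as the public interface come from Barry's post; the script layout, the helper names and the use of the `policy` match are assumptions. The usual reason MASQUERADE breaks an Openswan tunnel on the NETKEY stack is ordering: the nat POSTROUTING rewrite happens before ESP encapsulation, so a packet for 192.168.1.0/24 leaves with the public address as its source and no longer matches the 192.168.0.0/24 <-> 192.168.1.0/24 policy, which is why the remote end never answers and the "no response" comes back from the public NIC. An ACCEPT for tunnel traffic placed ahead of MASQUERADE stops the rewrite; `-m policy --pol ipsec` says the same thing without naming the subnets and also lets the FORWARD chain (relevant if the default policy is DROP, as Burke asks below) admit remote-subnet packets only when they actually arrived through IPsec.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Subnets and the eth1
# public interface are from Barry's post; everything else is assumed.
LOCAL_NET=192.168.0.0/24
REMOTE_NET=192.168.1.0/24
WAN_IF=eth1
# Set IPT=echo to print the commands instead of running them (dry run).
IPT=${IPT:-iptables}

# nat table: the exemptions MUST be appended before MASQUERADE, because the
# nat table stops at the first matching target for a new connection.
nat_rules() {
    printf '%s\n' \
        "-t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT" \
        "-t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT" \
        "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# filter table: only needed if the FORWARD policy is DROP. Traffic from the
# remote subnet is accepted only when it was decapsulated from IPsec, so a
# clear-text packet spoofing 192.168.1.x on eth1 is still dropped.
forward_rules() {
    printf '%s\n' \
        "-A FORWARD -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j ACCEPT" \
        "-A FORWARD -s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec -j ACCEPT"
}

# Guard against the exact mistake in the thread: fail if any ACCEPT
# exemption would be appended after the MASQUERADE rule.
exemptions_precede_masq() {
    nat_rules | awk 'BEGIN {bad=0}
                     /-j MASQUERADE/ {seen=1}
                     /-j ACCEPT/ && seen {bad=1}
                     END {exit bad}'
}

apply_rules() {
    exemptions_precede_masq || {
        echo "refusing: MASQUERADE precedes an exemption" >&2
        return 1
    }
    rules=$(nat_rules; forward_rules)
    # here-doc rather than a pipe so 'return' leaves the function, not a subshell
    while read -r rule; do
        # word-splitting of $rule is intentional: each line is one argv list
        $IPT $rule || return 1
    done <<EOF
$rules
EOF
}

# Usage:  sh ipsec-nat.sh apply            (as root)
#         IPT=echo sh ipsec-nat.sh apply   (dry run, prints the rules)
case "${1:-}" in apply) apply_rules ;; esac
```

Run it with `IPT=echo` first and compare the printed order against `iptables -t nat -L POSTROUTING -n --line-numbers` on the gateway; the ACCEPT lines must carry lower line numbers than MASQUERADE. SNAT to the public address instead of MASQUERADE (Burke's other point) needs exactly the same exemption; the two targets differ only in whether the source address is fixed or looked up from the interface.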
Burke Almquist
2012-03-04 01:04:34 UTC
Are you denying all traffic by default?
Ping uses ICMP, not UDP or TCP; might that be an issue?
And why use MASQUERADE instead of SNAT?

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/
Barry R Cisna
2012-03-05 01:08:08 UTC
Hello All,

Thank you to all who gave useful information and suggestions. Much
appreciated.

jimk, your iptables rules suggestion worked a treat! I am able to ping
from localhost to the remote end node, just like it should, now!

Take Care,
Barry
