02-04-2008, 04:37 AM
"Jim Popovitch"

iptables masquerading

(my fav linux list is missing in action... so I'm trying here)

What am I doing wrong.... :-)

ifconfig tap0 192.168.1.1 netmask 255.255.255.0 up
iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT;
iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;

From a PC at 192.168.1.2 I can ping 192.168.1.1 over the vpn
(OpenVPN), but when I try to ping/telnet through the vpn I get
nowhere. When doing the following from 192.168.1.2:

telnet www.testing.com 80


on 192.168.1.1 I see this:

$ tcpdump -i any host www.testing.com
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
00:12:49.535229 arp who-has papyrus.kattare.com tell 192.168.1.2
00:12:50.535768 arp who-has papyrus.kattare.com tell 192.168.1.2
00:12:51.535862 arp who-has papyrus.kattare.com tell 192.168.1.2

BTW, papyrus.kattare.com is aka www.testing.com

Tia,

--

-Jim P.


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

02-04-2008, 05:36 AM
Thomas Goirand

iptables masquerading

Jim Popovitch wrote:
> (my fav linux list is missing in action... so I'm trying here)
>
> What am I doing wrong.... :-)
>
> ifconfig tap0 192.168.1.1 netmask 255.255.255.0 up
> iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
> iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT;
> iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;
>
> From a PC at 192.168.1.2 I can ping 192.168.1.1 over the vpn
> (OpenVPN), but when I try to ping/telnet through the vpn I get
> nowhere. When doing the following from 192.168.1.2:
>
> telnet www.testing.com 80
>
>
> on 192.168.1.1 I see this:
>
> $ tcpdump -i any host www.testing.com
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 00:12:49.535229 arp who-has papyrus.kattare.com tell 192.168.1.2
> 00:12:50.535768 arp who-has papyrus.kattare.com tell 192.168.1.2
> 00:12:51.535862 arp who-has papyrus.kattare.com tell 192.168.1.2
>
> BTW, papyrus.kattare.com is aka www.testing.com
>
> Tia,

Just in case: did you check that forwarding is activated in
/proc/sys/net/ipv4/ip_forward ? Do a cat of the file, check it has 1, if
not then configure it for next boot (best is to configure it using
/etc/sysctl.conf).

Thomas


02-04-2008, 06:00 AM
"Jim Popovitch"

iptables masquerading

Yes, ip_forward is set to 1.




On 2/3/08, Thomas Goirand <thomas@goirand.fr> wrote:
> Jim Popovitch wrote:
> > (my fav linux list is missing in action... so I'm trying here)
> >
> > What am I doing wrong.... :-)
> >
> > ifconfig tap0 192.168.1.1 netmask 255.255.255.0 up
> > iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
> > iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT;
> > iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;
> >
> > From a PC at 192.168.1.2 I can ping 192.168.1.1 over the vpn
> > (OpenVPN), but when I try to ping/telnet through the vpn I get
> > nowhere. When doing the following from 192.168.1.2:
> >
> > telnet www.testing.com 80
> >
> >
> > on 192.168.1.1 I see this:
> >
> > $ tcpdump -i any host www.testing.com
> > tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> > 00:12:49.535229 arp who-has papyrus.kattare.com tell 192.168.1.2
> > 00:12:50.535768 arp who-has papyrus.kattare.com tell 192.168.1.2
> > 00:12:51.535862 arp who-has papyrus.kattare.com tell 192.168.1.2
> >
> > BTW, papyrus.kattare.com is aka www.testing.com
> >
> > Tia,
>
> Just in case: did you check that forwarding is activated in
> /proc/sys/net/ipv4/ip_forward ? Do a cat of the file, check it has 1, if
> not then configure it for next boot (best is to configure it using
> /etc/sysctl.conf).
>
> Thomas
>


--

-Jim P.


02-04-2008, 06:01 AM
Damian Ryszka

iptables masquerading

On Sun, 3 Feb 2008 21:37:52 -0800, "Jim Popovitch" <yahoo@jimpop.com> wrote:

> iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;

Don't you need to put a netmask here?

--
Damian Ryszka aka Rychu
rychu(at)sileman.net.pl

02-04-2008, 11:09 AM
Stephen Gran

iptables masquerading

This one time, at band camp, Jim Popovitch said:
> (my fav linux list is missing in action... so I'm trying here)
>
> What am I doing wrong.... :-)
>
> ifconfig tap0 192.168.1.1 netmask 255.255.255.0 up
> iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT;

Reply traffic is forwarded from eth0 to tap0.

> iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT;

Inbound traffic on tap0 is accepted if it exits eth0.

> iptables -t nat -A POSTROUTING -s 192.168.1.0 -o eth0 -j MASQUERADE;

And traffic out eth0 is NAT'ted (wrongly - note the missing netmask)

So, I'm assuming that your network is something like:

----------     -----------     ------------
|  LAN   |     |  Router |     |  VPN LAN |
----------     -----------     ------------
          eth0/           tap0/

and you want to route traffic from LAN to VPN LAN.

You need to accept traffic coming in eth0 and exiting tap0. You
currently only accept reply traffic.

You'll need to accept at least reply traffic coming in tap0 and exiting
eth0. You currently accept all traffic, so this works.

You'll find it easier to NAT traffic going out tap0 (SNAT instead of
DNAT).
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
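An added example, not code from the thread, that models how iptables reads the `-s` argument: an address written without a mask is a single host (/32), so the POSTROUTING rule as posted never matches the client at 192.168.1.2, while the `/24` form does. The rule model and the sample packet are constructed here to walk the thread's three rules.

```python
# Added example, not code from the thread: a small model of how iptables
# reads the "-s" argument. An address with no mask is a single host (/32),
# so "-s 192.168.1.0" as posted never matches the client at 192.168.1.2.
import ipaddress

def source_network(arg):
    """Interpret an iptables -s/-d argument: no mask means a /32 host."""
    return ipaddress.ip_network(arg if "/" in arg else arg + "/32", strict=False)

def rule_matches(rule, pkt):
    """Match a simplified rule (in/out iface, src, conntrack states) against a packet."""
    if rule.get("in") and rule["in"] != pkt["in"]:
        return False
    if rule.get("out") and rule["out"] != pkt["out"]:
        return False
    if rule.get("src") and ipaddress.ip_address(pkt["src"]) not in source_network(rule["src"]):
        return False
    if rule.get("states") and pkt["state"] not in rule["states"]:
        return False
    return True

def first_target(chain, pkt, policy="ACCEPT"):
    """Walk a chain first-match-wins; fall through to the chain policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

def lint_source_masks(rules):
    """Report -s arguments written without an explicit prefix (the thread's typo)."""
    return [r["src"] for r in rules if r.get("src") and "/" not in r["src"]]

# The thread's rules, as posted, and the POSTROUTING rule with the /24 restored.
FORWARD = [
    {"in": "eth0", "out": "tap0", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in": "tap0", "out": "eth0", "target": "ACCEPT"},
]
NAT_AS_POSTED = [{"src": "192.168.1.0", "out": "eth0", "target": "MASQUERADE"}]
NAT_FIXED = [{"src": "192.168.1.0/24", "out": "eth0", "target": "MASQUERADE"}]

# Constructed packet: the VPN client at 192.168.1.2 opening a new connection out eth0.
CLIENT_SYN = {"in": "tap0", "out": "eth0", "src": "192.168.1.2", "state": "NEW"}

if __name__ == "__main__":
    print("FORWARD:", first_target(FORWARD, CLIENT_SYN, policy="DROP"))
    # In the nat table, falling through to ACCEPT means "no translation".
    print("nat as posted:", first_target(NAT_AS_POSTED, CLIENT_SYN))
    print("nat with /24:", first_target(NAT_FIXED, CLIENT_SYN))
    print("rules missing a mask:", lint_source_masks(NAT_AS_POSTED))
```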

02-04-2008, 01:28 PM
"Jim Popovitch"

iptables masquerading

On Feb 4, 2008 4:09 AM, Stephen Gran <sgran@debian.org> wrote:
> And traffic out eth0 is NAT'ted (wrongly - note the missing netmask)

Ahhh...that was an email typo, I was using a /24.

> So, I'm assuming that your network is something like:
>
> ----------     -----------     ------------
> |  LAN   |     |  Router |     |  VPN LAN |
> ----------     -----------     ------------
>           eth0/           tap0/
>
> and you want to route traffic from LAN to VPN LAN.
>
> You need to accept traffic coming in eth0 and exiting tap0. You
> currently only accept reply traffic.

Which is fine, this is for outbound traffic from firewall'ed and vpn'ed clients

> You'll find it easier to NAT traffic going out tap0 (SNAT instead of
> DNAT).

I switched to SNAT (instead of MASQUERADE) and was able to get this to work.

Thanks all,

-Jim P.
