Old 07-27-2008, 05:03 PM
 
Default packet forwarding.

Alex,

> net.ipv4.ip_forward=1
as> This allows the kernel to do packet forwarding

No problem there. My LAN machines have
no problems accessing the 'net for http,
pop3, ftp.

as> turn which on ?

TUN packet forwarding through the firewall
(ref. original message, last weekend.). I
want the pop3 connection from Cantor to Joule
to run through the tunnel; not directly
through the Internet.

SUMMARY
Internet access is no problem. I do not
understand routing through the tunnel,
discussed under Routing in openvpn.man.

Tuesday afternoon, July 29, I'll scan a
diagram and put it at
http://carnot.yi.org/Network.jpg
.

Thanks, ... Peter E.

--
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc http://members.shaw.ca/peasthope/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-27-2008, 09:32 PM
Alex Samad
 
Default packet forwarding.

On Sun, Jul 27, 2008 at 10:03:50AM -0700, peasthope@shaw.ca wrote:
> Alex,
>
> > net.ipv4.ip_forward=1
> as> This allows the kernel to do packet forwarding
>
> No problem there. My LAN machines have
> no problems accessing the 'net for http,
> pop3, ftp.
>
> as> turn which on ?
>
> TUN packet forwarding through the firewall
> (ref. original message, last weekend.). I
> want the pop3 connection from Cantor to Joule
> to run through the tunnel; not directly
> through the Internet.
>
> SUMMARY
> Internet access is no problem. I do not
> understand routing through the tunnel,
> discussed under Routing in openvpn.man.
>
> Tuesday afternoon, July 29, I'll scan a
> diagram and put it at
> http://carnot.yi.org/Network.jpg

just consider TUN devices as normal nic interfaces.

if i had

local lan A = 192.168.0.1/24 (ip address of the nic on the local lan)
local lan A openvpn TUN = 192.168.1.1/24 (ip address given to the
openvpn tun)

local lan B openvpn TUN = 192.168.1.2/24 (ip address given to the
openvpn tun) this talks to lan A

local lan B = 192.168.2.1/24 (ip address of the nic on the local lan at
B)


for a machine at local lan A (say 192.168.0.100) to talk to a machine at
local lan B (say 192.168.2.200), I would need a route on the gateway
box in local lan A something like
ip r a 192.168.2.0/24 via 192.168.1.2

and on the gateway box at local lan b I would need a route something
like

ip r a 192.168.0.0/24 via 192.168.1.1


you will still need to look at your firewall

Alex



--
"Russia's big and so is China."

- George W. Bush
06/16/2006
St. Petersburg, Russia
to Tony Blair at the G8 summit
 
Old 07-28-2008, 01:10 AM
 
Default packet forwarding.

Alex and others,

as> for a machine at local lan a (say 192.168.0.100)
to talk to a machine at local lan b (say 192.168.2.200).
I would need a route on the gateway box in
local lan A something like
ip r a 192.168.2.0/24 via 192.168.1.2

That command uses iptables, doesn't it?

It seems reasonable. Whereas in the Openvpn
mailing list, Tom Eastep said
"You don't specify routing in Shorewall or
using iptables. You specify routing via OpenVPN."

I assume he won't elaborate because he believes
the question is outside his scope; but what does
he mean?
How can I reconcile your instructions with Tom's
comment?

Thanks for any ideas, ... Peter E.

--
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc http://members.shaw.ca/peasthope/


 
Old 07-28-2008, 03:21 AM
Alex Samad
 
Default packet forwarding.

On Sun, Jul 27, 2008 at 06:10:19PM -0700, peasthope@shaw.ca wrote:
> Alex and others,
>
> as> for a machine at local lan a (say 192.168.0.100)
> to talk to a machine at local lan b (say 192.168.2.200).
> I would need a route on the gateway box in
> local lan A something like
> ip r a 192.168.2.0/24 via 192.168.1.2
>
> That command uses iptables doesn't it?
nope, these are routing table commands; have a look at man ip

>
> It seems reasonable. Whereas in the Openvpn
> mailing list, Tom Eastep said
> "You don't specify routing in Shorewall or
> using iptables. You specify routing via OpenVPN."
>
> I assume he won't elaborate because he believes
> the question is outside his scope; but what does
> he mean?
> How can I reconcile your instructions with Tom's
> comment?
>
> Thanks for any ideas, ... Peter E.
>

--
You're at the end of the road again.
 
Old 08-03-2008, 01:31 AM
 
Default packet forwarding.

Alex & others,

My network is illustrated here now.
http://carnot.pathology.ubc.ca/Network.jpg

Forwarding is always on.
dalton:~# cat /proc/sys/net/ipv4/ip_forward
1

as> ... routing tables commands have a look at man ip

OK; I've read route.man and ip.man.

as> for a machine at local lan a (say 192.168.0.100)
...
ip r a 192.168.2.0/24 via 192.168.1.2

Even without such a command this is the routing
table on Dalton.

dalton:~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
joule.petershou * 255.255.255.255 UH 0 0 0 tun0
142.103.107.128 * 255.255.255.128 U 0 0 0 eth0
172.24.1.0 * 255.255.255.0 U 0 0 0 eth3
default 142.103.107.254 0.0.0.0 UG 0 0 0 eth0

According to the first line, Dalton knows
that the route to joule.petershouse.invalid
is through the tun0 interface.

To the best of my knowledge,"joule.petershouse.invalid"
appears only in /etc/hosts on joule. I'll guess that
openvpn sends it from Joule to Dalton.

So Cantor should get a POP3 connection to
joule.petershouse.invalid? It gets only
"no connection".

as> you will still need to look at your firewall

I guess there are two possibilities. Either
(1) routing to the "invalid" domain is not allowed
or
(2) the firewall on Dalton or on Joule is blocking
the connection.

Dalton has this policy.
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc vpn ACCEPT

Joule has this rule.
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
POP3/ACCEPT net $FW

Which rules out case (2) above.

So only (1) left?

Someone please shoot down one of my ideas
or give another hint.

Thanks, ... Peter E.

--
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc http://members.shaw.ca/peasthope/


 
Old 08-03-2008, 05:18 AM
Mike Bird
 
Default packet forwarding.

On Sat August 2 2008 18:31:40 peasthope@shaw.ca wrote:
> My network is illustrated here now.
> http://carnot.pathology.ubc.ca/Network.jpg
>
> Forwarding is always on.
> dalton:~# cat /proc/sys/net/ipv4/ip_forward
> 1

<snip>

> Even without such a command this is the routing
> table on Dalton.

<snipped routing table, which does indeed show ...>

> According to the first line, Dalton knows
> that the route to joule.petershouse.invalid
> is through the tun0 interface.

<snip>

> So Cantor should get a POP3 connection to
> joule.petershouse.invalid? It gets only
> "no connection".

That routing table shows that dalton knows the route to joule.
From the network diagram we see that dalton also knows the
(connected) route to cantor via eth3 (aka eth1). Assuming no
iptables blocks on any of the three systems, you still need to
ensure:

1) That cantor knows the route to joule (via dalton)
2) That joule knows the route to cantor (via dalton)

In short, every step along the way needs to know how to route
packets in both directions.

--Mike Bird


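As an added illustration of Mike's point (this is not code from the thread): a small Python model of the three hosts' routing tables, with kernel-style longest-prefix lookup, that traces a packet hop by hop. Addresses the thread does not give are assumptions: dalton's eth3 address 172.24.1.1, and joule's public side in the 203.0.113.0/24 documentation range; the reverse route it adds on joule uses dalton's end of the tunnel, 10.4.0.2, as the next hop.

```python
import ipaddress

# Constructed topology from the thread; assumed (not on the page): dalton's eth3
# address 172.24.1.1, joule's public address 203.0.113.10, its ISP gateway 203.0.113.1.
ADDRS = {
    "cantor": {"172.24.1.2"},
    "dalton": {"172.24.1.1", "142.103.107.137", "10.4.0.2"},
    "joule": {"10.4.0.1", "203.0.113.10"},
}
# Route entries: (destination prefix, next-hop gateway or None if on-link, device).
TABLES = {
    "cantor": [("172.24.1.0/24", None, "eth0"), ("0.0.0.0/0", "172.24.1.1", "eth0")],
    "dalton": [("10.4.0.1/32", None, "tun0"), ("142.103.107.128/25", None, "eth0"),
               ("172.24.1.0/24", None, "eth3"), ("0.0.0.0/0", "142.103.107.254", "eth0")],
    "joule": [("10.4.0.2/32", None, "tun0"), ("0.0.0.0/0", "203.0.113.1", "eth0")],
}

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, as in the kernel."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best

def owner(ip):
    """Host holding this address, or None if it is not ours (e.g. the ISP gateway)."""
    return next((h for h, addrs in ADDRS.items() if ip in addrs), None)

def trace(src, dst, tables, max_hops=8):
    """Follow next hops from src towards dst. Returns the hop list, or None if the
    packet leaves our hosts (e.g. via a default route) or has no route at all."""
    host, path = src, [src]
    for _ in range(max_hops):
        if dst in ADDRS[host]:
            return path
        route = lookup(tables[host], dst)
        # On-link route: the destination itself is the neighbour; else the gateway is.
        nxt = owner(route[1] or dst) if route else None
        if nxt is None:
            return None
        host, path = nxt, path + [nxt]
    return None

def with_reverse_route(tables):
    """Joule's table plus the missing route: cantor's address via dalton's tunnel end."""
    fixed = {h: list(t) for h, t in tables.items()}
    fixed["joule"].insert(0, ("172.24.1.2/32", "10.4.0.2", "tun0"))
    return fixed
```

trace("cantor", "10.4.0.1", TABLES) reaches joule, but trace("joule", "172.24.1.2", TABLES) is lost to joule's default gateway until with_reverse_route adds the route Mike's item (2) describes.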
 
Old 08-03-2008, 10:59 AM
Alex Samad
 
Default packet forwarding.

On Sat, Aug 02, 2008 at 10:18:17PM -0700, Mike Bird wrote:
> On Sat August 2 2008 18:31:40 peasthope@shaw.ca wrote:
> > My network is illustrated here now.
> > http://carnot.pathology.ubc.ca/Network.jpg

[snip]

> > "no connection".
>
> That routing table shows that dalton knows the route to joule.
> From the network diagram we see that dalton also knows the
> (connected) route to cantor via eth3 (aka eth1). Assuming no
> iptables blocks on any of the three systems, you still need to
> ensure:
>
> 1) That cantor knows the route to joule (via dalton)
> 2) That joule knows the route to cantor (via dalton)
>
> In short, every step along the way needs to know how to route
> packets in both directions.

something you can do to help track it down is start a ping from cantor
to joule and use tcpdump at each of the hop and do a

tcpdump -pni <in interface> icmp and host cantor -c 10

and then a

tcpdump -pni <out interface> icmp and host cantor -c 10

Trace the packet all the way.

on cantor you can start off with

ip r g <ip address of joule - note ip r g doesn't take hostname >

once you know the next hop then you can ssh to there and do the tcpdump
thing

Alex


--
Miksch's Law:
If a string has one end, then it has another end.
 
Old 08-03-2008, 07:13 PM
PETER EASTHOPE
 
Default packet forwarding.

Mike, Alex & others,

Sorry for the broken thread.

mb> 2) That joule knows the route to cantor (via dalton)

Just what I was missing; thanks!

Now, where to specify this route?

(1) "up route add ..." cannot go in the eth0
stanza in /etc/network/interfaces because
tun0 is configured after eth0.
I wonder about adding a tun0 stanza to
/etc/network/interfaces.

(2) Perhaps a better candidate is the up
command in /etc/openvpn/myvpn.conf. Is
the following plausible?

joule:/etc/openvpn# cat myvpn.conf
# openvpn configuration for joule.
# Default protocol is udp.
# Default port is 1194.
# The following is dalton.pathology.ubc.ca.
remote 142.103.107.137
dev tun
ifconfig 10.4.0.1 10.4.0.2
verb 5
secret /root/key
up 'route add -host 172.24.1.2 gw 10.4.0.1; echo up'
down 'route del -host 172.24.1.2 gw 10.4.0.1; echo down'

If another route is added, I should find how
to continue the parameter over multiple lines.

Thanks, ... Peter E.

--
http://members.shaw.ca/peasthope/
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/


