cipe + iptables

Post by K. David Princ » Wed, 26 Dec 2001 02:36:19
I sent this query to the debian.user group, but couldn't find any help
there....

I'm installing the debian/testing cipe package.  I'm using kernel version
2.4.17-rc1, which is 2.4.16 pre-patched for 17.  The kernel is configured
for iptables support on two identical masquerading firewall machines.  I
installed the cipe package, compiled, and installed the resulting
cipe*.deb package.  All's well, so far:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.100   *               255.255.255.255 UH    0      0        0 cipcb0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
rel.subnet.ad.0 *               255.255.255.0   U     0      0        0 eth0
default         gw.machine1     0.0.0.0         UG    0      0        0 eth0

Now, I need to insert the appropriate chains so that packets can pass
between the two private LANs.  I have read through "The Linux
Cipe+Masquerading mini-HOWTO", and I see how the chains are inserted via
the sample ip-up script for kernel 2.1/2.2 with ipchains.  But, before I
try to translate all their ipchains rules into iptables rules ....

Is there anyone out there that has created cipe ip-up/down scripts that
will insert _iptables_ chains that will bring up the cipcb0 interfaces
properly?

My setup is like this:

LAN-1 (192.168.1.xxx) <==>
        FW-1 <===>
                Internet <==>
                        FW-2 <==> LAN-2 (192.168.2.xxx)

Thanks,
Dave
1. CIPE, IPTABLES, Masquerading

Can someone please help with how to configure iptables with a cipe link
connecting two ethernet networks.  The following is a rough diagram of how
the networks are configured

192.168.2.0/24 Ethernet Network
||
192.168.2.1 - Redhat 7.2 Linux Server
| Dial up link 1.2.3.4 real IP, 10.0.0.2 CIPE IP
|
ISP
|
| Dial up link 4.3.2.1 real IP, 10.0.0.1 CIPE IP
192.168.1.1 - Redhat 7.2 Linux Server
||
192.168.1.0/24 Ethernet Network

Basically I want all computers on 192.168.2.0/24 to be able to see all
computers on 192.168.1.0/24 and vice versa.  Also, the 192.168.x.0 computers
need to be able to have masqueraded internet access.

I have managed to get CIPE up and running and 192.168.2.1 and 192.168.1.1
can see each other just nicely.  I have managed to get routing set up
properly, and with no iptables set up at all, both networks communicate
together just nicely.  The trouble is though, I then don't have any
masqueraded internet access.  As soon as I turn on iptables for
masquerading, 192.168.1.1 and 192.168.2.1 can still see each other, but none
of the network computers can see the other network.  What do I need to do to
my iptables to get masquerading working AND have the networks be able to see
each other properly?

Currently my /etc/sysconfig/iptables file is:

# Generated by iptables-save v1.2.3 on Tue Mar 19 17:12:34 2002
*nat
:PREROUTING ACCEPT [10168:715722]
:POSTROUTING ACCEPT [851:94961]
:OUTPUT ACCEPT [1540:144302]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Mar 19 17:12:34 2002
# Generated by iptables-save v1.2.3 on Tue Mar 19 17:12:34 2002
*filter
:INPUT ACCEPT [287217:51887269]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [335706:261610800]

I tried adding the following to the output section under *nat but it made no
difference:
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
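Both posts end up at the same point: the cipcb0 interface is up and the two gateways can reach each other, but traffic from one LAN to the other never gets through once iptables is active. In the second post's ruleset the reason is visible in the saved file: the filter table's FORWARD chain has policy DROP and no rules, and the ACCEPT rules added to nat/POSTROUTING cannot help because the nat table only rewrites addresses; whether a packet is forwarded at all is decided in filter/FORWARD. The script below is an added example, not code from either poster, the CIPE project or the mini-HOWTO, and is the kind of ip-up/ip-down pair the first post asks for. It assumes the LAN side is eth1, the Internet side is ppp0 (eth0 in the first post; override the variables), the CIPE device is cipcb0, the local and remote LANs are 192.168.1.0/24 and 192.168.2.0/24, and it uses a placeholder UDP port 6789 for the CIPE daemon, which must be replaced with the port actually configured for cipcb0. Run it as "up" from CIPE's ip-up hook and as "down" from ip-down; with no argument it only defines its functions.

```shell
#!/bin/sh
# Added example (not from the posts): filter/NAT rules for a CIPE link.
# Assumptions, all overridable from the environment:
IPT=${IPT:-iptables}                         # set IPT=echo to dry-run
LAN_IF=${LAN_IF:-eth1}                       # interface towards the local LAN
EXT_IF=${EXT_IF:-ppp0}                       # interface towards the Internet
CIPE_IF=${CIPE_IF:-cipcb0}                   # CIPE tunnel device
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}       # LAN behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}     # LAN behind the peer gateway
CIPE_PORT=${CIPE_PORT:-6789}                 # PLACEHOLDER: CIPE's UDP port

# rule ACTION TABLE CHAIN MATCH... : run one iptables command.
# ACTION is -A when the link comes up and -D when it goes down, so the
# same list of rules is added and removed symmetrically.
rule() {
    action=$1; table=$2; chain=$3; shift 3
    "$IPT" -t "$table" "$action" "$chain" "$@"
}

# cipe_rules -A|-D : the complete rule set for the tunnel.
cipe_rules() {
    action=$1
    # Forwarding between the two private LANs is decided here, in the
    # filter table's FORWARD chain (policy DROP in the second post).
    # Matching on both interface and address keeps the tunnel from
    # becoming a path for traffic that is not LAN-to-LAN.
    rule "$action" filter FORWARD -i "$LAN_IF" -o "$CIPE_IF" \
        -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    rule "$action" filter FORWARD -i "$CIPE_IF" -o "$LAN_IF" \
        -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # Local LAN to the Internet, with replies allowed back by connection
    # tracking rather than by opening FORWARD in the other direction.
    rule "$action" filter FORWARD -i "$LAN_IF" -o "$EXT_IF" \
        -s "$LOCAL_NET" -j ACCEPT
    rule "$action" filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The CIPE daemon's UDP packets must reach this host on the outside link.
    rule "$action" filter INPUT -i "$EXT_IF" -p udp --dport "$CIPE_PORT" -j ACCEPT
    # Masquerade only what leaves for the Internet from the local LAN.
    # Tunnel traffic leaves via cipcb0, not ppp0, so it keeps its private
    # source address and the remote LAN sees the real 192.168.x.y host.
    rule "$action" nat POSTROUTING -o "$EXT_IF" -s "$LOCAL_NET" -j MASQUERADE
}

case "${1:-}" in
    up)   cipe_rules -A ;;
    down) cipe_rules -D ;;
    *)    : ;;   # no argument: functions only, so the file can be sourced
esac
```

Because the rules are matched on interface plus network in FORWARD, a host on 192.168.2.0/24 can only reach 192.168.1.0/24 through cipcb0, and nothing arriving on the tunnel is forwarded out to the Internet through the masquerade. Setting IPT=echo prints the exact iptables commands without touching the kernel, which is a convenient way to review the rule set before wiring the script into CIPE's ip-up and ip-down hooks.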
