Hello list,

I'm using OpenVPN and SuSEfirewall. OpenVPN is running fine, but my routing won't work.

My local network (eth0) is 192.168.1.0/24
My tunnel net (tun1) is 192.168.2.0/24

So I'm trying to route between both nets, but for every protocol I get this from SuSEfirewall:

SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3

Any ideas what is wrong?

My SuSEfirewall config:

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 tun1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="8890:8893 http https ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV="ppp0,125"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="int"
FW_IPSEC_MARK=""
FW_LOG=""

My SuSEfirewall-custom:

fw_custom_before_masq() {
    # accept anything arriving on an OpenVPN tun/tap interface
    # (tun+ / tap+ match every instance, tun0, tun1, ...)
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    true
}

Best regards,
Hans
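An added example, not code from the thread or from SuSEfirewall2: a small checker that reads the posted SFW2 log line and the forwarding-related settings from the config above and reports why the packet was dropped. It assumes the config is the key="value" format shown (it does not expand shell variables, so FW_MASQ_DEV="$FW_DEV_EXT" stays literal), that a device's class is the FW_DEV_EXT/INT/DMZ list it appears in, and that a forward between two devices of the same class is only opened by FW_ALLOW_CLASS_ROUTING="yes" or an FW_FORWARD entry, which is the behaviour the replies in this thread describe. The verdict strings are this example's own.

```python
"""Diagnose a SuSEfirewall2 FWD-DROP log line against the FW_DEV_* classes.

Added example for this thread, not code from SuSEfirewall2 or the posters.
Assumptions: config lines are KEY="value" with no variable expansion; a
device belongs to the FW_DEV_EXT/INT/DMZ list that names it; a forward
between two devices of the same class is opened only by
FW_ALLOW_CLASS_ROUTING="yes" or an FW_FORWARD entry.
"""
import shlex

# Constructed sample input: the log line from the original post.
SAMPLE_LOG = ("SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 "
              "DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF "
              "PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3")

# Constructed sample input: the subset of the posted config that decides forwarding.
SAMPLE_CONFIG = """
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 tun1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_FORWARD=""
"""

CLASSES = ("EXT", "INT", "DMZ")


def parse_config(text):
    """Read KEY="value" lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.isidentifier():
            continue
        # shlex strips the quotes but does not expand $VARS
        cfg[key] = " ".join(shlex.split(value))
    return cfg


def parse_log(line):
    """Split an SFW2 log line into its prefix and KEY=VALUE fields.

    iptables logs two ID= fields for ICMP echo (IP id, then echo id); the
    first occurrence of a key wins, so fields["ID"] is the IP id.
    """
    prefix, _, rest = line.strip().partition(" ")
    if not prefix.startswith("SFW2-"):
        raise ValueError("not an SFW2 log line: %r" % line)
    fields = {"PREFIX": prefix, "FLAGS": []}
    for tok in rest.split():
        key, sep, value = tok.partition("=")
        if sep:
            fields.setdefault(key, value)
        else:
            fields["FLAGS"].append(tok)  # bare tokens such as DF, SYN
    return fields


def device_class(cfg, dev):
    """Return EXT/INT/DMZ for a device, or None if no FW_DEV_* lists it."""
    for cls in CLASSES:
        if dev in cfg.get("FW_DEV_" + cls, "").split():
            return cls
    return None


def diagnose(cfg, fields):
    """Return (verdict, explanation) for a parsed forward-drop log line."""
    if "DROP" not in fields["PREFIX"]:
        return ("not-a-drop", "log prefix %s is not a drop" % fields["PREFIX"])
    if cfg.get("FW_ROUTE") != "yes":
        return ("routing-off", 'FW_ROUTE is not "yes": nothing is forwarded at all')
    dev_in, dev_out = fields.get("IN"), fields.get("OUT")
    cls_in, cls_out = device_class(cfg, dev_in), device_class(cfg, dev_out)
    if cls_in is None or cls_out is None:
        return ("unclassified",
                "%s/%s not listed in any FW_DEV_* variable" % (dev_in, dev_out))
    path = "%s(%s) -> %s(%s)" % (dev_in, cls_in, dev_out, cls_out)
    if cls_in != cls_out:
        return ("cross-class",
                path + ": not a same-class drop, check FW_MASQUERADE/FW_FORWARD")
    if cfg.get("FW_ALLOW_CLASS_ROUTING") == "yes":
        return ("same-class-allowed",
                path + ": class routing is on, so the drop has another cause")
    if cfg.get("FW_FORWARD", "").strip():
        return ("same-class-check-forward",
                path + ": class routing is off; check whether an FW_FORWARD entry "
                "covers %s -> %s" % (fields.get("SRC"), fields.get("DST")))
    return ("same-class-blocked",
            path + ': both devices are %s, FW_ALLOW_CLASS_ROUTING="no" and FW_FORWARD '
            "is empty, so the default rule drops it" % cls_in)


if __name__ == "__main__":
    verdict, why = diagnose(parse_config(SAMPLE_CONFIG), parse_log(SAMPLE_LOG))
    print(verdict + ": " + why)
```

Running it on the posted line gives the same-class-blocked verdict; flipping FW_ALLOW_CLASS_ROUTING to "yes" in SAMPLE_CONFIG changes the verdict, which is the quickest way to confirm a drop is the interface-class default and not, say, a missing route or an antispoof rule.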
Quoting "Kaiser, Hans"
Hello list,
I'm using OpenVPN and SuSEfirewall. OpenVPN is running fine, but my routing won't work. My local network (eth0) is 192.168.1.0/24. My tunnel net (tun1) is 192.168.2.0/24.
So I'm trying to route between both nets, but for every protocol I get this from SuSEfirewall: SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3
[snip]
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 tun1"
As I understand it, SuSE Firewall was designed with the intention of only routing between Internal and External interfaces, not between two that are Internal or two that are External. So both eth0 and tun1 (shouldn't that be tun0?) should route out your ppp connection, but not between each other. What's the context of your environment? Offhand, I don't know the necessary changes to make those two route, perhaps someone else on the list does.
* suse@rio.vg;
[snip]
As I understand it, SuSE Firewall was designed with the intention of only routing between Internal and External interfaces, not between two that are Internal or two that are External.
Well, it can do the routing if you set the following to yes:

# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network
# interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
[snip]
Hello,

thanks for the answers! Are there any security concerns if setting FW_ALLOW_CLASS_ROUTING="yes"?

Best regards,
Hans
* Kaiser, Hans;
[snip]
Hello,
thanks for the answers! Are there any security concerns if setting FW_ALLOW_CLASS_ROUTING="yes" ?
Not that I see (note that this does not mean it does not exist), since it only allows routing of the packets between the same class, meaning if you have two devices in FW_DEV_INT then the routing between these two is allowed. If you look at the script (around line 1595):

test "$FW_ALLOW_CLASS_ROUTING" = yes && {
    for DEV1 in $FW_DEV_INT; do
        for DEV2 in $FW_DEV_INT; do
            test "$DEV1" = "$DEV2" || {
                $LAA $IPTABLES -A forward_int -j LOG ${LOG}"-ACCEPT-CLASS " -i $DEV1 -o $DEV2
                $IPTABLES -A forward_int -j "$ACCEPT" -i $DEV1 -o $DEV2
            }
        done
    ....

It checks FW_DEV_DMZ and FW_DEV_EXT as well, to see if there is more than one device. Your other alternative is to define FW_FORWARD, where you can define which ports are allowed to be forwarded to the other network.

Hope this helps

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
Hello Hans,

I don't know OpenVPN, but with FreeSwan I had the same troubles. To get a working tunnel I modified SuSEfirewall-custom:

iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
iptables -A OUTPUT -j ACCEPT -d 192.168.2.0/24

and SuSEfirewall:

FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24 a.a.a.a/32,192.168.1.0/24 a.a.a.a/32,b.b.b.b/32 192.168.1.0/24,a.a.a.a/32"

(a.a.a.a = Gateway1, b.b.b.b = Gateway2). Try it.

Best regards.

On Thursday, 22 July 2004 22:40, Kaiser, Hans wrote:
[snip]
--
Kind regards,
Andreas
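An added example, not SuSEfirewall2's own code nor anything the posters wrote, that puts Togan's two alternatives side by side: it expands FW_ALLOW_CLASS_ROUTING="yes" into the per-device-pair rules the quoted DEV1/DEV2 loop produces, and expands an FW_FORWARD list of the kind Andreas posted into rules that match on source/destination network and, optionally, protocol and port. Assumptions: the log prefix is approximated from the loop's ${LOG}"-ACCEPT-CLASS " fragment; the FW_FORWARD entry form src,dst[,protocol[,port]] goes beyond the src,dst pairs shown in the thread (the optional fields are this example's reading of the variable); both rule sets are emitted into the forward_int chain for comparison rather than reproducing the script's exact chain layout.

```python
"""Expand SuSEfirewall2's two ways of opening traffic between two internal
interfaces into the iptables rules they amount to, so the difference in
what each one matches is visible.

Added example for this thread, not SuSEfirewall2's own code. Assumptions:
class_routing_rules mirrors the DEV1/DEV2 loop quoted from the script
with an approximated log prefix; FW_FORWARD entries are
src,dst[,protocol[,port]] (only src,dst appears in the thread); the
forward_int chain is used for both rule sets for comparison only.
"""
import ipaddress


def class_routing_rules(devs, chain="forward_int", log=True):
    """One LOG + ACCEPT rule per ordered pair of distinct devices.

    This is what FW_ALLOW_CLASS_ROUTING="yes" generates for one class: the
    only match is the interface pair, so every address, protocol and port
    is accepted in both directions.
    """
    rules = []
    for dev1 in devs:
        for dev2 in devs:
            if dev1 == dev2:
                continue
            if log:
                rules.append('iptables -A %s -i %s -o %s -j LOG '
                             '--log-prefix "SFW2-FWDint-ACCEPT-CLASS "'
                             % (chain, dev1, dev2))
            rules.append("iptables -A %s -i %s -o %s -j ACCEPT" % (chain, dev1, dev2))
    return rules


def parse_fw_forward(value):
    """Parse the space-separated FW_FORWARD list into (src, dst, proto, port)."""
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) < 2 or len(parts) > 4:
            raise ValueError("bad FW_FORWARD entry: %r" % item)
        src = ipaddress.ip_network(parts[0], strict=False)
        dst = ipaddress.ip_network(parts[1], strict=False)
        proto = parts[2].lower() if len(parts) > 2 and parts[2] else None
        port = parts[3] if len(parts) > 3 and parts[3] else None
        if port and proto not in ("tcp", "udp"):
            raise ValueError("port given without tcp/udp in %r" % item)
        entries.append((src, dst, proto, port))
    return entries


def fw_forward_rules(entries, chain="forward_int"):
    """Emit one ACCEPT per FW_FORWARD entry, matching network/proto/port."""
    rules = []
    for src, dst, proto, port in entries:
        rule = "iptables -A %s -s %s -d %s" % (chain, src, dst)
        if proto:
            rule += " -p " + proto
        if port:
            rule += " --dport " + port
        rules.append(rule + " -j ACCEPT")
    return rules


def _port_matches(spec, port):
    """spec is a single port "22" or a range "8890:8893"; port is an int."""
    if port is None:
        return False
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(port) <= int(hi or lo)


def forward_covers(entries, src_ip, dst_ip, proto=None, dport=None):
    """Would some FW_FORWARD entry accept a packet with these attributes?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for esrc, edst, eproto, eport in entries:
        if src not in esrc or dst not in edst:
            continue
        if eproto and (proto is None or proto.lower() != eproto):
            continue
        if eport and not _port_matches(eport, dport):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the poster's two internal devices, and an
    # FW_FORWARD list with the two real-network pairs from Andreas's reply
    # plus one constructed tcp/22 entry to show the narrower form.
    print("# FW_ALLOW_CLASS_ROUTING=yes expands to:")
    for r in class_routing_rules(["eth0", "tun1"]):
        print(r)
    entries = parse_fw_forward("192.168.1.0/24,192.168.2.0/24 "
                               "192.168.2.0/24,192.168.1.0/24 "
                               "192.168.2.0/24,192.168.1.250/32,tcp,22")
    print("# FW_FORWARD expands to:")
    for r in fw_forward_rules(entries):
        print(r)
```

forward_covers answers the question Hans asked about the log line directly: with the two-pair FW_FORWARD list, the ICMP echo from 192.168.2.1 to 192.168.1.250 is accepted, whereas with only the tcp/22 entry it is not, while the class-routing rules contain no address or protocol match at all.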