[opensuse] Firewall / routing problem
Hi
I'm missing something obvious here, but what?
I've configured a combined firewall/openvpn server.
The client has the IP 10.8.0.2 and the server has 10.8.0.1. The server has another IP, 192.168.1.1. It also has a SuSEFirewall2 with openvpn open for UDP.
Now, I can ping and ssh from the client to 192.168.1.1. And I can ssh from 192.168.1.10, another machine. From that machine I can ping 192.168.1.1 and 10.8.0.1 but NOT 10.8.0.2.
That means that I can't ssh from the client to 192.168.1.10, and it seems the problem is that packets don't return from 192.168.1.10, but why?
--
Kind regards
Kaare Rasmussen, Jasonic
Jasonic Phone: +45 3816 2582 Nordre Fasanvej 12 2000 Frederiksberg Email: kaare@jasonic.dk
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Kaare Rasmussen wrote:
Hi
I'm missing something obvious here, but what?
I've configured a combined firewall/openvpn server.
The client has the IP 10.8.0.2 and the server has 10.8.0.1. The server has another IP, 192.168.1.1. It also has a SuSEFirewall2 with openvpn open for UDP.
Now, I can ping and ssh from the client to 192.168.1.1. And I can ssh from 192.168.1.10, another machine. From that machine I can ping 192.168.1.1 and 10.8.0.1 but NOT 10.8.0.2.
That means that I can't ssh from the client to 192.168.1.10, and it seems the problem is that packets don't return from 192.168.1.10, but why?
What is the output of the command sysctl net.ipv4.ip_forward when issued at the server?
Joe
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
On Saturday 12 July 2008 20:26:43 Joe Sloan wrote:
Kaare Rasmussen wrote:
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Is the server NATing the client IP?
Joe
Yes.
Kaare Rasmussen wrote:
On Saturday 12 July 2008 20:26:43 Joe Sloan wrote:
Kaare Rasmussen wrote:
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Is the server NATing the client IP?
Joe
That could be a problem. You need to NAT packets going to the outside world, but not necessarily for internal networks. For instance my NAT rule says something like:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d "!" 192.168.0.0/16 -o $EXT_IF -j SNAT --to $EXT_ADDR
Since there is traffic passing through the firewall among different internal LANs which would be very confused if NATted. That said, your setup probably should work, even with NATting, but it does add an extra layer of complexity to the problem.
If nothing comes to mind, it might be instructive to run tcpdump on the server while attempting to make a connection from the client, and see what is going on with the packets.
Joe
If nothing comes to mind, it might be instructive to run tcpdump on the server while attempting to make a connection from the client, and see what is going on with the packets.
I wonder why the firewall drops the packets from 192.168.1.10 to 10.8.0.2, given that both eth0 and tun0 are supposed to be on the inner side.
Jul 12 21:20:27 server kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=tun0 SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63343 SEQ=1
But perhaps it's better to put it away and look at it tomorrow when fresh.
Kaare Rasmussen wrote:
If nothing comes to mind, it might be instructive to run tcpdump on the server while attempting to make a connection from the client, and see what is going on with the packets.
I wonder why the firewall drops the packets from 192.168.1.10 to 10.8.0.2, given that both eth0 and tun0 are supposed to be on the inner side.
Jul 12 21:20:27 server kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=tun0 SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63343 SEQ=1
But perhaps it's better to put it away and look at it tomorrow when fresh.
FWIW I've never had any luck with the suse firewall for anything other than the dead simple default case. I've been using the webmin iptables module, which I found easy to understand, quite flexible and capable.
Joe
On 07/13/2008 03:24 AM, Kaare Rasmussen wrote:
I wonder why the firewall drops the packets from 192.168.1.10 to 10.8.0.2, given that both eth0 and tun0 are supposed to be on the inner side.
Jul 12 21:20:27 server kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=tun0 SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63343 SEQ=1
But perhaps it's better to put it away and look at it tomorrow when fresh.
Perhaps, this is the setting you need.
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""
Try setting this to yes.
--
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
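The SFW2-FWDint-DROP-DEFLT line quoted earlier in the thread is exactly the symptom FW_ALLOW_CLASS_ROUTING addresses: a forwarded packet between two interfaces of the same firewall class (eth0 and tun0, both internal) hitting the default drop. As an added example that is not part of the thread or of SuSEFirewall2 itself, the following Python script parses such kernel log lines and flags same-class forward drops so they can be told apart from ordinary external drops. The interface-to-class mapping is an assumption for the example (eth0 and tun0 internal, a hypothetical eth1 external); the log sample contains the thread's own line plus two constructed lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# SuSEFirewall2 log prefix has the form SFW2-<chain>-<action>-<reason>,
# followed by the usual netfilter key=value fields (IN=, OUT=, SRC=, ...).
SFW2_RE = re.compile(
    r"SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<reason>[A-Z]+)\s+(?P<fields>.*)$"
)
# Flag-only tokens such as "DF" or "SYN" have no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed interface classes for this example: the thread says eth0 and tun0 are
# both on the inner side (FW_DEV_INT); eth1 as the external device is hypothetical.
IFACE_CLASS = {"eth0": "int", "tun0": "int", "eth1": "ext"}


@dataclass
class Drop:
    chain: str
    reason: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str


def parse_sfw2(line: str) -> Optional[Drop]:
    """Return a Drop for an SFW2 DROP log line, or None for anything else."""
    m = SFW2_RE.search(line)
    if not m or m.group("action") != "DROP":
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return Drop(
        chain=m.group("chain"),
        reason=m.group("reason"),
        in_if=fields.get("IN", ""),
        out_if=fields.get("OUT", ""),   # empty for INPUT-chain drops
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
    )


def is_same_class_forward_drop(d: Drop) -> bool:
    """True when a forwarded packet was dropped between two interfaces of the
    same firewall class, which is what FW_ALLOW_CLASS_ROUTING="yes" permits."""
    if not d.out_if:
        return False  # no OUT interface: not a forwarded packet
    in_cls = IFACE_CLASS.get(d.in_if)
    return in_cls is not None and in_cls == IFACE_CLASS.get(d.out_if)


def find_class_routing_drops(lines: List[str]) -> List[Drop]:
    """Filter log lines down to the same-class forward drops."""
    return [d for d in map(parse_sfw2, lines) if d and is_same_class_forward_drop(d)]


# Constructed sample: line 1 is the thread's own log line; lines 2 and 3 are
# made up here (an external-to-internal forward drop and an INPUT drop).
SAMPLE_LOG = [
    "Jul 12 21:20:27 server kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=tun0 "
    "SRC=192.168.1.10 DST=10.8.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=63343 SEQ=1",
    "Jul 12 21:21:03 server kernel: SFW2-FWDext-DROP-DEFLT IN=eth1 OUT=eth0 "
    "SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF "
    "PROTO=TCP SPT=44532 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul 12 21:21:10 server kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= "
    "SRC=198.51.100.9 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 "
    "PROTO=TCP SPT=6000 DPT=23",
]

if __name__ == "__main__":
    for d in find_class_routing_drops(SAMPLE_LOG):
        print(f"same-class forward drop: {d.in_if}->{d.out_if} {d.src}->{d.dst} "
              f"({d.proto}, chain {d.chain}); consider FW_ALLOW_CLASS_ROUTING or an "
              f"explicit FW_FORWARD entry")
```

Run against /var/log/messages (or the journal) on the firewall, the filter narrows the noise to the one kind of drop the class-routing setting changes; the external drops are left alone, so enabling class routing does not need to be confused with opening the outside interface.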
But perhaps it's better to put it away and look at it tomorrow when fresh.
Perhaps, this is the setting you need. FW_ALLOW_CLASS_ROUTING=""
It was, and now I've had a sleep I can see it :-) Thanks for the help to you and Joe.
participants (3)
-
Joe Morris
-
Joe Sloan
-
Kaare Rasmussen