Mailinglist Archive: opensuse-security (88 mails)

Re: [Fwd: Re: [suse-security] VPN and SuSEfirewall2]
  • From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
  • Date: Thu, 27 Apr 2006 19:12:20 +0930
  • Message-id: <200604271912.20838.jbaxter@xxxxxxxxxxxxx>
I think the issue is almost certainly that the SuSE router is NATing the
packets from the internal network, rather than redirecting down the tunnel.

output of "iptables -t nat --list":

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.1.0/24 !192.168.200.0/24
MASQUERADE all -- anywhere anywhere

The first rule says don't masquerade packets headed for 192.168.200.0/24, but
the second rule says masquerade everything, which will still match (as Ludwig
pointed out). The first rule is the one I added, I guess the second is the
one SuSE automatically adds based on the setting of FW_MASQ_NETS.

Problem is, if I set FW_MASQ_NETS to "0/0,!192.168.200.0/24", packets from
192.168.1.0/24 to 192.168.200.0/24 seem to get dropped by the firewall before
they get a chance to go down the tunnel.

- Jonathan
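
The chain evaluation Jonathan describes, simulated in Python as an added example (this is not code from the post or from SuSEfirewall2). It models the first-match semantics of the nat POSTROUTING chain shown above and makes explicit why a MASQUERADE rule with a negated destination cannot exclude anything on its own: a packet that fails to match it simply falls through to the catch-all MASQUERADE below. The "fixed" chain is an assumption for illustration, an explicit ACCEPT for tunnel-bound traffic inserted ahead of any masquerade rule so the chain terminates without NAT; sample addresses are constructed from the subnets in the post.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass
class NatRule:
    """One rule of an iptables nat chain: target plus source/destination match."""
    target: str                 # e.g. MASQUERADE, ACCEPT, RETURN
    src: str = ANY
    dst: str = ANY
    dst_negated: bool = False   # models the "!192.168.200.0/24" syntax

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        if self.dst_negated:
            dst_ok = not dst_ok
        return src_ok and dst_ok


def postrouting_verdict(chain, src_ip: str, dst_ip: str, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in iptables; the chain policy applies if none match."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip):
            return rule.target
    return policy


# The POSTROUTING chain exactly as listed in the post.
CHAIN_FROM_POST = [
    NatRule("MASQUERADE", src="192.168.1.0/24", dst="192.168.200.0/24", dst_negated=True),
    NatRule("MASQUERADE"),  # catch-all added from FW_MASQ_NETS
]

# Assumed fix: an ACCEPT for tunnel-bound traffic placed before any MASQUERADE
# rule. In the nat table ACCEPT means "leave this packet un-NATed and stop".
CHAIN_FIXED = [
    NatRule("ACCEPT", src="192.168.1.0/24", dst="192.168.200.0/24"),
] + CHAIN_FROM_POST


def trace(chain, src_ip: str, dst_ip: str) -> list:
    """Return the per-rule match result so the fall-through is visible."""
    return [(rule.target, rule.matches(src_ip, dst_ip)) for rule in chain]


if __name__ == "__main__":
    # Constructed sample: an internal host talking to the remote VPN subnet.
    for name, chain in (("as posted", CHAIN_FROM_POST), ("fixed", CHAIN_FIXED)):
        verdict = postrouting_verdict(chain, "192.168.1.10", "192.168.200.5")
        print(f"{name:10s} 192.168.1.10 -> 192.168.200.5: {verdict}  {trace(chain, '192.168.1.10', '192.168.200.5')}")
    # Internet-bound traffic must still be masqueraded in the fixed chain.
    print("fixed      192.168.1.10 -> 203.0.113.7:", postrouting_verdict(CHAIN_FIXED, "192.168.1.10", "203.0.113.7"))
```

Running it shows the posted chain returning MASQUERADE for tunnel-bound packets because rule one does not match them and rule two does, while the fixed chain returns ACCEPT for those packets and still masquerades everything else from 192.168.1.0/24. On a live box the equivalent check is `iptables -t nat -L POSTROUTING -v -n`, reading the rules top to bottom with the same first-match logic.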
