Michael D. Schleif wrote:
> Charles Steinkuehler wrote:
>> ipchains -I input -j MASQ -s 192.168.11.0/24 -d 192.168.1.0/24 -i ipsec0
> Will this work?  man ipchains(8) states, ``MASQ is only legal for the
> forward and user defined chains ...''
No...it will fail miserably. That's what I get for answering e-mail early in the AM. You really want:

ipchains -I forward -j MASQ -s 192.168.11.0/24 -d 192.168.1.0/24 \
-i ipsec0

As you realized...sorry. :<

>> At this point, you should be able to ping 192.168.1.0/24 network systems
>> from systems on the 192.168.11.0/24 behind pinktrout.  You should also
>> be able to ping pinktrout's public IP from systems behind bluetrout,
>> with all traffic going through the VPN.
> What I'm trying to show on <http://www.helices.org/tmP/pinktrout.txt> is
> 192.168.11.10 pinging 192.168.1.40 -- which does *NOT* work, nor can I
> find any dump nor log to illustrate the nature of the failure.
This won't work until the MASQ rules are properly in place. I'd try pinging from 192.168.1.40 to pinktrout, or from pinktrout to 192.168.1.40 to verify the VPN is up & working properly first. THEN you can try adding the MASQ rule and pinging from 192.168.11.10 to 192.168.1.40.

>> IMPORTANT:  At *NO TIME* will you be able to directly ping (or otherwise
>> talk to) any systems behind pinktrout from systems behind bluetrout, due
>> to the masquerading rules in place.  As far as the systems behind
>> bluetrout are concerned, they are communicating with one, and only one,
>> IP, which is the public IP of pinktrout.  In other words, the systems
>> behind pinktrout are hidden from the systems behind bluetrout the same
>> way all internal networks are hidden from the internet in general by a
>> masquerading firewall.
> I am pretty sure that I'm coming to grasp all of the ramifications of
> this vpn.  My illustrations attempt to maintain a sort of symmetry,
> pinging from similar positions on each opposing network, &c.
>
> Is this a forward chain that you had in mind?
>
> $IPCH -I forward -j MASQ -d 192.168.1.0/24 -s 192.168.11.0/24
Yes.

--
Charles Steinkuehler
[EMAIL PROTECTED]
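The two points Charles makes above (MASQ belongs in the forward chain, and once the rule is in place the bluetrout side only ever sees pinktrout's public IP, so it cannot initiate contact with hosts behind pinktrout) can be checked against a small model of the masquerade table. The script below is an added illustration written for this page, not code from the thread or from the LEAF project; the public address 203.0.113.1 is a constructed placeholder, since the thread never states pinktrout's real public IP, and the identifier range the model hands out is likewise made up rather than the kernel's.

```python
"""Toy model of ipchains masquerading on pinktrout, as described in the thread.

Constructed for illustration: it tracks the (proto, identifier) pairs a
masquerading router would remember and shows which way traffic can flow.
"""
import ipaddress
from dataclasses import dataclass

PINKTROUT_PUBLIC = "203.0.113.1"                   # placeholder, not from the thread
PINK_LAN = ipaddress.ip_network("192.168.11.0/24")  # behind pinktrout
BLUE_LAN = ipaddress.ip_network("192.168.1.0/24")   # behind bluetrout


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    ident: int = 0  # ICMP echo id; stands in for the port a masq entry is keyed on


def masq_rule_is_legal(chain):
    """ipchains(8): MASQ is only legal for the forward and user-defined chains."""
    return chain not in ("input", "output")


class MasqRouter:
    """Models pinktrout with: ipchains -I forward -j MASQ -s PINK_LAN -d BLUE_LAN -i ipsec0"""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # (proto, masq ident) -> (original src, original ident)
        self.next_ident = 61000  # constructed starting point; the real kernel picks its own

    def forward(self, pkt):
        """Return the packet as it leaves the router, or None if it cannot be delivered."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # Outbound over the VPN: the rule matches and rewrites the source to our public IP.
        if src in PINK_LAN and dst in BLUE_LAN:
            self.next_ident += 1
            self.table[(pkt.proto, self.next_ident)] = (pkt.src, pkt.ident)
            return Packet(self.public_ip, pkt.dst, pkt.proto, self.next_ident)
        # Traffic from the far side addressed to our public IP: map back if it is a reply.
        if str(dst) == self.public_ip and src in BLUE_LAN:
            entry = self.table.get((pkt.proto, pkt.ident))
            if entry is None:
                return pkt   # not a masqueraded session; pinktrout itself is the target
            orig_src, orig_ident = entry
            return Packet(pkt.src, orig_src, pkt.proto, orig_ident)
        # A bluetrout-side host has no route to, and no mapping for, hosts behind pinktrout.
        if src in BLUE_LAN and dst in PINK_LAN:
            return None
        return pkt


def ping_round_trip(router, src, dst, ident=1):
    """Simulate one ICMP echo from src to dst through the router.

    Returns the source address the far host saw and the host the reply reached.
    """
    request = router.forward(Packet(src, dst, "icmp", ident))
    if request is None:
        return {"peer_saw": None, "reply_to": None}
    # The far host answers whatever source it saw, echoing the identifier back.
    reply = router.forward(Packet(request.dst, request.src, "icmp", request.ident))
    return {"peer_saw": request.src, "reply_to": None if reply is None else reply.dst}


if __name__ == "__main__":
    router = MasqRouter(PINKTROUT_PUBLIC)
    print("input chain legal for MASQ:", masq_rule_is_legal("input"))
    print("192.168.11.10 -> 192.168.1.40:", ping_round_trip(router, "192.168.11.10", "192.168.1.40"))
    print("192.168.1.40 -> 192.168.11.10:", ping_round_trip(router, "192.168.1.40", "192.168.11.10"))
```

Run it as-is: the pinktrout-side ping succeeds and the far host only ever sees 203.0.113.1, while the reverse ping from 192.168.1.40 never reaches a host behind pinktrout, which is the behaviour the IMPORTANT paragraph describes and the reason Charles suggests testing against pinktrout itself before adding the MASQ rule.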

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html