Re: packet forwarding.
Mike, Alex & others,

Sorry for the broken thread.

mb> 2) That joule knows the route to cantor (via dalton)

Just what I was missing; thanks!  Now, where to specify this route?

(1) "up route add ..." can not go in the eth0 stanza in
/etc/network/interfaces because tun0 is configured after eth0.
I wonder about adding a tun0 stanza to /etc/network/interfaces.

(2) Perhaps a better candidate is the up command in
/etc/openvpn/myvpn.conf.  Is the following plausible?

joule:/etc/openvpn# cat myvpn.conf
# openvpn configuration for joule.
# Default protocol is udp.
# Default port is 1194.
# The following is dalton.pathology.ubc.ca.
remote 142.103.107.137
dev tun
ifconfig 10.4.0.1 10.4.0.2
verb 5
secret /root/key
up 'route add -host 172.24.1.2 gw 10.4.0.1; echo up'
down 'route del -host 172.24.1.2 gw 10.4.0.1; echo down'

If another route is added, I should find how to continue the
parameter over multiple lines.

Thanks,     ... Peter E.

-- 
http://members.shaw.ca/peasthope/
http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: packet forwarding.
On Sat, Aug 02, 2008 at 10:18:17PM -0700, Mike Bird wrote:
> On Sat August 2 2008 18:31:40 [EMAIL PROTECTED] wrote:
> > My network is illustrated here now.
> > http://carnot.pathology.ubc.ca/Network.jpg
[snip]
> > "no connection".
> 
> That routing table shows that dalton knows the route to joule.
> From the network diagram we see that dalton also knows the
> (connected) route to cantor via eth3 (aka eth1).  Assuming no
> iptables blocks on any of the three systems, you still need to
> ensure:
> 
> 1) That cantor knows the route to joule (via dalton)
> 2) That joule knows the route to cantor (via dalton)
> 
> In short, every step along the way needs to know how to route
> packets in both directions.

Something you can do to help track it down is start a ping from
cantor to joule and use tcpdump at each of the hops and do a

  tcpdump -pni icmp and host cantor -c 10

and then a

  tcpdump -pni icmp and host cantor -c 10

Trace the packet all the way.  On cantor you can start off with

  ip r g

Once you know the next hop, then you can ssh to there and do the
tcpdump thing.

Alex

> 
> --Mike Bird

-- 
Miksch's Law: If a string has one end, then it has another end.
Re: packet forwarding.
On Sat August 2 2008 18:31:40 [EMAIL PROTECTED] wrote:
> My network is illustrated here now.
> http://carnot.pathology.ubc.ca/Network.jpg
> 
> Forwarding is always on.
> dalton:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> Even without such a command this is the routing
> table on Dalton.
> According to the first line, Dalton knows
> that the route to joule.petershouse.invalid
> is through the tun0 interface.
> So Cantor should get a POP3 connection to
> joule.petershouse.invalid?  It gets only
> "no connection".

That routing table shows that dalton knows the route to joule.
From the network diagram we see that dalton also knows the
(connected) route to cantor via eth3 (aka eth1).  Assuming no
iptables blocks on any of the three systems, you still need to
ensure:

1) That cantor knows the route to joule (via dalton)
2) That joule knows the route to cantor (via dalton)

In short, every step along the way needs to know how to route
packets in both directions.

--Mike Bird
Re: packet forwarding.
Alex & others,

My network is illustrated here now.
http://carnot.pathology.ubc.ca/Network.jpg

Forwarding is always on.
dalton:~# cat /proc/sys/net/ipv4/ip_forward
1

as> ... routing tables commands have a look at man ip

OK; I've read route.man and ip.man.

as> for a machine at local lan a (say 192.168.0.100) ...
as> ip r a 192.168.2.0/24 via 192.168.1.2

Even without such a command this is the routing
table on Dalton.

dalton:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
joule.petershou *               255.255.255.255 UH        0 0          0 tun0
142.103.107.128 *               255.255.255.128 U         0 0          0 eth0
172.24.1.0      *               255.255.255.0   U         0 0          0 eth3
default         142.103.107.254 0.0.0.0         UG        0 0          0 eth0

According to the first line, Dalton knows
that the route to joule.petershouse.invalid
is through the tun0 interface.  To the best of
my knowledge, "joule.petershouse.invalid"
appears only in /etc/hosts on joule.  I'll
guess that openvpn sends it from Joule to Dalton.

So Cantor should get a POP3 connection to
joule.petershouse.invalid?  It gets only
"no connection".

as> you will still need to look at your firewall

I guess there are two possibilities.  Either
(1) routing to the "invalid" domain is not
allowed or (2) the firewall on Dalton or on
Joule is blocking the connection.

Dalton has this policy.

#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      vpn   ACCEPT

Joule has this rule.

#ACTION      SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/  MARK
#                                 PORT     PORT(S)  DEST      LIMIT  GROUP
POP3/ACCEPT  net     $FW

Which rules out case (2) above.  So only (1) left?

Someone please shoot down one of my ideas or
give another hint.

Thanks,   ... Peter E.

-- 
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/
Re: packet forwarding.
On Sun, Jul 27, 2008 at 06:10:19PM -0700, [EMAIL PROTECTED] wrote:
> Alex and others,
> 
> as> for a machine at local lan a (say 192.168.0.100)
> to talk to a machine at local lan b (say 192.168.2.200).
> I would need a route on the gateway box in
> local lan A something like
> ip r a 192.168.2.0/24 via 192.168.1.2
> 
> That command uses iptables doesn't it?

Nope, these are routing table commands; have a look at man ip.

> 
> It seems reasonable.  Whereas in the Openvpn
> mailing list, Tom Eastep said
> "You don't specify routing in Shorewall or
>  using iptables.  You specify routing via OpenVPN."
> 
> I assume he won't elaborate because he believes
> the question is outside his scope; but what does
> he mean?
> How can I reconcile your instructions with Tom's
> comment?
> 
> Thanks for any ideas,... Peter E.
> 
> -- 
> http://carnot.yi.org/
> = http://carnot.pathology.ubc.ca/
> Desktops.OpenDoc  http://members.shaw.ca/peasthope/

-- 
You're at the end of the road again.
Re: packet forwarding.
Alex and others,

as> for a machine at local lan a (say 192.168.0.100)
as> to talk to a machine at local lan b (say 192.168.2.200).
as> I would need a route on the gateway box in
as> local lan A something like
as> ip r a 192.168.2.0/24 via 192.168.1.2

That command uses iptables doesn't it?

It seems reasonable.  Whereas in the Openvpn
mailing list, Tom Eastep said
"You don't specify routing in Shorewall or
 using iptables.  You specify routing via OpenVPN."

I assume he won't elaborate because he believes
the question is outside his scope; but what does
he mean?
How can I reconcile your instructions with Tom's
comment?

Thanks for any ideas,... Peter E.

-- 
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/
Re: packet forwarding.
On Sun, Jul 27, 2008 at 10:03:50AM -0700, [EMAIL PROTECTED] wrote:
> Alex,
> 
> > net.ipv4.ip_forward=1
> as> This allows the kernel to do packet forwarding
> 
> No problem there.  My LAN machines have
> no problems accessing the 'net for http,
> pop3, ftp.
> 
> as> turn which on ?
> 
> TUN packet forwarding through the firewall
> (ref. original message, last weekend.).  I
> want the pop3 connection from Cantor to Joule
> to run through the tunnel; not directly
> through the Internet.
> 
> SUMMARY
> Internet access is no problem.  I do not
> understand routing through the tunnel,
> discussed under Routing in openvpn.man.
> 
> Tuesday afternoon, July 29, I'll scan a
> diagram and put it at
> http://carnot.yi.org/Network.jpg

Just consider TUN devices as normal NIC interfaces.

If I had

  local lan A             = 192.168.0.1/24 (IP address of the NIC on the local LAN)
  local lan A openvpn TUN = 192.168.1.1/24 (IP address given to the openvpn tun)
  local lan B openvpn TUN = 192.168.1.2/24 (IP address given to the openvpn tun); this talks to lan A
  local lan B             = 192.168.2.1/24 (IP address of the NIC on the local LAN at B)

for a machine at local lan A (say 192.168.0.100) to talk to a machine
at local lan B (say 192.168.2.200), I would need a route on the gateway
box in local lan A something like

  ip r a 192.168.2.0/24 via 192.168.1.2

and on the gateway box at local lan B I would need a route something like

  ip r a 192.168.0.0/24 via 192.168.1.1

You will still need to look at your firewall.

Alex

> .
> 
> Thanks,... Peter E.
> 
> -- 
> http://carnot.yi.org/
> = http://carnot.pathology.ubc.ca/
> Desktops.OpenDoc  http://members.shaw.ca/peasthope/

-- 
"Russia's big and so is China." - George W. Bush 06/16/2006 St. Petersburg, Russia to Tony Blair at the G8 summit
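Mike Bird's point (every hop must be able to route the request and the reply) and Alex's two-LAN sketch above can both be checked on paper before touching a box. What follows is an added example, not code from the thread or from any of its posters: a small Python routing-table simulator that performs the longest-prefix match that `ip route get` does on each host and then walks a packet hop by hop, which is the tcpdump-at-every-hop exercise without the hardware. Addresses follow Alex's sketch (LAN A 192.168.0.0/24, LAN B 192.168.2.0/24, tunnel 192.168.1.1 and 192.168.1.2, hosts .100 and .200). The gateways' public addresses (198.51.100.0/24 and 203.0.113.0/24), the .1 LAN addresses of the two gateways and the stand-in "isp" box that absorbs the default route are assumptions made for the example.

```python
"""Two-LAN OpenVPN routing on paper (added example, not from the thread).

Assumed: gateway LAN addresses .1, public ranges 198.51.100.0/24 and
203.0.113.0/24, and an 'isp' box standing in for the default route.
"""
from ipaddress import ip_address, ip_network


def lookup(table, dst):
    """Longest-prefix match over (network, via, iface) entries, which is
    what `ip route get <dst>` does on a host.  via=None marks a directly
    connected network.  Returns the matching entry or None."""
    dst = ip_address(dst)
    best = None
    for net, via, iface in table:
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via, iface)
    return best


def owner_of(hosts, ip):
    """Name of the host that holds address `ip`, or None."""
    for name, host in hosts.items():
        if ip in host["addrs"]:
            return name
    return None


def trace(hosts, src, dst):
    """Walk a packet hop by hop from host `src` toward address `dst`.

    Returns (path, outcome): the hosts traversed and one of 'delivered',
    'no route', 'ip_forward=0', 'next hop unreachable' or 'loop'."""
    path = [src]
    cur = src
    for _ in range(16):                          # TTL guard against loops
        if dst in hosts[cur]["addrs"]:
            return path, "delivered"
        if cur != src and not hosts[cur]["forward"]:
            return path, "ip_forward=0"          # transit box not forwarding
        route = lookup(hosts[cur]["table"], dst)
        if route is None:
            return path, "no route"
        _, via, _ = route
        nexthop = dst if via is None else via    # connected: hand to dst itself
        nxt = owner_of(hosts, nexthop)
        if nxt is None:
            return path, "next hop unreachable"
        path.append(nxt)
        cur = nxt
    return path, "loop"


def both_ways(hosts, a, a_ip, b, b_ip):
    """Mike Bird's test: a conversation only works if the request AND the
    reply are routable.  Returns (ok, forward_trace, return_trace)."""
    fwd = trace(hosts, a, b_ip)
    back = trace(hosts, b, a_ip)
    return fwd[1] == "delivered" and back[1] == "delivered", fwd, back


def build(route_a=False, route_b=False, gw_a_forward=True):
    """Alex's sketch as routing tables.  The tunnel is just a connected
    /24 on tun0: treat tun like any other NIC.  The 'isp' box has no
    route into RFC 1918 space, so anything that falls to the default
    route dies there (assumed topology, see the module docstring)."""
    gw_a_table = [("192.168.0.0/24", None, "eth0"),
                  ("192.168.1.0/24", None, "tun0"),
                  ("198.51.100.0/24", None, "eth1"),
                  ("0.0.0.0/0", "198.51.100.1", "eth1")]
    gw_b_table = [("192.168.2.0/24", None, "eth0"),
                  ("192.168.1.0/24", None, "tun0"),
                  ("203.0.113.0/24", None, "eth1"),
                  ("0.0.0.0/0", "203.0.113.1", "eth1")]
    if route_a:   # ip r a 192.168.2.0/24 via 192.168.1.2   (on gateway A)
        gw_a_table.append(("192.168.2.0/24", "192.168.1.2", "tun0"))
    if route_b:   # ip r a 192.168.0.0/24 via 192.168.1.1   (on gateway B)
        gw_b_table.append(("192.168.0.0/24", "192.168.1.1", "tun0"))
    return {
        "hostA": {"addrs": {"192.168.0.100"}, "forward": False,
                  "table": [("192.168.0.0/24", None, "eth0"),
                            ("0.0.0.0/0", "192.168.0.1", "eth0")]},
        "gwA": {"addrs": {"192.168.0.1", "192.168.1.1", "198.51.100.10"},
                "forward": gw_a_forward, "table": gw_a_table},
        "isp": {"addrs": {"198.51.100.1", "203.0.113.1"},
                "forward": True, "table": []},
        "gwB": {"addrs": {"192.168.2.1", "192.168.1.2", "203.0.113.10"},
                "forward": True, "table": gw_b_table},
        "hostB": {"addrs": {"192.168.2.200"}, "forward": False,
                  "table": [("192.168.2.0/24", None, "eth0"),
                            ("0.0.0.0/0", "192.168.2.1", "eth0")]},
    }


if __name__ == "__main__":
    for ra, rb in ((False, False), (True, False), (True, True)):
        ok, fwd, back = both_ways(build(ra, rb), "hostA", "192.168.0.100",
                                  "hostB", "192.168.2.200")
        print(f"route on A={ra!s:5} route on B={rb!s:5} ok={ok!s:5}  "
              f"A->B {fwd}  B->A {back}")
```

Running it prints the three scenarios. With no extra routes the packet from 192.168.0.100 leaves gateway A by the default route and dies at the ISP. With only gateway A's route, A to B is delivered but the reply from 192.168.2.200 leaks out of gateway B's default route, which is the asymmetric case the thread describes: the ping appears on tun0 at one end and never comes back. Only with the route on both gateways does `both_ways` report success, and setting `gw_a_forward=False` shows the separate failure you get when ip_forward is off on a transit box.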
Re: packet forwarding.
Alex,

> net.ipv4.ip_forward=1
as> This allows the kernel to do packet forwarding

No problem there.  My LAN machines have
no problems accessing the 'net for http,
pop3, ftp.

as> turn which on ?

TUN packet forwarding through the firewall
(ref. original message, last weekend.).  I
want the pop3 connection from Cantor to Joule
to run through the tunnel; not directly
through the Internet.

SUMMARY
Internet access is no problem.  I do not
understand routing through the tunnel,
discussed under Routing in openvpn.man.

Tuesday afternoon, July 29, I'll scan a
diagram and put it at
http://carnot.yi.org/Network.jpg .

Thanks,... Peter E.

-- 
http://carnot.yi.org/
= http://carnot.pathology.ubc.ca/
Desktops.OpenDoc  http://members.shaw.ca/peasthope/
Re: packet forwarding
On Tue, Jul 15, 2008 at 06:28:03PM -0700, PETER EASTHOPE wrote:
> Folk,
> 
> In Lenny, "man openvpn" states,
> "First, ensure that IP forwarding is enabled on both peers.  On Linux,
>  enable routing:
> 
>  echo 1 > /proc/sys/net/ipv4/ip_forward"
> 
> That is an interactive approach whereas in /etc/sysctl.conf I set
> net.ipv4.ip_forward=1

This allows the kernel to do packet forwarding.

> .
> 
> "man openvpn" continues,
> "... enable TUN packet forwarding through the firewall:
> 
>  iptables -A FORWARD -i tun+ -j ACCEPT"
> 
> From this I infer that permission for TUN packet forwarding
> is distinct from general packet forwarding.  Correct?

This is allowing it in iptables (presuming you disallow by default).

> What would be the conventional way to turn this on
> permanently in Lenny?

Turn which on?

> 
> Thanks for any help, ... Peter E.
> 
> -- 
> http://members.shaw.ca/peasthope/
> http://carnot.yi.org/ = http://carnot.pathology.ubc.ca/

-- 
"We've got hundreds of sites to exploit, looking for the chemical and
biological weapons that we know Saddam Hussein had prior to our
entrance into Iraq." - George W. Bush 05/02/2003 Santa Clara, CA
Re: packet forwarding
Andrew Critchlow <[EMAIL PROTECTED]> wrote:

> Hello everyone,
> 
> I am trying to set up a debian proxy such as this:
> 
> USER  DEBIAN  INTERNET
> 
> The debian box will have two network cards.
> 
> How can I set up the debian box to forward packets between the two networks?
> Do I have to set up packet forwarding by adding:
> net.ipv4.ip_forward=1
> into /etc/sysctl.conf ?
> 
> Many thanks
> andrew.

You can use something like the below script to accomplish what you want.
This script assumes that you have dhcp3-server installed and configured
to give your internal systems a private IP address and DNS routing
information.  You can also configure them manually.  I usually name this
script "local" and add it to init.d.

#!/bin/sh
# Setting up IP Forwarding - Firewall Rules - and starting DHCP server.
# eth0 is the external (Internet) interface, eth1 the internal LAN.

# Flush chains
iptables -F

# enable masquerade and forwarding
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

# for dynamic IP on external interface
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# denial of service protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# turn on source address verification (path needs the leading slash)
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# add route for DHCP clients
/sbin/route add -host 255.255.255.255 dev eth1

# Firewall Rules

# allow self access by loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# allow internal network
#iptables -A INPUT -i eth1 -p all -j ACCEPT

# allow established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# Allow Web
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT

# allow DHCP
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT

# drops all other connections (policy, hence -P not -p)
#iptables -P INPUT DROP

# or Firewall Rules
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 0:1023 --syn -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2049 --syn -j REJECT
iptables -A INPUT -i eth0 -p udp -m udp --dport 0:1023 -j REJECT
iptables -A INPUT -i eth0 -p udp -m udp --dport 2049 -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 7100 --syn -j REJECT

# turn on DHCP for the internal net
/usr/sbin/dhcpd3 eth1

exit 0
Re: packet forwarding
On Mon, 29 Jan 2007 17:06:24 -0200
cassiano <[EMAIL PROTECTED]> wrote:

> Speaking of which...
> 
> How do I de-activate logging to stdout in shorewall?  It's very
> annoying to have all firewall logged activity popping out on
> whichever tty I'm working on...

This is in sid (etch is probably the same), from /etc/sysctl.conf:

# Uncomment the following to stop low-level messages on console
kernel.printk = 4 4 1 7

Of course, this is just one way to do it.

HTH,
Andrei
-- 
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
Re: packet forwarding
Roberto C. Sanchez wrote:
> On Mon, Jan 29, 2007 at 01:29:56PM +, Andrew Critchlow wrote:
> > Hello everyone,
> > 
> > I am trying to set up a debian proxy such as this:
> > 
> > USER  DEBIAN  INTERNET
> > 
> > The debian box will have two network cards.
> > 
> > How can I set up the debian box to forward packets between the two networks?
> > Do I have to set up packet forwarding by adding:
> > net.ipv4.ip_forward=1
> > into /etc/sysctl.conf
> 
> You really want shorewall.  Trust me on this.  Once you have it
> installed, go to http://www.shorewall.net and look under the
> documentation for the two-interface firewall.
> 
> Regards,
> 
> -Roberto

Speaking of which...

How do I de-activate logging to stdout in shorewall?  It's very
annoying to have all firewall logged activity popping out on
whichever tty I'm working on...

Cheers
Cassiano Leal
Re: packet forwarding
On Mon, Jan 29, 2007 at 01:29:56PM +, Andrew Critchlow wrote:
> Hello everyone,
> 
> I am trying to set up a debian proxy such as this:
> 
> USER  DEBIAN  INTERNET
> 
> The debian box will have two network cards.
> 
> How can I set up the debian box to forward packets between the two networks?
> Do I have to set up packet forwarding by adding:
> net.ipv4.ip_forward=1
> into /etc/sysctl.conf
> 

You really want shorewall.  Trust me on this.  Once you have it
installed, go to http://www.shorewall.net and look under the
documentation for the two-interface firewall.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: packet forwarding
On 01/29/07 07:29, Andrew Critchlow wrote:
> Hello everyone,
> 
> I am trying to set up a debian proxy such as this:
> 
> USER  DEBIAN  INTERNET
> 
> The debian box will have two network cards.
> 
> How can I set up the debian box to forward packets between the
> two networks?  Do I have to set up packet forwarding by adding:
> net.ipv4.ip_forward=1 into /etc/sysctl.conf
> 
> ?

Google is your friend.

http://www.google.com/search?q=linux+enable+ip+forwarding

The 2nd link tells you exactly what to do.