RE: [LUGOS] VPN client won't let me ping the local network!
Dejan Trop [Krofek]
email at krofek.net
Fri Jul 11 13:22:37 CEST 2003
1. When the VPN is up, I can ping the VPN client [192.168.0.234] from the
VPN server [192.168.0.4], and the same holds the other way round.
2. The VPN and firewall machine are one and the same. So yes, I can.
3. The firewall is attached through one network card to the local network, where
the other workstations are, and through the other card to the Internet.
3.1. No, I cannot ping the workstations on the local network.
3.2. Likewise, I cannot ping the VPN machine from the workstations.
4. 'ifconfig'
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:212.118.x.x Bcast:212.118.x.x Mask:255.255.255.x
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:251484 errors:5962 dropped:0 overruns:0 frame:10221
TX packets:2133 errors:4 dropped:0 overruns:0 carrier:9
collisions:31 txqueuelen:100
RX bytes:181324566 (172.9 Mb) TX bytes:153437 (149.8 Kb)
Interrupt:10 Base address:0xb000
eth1 Link encap:Ethernet HWaddr 00:10:5C:AB:25:A1
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:67203 errors:0 dropped:0 overruns:0 frame:0
TX packets:7996 errors:0 dropped:0 overruns:0 carrier:0
collisions:42 txqueuelen:100
RX bytes:4977346 (4.7 Mb) TX bytes:1441544 (1.3 Mb)
Interrupt:5 Base address:0xe400 Memory:f1101000-f1101038
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:323 errors:0 dropped:0 overruns:0 frame:0
TX packets:323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:173850 (169.7 Kb) TX bytes:173850 (169.7 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.0.4 P-t-P:192.168.0.234 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:54 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:4936 (4.8 Kb) TX bytes:144 (144.0 b)
5. 'route -n'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.234   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
212.118.x.x     0.0.0.0         255.255.255.x   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         212.118.94.x    0.0.0.0         UG    0      0        0 eth0
6. 'iptables -L'
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
ppp0_fwd all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
fw2loc all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere
Chain all2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain common (5 references)
target prot opt source destination
icmpdef icmp -- anywhere anywhere
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere base-address.mcast.net/4
reject tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp spt:domain state NEW
Chain dynamic (6 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
net2loc all -- anywhere anywhere
net2loc all -- anywhere anywhere
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2loc all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
loc2fw all -- anywhere anywhere
Chain fw2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT icmp -- anywhere anywhere
all2all all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT icmp -- anywhere anywhere
all2all all -- anywhere anywhere
Chain icmpdef (1 references)
target prot opt source destination
Chain loc2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT icmp -- anywhere anywhere
all2all all -- anywhere anywhere
Chain loc2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:1723
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT icmp -- anywhere anywhere
net2all all -- anywhere anywhere
Chain net2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere
net2all all -- anywhere anywhere
Chain newnotsyn (9 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ppp0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2loc all -- anywhere anywhere
Chain ppp0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
loc2fw all -- anywhere anywhere
Chain reject (11 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Will this do now?
-----Original Message-----
From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org]
Sent: Friday, July 11, 2003 12:27 PM
To: lugos-list at lugos.si
Subject: RE: [LUGOS] VPN client won't let me ping the local network!
- Can you ping this newly connected VPN machine from the firewall machine
(I assume it is also the pptp server)?
- can you ping the firewall machine from the vpn machine
- is there another local network behind the firewall machine, and if so:
- can you ping any machine in the local network behind the firewall from
the vpn machine
- can you ping the VPN machine from a machine in the local network behind the firewall?
It would help a lot if you sketched out what you actually have in play here...
go on, send the output of 'ifconfig', 'route -n', 'iptables -L'.
regards,
G
Quoting "Dejan Trop [Krofek]" <email at krofek.net>:
> I understand that... But I just can't find my way around it...
> I managed to set things up so that I can ping in all directions from linux...
> Likewise, linux can be pinged from outside or from inside...
> But I just can't get pinging within the vpn network to work!
>
> -----Original Message-----
> From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org]
> Sent: Friday, July 11, 2003 10:37 AM
> To: lugos-list at lugos.si
> Subject: Re: [LUGOS] VPN client won't let me ping the local network!
>
> Well... ping uses icmp, not tcp.
> The ports you have open are needed to establish the connection.
>
> What you need to do now is make sure packets are passed correctly from the
> ppp device (which came up on the firewall when the pptp connection was
> established) to your network and back.
>
> regards,
> G
>
>
> > I'm using Shorewall and have configured it with:
> > # for PPTP
> > ACCEPT net fw tcp 1723
> > ACCEPT net fw 47
> > ACCEPT fw net 47
> >
> > What else do I need to do to be able to see the local network and ping in
> > all directions?
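An added check for the situation in this thread (an editor's example, not code from either poster): a small Python script that replays the kernel's longest-prefix route lookup over the 'route -n' table posted above and flags the case that bites a PPTP server handing out client addresses from the LAN's own subnet. As far as the 'iptables -L' listing shows, ppp0_fwd and eth1_fwd both dispatch to loc2loc, whose last rule is ACCEPT all, so the filter rules are not an obvious reason for the missing pings. What the route table shows instead is that 192.168.0.234 is reached through ppp0 while the rest of 192.168.0.0/24 sits on eth1: a workstation on eth1 resolves the client's address with ARP on its own segment, and nothing answers there unless the firewall proxies ARP for the client. The route table in the script is copied from the post (the masked 212.118.x.x entries are kept to show the parser skipping them); the addresses 192.168.0.10 and 8.8.8.8 used for comparison are made up.

```python
"""Replay the kernel's route lookup over a 'route -n' listing and flag a
VPN peer whose address lies inside a directly connected LAN subnet but is
reached through a different interface (the proxy-ARP case)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the 'route -n' table from the post above. The masked
# 212.118.x.x entries are left in so the parser has something to skip.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.234   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
212.118.x.x     0.0.0.0         255.255.255.x   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         212.118.94.x    0.0.0.0         UG    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network  # Destination/Genmask
    gateway: str                    # "0.0.0.0" means directly connected
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse 'route -n' output; banner, header and masked lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # "Kernel IP routing table" banner or a blank line
        dest, gw, mask, _flags, _metric, _ref, _use, iface = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # header row or an entry masked as 212.118.x.x
        routes.append(Route(net, gw, iface))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does it (Metric is ignored here,
    which is fine for this table where every metric is 0)."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if addr in r.network and (best is None or
                                  r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def proxy_arp_needed(routes: List[Route], peer_ip: str) -> Optional[str]:
    """Return the LAN interface that must answer ARP for peer_ip, or None.

    The peer is reached through one interface (here the ppp link), but if
    its address also falls inside a directly connected subnet on another
    interface, hosts on that subnet treat the peer as on-link, ARP for it
    on their own segment and get no reply unless this box proxies ARP.
    """
    egress = lookup(routes, peer_ip)
    if egress is None:
        return None
    addr = ipaddress.IPv4Address(peer_ip)
    for r in routes:
        if (r.iface != egress.iface and r.gateway == "0.0.0.0"
                and r.network.prefixlen < 32 and addr in r.network):
            return r.iface
    return None


def report(routes: List[Route], ips: List[str]) -> List[str]:
    """One line per address: egress interface and the proxy-ARP verdict."""
    lines = []
    for ip in ips:
        r = lookup(routes, ip)
        via = f"{r.iface} (gw {r.gateway})" if r else "no route"
        lan = proxy_arp_needed(routes, ip)
        verdict = f"proxy ARP required on {lan}" if lan else "ok"
        lines.append(f"{ip:<15} -> {via:<22} {verdict}")
    return lines


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N)
    # 192.168.0.234 is the VPN client from the post; the other two are made up.
    for line in report(table, ["192.168.0.234", "192.168.0.10", "8.8.8.8"]):
        print(line)
```

Run as-is it prints one line per address; the VPN client comes out as routed via ppp0 with "proxy ARP required on eth1", the made-up LAN host via eth1 with "ok". Two practical notes: 'iptables -L -v' also prints the in/out interface columns that plain '-L' hides, which is why net2loc appears twice in eth0_fwd above (once per output interface) and why the listing alone cannot prove which zone chain a ppp0-to-eth1 packet hits. And if the script reports an interface, the usual remedy on a pptpd box is pppd's 'proxyarp' option (pptpd reads its pppd options from the file named in pptpd.conf, typically /etc/ppp/options.pptpd), or an equivalent entry in Shorewall's /etc/shorewall/proxyarp file, so that the firewall answers ARP for the client on eth1.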