RE: [LUGOS] VPN client won't let me ping the local network!

Dejan Trop [Krofek] email at krofek.net
Fri Jul 11 13:57:27 CEST 2003


Yes, the VPN server and the firewall are one and the same....


-----Original Message-----
From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org] 
Sent: Friday, July 11, 2003 1:51 PM
To: lugos-list at lugos.si
Subject: RE: [LUGOS] VPN client won't let me ping the local network!

Okay...
What is mainly missing from the iptables output is the listing of the FORWARD chain.
I can guess what the network looks like, but it isn't entirely clear to me, because at one point you say that the "VPN machine" and the firewall are one and the same, and then that you can't ping the "VPN machine". Did you mean that the VPN server and the firewall are the same?
Look... the routing looks fine; you must have forgotten something in the Shorewall configuration (I don't know what that thing looks like, but...) regarding passing packets between the ppp0 device, which gets created when the VPN connection is established, and the network behind the firewall, i.e. the one connected to eth1. You will probably have to find some configuration for a dynamic device, which is what ppp0 is.

Regards,
G

Quoting "Dejan Trop [Krofek]" <email at krofek.net>:

> 1. When the VPN is established, I can ping the VPN client [192.168.0.234] from
> the VPN server [192.168.0.4], and the same holds the other way round.
> 2. The VPN and firewall machine is one and the same. So yes, I can.
> 3. The firewall is connected with one network card to the local network, where
> the other workstations are. With the other card to the Internet.
> 3.1. No, I can't ping the workstations on the local network.
> 3.2. Likewise, from the workstations I can't ping the VPN machine.
> 4. 'ifconfig'
> eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
>           inet addr:212.118.x.x  Bcast:212.118.x.x Mask:255.255.255.x
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:251484 errors:5962 dropped:0 overruns:0 frame:10221
>           TX packets:2133 errors:4 dropped:0 overruns:0 carrier:9
>           collisions:31 txqueuelen:100
>           RX bytes:181324566 (172.9 Mb)  TX bytes:153437 (149.8 Kb)
>           Interrupt:10 Base address:0xb000
> 
> eth1      Link encap:Ethernet  HWaddr 00:10:5C:AB:25:A1
>           inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:67203 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7996 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:42 txqueuelen:100
>           RX bytes:4977346 (4.7 Mb)  TX bytes:1441544 (1.3 Mb)
>           Interrupt:5 Base address:0xe400 Memory:f1101000-f1101038
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:323 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:323 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:173850 (169.7 Kb)  TX bytes:173850 (169.7 Kb)
> 
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.0.4  P-t-P:192.168.0.234  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:54 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:4936 (4.8 Kb)  TX bytes:144 (144.0 b)
> 
> 5. 'route -n'
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.234   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 212.118.x.x     0.0.0.0         255.255.255.x   U     0      0        0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         212.118.94.x    0.0.0.0         UG    0      0        0 eth0
> 
> 6. 'iptables -L'
> eth0_fwd   all  --  anywhere             anywhere
> eth1_fwd   all  --  anywhere             anywhere
> ppp0_fwd   all  --  anywhere             anywhere
> common     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level info prefix `Shorewall:FORWARD:REJECT:'
> reject     all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> DROP      !icmp --  anywhere             anywhere           state INVALID
> fw2net     all  --  anywhere             anywhere
> fw2loc     all  --  anywhere             anywhere
> fw2loc     all  --  anywhere             anywhere
> common     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level info prefix `Shorewall:OUTPUT:REJECT:'
> reject     all  --  anywhere             anywhere
> 
> Chain all2all (3 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level info prefix `Shorewall:all2all:REJECT:'
> reject     all  --  anywhere             anywhere
> 
> Chain common (5 references)
> target     prot opt source               destination
> icmpdef    icmp --  anywhere             anywhere
> reject     udp  --  anywhere             anywhere           udp dpt:135
> reject     udp  --  anywhere             anywhere           udp dpts:netbios-ns:netbios-ssn
> reject     udp  --  anywhere             anywhere           udp dpt:microsoft-ds
> reject     tcp  --  anywhere             anywhere           tcp dpt:netbios-ssn
> reject     tcp  --  anywhere             anywhere           tcp dpt:microsoft-ds
> reject     tcp  --  anywhere             anywhere           tcp dpt:135
> DROP       udp  --  anywhere             anywhere           udp dpt:1900
> DROP       all  --  anywhere             255.255.255.255
> DROP       all  --  anywhere             base-address.mcast.net/4
> reject     tcp  --  anywhere             anywhere           tcp dpt:auth
> DROP       udp  --  anywhere             anywhere           udp spt:domain state NEW
> 
> Chain dynamic (6 references)
> target     prot opt source               destination
> 
> Chain eth0_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> net2loc    all  --  anywhere             anywhere
> net2loc    all  --  anywhere             anywhere
> 
> Chain eth0_in (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> net2fw     all  --  anywhere             anywhere
> 
> Chain eth1_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> loc2net    all  --  anywhere             anywhere
> loc2loc    all  --  anywhere             anywhere
> 
> Chain eth1_in (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> loc2fw     all  --  anywhere             anywhere
> 
> Chain fw2loc (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere           state NEW udp dpt:domain
> ACCEPT     icmp --  anywhere             anywhere
> all2all    all  --  anywhere             anywhere
> 
> Chain fw2net (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     gre  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:http
> ACCEPT     gre  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere           state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere             anywhere
> all2all    all  --  anywhere             anywhere
> 
> Chain icmpdef (1 references)
> target     prot opt source               destination
> 
> Chain loc2fw (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere           state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere             anywhere
> all2all    all  --  anywhere             anywhere
> 
> Chain loc2loc (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain loc2net (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain net2all (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level info prefix `Shorewall:net2all:DROP:'
> DROP       all  --  anywhere             anywhere
> 
> Chain net2fw (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     gre  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:1723
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:10000
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:1723
> ACCEPT     gre  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere           state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere             anywhere
> net2all    all  --  anywhere             anywhere
> 
> Chain net2loc (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     icmp --  anywhere             anywhere
> net2all    all  --  anywhere             anywhere
> 
> Chain newnotsyn (9 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
> 
> Chain ppp0_fwd (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> loc2net    all  --  anywhere             anywhere
> loc2loc    all  --  anywhere             anywhere
> 
> Chain ppp0_in (1 references)
> target     prot opt source               destination
> dynamic    all  --  anywhere             anywhere
> loc2fw     all  --  anywhere             anywhere
> 
> Chain reject (11 references)
> target     prot opt source               destination
> REJECT     tcp  --  anywhere             anywhere           reject-with tcp-reset
> REJECT     udp  --  anywhere             anywhere           reject-with icmp-port-unreachable
> REJECT     icmp --  anywhere             anywhere           reject-with icmp-host-unreachable
> REJECT     all  --  anywhere             anywhere           reject-with icmp-host-prohibited
> 
> Chain shorewall (0 references)
> target     prot opt source               destination
> 
> 
> 
> Will this do now?
> 
> 
> -----Original Message-----
> From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org] 
> Sent: Friday, July 11, 2003 12:27 PM
> To: lugos-list at lugos.si
> Subject: RE: [LUGOS] VPN client won't let me ping the local network!
> 
> - Can you ping this newly connected VPN machine from the firewall machine
> (I assume that is also the pptp server)?
> - Can you ping the firewall machine from the vpn machine?
> - Do you have a local network behind the firewall machine? If so:
>    - Can you ping any machine in the local network behind the firewall
> from the vpn machine?
>    - Can you ping the VPN machine from a machine in the local network
> behind the firewall?
> 
> It would help a lot if you sketched out what you have involved in here in the first place...
> send the output of 'ifconfig', 'route -n', 'iptables -L'.
> 
> Regards,
> G
> 
> Quoting "Dejan Trop [Krofek]" <email at krofek.net>:
> 
> > I understand that... But I just can't find my way around it...
> > I managed to set it up so that I can ping in all directions from the Linux
> > box... Likewise, so that the Linux box can be pinged from outside or from
> > inside...
> > But I just can't manage to ping within the vpn network!
> > 
> > -----Original Message-----
> > From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org] 
> > Sent: Friday, July 11, 2003 10:37 AM
> > To: lugos-list at lugos.si
> > Subject: Re: [LUGOS] VPN client won't let me ping the local network!
> > 
> > Well... ping uses icmp, not tcp.
> > Those ports you have open are needed to establish the connection.
> > 
> > What you need to do now is allow packets to move correctly from the ppp
> > device (which was brought up on the firewall when the pptp connection was
> > established) to your network and back.
> > 
> > Regards,
> > G
> > 
> > 
> > > I'm using Shorewall and I have configured it with:
> > > # for PPTP
> > > ACCEPT          net             fw              tcp     1723
> > > ACCEPT          net             fw              47
> > > ACCEPT          fw              net             47
> > >  
> > > What else would I have to do to be able to see the local network and
> > > ping in all directions?
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> 
> 
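The three things the thread circles around (is the kernel forwarding at all, what the FORWARD chain does with traffic between ppp0 and the eth1 network, and whether anything in the rule set mentions the dynamic ppp0 device) can be checked on the firewall with a short script. What follows is an added example, not code from the thread or from Shorewall; the interface names and addresses are the ones in the posted ifconfig and route output, while the function names and the "live" mode are my own. It also adds one check the thread itself does not mention but the posted output implies: the ppp0 peer address 192.168.0.234 lies inside eth1's 192.168.0.0/24, so the workstations will send ARP requests for the VPN client on the LAN segment, and unless the firewall answers them on the client's behalf (proxy ARP, which is what pppd's proxyarp option sets up) their replies never reach ppp0, whatever the firewall rules allow.

```shell
#!/bin/sh
# Added diagnostic for the ppp0 <-> eth1 forwarding question in this thread.
# Not Shorewall's or the poster's code. The default addresses are the ones
# from the posted ifconfig/route output; any others can be passed instead.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside network $2 with netmask $3.
in_subnet() {
    addr=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Decide whether the firewall has to answer ARP on the LAN interface for the
# VPN peer. That is the case when the address handed to the PPTP client is
# taken from the LAN's own subnet, as in this thread (ppp0 peer
# 192.168.0.234, eth1 192.168.0.0/24): LAN hosts then treat the client as
# on-link and ARP for it. Prints "proxy-arp" (returns 0) or "routed" (1).
peer_needs_proxy_arp() {
    if in_subnet "$1" "$2" "$3"; then
        echo proxy-arp
        return 0
    fi
    echo routed
    return 1
}

# Live checks, only run as "sh fwcheck.sh live" on the firewall itself.
# LAN_IF / VPN_IF default to the thread's eth1 / ppp0 (assumed names).
live_checks() {
    LAN_IF=${LAN_IF:-eth1}
    VPN_IF=${VPN_IF:-ppp0}
    # 1 means the kernel will forward between interfaces at all.
    echo "ip_forward:         $(cat /proc/sys/net/ipv4/ip_forward)"
    # 1 means the kernel answers ARP for routed hosts on $LAN_IF
    # (pppd's proxyarp option instead installs a published ARP entry,
    # visible with "arp -n" as a line flagged P or "pub").
    echo "proxy_arp($LAN_IF): $(cat /proc/sys/net/ipv4/conf/"$LAN_IF"/proxy_arp)"
    echo "--- FORWARD chain, the part missing from the posted dump ---"
    iptables -L FORWARD -v -n
    echo "--- rules whose in/out interface is $VPN_IF ---"
    iptables -L -v -n | grep -- "$VPN_IF" \
        || echo "(none: no rule names $VPN_IF, so it falls into the generic chains)"
}

case "${1:-}" in
    live) live_checks ;;
    *)    peer_needs_proxy_arp 192.168.0.234 192.168.0.0 255.255.255.0 ;;
esac
```

Run without arguments it only evaluates the address layout from the thread and prints "proxy-arp"; run with `live` on the firewall it prints the forwarding sysctl, the proxy ARP sysctl for the LAN interface, the FORWARD chain with packet counters (the `-v` counters show whether the pings even hit a rule), and every rule that names the ppp interface. A FORWARD listing where the ppp0_fwd chain ends in a generic LOG/reject pair, with the `Shorewall:FORWARD:REJECT:` prefix then showing up in the kernel log, is the signature of the missing forwarding configuration Gasper describes; zero counters everywhere with ip_forward at 1 point to the ARP side instead.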
