RE: [LUGOS] VPN client won't let me ping the local network!
Dejan Trop [Krofek]
email at krofek.net
Fri Jul 11 13:57:27 CEST 2003
Yes, the VPN server and the firewall are one and the same....
-----Original Message-----
From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org]
Sent: Friday, July 11, 2003 1:51 PM
To: lugos-list at lugos.si
Subject: RE: [LUGOS] VPN client won't let me ping the local network!
Okay...
What I'm mostly missing from the iptables output is the FORWARD chain.
I'm guessing at what the network looks like, but it isn't entirely clear to me, because at one point you say the "VPN machine" and the firewall are one and the same, and then that you can't ping the "VPN machine". Did you mean that the VPN server and the firewall are the same?
Look... routing seems fine; you must have forgotten something in the shorewall configuration (I don't know what that thing looks like, but...) about passing packets between the ppp0 device, which is created when the VPN connection is established, and the network behind the firewall, i.e. the one connected to eth1. You will probably have to find some configuration for a dynamic device, which is what ppp0 is.
Regards,
G
Quoting "Dejan Trop [Krofek]" <email at krofek.net>:
> 1. When the VPN is up, I can ping the VPN client [192.168.0.234] from
> the VPN server [192.168.0.4], and the other way round as well.
> 2. The VPN and firewall machine is one and the same. So yes.
> 3. The firewall is connected with one network card to the local network,
> where the workstations are. With the other card to the Internet.
> 3.1. No, I can't ping the workstations in the local network.
> 3.2. Nor can I ping the VPN machine from the workstations.
> 4. 'ifconfig'
> eth0  Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
>       inet addr:212.118.x.x  Bcast:212.118.x.x  Mask:255.255.255.x
>       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>       RX packets:251484 errors:5962 dropped:0 overruns:0 frame:10221
>       TX packets:2133 errors:4 dropped:0 overruns:0 carrier:9
>       collisions:31 txqueuelen:100
>       RX bytes:181324566 (172.9 Mb)  TX bytes:153437 (149.8 Kb)
>       Interrupt:10 Base address:0xb000
>
> eth1  Link encap:Ethernet  HWaddr 00:10:5C:AB:25:A1
>       inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
>       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>       RX packets:67203 errors:0 dropped:0 overruns:0 frame:0
>       TX packets:7996 errors:0 dropped:0 overruns:0 carrier:0
>       collisions:42 txqueuelen:100
>       RX bytes:4977346 (4.7 Mb)  TX bytes:1441544 (1.3 Mb)
>       Interrupt:5 Base address:0xe400 Memory:f1101000-f1101038
>
> lo    Link encap:Local Loopback
>       inet addr:127.0.0.1  Mask:255.0.0.0
>       UP LOOPBACK RUNNING  MTU:16436  Metric:1
>       RX packets:323 errors:0 dropped:0 overruns:0 frame:0
>       TX packets:323 errors:0 dropped:0 overruns:0 carrier:0
>       collisions:0 txqueuelen:0
>       RX bytes:173850 (169.7 Kb)  TX bytes:173850 (169.7 Kb)
>
> ppp0  Link encap:Point-to-Point Protocol
>       inet addr:192.168.0.4  P-t-P:192.168.0.234  Mask:255.255.255.255
>       UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>       RX packets:54 errors:0 dropped:0 overruns:0 frame:0
>       TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>       collisions:0 txqueuelen:3
>       RX bytes:4936 (4.8 Kb)  TX bytes:144 (144.0 b)
>
> 5. 'route -n'
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.0.234   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 212.118.x.x     0.0.0.0         255.255.255.x   U     0      0        0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         212.118.94.x    0.0.0.0         UG    0      0        0 eth0
>
> 6. 'iptables -L'
> eth0_fwd   all  --  anywhere  anywhere
> eth1_fwd   all  --  anywhere  anywhere
> ppp0_fwd   all  --  anywhere  anywhere
> common     all  --  anywhere  anywhere
> LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:FORWARD:REJECT:'
> reject     all  --  anywhere  anywhere
>
> Chain OUTPUT (policy DROP)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere
> DROP      !icmp --  anywhere  anywhere  state INVALID
> fw2net     all  --  anywhere  anywhere
> fw2loc     all  --  anywhere  anywhere
> fw2loc     all  --  anywhere  anywhere
> common     all  --  anywhere  anywhere
> LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:OUTPUT:REJECT:'
> reject     all  --  anywhere  anywhere
>
> Chain all2all (3 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all  --  anywhere  anywhere
> LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:all2all:REJECT:'
> reject     all  --  anywhere  anywhere
>
> Chain common (5 references)
> target     prot opt source    destination
> icmpdef    icmp --  anywhere  anywhere
> reject     udp  --  anywhere  anywhere  udp dpt:135
> reject     udp  --  anywhere  anywhere  udp dpts:netbios-ns:netbios-ssn
> reject     udp  --  anywhere  anywhere  udp dpt:microsoft-ds
> reject     tcp  --  anywhere  anywhere  tcp dpt:netbios-ssn
> reject     tcp  --  anywhere  anywhere  tcp dpt:microsoft-ds
> reject     tcp  --  anywhere  anywhere  tcp dpt:135
> DROP       udp  --  anywhere  anywhere  udp dpt:1900
> DROP       all  --  anywhere  255.255.255.255
> DROP       all  --  anywhere  base-address.mcast.net/4
> reject     tcp  --  anywhere  anywhere  tcp dpt:auth
> DROP       udp  --  anywhere  anywhere  udp spt:domain state NEW
>
> Chain dynamic (6 references)
> target     prot opt source    destination
>
> Chain eth0_fwd (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> net2loc    all  --  anywhere  anywhere
> net2loc    all  --  anywhere  anywhere
>
> Chain eth0_in (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> net2fw     all  --  anywhere  anywhere
>
> Chain eth1_fwd (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> loc2net    all  --  anywhere  anywhere
> loc2loc    all  --  anywhere  anywhere
>
> Chain eth1_in (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> loc2fw     all  --  anywhere  anywhere
>
> Chain fw2loc (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
> ACCEPT     icmp --  anywhere  anywhere
> all2all    all  --  anywhere  anywhere
>
> Chain fw2net (1 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     gre  --  anywhere  anywhere
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
> ACCEPT     gre  --  anywhere  anywhere
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere  anywhere
> all2all    all  --  anywhere  anywhere
>
> Chain icmpdef (1 references)
> target     prot opt source    destination
>
> Chain loc2fw (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere  anywhere
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere  anywhere
> all2all    all  --  anywhere  anywhere
>
> Chain loc2loc (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     all  --  anywhere  anywhere
>
> Chain loc2net (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     icmp --  anywhere  anywhere
> ACCEPT     all  --  anywhere  anywhere
>
> Chain net2all (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> common     all  --  anywhere  anywhere
> LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:net2all:DROP:'
> DROP       all  --  anywhere  anywhere
>
> Chain net2fw (1 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     gre  --  anywhere  anywhere
> ACCEPT     tcp  --  anywhere  anywhere  tcp dpt:1723
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:10000
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:1723
> ACCEPT     gre  --  anywhere  anywhere
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
> ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3
> ACCEPT     icmp --  anywhere  anywhere
> net2all    all  --  anywhere  anywhere
>
> Chain net2loc (2 references)
> target     prot opt source    destination
> ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
> newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
> ACCEPT     icmp --  anywhere  anywhere
> net2all    all  --  anywhere  anywhere
>
> Chain newnotsyn (9 references)
> target     prot opt source    destination
> DROP       all  --  anywhere  anywhere
>
> Chain ppp0_fwd (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> loc2net    all  --  anywhere  anywhere
> loc2loc    all  --  anywhere  anywhere
>
> Chain ppp0_in (1 references)
> target     prot opt source    destination
> dynamic    all  --  anywhere  anywhere
> loc2fw     all  --  anywhere  anywhere
>
> Chain reject (11 references)
> target     prot opt source    destination
> REJECT     tcp  --  anywhere  anywhere  reject-with tcp-reset
> REJECT     udp  --  anywhere  anywhere  reject-with icmp-port-unreachable
> REJECT     icmp --  anywhere  anywhere  reject-with icmp-host-unreachable
> REJECT     all  --  anywhere  anywhere  reject-with icmp-host-prohibited
>
> Chain shorewall (0 references)
> target     prot opt source    destination
>
> Will that do now?
>
> -----Original Message-----
> From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org]
> Sent: Friday, July 11, 2003 12:27 PM
> To: lugos-list at lugos.si
> Subject: RE: [LUGOS] VPN client won't let me ping the local network!
>
> - Can you ping this newly connected VPN machine from the firewall machine
> (I assume that is also the pptp server)?
> - Can you ping the firewall machine from the VPN machine?
> - Is there any local network behind the firewall machine? If so:
> - Can you ping any machine in the local network behind the firewall from
> the VPN machine?
> - Can you ping the VPN machine from a machine in the local network behind
> the firewall?
>
> It would help a lot if you sketched out what you have involved here at all...
> Please send the output of 'ifconfig', 'route -n', 'iptables -L'.
>
> Regards,
> G
>
> Quoting "Dejan Trop [Krofek]" <email at krofek.net>:
>
> > I understand that... But I can't find my way around it at all...
> > I managed to set it up so that I can ping in all directions from the
> > Linux box... And also so that the Linux box can be pinged from outside
> > or from inside...
> > But I just can't get pinging within the VPN network to work!
> >
> > -----Original Message-----
> > From: gasper at bsnet.dhs.org [mailto:gasper at bsnet.dhs.org]
> > Sent: Friday, July 11, 2003 10:37 AM
> > To: lugos-list at lugos.si
> > Subject: Re: [LUGOS] VPN client won't let me ping the local network!
> >
> > Yeah... ping uses icmp, not tcp.
> > The ports you have open are the ones needed to establish the connection.
> >
> > What you have to do now is allow packets to move correctly from the ppp
> > device (the one that came up on the firewall when the pptp connection
> > was established) to your network and back.
> >
> > Regards,
> > G
> >
> >
> > > I'm using Shorewall and have set it to:
> > > # for PPTP
> > > ACCEPT net fw tcp 1723
> > > ACCEPT net fw 47
> > > ACCEPT fw net 47
> > >
> > > What else would I have to do to be able to see the local network and
> > > ping in all directions?
>
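The advice in this thread is that the firewall must forward packets between the ppp0 device the PPTP connection creates and the LAN on eth1. The following POSIX shell script is an added example, not code from the thread or from Shorewall: it prints (and with APPLY=1 executes) the kernel and netfilter settings that forwarding needs, with the FORWARD rules narrowed to the VPN peer and the LAN prefix rather than accepting everything that arrives on ppp0, and it includes a small check that reads a FORWARD chain dump and fails when only one direction is accepted, the case in which replies get silently dropped. Interface names and addresses are taken from the quoted ifconfig output (ppp0, eth1, 192.168.0.0/24, peer 192.168.0.234); the sample chain dump is constructed. One setting is added beyond what the thread names: because the peer address 192.168.0.234 lies inside eth1's own subnet, hosts on the LAN will ARP for it on eth1, so the firewall has to answer for that address with proxy ARP or their replies never reach ppp0 even when forwarding is permitted (Shorewall has its own proxyarp configuration for this; the sysctl below is the equivalent by hand).

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: the settings a
# Linux firewall needs to carry traffic between a PPTP client on ppp0
# and the LAN on eth1. Prints each command; executes it only with APPLY=1.
# Interface names and addresses follow the quoted ifconfig output.

VPN_IF="${VPN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
VPN_PEER="${VPN_PEER:-192.168.0.234}"   # the client's P-t-P address

# Print a command and, only when APPLY=1, run it (dry run by default).
run() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# Emit the forwarding setup: IP forwarding, stateful FORWARD rules
# limited to the VPN peer and the LAN prefix, and proxy ARP on the LAN
# side because the peer address lies inside the LAN subnet.
vpn_forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # replies of already accepted connections, either direction
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections both ways, but only between the peer and the LAN
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -s "$VPN_PEER" -d "$LAN_NET" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -s "$LAN_NET" -d "$VPN_PEER" -m state --state NEW -j ACCEPT
    # LAN hosts ARP for the peer address on eth1; answer on its behalf
    run sysctl -w "net.ipv4.conf.${LAN_IF}.proxy_arp=1"
}

# Read a FORWARD chain dump on stdin (the text of `iptables -S FORWARD`,
# or the dry-run output above) and succeed only if traffic is accepted
# in both directions between the two interfaces. A one-way rule set,
# which drops the replies, fails the check.
check_forward_chain() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- "-i $VPN_IF -o $LAN_IF .*-j ACCEPT" || return 1
    printf '%s\n' "$dump" | grep -q -- "-i $LAN_IF -o $VPN_IF .*-j ACCEPT" || return 1
}

# Constructed sample dump with only the VPN-to-LAN direction allowed.
SAMPLE_ONE_WAY='-P FORWARD DROP
-A FORWARD -i ppp0 -o eth1 -s 192.168.0.234 -d 192.168.0.0/24 -j ACCEPT'

vpn_forward_rules                      # dry run: show what would be applied
if printf '%s\n' "$SAMPLE_ONE_WAY" | check_forward_chain; then
    echo "sample: both directions accepted"
else
    echo "sample: one direction missing, replies would be dropped"
fi
```

Run it without arguments to see the commands; run it with `APPLY=1` as root to apply them. To check a live box, feed the real chain to the check function with `iptables -S FORWARD | check_forward_chain` after sourcing the script. On a Shorewall host the equivalent of these rules is what the loc2loc and ppp0_fwd chains in the quoted output are meant to produce, so the check is a quick way to confirm that both directions actually made it into the FORWARD chain.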