Hello,

I don't know if this is the right place to post this question, but here it is.

I have set up 2 servers that are doing mainly firewalling and VPN for two interconnected private networks. Each one has 2 network interfaces, like this:

    Host A:    eth1  private network   10.211.0.0/16
               eth0  Internet          80.1.1.1
    NAT box:   eth0  Internet          80.1.1.2
               eth1  semi-private      192.168.1.1
    Host B:    eth0  semi-private      192.168.1.10
               eth1  private network   10.212.0.0/16

One machine is running a linux-2.6.23 kernel, the other is running a 2.6.24 kernel (both downloaded from kernel.org). In this setup, I can't configure or manage anything on what I called the NAT box. It is provided by the ISP as a modem/router.

Firewalling works OK: I can browse internet pages, send emails, etc. from both private nets. I could set up the IPsec tunnel and it comes up correctly.

I added one NAT rule to prevent the packets that were to be encrypted from being SNATed (e.g. for host A):

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -d $HOST_B_LAN_RANGE -j ACCEPT

With this configuration I managed to send pings from eth1 on host A to eth1 on host B, and this works.

I added one more NAT rule (e.g. for host A):

    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $INET_IP -d $HOST_B_LAN_RANGE -j SNAT --to-source $LAN_IP

to each host, to be able to ping eth1 on host B from eth0 on host A and vice versa. That works too.

Finally, I added a third rule so that the packets coming out of the tunnel are SNATed to the private LAN IP address of the host on which they came out (e.g. for host A):

    $IPTABLES -t nat -A POSTROUTING -s $HOST_B_LAN_RANGE -d $LAN_IP_RANGE -j SNAT --to-source $LAN_IP

With this configuration, I'm able to ping from eth0 or eth1 on host A to any host on the private LAN host B is connected to.

Now, if I try to ping from a host on the private network host A is connected to, to eth1 on host B or to another host in host B's private network, the packets won't get through.
By adding some LOG targets to track down the packets, I could see that the packet gets into eth1 of host A, crosses the raw PREROUTING table, crosses the nat PREROUTING table, then disappears from host A (I assume at that point the packet must have been encrypted and sent over the tunnel), and does not appear at host B.

Can anybody tell me what I am doing wrong?

Thanks a lot,
François
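To see which of the three POSTROUTING rules each of the flows described above actually hits, here is a small first-match-wins walk of that chain. This is an added example, not code from the poster or from netfilter itself: it models only the nat POSTROUTING chain for the first packet of a new connection, and ignores routing, the other rules in the poster's firewall script and the IPsec (xfrm) transform. The concrete values for the $VARIABLES are taken from the diagram; the exact LAN_IP (10.211.0.1), the host addresses 10.211.0.50 / 10.212.0.20 and the Internet address 198.51.100.7 are constructed for the example.

```python
import ipaddress

# Constructed values for the post's $VARIABLES on the host A side, taken from its diagram.
# LAN_IP 10.211.0.1 is an assumption; the post does not give host A's private address.
HOST_A = {
    "INET_IFACE": "eth0",
    "LAN_IFACE": "eth1",
    "INET_IP": "80.1.1.1",
    "LAN_IP": "10.211.0.1",
    "LAN_IP_RANGE": "10.211.0.0/16",
    "HOST_B_LAN_RANGE": "10.212.0.0/16",
}


def postrouting_rules(h):
    """The three nat POSTROUTING rules from the post, in the order they were appended (-A)."""
    return [
        {"name": "1 ACCEPT tunnel traffic (no SNAT)", "out": h["INET_IFACE"],
         "src": None, "dst": h["HOST_B_LAN_RANGE"], "target": "ACCEPT", "to": None},
        {"name": "2 SNAT INET_IP -> LAN_IP", "out": h["INET_IFACE"],
         "src": h["INET_IP"], "dst": h["HOST_B_LAN_RANGE"], "target": "SNAT", "to": h["LAN_IP"]},
        {"name": "3 SNAT tunnel egress -> LAN_IP", "out": None,
         "src": h["HOST_B_LAN_RANGE"], "dst": h["LAN_IP_RANGE"], "target": "SNAT", "to": h["LAN_IP"]},
    ]


def _matches(addr, spec):
    # A None spec means the rule carries no -s/-d match; a host or CIDR spec is tested as a network.
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def run_postrouting(rules, src, dst, out_iface):
    """Walk the chain first-match-wins, as netfilter does for a new connection in the nat table.

    Returns (name of the matching rule or None, source address the packet leaves with).
    """
    for r in rules:
        if r["out"] is not None and r["out"] != out_iface:   # -o match
            continue
        if not (_matches(src, r["src"]) and _matches(dst, r["dst"])):
            continue
        # ACCEPT and SNAT are both terminating in the nat table: no later rule is consulted.
        return r["name"], (r["to"] if r["target"] == "SNAT" else src)
    return None, src   # chain policy (ACCEPT): the packet leaves unmodified


if __name__ == "__main__":
    rules = postrouting_rules(HOST_A)
    flows = [  # (label, src, dst, outgoing interface) for the flows described in the post
        ("LAN host behind A -> LAN behind B (the failing case)", "10.211.0.50", "10.212.0.20", "eth0"),
        ("A's eth0 address -> B's eth1 address", "80.1.1.1", "10.212.0.1", "eth0"),
        ("traffic out of the tunnel -> LAN host behind A", "10.212.0.1", "10.211.0.50", "eth1"),
        ("LAN host behind A -> Internet", "10.211.0.50", "198.51.100.7", "eth0"),
    ]
    for label, src, dst, out in flows:
        rule, new_src = run_postrouting(rules, src, dst, out)
        print(f"{label}: matched {rule!r}, leaves with source {new_src}")
```

Two things the walk makes visible that are worth checking on the real hosts. First, in the order the rules are listed, rule 1 already matches a packet from $INET_IP to $HOST_B_LAN_RANGE, so rule 2 is never reached for that flow; if that ping really works, the live order differs from the listing, and `iptables -t nat -L POSTROUTING -v -n --line-numbers` shows both the order and the per-rule packet counters. Second, the failing flow (a 10.211.0.0/16 host to 10.212.0.0/16) hits rule 1 and therefore leaves POSTROUTING with its original 10.211.x.y source, not $LAN_IP; whether such a packet is selected for the tunnel at all depends on the IPsec policy selectors, which `ip xfrm policy` (or `setkey -DP` with ipsec-tools) will show, so comparing them against the whole 10.211.0.0/16 range is the next check after the nat chain.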