tun interface and ipmasq
Alohá!
Without any idea on how to do anything "the ipmasq way" due to using
iptables all my Linux life I still have to set up a sarge box like this
|192.168.121.0/24|-|OpenVPN 10.8.0.5/24|
                                |
             -------------|Internet|--------
             |
|router|-|172.16.0.0/24|-|sarge 10.8.0.6/24|-|192.168.122.0/24|
The sarge machine is routing the 192.168.122.0/24 subnet to the router
for internet access while shielding it from access from the
172.16.0.0/24 and does so via ipmasq. There's an OpenVPN tunnel ending
on the sarge box and the 192.168.121.0/24 and 192.168.122.0/24 subnets
are to be routed back and forth through the 10.8.0.0/24 VPN - all set
and ready to go but ipmasq won't do it on the sarge box so far. Thanks
to UDP 1194 forwarded to the sarge box OpenVPN is up and running (ipmasq
doesn't seem to firewall anything), the tunnel is established, no
problem there. Routes are set:
Destination     Gateway         Genmask          Flags  Iface
10.8.0.5        *               255.255.255.255  UH     tun0
10.8.0.0        10.8.0.5        255.255.255.0    UG     tun0
172.16.0.0      *               255.255.255.0    U      eth0
192.168.121.0   10.8.0.5        255.255.255.0    UG     tun0
192.168.122.0   *               255.255.255.0    U      eth1
default         172.16.0.1      0.0.0.0          UG     eth0
(Output altered for better viewing)
The big lot of files in /etc/ipmasq/rules makes some kind of sense, I did
some RTFM and there already are some empty .rul files for the
input/output/forward chains waiting to be filled with, well, with what?
Can I simply enter additional iptables rules here and ipmasq will pay
heed? Or can I change the OpenVPN tun interface on the sarge box to be
an internal one? If so, which file would I do that with?
ATM my 'iptables -L' looks like this and I can see that the tun
interface and the remote subnet are simply LOGged and DROPped - so how
do I best change this?
Chain INPUT (policy DROP)
target   prot opt source            destination
ACCEPT   all  --  anywhere          anywhere
LOG      all  --  127.0.0.0/8       anywhere                  LOG level warning
DROP     all  --  127.0.0.0/8       anywhere
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  192.168.122.0/24  anywhere
ACCEPT   all  --  10.8.0.5          anywhere
ACCEPT  !tcp  --  anywhere          BASE-ADDRESS.MCAST.NET/4
ACCEPT  !tcp  --  anywhere          BASE-ADDRESS.MCAST.NET/4
LOG      all  --  192.168.122.0/24  anywhere                  LOG level warning
DROP     all  --  192.168.122.0/24  anywhere
LOG      all  --  10.8.0.6          anywhere                  LOG level warning
DROP     all  --  10.8.0.6          anywhere
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  anywhere          172.16.0.2
ACCEPT   all  --  anywhere          172.16.0.255
LOG      all  --  anywhere          anywhere                  LOG level warning
DROP     all  --  anywhere          anywhere

Chain FORWARD (policy DROP)
target   prot opt source            destination
ACCEPT   all  --  10.8.0.5          192.168.122.0/24
ACCEPT   all  --  anywhere          10.8.0.5
ACCEPT   all  --  10.8.0.6          192.168.122.0/24
ACCEPT   all  --  192.168.122.0/24  10.8.0.6
ACCEPT   all  --  192.168.122.0/24  anywhere
ACCEPT   all  --  10.8.0.5          anywhere
ACCEPT   all  --  anywhere          anywhere                  state RELATED,ESTABLISHED
LOG      all  --  anywhere          192.168.122.0/24          LOG level warning
DROP     all  --  anywhere          192.168.122.0/24
LOG      all  --  anywhere          10.8.0.6                  LOG level warning
DROP     all  --  anywhere          10.8.0.6
LOG      all  --  anywhere          anywhere                  LOG level warning
DROP     all  --  anywhere          anywhere

Chain OUTPUT (policy DROP)
target   prot opt source            destination
ACCEPT   all  --  anywhere          anywhere
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  anywhere          192.168.122.0/24
ACCEPT   all  --  anywhere          10.8.0.5
ACCEPT  !tcp  --  anywhere          BASE-ADDRESS.MCAST.NET/4
ACCEPT  !tcp  --  anywhere          BASE-ADDRESS.MCAST.NET/4
LOG      all  --  anywhere          192.168.122.0/24          LOG level warning
DROP     all  --  anywhere          192.168.122.0/24
LOG      all  --  anywhere          10.8.0.6                  LOG level warning
DROP     all  --  anywhere          10.8.0.6
ACCEPT   all  --  anywhere          255.255.255.255
ACCEPT   all  --  172.16.0.2        anywhere
ACCEPT   all  --  172.16.0.255      anywhere
LOG      all  --  anywhere          anywhere                  LOG level warning
DROP     all  --  anywhere          anywhere
If I could without fussing with IT policy guys for an hour I'd just get
rid of ipmasq and do it all the iptables way but I'm not sure that's
quicker than making tun0 an internal interface and 192.168.121.0/24 an
internal subnet from ipmasq's point of view - but how?
Thank You all very much in advance for Your help!
Martin
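An added example, not part of Martin's post and not ipmasq's own rule syntax: a small POSIX shell script that emits the plain iptables commands which would open the sarge box's INPUT, FORWARD and OUTPUT chains for the tunnel and the two LAN subnets named in the post, while leaving the existing LOG/DROP catch-alls in place. The interface names (tun0 for the tunnel, eth1 for 192.168.122.0/24) and the subnets are taken from the routing table above; the DRY_RUN variable, the function names and the idea of dropping the output into one of the empty .rul files are assumptions, and whether ipmasq will run a .rul file containing bare iptables calls is exactly the open question of the post, which this example does not settle. Each ACCEPT is bound to a specific in/out interface and subnet pair, so a packet claiming a 192.168.121.0/24 source that does not arrive on tun0 still falls through to the default drop.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally apply,
# the iptables rules that let the OpenVPN subnets through the sarge box.
# Interface names and subnets below follow the post's routing table; the
# DRY_RUN switch and function names are assumptions of this example.
set -eu

VPN_IF="tun0"                  # OpenVPN tunnel interface on the sarge box
LAN_IF="eth1"                  # interface facing the local 192.168.122.0/24 LAN
VPN_NET="10.8.0.0/24"          # tunnel addresses (10.8.0.5 peer, 10.8.0.6 sarge)
REMOTE_LAN="192.168.121.0/24"  # LAN behind the far OpenVPN endpoint
LOCAL_LAN="192.168.122.0/24"   # LAN behind the sarge box

# Print the rules to stdout, one complete iptables command per line.
# "-I" inserts at the top of each chain, ahead of the LOG/DROP pairs that
# ipmasq already installed, so everything not matched here is still dropped.
vpn_rules() {
    # Tunnel peers talking to the sarge box itself (pings, management, etc.).
    echo "iptables -I INPUT -i $VPN_IF -s $VPN_NET -j ACCEPT"
    # Routed traffic between the two LANs, one rule per direction; the
    # interface match keeps a spoofed 192.168.121.x source off eth0/eth1.
    echo "iptables -I FORWARD -i $VPN_IF -o $LAN_IF -s $REMOTE_LAN -d $LOCAL_LAN -j ACCEPT"
    echo "iptables -I FORWARD -i $LAN_IF -o $VPN_IF -s $LOCAL_LAN -d $REMOTE_LAN -j ACCEPT"
    # The sarge box's own packets toward the tunnel.
    echo "iptables -I OUTPUT -o $VPN_IF -d $VPN_NET -j ACCEPT"
}

# Number of rules the generator emits (handy for a quick sanity check).
rule_count() {
    vpn_rules | wc -l | tr -d ' '
}

# Run each generated command; only called when DRY_RUN=0 and you are root.
apply_rules() {
    vpn_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# Default is a dry run that just shows the rules; DRY_RUN=0 ./vpn-rules.sh applies them.
if [ "${DRY_RUN:-1}" = "0" ]; then
    apply_rules
else
    vpn_rules
fi
```

Run it without arguments to see the four commands, compare them against 'iptables -L -v -n' after applying, and check with a ping from 192.168.122.0/24 to a 192.168.121.0/24 host that the FORWARD counters move on the ACCEPT rules rather than on the LOG/DROP pair.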