Using ipmasq and vtun
I have two hosts on the internet that masquerade connections for a network of computers behind each of them, and I want to set up a vtun tunnel between the two networks. It looks something like this:
| ------- ------- |
192.168.0.0/24 |--eth1--|host1|-eth0-inet-ppp0-|host2|--eth0--|192.168.1.0/24
| ------- ------- |
|=vtun0====tunnel======|
The problem is that once I have the tunnel set up, I can't seem to get either the routing or the ipchains rules right.
Here are my configuration files, plus the output of ifconfig, route -n and ipchains-save while the tunnel is active. Can anyone give me some advice on how to fix the problem?
ifconfig for the host1
eth0 Link encap:Ethernet HWaddr 00:20:AF:28:64:4A
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:275094 errors:0 dropped:0 overruns:0 frame:0
TX packets:191777 errors:0 dropped:0 overruns:0 carrier:0
collisions:4 txqueuelen:100
Interrupt:10 Base address:0x210
eth1 Link encap:Ethernet HWaddr 00:80:C8:3C:19:C5
inet addr:208.25.210.254 Bcast:208.25.210.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:153357 errors:69 dropped:0 overruns:0 frame:1
TX packets:121541 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:3 Base address:0x300
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:597 errors:0 dropped:0 overruns:0 frame:0
TX packets:597 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
tun0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.2 P-t-P:10.0.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
ipchains-save for host1
:input DENY
:forward DENY
:output DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i !lo -j DENY -l
-A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
-A input -s 10.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i tun0 -j ACCEPT
-A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY -l
-A input -s 10.0.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY -l
-A input -s 0.0.0.0/0.0.0.0 -d 208.25.210.254/255.255.255.255 -i eth1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 208.25.210.255/255.255.255.255 -i eth1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
-A forward -s 10.0.0.1/255.255.255.255 -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A forward -s 0.0.0.0/0.0.0.0 -d 10.0.0.1/255.255.255.255 -j ACCEPT
-A forward -s 10.0.0.2/255.255.255.255 -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A forward -s 192.168.0.0/255.255.255.0 -d 10.0.0.2/255.255.255.255 -j ACCEPT
-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j MASQ
-A forward -s 10.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i eth1 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 224.0.0.0/240.0.0.0 -i eth0 -p ! 6 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 10.0.0.1/255.255.255.255 -i tun0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 224.0.0.0/240.0.0.0 -i tun0 -p ! 6 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth1 -j DENY -l
-A output -s 0.0.0.0/0.0.0.0 -d 10.0.0.2/255.255.255.255 -i eth1 -j DENY -l
-A output -s 208.25.210.254/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i eth1 -j ACCEPT
-A output -s 208.25.210.255/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i eth1 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
route -n for host1
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
208.25.210.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 208.25.210.1 0.0.0.0 UG 1 0 0 eth1
vtun.conf for host1
options {
    port 5000;                 # Listen on this port. The host1 input chain (ipchains-save above) accepts any
                               # packet addressed to 208.25.210.254 on eth1, so nothing limits this port to host2.
    # Path to various programs
    ppp /usr/sbin/pppd;
    ifconfig /sbin/ifconfig;
    route /sbin/route;
    firewall /sbin/ipchains;   # Declared, but no "firewall" command is issued in the session's up{}/down{};
                               # the ipchains rules that govern tun0 live in the static rule set.
}
# Default host options
# Default host options
default {
    compress no;   # Compression is off by default (the session block below overrides this with comp lzo:1)
    speed 0;       # 0 = maximum speed, no traffic shaping
}
# TUN example. Host 'cobra'.
zero_one {
    pass xxxxxxx;      # Shared secret, presumably masked for this post; host2's session must carry the same value
    type tun;          # IP tunnel
    proto udp;         # UDP transport for tunnel data
    comp lzo:1;        # LZO compression, level 1 (the stock comment said level 9)
    encr no;           # Encryption disabled: everything routed through tun0 crosses the internet in cleartext
    keepalive yes;     # Keep connection alive
    up {
        # Connection is up. On host1: 10.0.0.2 is local, 10.0.0.1 is remote (host2).
        # vtund expands %% to the tunnel interface name (tun0 in the ifconfig listing).
        ifconfig "%% 10.0.0.2 pointopoint 10.0.0.1 mask 255.255.255.255 mtu 1450";
        # NOTE(review): the host1 ifconfig listing shows tun0 at MTU:1500, not 1450 -- confirm the mtu option took effect.
        route "add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1";
        # route "add -net 192.168.1.0 gw 192.168.0.11";
        # NOTE(review): "route -n" on host1 already has 192.168.1.0/24 via 10.0.0.1 on tun0, so routing looks
        # right; the drop is in the ipchains-save listing. The input chain accepts only -s 10.0.0.1 on tun0 and
        # the output chain only -d 10.0.0.1 on tun0, so packets from or to 192.168.1.0/24 over the tunnel fall
        # through to the final "DENY -l". The forward chain has no rule pairing 192.168.0.0/24 with
        # 192.168.1.0/24, and its eth1 MASQ rule does not apply to packets leaving via tun0 (in the ipchains
        # forward chain -i names the outgoing interface). The input chain also anti-spoofs 192.168.0.0/24 and
        # 10.0.0.2 arriving on eth1, but not 192.168.1.0/24 or 10.0.0.1. Rules for 192.168.1.0/24 on tun0
        # could be issued here via the configured firewall command, or added to the static rule set.
    };
    down {
        # disable interface
        ifconfig "%% down";
    }
}
ifconfig for host2
eth0 Link encap:Ethernet HWaddr 00:40:33:D2:B1:16
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:335062 errors:60 dropped:0 overruns:0 frame:0
TX packets:319567 errors:13798 dropped:0 overruns:0 carrier:27596
collisions:1718 txqueuelen:100
Interrupt:9 Base address:0xe800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:1636030 errors:0 dropped:0 overruns:0 frame:0
TX packets:1636030 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
ppp0 Link encap:Point-to-Point Protocol
inet addr:63.202.177.89 P-t-P:63.202.179.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:190829 errors:0 dropped:0 overruns:0 frame:0
TX packets:154499 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
tun0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.1 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
ipchains-save for host2
:input DENY
:forward DENY
:output DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 127.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i !lo -j DENY -l
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j ACCEPT
-A input -s 10.0.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i tun0 -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j DENY -l
-A input -s 10.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j DENY -l
-A input -s 0.0.0.0/0.0.0.0 -d 63.202.177.89/255.255.255.255 -i ppp0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
-A forward -s 10.0.0.2/255.255.255.255 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A forward -s 0.0.0.0/0.0.0.0 -d 10.0.0.2/255.255.255.255 -j ACCEPT
-A forward -s 10.0.0.1/255.255.255.255 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 10.0.0.1/255.255.255.255 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i ppp0 -j MASQ
-A forward -s 10.0.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 224.0.0.0/240.0.0.0 -i eth0 -p ! 6 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 10.0.0.2/255.255.255.255 -i tun0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 224.0.0.0/240.0.0.0 -i tun0 -p ! 6 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 192.168.1.0/255.255.255.0 -i ppp0 -j DENY -l
-A output -s 0.0.0.0/0.0.0.0 -d 10.0.0.1/255.255.255.255 -i ppp0 -j DENY -l
-A output -s 63.202.177.89/255.255.255.255 -d 0.0.0.0/0.0.0.0 -i ppp0 -j ACCEPT
-A output -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l
route -n for host2
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
63.202.179.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 63.202.179.254 0.0.0.0 UG 0 0 0 ppp0
vtun.conf for host2
options {
    port 5000;                 # Listen on this port. The host2 input chain (ipchains-save above) accepts any
                               # packet addressed to 63.202.177.89 on ppp0, so nothing limits this port to host1.
    # Path to various programs
    ppp /usr/sbin/pppd;
    ifconfig /sbin/ifconfig;
    route /sbin/route;
    firewall /sbin/ipchains;   # Declared, but no "firewall" command is issued in the session's up{}/down{};
                               # the ipchains rules that govern tun0 live in the static rule set.
}
# Default host options
# Default host options
default {
    compress no;   # Compression is off by default (the session block below overrides this with comp lzo:1)
    speed 0;       # 0 = maximum speed, no traffic shaping
}
# TUN example. Host 'cobra'.
zero_one {
    pass xxxxxxxx;     # Shared secret, presumably masked for this post; host1's session must carry the same value
    type tun;          # IP tunnel
    proto udp;         # UDP transport for tunnel data
    comp lzo:1;        # LZO compression, level 1 (the stock comment said level 9)
    encr no;           # Encryption disabled: LAN-to-LAN traffic crosses the ppp0 link in cleartext
    keepalive yes;     # Keep connection alive
    up {
        # Connection is up. On host2: 10.0.0.1 is local, 10.0.0.2 is remote (host1).
        # vtund expands %% to the tunnel interface name (tun0 in the ifconfig listing).
        ifconfig "%% 10.0.0.1 pointopoint 10.0.0.2 mask 255.255.255.255 mtu 1450";
        # NOTE(review): the host2 ifconfig listing shows tun0 at MTU:1500, not 1450 -- confirm the mtu option took effect.
        route "add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.2";
        # route "add -net 192.168.0.0 gw 192.168.0.10";
        # NOTE(review): "route -n" on host2 already has 192.168.0.0/24 via 10.0.0.2 on tun0, so routing looks
        # right; the drop is in the ipchains-save listing. The input chain accepts only -s 10.0.0.2 on tun0 and
        # the output chain only -d 10.0.0.2 on tun0, so packets from or to 192.168.0.0/24 over the tunnel fall
        # through to the final "DENY -l". The forward chain has no rule pairing 192.168.1.0/24 with
        # 192.168.0.0/24, and its ppp0 MASQ rule does not apply to packets leaving via tun0 (in the ipchains
        # forward chain -i names the outgoing interface). The input chain also anti-spoofs 192.168.1.0/24 and
        # 10.0.0.1 arriving on ppp0, but not 192.168.0.0/24 or 10.0.0.2. Rules for 192.168.0.0/24 on tun0
        # could be issued here via the configured firewall command, or added to the static rule set.
    };
    down {
        # disable interface
        ifconfig "%% down";
    }
}