From: O-Zone <liste@zerozone.it>
To: netfilter@lists.netfilter.org
Subject: Re: DMZ to DMT through ROUTER problem !
Date: Fri, 21 May 2004 16:08:37 +0200
Message-ID: <200405211608.42467.liste@zerozone.it>
In-Reply-To: <200405211119.14458.Antony@Soft-Solutions.co.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 21 May 2004 12:19, Antony Stone wrote:
> How do you route reply packets from those two public IPs back to the
> sender?
OK, problem with UDP solved... again many, many thanks! But a little problem
still remains with IPSEC.
On the firewall we have OpenSwan to connect from remote places. Inside our
INTRANET, however, some of us use IPSEC clients, such as SSH Sentinel or SafeNet
LT, to connect to remote IPSEC (using NAT-T encapsulation).
What happens when an intranet user (10.0.0.40) tries to connect to a remote
IPSEC server (81.113.x.y)?
10.0.0.40 -----> [MASQ - 10.0.0.1] ----> 81.113.x.y
10.0.0.40 <-xx- [MASQ - 10.0.0.1] <--- 81.113.x.y
The reply to the IPSEC packet was NOT forwarded and was taken by OpenSwan on 10.0.0.1
with, of course, "who are you and why the f&%k are you calling me?".
To enable the firewall (10.0.0.1) to accept IPSEC connections I've used the
following rules:
# IPSEC
$IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p 50 -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p 51 -j ACCEPT
How can I keep MASQ working correctly?
Oz
- --
I always had a repulsive need to be something more than human.
-- David Bowie
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFArg1oYuBSFbgkEysRAn8EAKDftszKctvX4gDK8G98HEDqllCvxgCguUy6
sZQ3BxQzAEucvi8yXa0XAbE=
=cPye
-----END PGP SIGNATURE-----
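The rule set below is an added example, not part of the original post or of the poster's firewall script, showing how a masquerading firewall that also terminates its own IPsec (OpenSwan on 10.0.0.1, as in the message above) can let masqueraded LAN clients reach remote IPsec servers at the same time. The interface names (eth0 for the Internet, eth1 for the LAN), the LAN prefix 10.0.0.0/24 and the dry-run switch are assumptions for the example. The point it makes: conntrack undoes the masquerade in PREROUTING, before the routing decision, so a reply to a masqueraded client arrives in FORWARD already rewritten to the client's address and never reaches the INPUT rules that feed OpenSwan; the INPUT rules from the post only ever see traffic genuinely addressed to the firewall. IKE (UDP/500) and NAT-T (UDP/4500) carry ports and are tracked and reverse-NATed normally; raw ESP (protocol 50) has no ports, so conntrack can only keep apart one masqueraded ESP flow per remote peer.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for a firewall
# that both runs its own IPsec endpoint (OpenSwan on 10.0.0.1) and masquerades
# LAN clients that use IKE / NAT-T towards remote IPsec servers.
#
# Assumed names: INET_IFACE=eth0, LAN_IFACE=eth1, LAN_NET=10.0.0.0/24.
# With DRY_RUN=1 (the default) the rules are only printed so they can be
# reviewed on any machine; DRY_RUN=0 applies them with iptables (needs root).

INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

if [ "${DRY_RUN:-1}" = "1" ]; then
    IPTABLES="echo iptables"
else
    IPTABLES="iptables"
fi

ipsec_rules() {
    # 1. Return traffic first. Conntrack reverses the MASQUERADE in PREROUTING,
    #    before the routing decision, so replies to a masqueraded 10.0.0.40
    #    show up in FORWARD (already rewritten to 10.0.0.40), not in INPUT,
    #    and therefore never hit OpenSwan on 10.0.0.1.
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. The firewall's own IPsec endpoint (OpenSwan), as in the post, plus
    #    NAT-T on UDP/4500 for remote clients that sit behind NAT themselves.
    $IPTABLES -A INPUT -i "$INET_IFACE" -p udp --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p 50 -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p 51 -j ACCEPT

    # 3. LAN clients (SSH Sentinel, SafeNet) going out to remote IPsec servers.
    #    IKE and NAT-T are UDP and NAT cleanly. Raw ESP has no ports, so only
    #    one masqueraded ESP flow per remote peer can be told apart; clients
    #    should use NAT-T (UDP/4500) whenever the peer supports it.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -p 50 -j ACCEPT

    # 4. Masquerade the LAN behind the firewall's public address.
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE
}

ipsec_rules
```

Run it as-is to print the rules for review; run it with `DRY_RUN=0` as root to load them. The ESTABLISHED,RELATED rules are placed before everything else on purpose: they are what lets a de-NATed reply pass FORWARD without a separate rule per protocol, and they keep the INPUT accepts for UDP/500, ESP and AH limited to sessions that really terminate on the firewall.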
Thread overview: 16+ messages
2004-05-20 11:18 DMZ to DMT through ROUTER problem ! O-Zone
2004-05-20 12:30 ` Antony Stone
2004-05-20 12:54 ` O-Zone
2004-05-20 13:22 ` Antony Stone
2004-05-20 14:37 ` O-Zone
2004-05-20 14:45 ` Antony Stone
2004-05-20 14:58 ` O-Zone
2004-05-20 15:07 ` Antony Stone
2004-05-20 15:53 ` O-Zone
2004-05-20 16:07 ` Antony Stone
2004-05-20 16:32 ` O-Zone
2004-05-20 17:34 ` Antony Stone
2004-05-20 17:44 ` Antony Stone
2004-05-21 9:30 ` O-Zone
2004-05-21 10:19 ` Antony Stone
2004-05-21 14:08 ` O-Zone [this message]