* Can't get access remote LAN through firewall
@ 2006-10-14 23:55 piraguasu
  2006-10-15 13:13 ` Pascal Hambourg
  0 siblings, 1 reply; 4+ messages in thread
From: piraguasu @ 2006-10-14 23:55 UTC (permalink / raw)
  To: netfilter

Hi All

I have two LANs, both connected to the Internet through a proxy/firewall on 
Linux. One is my working LAN and the other is remote. I want to see the internal 
machines of the remote LAN from any computer on my LAN; for this I set up a 
tunnel, and when the firewall is down on both LANs, all is OK.

When the firewall is up, my problem is forwarding between the tunnel device and 
the internal card (eth1): I can't get through the firewall, the iptables rules 
don't work.

Forwarding is enabled on the systems ("/proc/sys/net/ipv4/ip_forward = 1").

Why doesn't iptables FORWARD work?

Who can help me?



* Re: Can't get access remote LAN through firewall
  2006-10-14 23:55 Can't get access remote LAN through firewall piraguasu
@ 2006-10-15 13:13 ` Pascal Hambourg
  2006-10-17 18:41   ` piraguasu
  0 siblings, 1 reply; 4+ messages in thread
From: Pascal Hambourg @ 2006-10-15 13:13 UTC (permalink / raw)
  To: netfilter

Hello,

piraguasu wrote:
> 
> I have two LANs, both connected to the Internet through a proxy/firewall on 
> Linux. One is my working LAN and the other is remote. I want to see the internal 
> machines of the remote LAN from any computer on my LAN; for this I set up a 
> tunnel, and when the firewall is down on both LANs, all is OK.
> 
> When the firewall is up, my problem is forwarding between the tunnel device and 
> the internal card (eth1): I can't get through the firewall, the iptables rules 
> don't work.

Does the FORWARD chain contain rules which accept packets between the 
tunnel interface and the LAN interface in both directions?

Something like:
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT



* Re: Re: Can't get access remote LAN through firewall
  2006-10-15 13:13 ` Pascal Hambourg
@ 2006-10-17 18:41   ` piraguasu
  2006-10-19  9:46     ` Pascal Hambourg
  0 siblings, 1 reply; 4+ messages in thread
From: piraguasu @ 2006-10-17 18:41 UTC (permalink / raw)
  To: netfilter

Pascal Hambourg wrote:
> Hello,
>
>
>>
>> I have two LANs, both connected to the Internet through a proxy/firewall on 
>> Linux. One is my working LAN and the other is remote. I want to see the 
>> internal machines of the remote LAN from any computer on my LAN; for this I 
>> set up a tunnel, and when the firewall is down on both LANs, all is OK.
>>
>> When the firewall is up, my problem is forwarding between the tunnel device 
>> and the internal card (eth1): I can't get through the firewall, the iptables 
>> rules don't work.
>
> Does the FORWARD chain contain rules which accept packets between the 
> tunnel interface and the LAN interface in both directions?
>
> Something like:
> iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
> iptables -A FORWARD -i tun0 -o eth1 -j ACCEPT
>
>
Hi Pascal

Yes, the rules are:
#
# On my LAN

iptables -A FORWARD -i eth1 -s $MY_LAN -d $REMOTE_LAN -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -s $REMOTE_LAN  -d $MY_LAN -o eth1 -j ACCEPT

#
# On remote LAN

iptables -A FORWARD -i eth1 -s $REMOTE_LAN -d $MY_LAN -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -s $MY_LAN  -d $REMOTE_LAN -o eth1 -j ACCEPT


The packets can't gain access to the tunnel, tcpdump tells me.

If you have any idea, welcome ........
Thank you
Gerardo




* Re: Can't get access remote LAN through firewall
  2006-10-17 18:41   ` piraguasu
@ 2006-10-19  9:46     ` Pascal Hambourg
  0 siblings, 0 replies; 4+ messages in thread
From: Pascal Hambourg @ 2006-10-19  9:46 UTC (permalink / raw)
  To: netfilter

piraguasu wrote:
> #
> # On my LAN
> 
> iptables -A FORWARD -i eth1 -s $MY_LAN -d $REMOTE_LAN -o tun0 -j ACCEPT
> iptables -A FORWARD -i tun0 -s $REMOTE_LAN  -d $MY_LAN -o eth1 -j ACCEPT
> 
> #
> # On remote LAN
> 
> iptables -A FORWARD -i eth1 -s $REMOTE_LAN -d $MY_LAN -o tun0 -j ACCEPT
> iptables -A FORWARD -i tun0 -s $MY_LAN  -d $REMOTE_LAN -o eth1 -j ACCEPT

What happens if you remove the -s and -d options?
No SNAT/MASQUERADE on the tunnel?
Could it be that the tunnel packets are dropped on the WAN interface?
What kind of tunnel protocol is it?

> The packets can't gain access to the tunnel, tcpdump tells me.

Can you explain this please? My tcpdump only shows packets which enter 
and leave a network interface; it does not tell anything about getting 
access or not.
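One way to answer Pascal's two questions at once (does the FORWARD chain hold ACCEPT rules for both tun0/eth1 directions, and do the -s/-d restricted rules from Gerardo's reply ever match, or do packets fall through to the chain policy) is to read the packet counters of `iptables -vnL FORWARD`. This is an added example, not code from the thread; the chain output below is constructed, and the addresses 192.168.1.0/24 and 10.0.0.0/24 are assumed stand-ins for $MY_LAN and $REMOTE_LAN.

```shell
#!/bin/sh
# Added example: diagnose tun0<->eth1 FORWARD rules from "iptables -vnL FORWARD" output.
# Constructed sample: both tunnel ACCEPT rules show 0 packets while the DROP policy
# has counted 37, i.e. the traffic exists but none of the -i/-o/-s/-d rules matched it.
SAMPLE='Chain FORWARD (policy DROP 37 packets, 2960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   tun0    192.168.1.0/24       10.0.0.0/24
    0     0 ACCEPT     all  --  tun0   eth1    10.0.0.0/24          192.168.1.0/24
  512 41984 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0'

# policy_drops OUTPUT: packets that matched no rule and were handled by the chain policy
policy_drops() {
    printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# unused_tunnel_rules OUTPUT IFACE_A IFACE_B: number of ACCEPT rules between the two
# interfaces (either direction) whose packet counter is still zero
unused_tunnel_rules() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        $3 == "ACCEPT" && (($6 == a && $7 == b) || ($6 == b && $7 == a)) && $1 == 0 { n++ }
        END { print n + 0 }'
}

# diagnose OUTPUT IFACE_A IFACE_B: exit 0 when the tunnel rules carry traffic,
# exit 1 when they never match and packets are being dropped by the policy instead
diagnose() {
    drops=$(policy_drops "$1")
    idle=$(unused_tunnel_rules "$1" "$2" "$3")
    if [ "$idle" -gt 0 ] && [ "$drops" -gt 0 ]; then
        echo "$idle $2<->$3 ACCEPT rule(s) never matched while $drops packets hit the policy:" \
             "re-check -s/-d against the real prefixes and -i/-o against the real interface names"
        return 1
    fi
    echo "tunnel FORWARD rules are matching traffic"
    return 0
}

diagnose "$SAMPLE" tun0 eth1 || true
```

Run it against live output with `diagnose "$(iptables -vnL FORWARD)" tun0 eth1`; a hit on the policy with idle tunnel rules is exactly the case where dropping -s/-d (Pascal's first question) tells you whether the prefixes or the interfaces are wrong.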

