Connection Problem

Guus Sliepen guus at sliepen.warande.net
Thu Nov 22 10:56:57 CET 2001


On Wed, Nov 21, 2001 at 06:28:44PM -0800, Daniel Holden wrote:

> Result of "iptables -t nat -L -v" on ServerB:
> 
> Chain PREROUTING (policy ACCEPT 4075 packets, 823K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 DNAT       tcp  --  any    any     anywhere
> 209.1.1.0/24    tcp dpt:tinc to:192.168.1.253:655

This rule is not necessary.

> Chain POSTROUTING (policy ACCEPT 664 packets, 158K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>   348 24626 MASQUERADE  all  --  any    eth0    anywhere
> anywhere

I think you had better also specify eth2 as the input device for this rule,
to prevent people on eth0 from using you as a masquerader (unless you
already block this in the forwarding chain).

>     0     0 ACCEPT     all  --  any    any     209.1.1.0/24
> anywhere

Useless rule.

> Result of "iptables -L -v" on ServerB:
> 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     2   118 ACCEPT     all  --  any    any     mail.idsb.net
> anywhere

The above one also covers...

>     0     0 ACCEPT     tcp  --  any    any     mail.idsb.net
> 209.1.1.0/24    tcp dpt:tinc
>     0     0 ACCEPT     udp  --  any    any     mail.idsb.net
> 209.1.1.0/24    udp dpt:tinc

...these rules, so the latter are useless.

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  any    eth0    office_vpn/24
> anywhere
>     0     0 ACCEPT     all  --  any    any     anywhere
> office_vpn/24

These rules cover the masqueraded traffic, but you forgot the VPN
traffic that has to be forwarded. So, add something like this:

iptables -A FORWARD -i office_vpn -o eth2 -j ACCEPT
iptables -A FORWARD -o office_vpn -i eth2 -j ACCEPT

If this doesn't help, resize your terminal to something that can hold
the output of iptables -L, and do the following:

watch -d -n 1 iptables -L -v -x

Then try to ping over the VPN. The rule which matches the VPN traffic
will light up.

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <guus at sliepen.warande.net>
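The ruleset the reply asks for, together with a scriptable version of the "watch -d" counter check, as an added example; it is not code from the thread or from tinc itself. It assumes ServerB has its LAN on eth2, the Internet on eth0 and the tinc interface office_vpn, that tinc uses its default port 655, and it uses a placeholder LAN network and peer address; none of those details come from the post. One caveat the reply does not mention: iptables does not accept -i in the nat POSTROUTING chain, so the MASQUERADE rule is restricted by source network instead and the FORWARD chain (the alternative the reply names) does the actual blocking.

```shell
#!/bin/sh
# Added example, not code from the thread or from tinc. Assumptions (not
# stated in the post): LAN on eth2, Internet on eth0, tinc interface
# office_vpn, LAN network 10.0.0.0/24, tinc on its default port 655, and
# a placeholder peer address. With the default IPT="echo iptables" the
# script only prints the commands; run as root with IPT=iptables to apply.
set -e

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth2}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-office_vpn}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # hypothetical LAN behind ServerB
PEER="${PEER:-192.0.2.10}"          # hypothetical address of the other tinc daemon
TINC_PORT="${TINC_PORT:-655}"

# Emit (or apply) the ruleset. $IPT is deliberately unquoted so that the
# default "echo iptables" splits into a command and its first argument.
apply_rules() {
    # Masquerade only LAN sources leaving via the Internet interface.
    # POSTROUTING has no "-i", so the source-network match plus the
    # FORWARD policy below is what stops eth0 hosts abusing the NAT.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Default deny for forwarded traffic, then the explicit exceptions.
    $IPT -P FORWARD DROP
    # LAN -> Internet, and the replies coming back.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN <-> VPN: the two rules missing from the original ruleset.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT

    # The tinc daemon is a local process: its control (TCP) and data (UDP)
    # ports must be open in INPUT for the peer.
    $IPT -A INPUT -p tcp -s "$PEER" --dport "$TINC_PORT" -j ACCEPT
    $IPT -A INPUT -p udp -s "$PEER" --dport "$TINC_PORT" -j ACCEPT
}

# Scriptable version of "watch -d -n 1 iptables -L -v -x": given two saved
# snapshots, print every rule (and every built-in chain policy) whose packet
# counter changed. A policy line lighting up means the traffic matched no
# rule and hit the default DROP, which is exactly the missing-rule case.
changed_rules() {   # usage: changed_rules before.txt after.txt
    awk '
        function counter() {
            if ($1 ~ /^[0-9]+$/) return $1                   # rule line: pkts column
            if ($1 == "Chain" && $3 == "(policy") return $5  # policy packet count
            return ""
        }
        NR == FNR { before[FNR] = counter(); next }
        { c = counter(); if (c != "" && c != before[FNR]) print FNR ": " $0 }
    ' "$1" "$2"
}

# Constructed snapshots (not real output) taken before and after four pings
# from a LAN host across the VPN: requests leave via eth2 -> office_vpn and
# the replies come back via office_vpn -> eth2, so both VPN rules change.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9120 ACCEPT     all  --  eth2   eth0    anywhere             anywhere
       0          0 ACCEPT     all  --  office_vpn eth2 anywhere            anywhere
       0          0 ACCEPT     all  --  eth2   office_vpn anywhere          anywhere
EOF
cat > "$AFTER" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9120 ACCEPT     all  --  eth2   eth0    anywhere             anywhere
       4        336 ACCEPT     all  --  office_vpn eth2 anywhere            anywhere
       4        336 ACCEPT     all  --  eth2   office_vpn anywhere          anywhere
EOF

apply_rules
echo "--- counters that changed between the two snapshots ---"
changed_rules "$BEFORE" "$AFTER"
```

To use the checker on a live box, save "iptables -L -v -x" to one file, ping across the VPN, save it again, and run changed_rules on the two files; if only the "Chain FORWARD (policy DROP ...)" line shows up, the packets are being dropped by the default policy and a FORWARD rule for the VPN interface is still missing.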