Hi!

I'm using shorewall 2.0 and I have a VPN connection over SSH (on ppp1). From the server (where I have the ppp1) I can ping the other network (192.168.0.x), and also from the other side to my network (192.168.1.x). What I'm looking for is to 'MASQ' all my network (where I have the VPN server), so from any of my computers I can ping the other side (192.168.0.x). Any ideas? I think that I can do this in the masq file, but I have no idea how to do it, any tip?

Also, does a 'debug' action exist in shorewall? I'd like to print all the iptables commands when I run shorewall start.

Thanks!
Pablo
--
Pablo Fischer Sandoval (pablo [arroba/at] pablo.com.mx)
Fingerprint: 5973 0F10 543F 54AE 1E41 EC81 0840 A10A 74A4 E5C0
http://www.pablo.com.mx
http://www.debianmexico.org
Pablo Fischer wrote:
> Any ideas?, I think that I can do this in the masq file, but I have no
> idea of doing this, any tip?

I would need more details on your setup before I could possibly help. I don't understand what SSH has to do with ppp1 for example...

> Also, In shorewall exists a 'debug' action? I'd like to print all the
> iptables commands when I run the shorewall start.

shorewall trace start 2> /tmp/trace

The /tmp/trace will contain a shell trace.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi!

Ok, explaining:

I have two 'nets', school and home.

school (server):
  net: 10.49.25.0
  netmask: 255.255.255.128
  serverip: 10.49.25.21

home (client):
  net: 192.168.1.0
  netmask: 255.255.255.0
  serverip: 192.168.1.1

vpnnet:
  client: 192.168.3.2
  server: 192.168.3.1

A VPN over SSH is a simple 'call' (pppd) to the server that creates a tunnel over an ssh connection (port 22).

Information:
http://www.tldp.org/HOWTO/ppp-ssh/introduction.html

Today, I can connect my home server (client) to the school server (server):

ppp2      Link encap:Point-to-Point Protocol
          inet addr:192.168.3.2  P-t-P:192.168.3.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:12285 (11.9 KiB)  TX bytes:1493 (1.4 KiB)

And I can ping from both sides, and from either server I can ping the 'other side' desktops; for example, from the school server I can ping 192.168.1.2 (my desktop) without problems.

What am I looking for? Well, I can only ping from server to server, and I'd like to give this 'advantage' to my desktops, so from my desktop (192.168.1.2) I can also ping the school server (or desktops!).

I don't know if I need to edit the masq or the policy files to do this. In the policy file I have:

fw    vpn    ACCEPT
vpn   all    REJECT    info

Where vpn (interfaces):

vpn   ppp2   detect    -

Any ideas?

Thanks!
Pablo

On Sun, 16-05-2004 at 16:48, Tom Eastep wrote:
> Pablo Fischer wrote:
> > Any ideas?, I think that I can do this in the masq file, but I have no
> > idea of doing this, any tip?
>
> I would need more details on your setup before I could possibly help. I
> don't understand what SSH has to do with ppp1 for example...
>
> > Also, In shorewall exists a 'debug' action? I'd like to print all the
> > iptables commands when I run the shorewall start.
>
> shorewall trace start 2> /tmp/trace
>
> The /tmp/trace will contain a shell trace.
>
> -Tom
--
Pablo Fischer Sandoval (pablo [arroba/at] pablo.com.mx)
Fingerprint: 5973 0F10 543F 54AE 1E41 EC81 0840 A10A 74A4 E5C0
http://www.pablo.com.mx
http://www.debianmexico.org
Pablo Fischer wrote:
> Hi!
>
> Ok, Explaining:
>
> I have two 'nets', school and home.
>
> school (server):
> net: 10.49.25.0
> netmask: 255.255.255.128
> serverip: 10.49.25.21
>
> home (client):
> net: 192.168.1.0
> netmask: 255.255.255.0
> serverip: 192.168.1.1
>
> vpnnet:
> client: 192.168.3.2
> server: 192.168.3.1
>
> A VPN over SSH, is a simple 'call' (pppd) to the server and create a
> tunnel with a ssh connection (port 22)
>
> Information:
> http://www.tldp.org/HOWTO/ppp-ssh/introduction.html
>
> Today, I can connect my home server (client) to school server (server):
>
> ppp2      Link encap:Point-to-Point Protocol
>           inet addr:192.168.3.2  P-t-P:192.168.3.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:18 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:12285 (11.9 KiB)  TX bytes:1493 (1.4 KiB)
>
> And I can ping in both sides, and from any server I can ping the 'other
> side' desktops, for example: From the school server I can ping
> 192.168.1.2 (my desktop) without problems.
>
> What I'm looking for? Well, I can only ping from server to server, and
> I'd like to give this 'advantage' to my desktops, so from my desktop
> (192.168.1.2) I can ping also to the school server (or desktops!).
>
> I don't know if I need to edit the masq or the policy files to do this.
> In the policy file I have:
>
> fw    vpn    ACCEPT
> vpn   all    REJECT    info
>
> Where vpn (interfaces):
> vpn   ppp2   detect    -
>
> Any ideas?
>

You will probably want to add this policy:

loc   vpn    ACCEPT

before the last one you show above.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Pablo Fischer wrote:
>
>> I don't know if I need to edit the masq or the policy files to do this.
>> In the policy file I have:
>>
>> fw    vpn    ACCEPT
>> vpn   all    REJECT    info
>>
>> Where vpn (interfaces):
>> vpn   ppp2   detect    -
>>
>> Any ideas?
>>
>
> You will probably want to add this policy:
>
> loc   vpn    ACCEPT
>
> before the last one you show above.
>

And if the other end doesn't know how to route back to your network, you can add this to /etc/shorewall/masq:

ppp2    192.168.1.0/24    192.168.3.2

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
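To make clear what Tom's masq entry does at the iptables level (SNAT of the home LAN to the tunnel address so the far end sees only 192.168.3.2), here is an added Python illustration; it is constructed for this thread and is not Shorewall's own compiler. It reads each masq line as INTERFACE SUBNET [ADDRESS], emits one POSTROUTING rule per line, and the eth0 line in the sample is an assumption that the thread does not mention.

```python
"""Render /etc/shorewall/masq entries as the iptables rules they amount to.
Constructed for this thread, not Shorewall's own compiler: Shorewall 2.0
builds per-interface nat chains; this emits plain POSTROUTING rules with
the same net effect, so a masq line can be sanity-checked offline."""
import ipaddress
from typing import List


def masq_line_to_iptables(line: str) -> List[str]:
    """One masq line (INTERFACE SUBNET [ADDRESS]) -> iptables command(s).
    An ADDRESS column (Tom's ppp2 entry) means SNAT to that fixed address;
    no ADDRESS, or '-', means MASQUERADE, i.e. the interface's own address."""
    fields = line.split('#', 1)[0].split()   # drop comments, tokenize
    if not fields:
        return []                            # blank or comment-only line
    if len(fields) < 2:
        raise ValueError(f"masq line needs INTERFACE and SUBNET: {line!r}")
    iface, subnet = fields[0], fields[1]
    address = fields[2] if len(fields) > 2 and fields[2] != '-' else None
    # Validate SUBNET here so a typo fails now, not at 'shorewall start'.
    net = ipaddress.ip_network(subnet, strict=False)
    # iptables takes the same 'ppp+' wildcard Shorewall uses in interfaces.
    rule = ['iptables', '-t', 'nat', '-A', 'POSTROUTING',
            '-o', iface, '-s', str(net)]
    if address is None:
        rule += ['-j', 'MASQUERADE']
    else:
        ipaddress.ip_address(address)        # a single address only, here
        rule += ['-j', 'SNAT', '--to-source', address]
    return [' '.join(rule)]


def render_masq_file(text: str) -> List[str]:
    """Translate every non-comment line of a masq file."""
    cmds: List[str] = []
    for line in text.splitlines():
        cmds.extend(masq_line_to_iptables(line))
    return cmds


# Constructed sample: Tom's ppp2 entry plus a MASQUERADE line for an
# assumed upstream interface eth0 (eth0 is not part of the thread).
SAMPLE_MASQ = """\
#INTERFACE   SUBNET          ADDRESS
ppp2         192.168.1.0/24  192.168.3.2
eth0         192.168.1.0/24
"""

if __name__ == '__main__':
    print('\n'.join(render_masq_file(SAMPLE_MASQ)))
```

Note that the SNAT form only works while the tunnel address is fixed (192.168.3.2 here); MASQUERADE is the safer choice when pppd may hand out a different address on each call.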
Thanks!!!
Pablo

On Mon, 17-05-2004 at 15:21, Tom Eastep wrote:
> Pablo Fischer wrote:
> > I don't know if I need to edit the masq or the policy files to do this.
> > In the policy file I have:
> >
> > fw    vpn    ACCEPT
> > vpn   all    REJECT    info
> >
> > Where vpn (interfaces):
> > vpn   ppp2   detect    -
> >
> > Any ideas?
> >
>
> You will probably want to add this policy:
>
> loc   vpn    ACCEPT
>
> before the last one you show above.
>
> -Tom
--
Pablo Fischer Sandoval (pablo [arroba/at] pablo.com.mx)
Fingerprint: 5973 0F10 543F 54AE 1E41 EC81 0840 A10A 74A4 E5C0
http://www.pablo.com.mx
http://www.debianmexico.org
Ohh, I forgot:

I know that if I want vpn to be all the ppp interfaces I just need this in interfaces:

vpn   ppp+

But what if I just want vpn to be ppp1, ppp2, ppp3, ppp4? So, is this valid:

vpn   ppp1
vpn   ppp2
vpn   ppp3
vpn   ppp4

??

Thanks!!!!
Pablo

On Mon, 17-05-2004 at 15:21, Tom Eastep wrote:
> Pablo Fischer wrote:
> > I don't know if I need to edit the masq or the policy files to do this.
> > In the policy file I have:
> >
> > fw    vpn    ACCEPT
> > vpn   all    REJECT    info
> >
> > Where vpn (interfaces):
> > vpn   ppp2   detect    -
> >
> > Any ideas?
> >
>
> You will probably want to add this policy:
>
> loc   vpn    ACCEPT
>
> before the last one you show above.
>
> -Tom
--
Pablo Fischer Sandoval (pablo [arroba/at] pablo.com.mx)
Fingerprint: 5973 0F10 543F 54AE 1E41 EC81 0840 A10A 74A4 E5C0
http://www.pablo.com.mx
http://www.debianmexico.org
Pablo Fischer wrote:
> Ohh I forgot:
>
> I know that If I want vpn to be in all the ppp interfaces I just need
> this in interfaces:
>
> vpn   ppp+
>
> But can I just want vpn to be ppp1, ppp2, ppp3, ppp4
>
> So, is this valid:
>
> vpn   ppp1
> vpn   ppp2
> vpn   ppp3
> vpn   ppp4
>

Yes.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net