Can anyone tell me whether I have a routing problem, or
an openVPN problem, or something else? I've stared at this
for so long I think I must be looking in the wrong place!
I have 3 machines:
Machine A has single ethernet card, eth0, 192.168.5.5
Machine B has eth0, 192.168.5.? on the local net,
eth1, 81.2.x.y to the internet, and
tun0, 10.8.?.?, an openVPN tunnel, to C
Machine C has eth0 to the internet and
tun0, 10.8.?.?, back to B.
Out on the internet is machine D, a publicly accessible
http server - say 64.233.167.99, port 80.
Machine B is set, as per the howto, to mark packets from
A destined for D and route them out over tun0. Machine
C then masquerades them out to D.
I should mention that the tunnel works fine for access between
A (or B) and C. In particular C can happily ping A over the tunnel.
(And "everything else" is fine. "Normal" traffic has no
problem.)
The problem is that A cannot get replies from D.
Using tcpdump and adding 'LOG' rules to iptables on A, B
and C shows the packet going from A to B to C and out to
D. The reply packet returns to C, crosses the tunnel to B
and promptly vanishes. A log rule in the mangle prerouting
list on B shows the packet from the tunnel:
Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0
Similar log rules in mangle-prerouting, and in the forward (and
input) chains never log anything. The packet is never seen again.
Can anyone tell me where to look next? Is this a routing problem
or is something happening because of the tunnel setup? Or
something else???
(Machine B is fairly vanilla Debian stable with 2.4.18 kernel.)
Thanks for your patience!
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Friday 17 February 2006 09:28, Steve Tracey wrote:
> The problem is that A cannot get replies from D.
> Using tcpdump and adding 'LOG' rules to iptables on A, B
> and C shows the packet going from A to B to C and out to
> D. The reply packet returns to C, crosses the tunnel to B
> and promptly vanishes. A log rule in the mangle prerouting
> list on B shows the packet from the tunnel:
> Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
> MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
> TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
> SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0
>
> Similar log rules in mangle-prerouting, and in the forward (and
> input) chains never log anything. The packet is never seen again.
>
> Can anyone tell me where to look next? Is this a routing problem
> or is something happening because of the tunnel setup? Or
> something else???

Looks like rp_filter catches this, try setting rp_filter off on host B.
Because packets from the internet normally should come through eth1 on
host B and not on tun0.

see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634

greets,
Tami
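To make the reverse-path check Tami points at visible rather than guessed, here is an added diagnostic script (not part of the thread) that parses a LOG line like the one above, reads the rp_filter sysctls for the ingress interface, and reproduces the kernel's verdict. The interface names, the sample LOG line and the "eth1 is the route back to 64.233.167.99" result are constructed inputs.

```shell
#!/bin/sh
# Added example: explain why a reply arriving on tun0 is silently dropped
# on host B when the route back to its source points out eth1.

# Extract the IN= and SRC= fields from an iptables LOG line; prints "IN SRC".
parse_log_line() {
    echo "$1" | sed -n 's/.*IN=\([^ ]*\).*SRC=\([^ ]*\).*/\1 \2/p'
}

# The kernel applies the MAXIMUM of conf/all/rp_filter and
# conf/<iface>/rp_filter to packets arriving on <iface>.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Reproduce the reverse-path decision.
#   $1 = effective mode: 0 off, 1 strict, 2 loose (loose needs 2.6.31+;
#        a 2.4 kernel like host B's only knows 0 and 1)
#   $2 = interface the packet arrived on (IN= in the log)
#   $3 = interface the kernel would use to reach the packet's SOURCE
#        address ("" when there is no route at all)
rp_filter_verdict() {
    case "$1" in
        0) echo pass ;;                                   # no check
        1) [ "$2" = "$3" ] && echo pass || echo drop ;;   # must match
        2) [ -n "$3" ] && echo pass || echo drop ;;       # any route ok
        *) echo unknown ;;
    esac
}

# Live check on a Linux host: read the sysctls for the ingress interface
# and ask the routing table which interface leads back to SRC, which is
# exactly the comparison strict mode makes.
live_check() {
    set -- $(parse_log_line "$1")
    in_if=$1; src=$2
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    dev=$(cat /proc/sys/net/ipv4/conf/"$in_if"/rp_filter)
    route_if=$(ip route get "$src" 2>/dev/null \
        | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1)
    mode=$(effective_rp_filter "$all" "$dev")
    echo "rp_filter=$mode in=$in_if route_to_src=$route_if" \
         "-> $(rp_filter_verdict "$mode" "$in_if" "$route_if")"
}
```

Run `live_check "<the LOG line>"` on B as root to see the verdict for a real packet; on kernels newer than B's 2.4, setting mode 2 (loose) on tun0 alone keeps the spoofing check on eth1 instead of switching it off host-wide.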
Got it in one! Thanks. All ok now.
I'll go and read up on all the other conf variables.
Thanks again.
Paul Zirnik <tami@disconnected.de> wrote:
> Looks like rp_filter catches this, try setting rp_filter off on host B.
> Because packets from the internet normally should come through eth1 on
> host B and not on tun0.
> see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634
> greets,
> Tami