Networking in mol running on a firewalled machine

mol-general@lists.maconlinux.org
Thu, 30 May 2002 17:09:00 +0200


On Thu, May 30, 2002 at 04:11:50PM +0200, Geert Janssens wrote:
> The box mol is running on also serves as a firewall/router for my local 
> network. I have mol setup via the tun/tap device, but I have read that 
> the default tunconfig file is not sufficient if mol is run on a firewall 
> box.
... 
> /etc/tunconfig is a copy of the tunconfig sample that comes with the mol 
> documentation in the source tarball. I did change the network addresses 
> from 192.168.1.0/24 to 192.168.0.0/24 though, because that's what my 
> local network is using.

The tun0 interface should have its own network address. For instance,
when I used my mac box as a gateway for the local network, I used
the following configuration:

	eth0		213.100.123.123	255.255.255.0
	eth0:1		192.168.0.1	255.255.255.0
	tun0		192.168.1.1	255.255.255.0

To enable masquerading for the tun0 device, I did the following:

	iptables -t nat -s 192.168.1.0/24 \
			-d ! 192.168.1.0/24 -A POSTROUTING -j MASQUERADE

And similarly, to setup masquerading for the 192.168.0.0 network:

	iptables -t nat -s 192.168.0.0/24 \
			-d ! 192.168.0.0/24 -A POSTROUTING -j MASQUERADE

If the machine is configured as a firewall, then the default policy is 
probably to drop packets. The following ought to open up for
the tun0 interface:

	iptables -o tun0 -s 0.0.0.0/0 -d 192.168.1.0/24 \
			-t filter -A OUTPUT -j ACCEPT
	iptables -o tun0 -s 0.0.0.0/0 -d 192.168.1.0/24 \
			-t filter -A FORWARD -j ACCEPT
	iptables -i tun0 -s 192.168.1.0/24 -d 0.0.0.0/0 \
			-t filter -A FORWARD -j ACCEPT
	iptables -i tun0 -s 192.168.1.0/24 -d 0.0.0.0/0 \
			-t filter -A INPUT -j ACCEPT

This might be sufficient, but I'm not completely sure.
If not, examine what rules you are using:

	/sbin/iptables -L
	/sbin/iptables -L -t nat

It might be a good idea to change the default policy of the 
various chains to ACCEPT in order to pinpoint the problem
(this will of course effectively disable your firewall).

	iptables -P OUTPUT ACCEPT
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT

	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT

Hope this helps,

/Samuel
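The rule set from the reply above, as an added example that is not part of the original message: a parameterised script that first checks that the tun0 network does not overlap the LAN (the mistake in the question, where both were set to 192.168.0.0/24), then prints or loads the NAT and filter rules. The addresses, the `tun0` name and the `iptables` path are assumptions taken from the reply; the negation is written in the `! -d` form current iptables accepts.

```sh
#!/bin/sh
# Added example, not from the original post: parameterised version of the
# rules in the reply, with a check that tun0 has its own network. Values
# below are assumptions matching the reply; override them in the environment.
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # local network on eth0:1
TUN_NET="${TUN_NET:-192.168.1.0/24}"   # network mol's tun0 lives on
TUN_IF="${TUN_IF:-tun0}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print rules, 0 = load them

# Dotted quad to 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Succeed when two a.b.c.d/n networks overlap (compared under the shorter prefix).
nets_overlap() {
    p=${1#*/}; [ "${2#*/}" -lt "$p" ] && p=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Print or execute one iptables command.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Emit the NAT and filter rules; refuse if tun0 would share the LAN's network.
mol_rules() {
    if nets_overlap "$TUN_NET" "$LAN_NET"; then
        echo "error: $TUN_IF network $TUN_NET overlaps LAN $LAN_NET" >&2
        return 1
    fi
    # masquerade traffic from each private network when it leaves that network
    run -t nat -A POSTROUTING -s "$TUN_NET" ! -d "$TUN_NET" -j MASQUERADE
    run -t nat -A POSTROUTING -s "$LAN_NET" ! -d "$LAN_NET" -j MASQUERADE
    # open the filter chains for the tun interface only, not globally
    run -t filter -A OUTPUT  -o "$TUN_IF" -d "$TUN_NET" -j ACCEPT
    run -t filter -A FORWARD -o "$TUN_IF" -d "$TUN_NET" -j ACCEPT
    run -t filter -A FORWARD -i "$TUN_IF" -s "$TUN_NET" -j ACCEPT
    run -t filter -A INPUT   -i "$TUN_IF" -s "$TUN_NET" -j ACCEPT
}

# "show" prints the rule set for review; "apply" loads it (run as root).
case "${1:-}" in
    show)  DRY_RUN=1; mol_rules ;;
    apply) DRY_RUN=0; mol_rules ;;
esac
```

Run `sh mol-rules.sh show` to review the generated commands before loading them with `apply`; with the two networks set equal the script exits with an error instead of emitting rules.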