Networking in mol running on a firewalled machine

Geert Janssens mol-general@lists.maconlinux.org
Thu, 30 May 2002 18:05:49 +0200


samuel@ibrium.se wrote:

>The tun0 interface should have its own network address. For instance,
>when I used my mac box as a gateway for the local network, I used
>the following configuration:
>
Yes, that was it! I used the same 192.168.0.1 address for both the tun0 
device and my eth0. I changed the ifconfig entry in the tunconfig script 
and now all works fine.

I chose 192.168.0.2 as IP address, so the tun0 device gets the same 
ruling in my firewall.

Thanks for your fast response,

Geert Janssens

>
>	eth0		213.100.123.123	255.255.255.0
>	eth0:1		192.168.0.1	255.255.255.0
>	tun0		192.168.1.1	255.255.255.0
>
>To enable masquerading for the tun0 device, I did the following:
>
>	iptables -t nat -s 192.168.1.0/24 \
>			-d ! 192.168.1.0/24 -A POSTROUTING -j MASQUERADE
>
>And similarly, to setup masquerading for the 192.168.0.0 network:
>
>	iptables -t nat -s 192.168.0.0/24 \
>			-d ! 192.168.0.0/24 -A POSTROUTING -j MASQUERADE
>
>If the machine is configured as a firewall, then the default policy is 
>probably to drop packets. The following ought to open up for
>the tun0 interface:
>
>	iptables -o tun0 -s 0.0.0.0/0 -d 192.168.1.0/24 \
>			-t filter -A OUTPUT -j ACCEPT
>	iptables -o tun0 -s 0.0.0.0/0 -d 192.168.1.0/24 \
>			-t filter -A FORWARD -j ACCEPT
>	iptables -i tun0 -s 192.168.1.0/24 -d 0.0.0.0/0 \
>			-t filter -A FORWARD -j ACCEPT
>	iptables -i tun0 -s 192.168.1.0/24 -d 0.0.0.0/0 \
>			-t filter -A INPUT -j ACCEPT
>
>This might be sufficient, but I'm not completely sure.
>If not, examine what rules you are using:
>
>	/sbin/iptables -L
>	/sbin/iptables -L -t nat
>
>It might be a good idea to change the default policy of the 
>various chains to ACCEPT in order to pinpoint the problem
>(this will of course effectively disable your firewall).
>
>	iptables -P OUTPUT ACCEPT
>	iptables -P INPUT ACCEPT
>	iptables -P FORWARD ACCEPT
>
>	iptables -t nat -P PREROUTING ACCEPT
>	iptables -t nat -P POSTROUTING ACCEPT
>	iptables -t nat -P OUTPUT ACCEPT
>
>Hope this helps,
>
>/Samuel
>
>_______________________________________________
>mol-general mailing list
>mol-general@lists.maconlinux.org
>http://lists.maconlinux.org/mailman/listinfo/mol-general
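The configuration decision discussed in this thread, as an added example that is not code from the thread or from the MOL project: the address given to tun0 must not be the address already bound to eth0, and a tun0 network of its own needs its own MASQUERADE and filter rules. The script classifies a proposed tun0 address against eth0's (identical address, same subnet as Geert's 192.168.0.2, or a separate network as in Samuel's layout) and, for a separate network, prints rules in the shape of Samuel's. Interface names and addresses are assumed sample values; the rules are printed, not applied, and the script uses the current `! -d` negation syntax rather than the older `-d !` form shown above.

```shell
#!/bin/sh
# Added example (not from the original thread or the MOL project).
# Checks the address chosen for tun0 against the one on eth0 and prints
# the iptables rules a separate tun0 network needs. Nothing here touches
# a live system; the rules are only printed so they can be reviewed.

# Dotted-quad IPv4 address to an integer, pure POSIX sh arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Integer back to dotted quad.
int_to_ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Network number of ADDR/PREFIX as an integer (host bits cleared).
net_of() {
    addr=$(ip_to_int "$1")
    host_bits=$(( 32 - $2 ))
    echo $(( (addr >> host_bits) << host_bits ))
}

# Network of ADDR/PREFIX in CIDR form, e.g. cidr_of 192.168.1.1 24 -> 192.168.1.0/24
cidr_of() {
    echo "$(int_to_ip "$(net_of "$1" "$2")")/$2"
}

# Classify the tun0 address against eth0's:
#   "duplicate"     (returns 2): identical address, the setup that broke
#                   networking in the thread
#   "shared-subnet" (returns 1): tun0 inside eth0's network, Geert's choice;
#                   the rules written for eth0's network already cover it
#   "own-subnet"    (returns 0): a network of its own, Samuel's layout,
#                   which needs the separate rules printed by rules_for_tun
classify_tun_addr() {
    eth_addr=$1; eth_prefix=$2; tun_addr=$3; tun_prefix=$4
    if [ "$(ip_to_int "$eth_addr")" -eq "$(ip_to_int "$tun_addr")" ]; then
        echo duplicate; return 2
    fi
    # Overlap test: compare both networks at the shorter of the two prefixes.
    short=$eth_prefix
    if [ "$tun_prefix" -lt "$short" ]; then short=$tun_prefix; fi
    if [ "$(net_of "$eth_addr" "$short")" -eq "$(net_of "$tun_addr" "$short")" ]; then
        echo shared-subnet; return 1
    fi
    echo own-subnet; return 0
}

# Rules for a tun network of its own, in the shape of Samuel's: masquerade
# traffic leaving the tun network, and let tun0 traffic through a filter
# table whose default policy is DROP.
rules_for_tun() {
    ifname=$1; net=$2   # e.g. tun0 192.168.1.0/24
    echo "iptables -t nat -A POSTROUTING -s $net ! -d $net -j MASQUERADE"
    echo "iptables -t filter -A OUTPUT  -o $ifname -d $net -j ACCEPT"
    echo "iptables -t filter -A FORWARD -o $ifname -d $net -j ACCEPT"
    echo "iptables -t filter -A FORWARD -i $ifname -s $net -j ACCEPT"
    echo "iptables -t filter -A INPUT   -i $ifname -s $net -j ACCEPT"
}

main() {
    # Constructed sample layout from the thread: eth0 on 192.168.0.1/24;
    # the tun0 address may be passed as the first argument.
    eth_addr=192.168.0.1; eth_prefix=24
    tun_addr=${1:-192.168.1.1}; tun_prefix=24
    classify_tun_addr "$eth_addr" "$eth_prefix" "$tun_addr" "$tun_prefix"
    case $? in
        2) echo "tun0 must not reuse eth0's address $eth_addr" >&2; return 1 ;;
        1) echo "tun0 shares eth0's network; the rules for $(cidr_of "$eth_addr" "$eth_prefix") apply" ;;
        0) rules_for_tun tun0 "$(cidr_of "$tun_addr" "$tun_prefix")" ;;
    esac
}

main "$@"
```

Printing rather than applying the rules keeps the check usable on the firewall host itself: once the classification comes back `own-subnet`, the output can be reviewed and piped to `sh`, which avoids the `-P ACCEPT` diagnostic mentioned above that switches the firewall off while you look for the problem.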