On Sep 27, 2016, at 8:21 AM, Armin Tüting <armin.tuet...@tueting-online.com> wrote:

> On Di, 2016-09-27 at 07:35 -0500, Lonnie Abelbeck wrote:
> 
> ...
> 
>>> I've made the suggested changes, but still no joy!
>>> I'm seeing the traffic arriving with tcpdump, but the chain
>>> 'EXT_INPUT_CHAIN' doesn't show the packet.
>> 
>> Please be more precise, from what source IP are you trying to reach
>> which destination IP using which service (SSH, SIP, etc.).  Precisely
>> what Firewall rule is defined to allow that on the external interface?
> I'm trying to reach 192.168.60.6 (EXTIP) from 192.168.10/24 or
> 192.168.50/24 on tcp port ssh and tcp port sip.
> Excerpt from "arno-iptables-firewall status EXT_INPUT_CHAIN"
>     0     0 ACCEPT     udp  --  +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>     0     0 ACCEPT     tcp  -   +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060

Are you really doing SIP over TCP on port 5060 ?  Or do you want UDP ?

Also, you do not want to access AstLinux's SIP from 192.168.10/24 and 
192.168.50/24 via 192.168.60.6, which adds one level of NAT; instead use 
192.168.40.6, which is not NAT'ed.

>>> From a 192.168.10.0/24 or 192.168.50.0/24 network does "ssh
>>> root@192.168.40.6" work ?
> Yup - that's fine!

Good, 192.168.40.6 should be the address used by 192.168.10.0/24 and 
192.168.50.0/24 networks for AstLinux services.


>> Without NAT_FOREIGN_NETWORK your 192.168.10.0/24 and 192.168.50.0/24
>> networks could not ping www.google.com (upstream from eth0), does
>> that work now ?
> ping google.com goes a different route - I'm afraid!
> I want to do a simple ping 192.168.60.6 from 192.168.10/24 or
> 192.168.50/24.  I'm able to see them arriving on eth0 with tcpdump!
> Do these packets need to pass EXT_INT_CHAIN?

The EXT_INPUT_CHAIN is followed if the destination is 192.168.60.6 which is on 
eth0.

Display INPUT chain:
--
iptables -nvL INPUT
--

> Does EXTIF allow any "private" addresses?  My assumption is as follows:
> they'll be processed within iptables and won't be discarded.

Yes, by default private addresses are allowed.


Lonnie
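For readers working through the same diagnosis (rule counters in EXT_INPUT_CHAIN, TCP versus UDP for SIP, traffic visible in tcpdump but absent from the chain), here is an added example that is not part of this thread and not code from arno-iptables-firewall or AstLinux. It is a small POSIX shell script that parses the text of `iptables -nvL <chain>`, reports the packet counter of the rule for a given protocol and destination port, flags rules whose "prot" column disagrees with the trailing match clause (as in the udp / "tcp dpt:22" line quoted above), and sums the chain's counters to show whether any traffic traverses the chain at all. The chain listing embedded in the script is constructed sample text, not output captured from Armin's box; on a real system you would pass `"$(iptables -nvL EXT_INPUT_CHAIN)"` to the functions instead.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread or arno-iptables-firewall).
# They parse the text of `iptables -nvL <chain>`; the input below is constructed.

# Constructed sample listing. The first rule deliberately reproduces the
# prot=udp versus "tcp dpt:22" inconsistency seen in the quoted excerpt.
SAMPLE_CHAIN='Chain EXT_INPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  +      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060
   12   960 ACCEPT     udp  --  +      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060'

# rule_pkts LISTING PROTO DPORT
# Prints the pkts counter of the first ACCEPT rule whose match clause is
# "PROTO dpt:DPORT", or "none" when the chain has no such rule.
rule_pkts() {
    printf '%s\n' "$1" | awk -v want="$2 dpt:$3" '
        NF > 2 && $3 == "ACCEPT" && ($(NF-1) " " $NF) == want {
            print $1; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# mismatch_count LISTING
# Counts ACCEPT rules whose "prot" column disagrees with the protocol named
# in the trailing match clause (for example prot=udp but "tcp dpt:22").
mismatch_count() {
    printf '%s\n' "$1" | awk '
        NF > 2 && $3 == "ACCEPT" && $(NF-1) ~ /^(tcp|udp)$/ && $4 != $(NF-1) { n++ }
        END { print n + 0 }'
}

# chain_pkts LISTING
# Sums the pkts column over all rules (skipping the two header lines). A total
# of zero while tcpdump shows the packets on the wire means the traffic is not
# being steered through this chain at all.
chain_pkts() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { s += $1 } END { print s + 0 }'
}

# Stand-alone run against the constructed sample.
echo "tcp/22   pkts: $(rule_pkts "$SAMPLE_CHAIN" tcp 22)"
echo "tcp/5060 pkts: $(rule_pkts "$SAMPLE_CHAIN" tcp 5060)"
echo "udp/5060 pkts: $(rule_pkts "$SAMPLE_CHAIN" udp 5060)"
echo "prot/match mismatches: $(mismatch_count "$SAMPLE_CHAIN")"
echo "total pkts in chain:   $(chain_pkts "$SAMPLE_CHAIN")"
```

The two checks correspond to the two questions raised in the reply: a rule whose prot column is udp cannot match the TCP SSH traffic the "tcp dpt:22" clause suggests was intended, and a chain whose counters all stay at zero points at the packets never reaching that chain, which is what listing the INPUT chain with `iptables -nvL INPUT` is meant to show.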


------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
