Richard,

On Mon, Jan 07, 2002 at 07:20:38PM +0000, richard wrote:
> Thanks to everyone who helped with this, Peter, Stil & co.

No probs.


> a mixture of 3 problems all interacting
> 1. the issue of bastille-netfilter that supplied with the mandrake 8.1
> distro is very long in the tooth 0.99-beta7, upgrading to 1.26 allowed
> the following additions to work.

Yes, annoyingly some distributions have little "oldnesses" about them
like this. Red Hat 7.x, for instance, still has Perl 5.6.0 despite
5.6.1 being current for some time. Then again, with the myriad
combinations possible, they can't test for everything, and commercial
pressures to get the next version out before their competitors means
that only core elements get a thorough treatment...


> 2. needed to add to the custom section the following rules
> #----------------IPIP tunneling--------------------------------
>       ${IPTABLES} -A PUB_IN -p 93 -i eth1 -j ACCEPT
>       ${IPTABLES} -A PUB_IN -p 4 -i eth1 -j ACCEPT
> 3. not a bastille problem but one of the tunnels appeared to be using
> both ip-protocol 4 & 93, strange thing was tcpdump continually showed it
> as proto 93, the bastille fail log showed it as ip proto 4  !!!

Ah! Now here's something I didn't spot before, doubtless due to my
lack of specific experience with IPIP.

Looking in my Red Hat-ish /etc/protocols, which is where the protocol
names are translated into numbers, I notice the following lines (shown
here out of context):

ipencap 4       IP-ENCAP        # IP encapsulated in IP (officially ``IP'')
ax.25   93      AX.25           # AX.25 Frames
ipip    94      IPIP            # Yet Another IP encapsulation

Presumably "The Third Tunnel" is carrying AX.25 frames (unencrypted?)
as well as IP-ENCAP?


> there still some minor tweaks needed as the occasional block of data
> gets dropped.

Yes, this is the general trouble-shooting process from here on in. Most
things are working, but occasionally things get blocked. You check the
logs to see *where* they were blocked, figure out what the traffic is
and decide whether it's something you wish to allow, and add a rule if
you do.

Best of luck!

Stil


-- 
: Stilgherrian, Director of Operations, prussia.net
: Internet infrastructure services focussing on the essentials
: http://www.prussia.net/
: ARBN BN97858688, ABN 15 148 757 893
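As an added illustration of the troubleshooting loop Stil describes (this is not code from the thread or from Bastille), a small Python triage script: it parses the three /etc/protocols lines quoted above, matches netfilter drop-log lines against the two custom ACCEPT rules Richard added, and names each protocol number so that 4 (ipencap) and 94 (ipip) are not confused. The log prefix, addresses and log lines are constructed for the example.

```python
import re

# Constructed excerpt: the three /etc/protocols lines quoted in the thread.
PROTOCOLS_EXCERPT = """\
ipencap 4       IP-ENCAP        # IP encapsulated in IP (officially ``IP'')
ax.25   93      AX.25           # AX.25 Frames
ipip    94      IPIP            # Yet Another IP encapsulation
"""

# The two custom rules from the thread: (chain, IP protocol number, input interface).
CUSTOM_RULES = [("PUB_IN", 93, "eth1"), ("PUB_IN", 4, "eth1")]

# Constructed netfilter-style drop log lines (prefix and addresses are made up).
SAMPLE_LOGS = [
    "kernel: PUB_IN drop: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=84 PROTO=4",
    "kernel: PUB_IN drop: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=84 PROTO=93",
    "kernel: PUB_IN drop: IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.20 LEN=84 PROTO=94",
]

LOG_RE = re.compile(r"IN=(?P<iface>\S*) .*?PROTO=(?P<proto>\d+)")


def parse_protocols(text):
    """Map protocol number -> canonical name from /etc/protocols-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        name, number = line.split()[:2]       # "name number [aliases...]"
        table[int(number)] = name
    return table


def triage(log_lines, rules, protocols):
    """For each drop log line return (iface, proto, name, covered).

    'covered' is True when a custom ACCEPT rule already matches that
    protocol on that interface: a drop that is still logged then points at
    rule ordering or the wrong interface rather than a missing rule."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        iface, proto = m.group("iface"), int(m.group("proto"))
        name = protocols.get(proto, "unknown(%d)" % proto)
        covered = any(p == proto and i == iface for _, p, i in rules)
        results.append((iface, proto, name, covered))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS, CUSTOM_RULES, parse_protocols(PROTOCOLS_EXCERPT)):
        print("iface=%s proto=%d (%s) covered_by_custom_rule=%s" % row)
```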
