--On Tuesday, November 12, 2002 10:04:20 AM -0600 "David A. Bright" <[EMAIL PROTECTED]> wrote:

I've been trying to set up a LEAF/Bering firewall at home to allow a
connection to my employer's VPN (PPTP). Here is a rough picture of my
connection:

Win98 client ---> Bering ---> Router ---> ISP ---> Internet ---> Company

My internal network (Win98 -> Bering) uses a private IP space
(192.168.1.0/24). I'm connected to my ISP via a DSL connection in bridge
mode, so my router also has a private IP (192.168.x.y, x != 1). The ISP
then does NAT on that, so my packets are NAT'ed twice, once at the Bering
firewall and again by my ISP. I've got a fairly straightforward Shorewall
configuration on the Bering box, defining just two zones (net and loc).
Outgoing traffic from loc to net is allowed, related traffic is allowed
back in. RFC1918 addresses are not allowed to flow from net -> loc, except
for those on my bridge connection (192.168.x.y) to the ISP.

What I see happening is that packets coming back from the company are
getting rejected by the "norfc1918" rule, as shown by the trace below
(just two messages are shown, I get a bunch more but they are all pretty
much the same):

Nov  9 02:29:15 firewall kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT=eth0
SRC=192.168.p.q DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=20062
PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.x.y DST=a.b.c.d LEN=50 TOS=0x00
PREC=0x00 TTL=125 ID=28417 PROTO=47 ]

This is an ICMP type 3, code 1 packet (Port Unreachable) being returned by 192.168.p.q. I suspect that box is behind a NAT gateway (or is the internal IP of a NAT gateway) and that gateway isn't handling NAT of ICMP properly, so the RFC 1918 address isn't being translated back into the external address of the gateway.

The packet is being trapped in your Shorewall rfc1918 chain because it has a source IP reserved by RFC 1918. The packet has already had its destination IP rewritten to 192.168.1.1, so it is that box that sent the original packet, which we can see in square brackets (a GRE packet from 192.168.x.y to a.b.c.d).

Check the firewall configuration at the other end to be sure that it is accepting protocol 47.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ [EMAIL PROTECTED]
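An added example, not code from either message in this thread: a small Python parser for Shorewall LOG lines of the kind quoted above. It pulls the bracketed original packet out of the ICMP error and flags the combination Tom describes (private-space source, ICMP type 3, embedded protocol 47/GRE). The sample line and every address in it are constructed placeholders, not the poster's real values.

```python
import ipaddress
import re

# Constructed sample, modelled on the quoted line; p.q / x.y / a.b.c.d replaced
# with documentation-range and private placeholder octets.
SAMPLE_LOG = (
    "Nov  9 02:29:15 firewall kernel: Shorewall:rfc1918:DROP:IN=eth1 OUT=eth0 "
    "SRC=192.168.50.1 DST=192.168.1.1 LEN=56 TOS=0x00 PREC=0x00 TTL=253 ID=20062 "
    "PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.50.2 DST=203.0.113.10 LEN=50 TOS=0x00 "
    "PREC=0x00 TTL=125 ID=28417 PROTO=47 ]"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GRE_PROTO = "47"  # IP protocol number used by PPTP's data channel


def parse_shorewall_line(line):
    """Split a Shorewall/iptables LOG line into its outer KEY=VALUE fields plus the
    bracketed original packet that an ICMP error message carries (empty if none)."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)", line)
    if not m:
        return None
    rest, inner = m.group("rest"), {}
    bm = re.search(r"\[(.*?)\]", rest)
    if bm:  # inner packet header quoted by the kernel for ICMP errors
        inner = dict(kv.split("=", 1) for kv in bm.group(1).split() if "=" in kv)
        rest = rest[: bm.start()]
    outer = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"chain": m.group("chain"), "action": m.group("action"), "outer": outer, "inner": inner}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def explain_drop(line):
    """Diagnose an rfc1918-chain drop: returns a short reason string, or None when the
    line is not an rfc1918 drop with a private source address."""
    rec = parse_shorewall_line(line)
    if rec is None or rec["chain"] != "rfc1918":
        return None
    outer, inner = rec["outer"], rec["inner"]
    if not is_rfc1918(outer.get("SRC", "0.0.0.0")):
        return None
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and inner:
        proto = "GRE" if inner.get("PROTO") == GRE_PROTO else inner.get("PROTO")
        return (f"ICMP unreachable (code {outer.get('CODE')}) from private address {outer['SRC']} "
                f"about a {proto} packet {inner.get('SRC')} -> {inner.get('DST')}; "
                "likely an ICMP error left untranslated by a NAT hop on the path")
    return f"private source {outer['SRC']} arriving on {outer.get('IN')}"
```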

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
