Hi all, I have an Untangle box, which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more. It has three physical interfaces on it: eth0 (incoming traffic), eth1 (outgoing to LAN after traffic is filtered), and eth2 (called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface set up by Untangle for VPN (not using the OpenVPN in Untangle because I need a bridged VPN and this is not an option in Untangle's offering), a br0.eth interface set up by Untangle to bridge eth0 and eth1 for traffic to flow through, as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have set up by a bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN. The routes on the machine are as follows:
Code:
untangle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br.eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.0.2.0 * 255.255.255.0 U 0 0 0 dummy0
192.0.2.0 * 255.255.255.0 U 0 0 0 utun
untangle:~#
I don't see a default route listed here; however, I do have Internet connectivity on the Untangle box itself. I also know that my script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, as I do have the gateway set through the web-based admin interface Untangle offers.
The iptables rules are as follows:
Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall
-N alpaca-nat-firewall
-A INPUT -i ! utun -p tcp -m tcp --dport 9500:9627 -m conntrack --ctstate INVALID,NEW -j DROP
-A INPUT -p udp -m multiport --dports 68 -j RETURN
-A INPUT -p udp -m mark --mark 0x2/0x2 -m multiport --dports 67 -j RETURN
-A INPUT -j alpaca-firewall
-A INPUT -p udp -m multiport --dports 67 -j DROP
-A FORWARD -m mark --mark 0x0/0x40000000 -j alpaca-firewall
-A FORWARD -i br.eth0 -g alpaca-nat-firewall
-A alpaca-firewall -m mark --mark 0x0/0xc000000 -j RETURN
-A alpaca-firewall -m mark --mark 0x8000000/0x8000000 -j DROP
-A alpaca-firewall -p tcp -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with tcp-reset
-A alpaca-firewall -m mark --mark 0x4000000/0x4000000 -j REJECT --reject-with icmp-port-unreachable
-A alpaca-nat-firewall -m conntrack --ctstate DNAT -j RETURN
-A alpaca-nat-firewall -m mark --mark 0x80000000/0x80000000 -j RETURN
-A alpaca-nat-firewall -o tun0 -j DROP
untangle:~# iptables -L -v
Chain INPUT (policy ACCEPT 3514K packets, 534M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- !utun any anywhere anywhere tcp dpts:9500:9627 ctstate INVALID,NEW
142 47146 RETURN udp -- any any anywhere anywhere multiport dports bootpc
0 0 RETURN udp -- any any anywhere anywhere mark match 0x2/0x2 multiport dports bootps
1677K 254M alpaca-firewall all -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere multiport dports bootps
Chain FORWARD (policy ACCEPT 1351 packets, 198K bytes)
pkts bytes target prot opt in out source destination
0 0 alpaca-firewall all -- any any anywhere anywhere mark match 0x0/0x40000000
0 0 alpaca-nat-firewall all -- br.eth0 any anywhere anywhere [goto]
Chain OUTPUT (policy ACCEPT 3610K packets, 711M bytes)
pkts bytes target prot opt in out source destination
Chain alpaca-firewall (2 references)
pkts bytes target prot opt in out source destination
1641K 248M RETURN all -- any any anywhere anywhere mark match 0x0/0xc000000
35363 5672K DROP all -- any any anywhere anywhere mark match 0x8000000/0x8000000
0 0 REJECT tcp -- any any anywhere anywhere mark match 0x4000000/0x4000000 reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere mark match 0x4000000/0x4000000 reject-with icmp-port-unreachable
Chain alpaca-nat-firewall (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhere ctstate DNAT
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000
0 0 DROP all -- any tun0 anywhere anywhere
There was an additional output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2; I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, and I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything, either in that subnet or not. If I run iftop I can see the incoming traffic from my ping, but the server sends out no reply. I think this is a firewall issue. Any help would be greatly appreciated. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface, which is in my main LAN. Any help would be appreciated. I am also attaching a crude diagram of the previous setup and the new setup (the previous setup used a different server for my bridged VPN).
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule.
The exact original iptables information before I modified anything can be viewed at
http://www.scheidel21.com/viewpage.php?page_id=4
Again thank you in advance for any assistance.
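A practical way to answer "do I have a rule killing this traffic?" is to see which DROP/REJECT counters move while the ping is running. The following is an added example, not code from the post or from Untangle: a small parser for the `iptables -L -v` listing pasted above that reports every terminating rule with a non-zero packet count, so the listing can be captured before and after a ping and the two results compared. The SAMPLE text is a subset of the chains shown in the post.

```python
import re

# Sample taken from the `iptables -L -v` listing in the post (a subset of chains).
SAMPLE = """\
Chain INPUT (policy ACCEPT 3514K packets, 534M bytes)
 pkts bytes target prot opt in out source destination
 0 0 DROP tcp -- !utun any anywhere anywhere tcp dpts:9500:9627 ctstate INVALID,NEW
 1677K 254M alpaca-firewall all -- any any anywhere anywhere
 0 0 DROP udp -- any any anywhere anywhere multiport dports bootps
Chain alpaca-firewall (2 references)
 pkts bytes target prot opt in out source destination
 1641K 248M RETURN all -- any any anywhere anywhere mark match 0x0/0xc000000
 35363 5672K DROP all -- any any anywhere anywhere mark match 0x8000000/0x8000000
 0 0 REJECT tcp -- any any anywhere anywhere mark match 0x4000000/0x4000000 reject-with tcp-reset
Chain alpaca-nat-firewall (1 references)
 pkts bytes target prot opt in out source destination
 0 0 DROP all -- any tun0 anywhere anywhere
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_count(token):
    """Turn an iptables counter such as '35363', '1641K' or '248M' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_iptables_lv(text):
    """Return {chain: [rule, ...]} from `iptables -L -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if not f or f[0] == "pkts":  # blank line or column header
            continue
        if f[0] == "Chain":
            current = f[1]
            chains[current] = []
        elif current is not None and len(f) >= 9:
            chains[current].append({"pkts": parse_count(f[0]), "target": f[2],
                                    "in": f[5], "out": f[6],
                                    "extra": f[9] if len(f) > 9 else ""})
    return chains

def active_verdicts(text, verdicts=("DROP", "REJECT")):
    """Terminating rules whose packet counter is non-zero, i.e. the ones actually
    eating traffic, as (chain, target, pkts, in, out, match text)."""
    return [(c, r["target"], r["pkts"], r["in"], r["out"], r["extra"])
            for c, rules in parse_iptables_lv(text).items()
            for r in rules if r["target"] in verdicts and r["pkts"] > 0]
```

On a live box, feed it the output of `iptables -L -v` (and `iptables -t nat -L -v` / `iptables -t mangle -L -v`, since Untangle sets its marks there) taken just before and just after a ping, and look at which entries' counters changed.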