Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
#1 | 07-17-2012, 06:03 AM | Member | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
PPTP VPN Ping Problem
I have installed PPTP on a SuSE 11.3 machine and can connect to it from a WinXP client, but I can't get any further!
The server is on a public IP address, port-forwarded to an internal address.
I can ping the VPN server and the router by IP address and NetBIOS name, but I cannot ping any other machines on the network. Port 1723/GRE is open on the VPN server.
I'm not sure what I should have for "localip" in pptpd.conf
I have tried:
192.168.1.1 (router)
192.168.1.12 (vpn server)
xxx.xxx.xxx.xxx (vpn server public address)
192.168.1.12,192.168.1.14 (vpn and fixed ip machine)
but I still can't ping that machine at 192.168.1.14, although I can ping it locally.
Name resolution is by LMHosts at present, but I would like to set up browsing once the basics are running.
Any help gratefully (desperately!) received.
#2 | 07-17-2012, 09:58 AM | Member | Registered: Jan 2010 | Distribution: Debian, Centos, Ubuntu, Slackware | Posts: 361
What about accepting traffic in the FORWARD chain, on the pptp interface, in your iptables? Doesn't it block the traffic?
If you want to access other pptp clients, you should allow it in iptables, and there is a specific option for that in the pptp server, if I'm not mistaken.
If you want to access some other network behind the pptp-server through the pptp-tunnel, you also have to play with the routing table.
#3 | 07-18-2012, 03:36 AM | Member | Registered: Apr 2009 | Location: Perth, Australia | Distribution: Ubuntu/CentOS | Posts: 208
Please post the output of these two commands so that we can assist you further:
Code:
cat /proc/sys/net/ipv4/ip_forward
iptables-save
#4 | 07-18-2012, 02:06 PM | Member (Original Poster) | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
Quote: Originally Posted by SuperJediWombat!
Please post the output of these two commands so that we can assist you further:
Code:
cat /proc/sys/net/ipv4/ip_forward
iptables-save
I assume you mean the VPN server, not the unreachable machine at .14.
BTW, I don't seem to be able to map a drive manually either, although there are several shares on Echo1.
Code:
Echo1:~ # cat /proc/sys/net/ipv4/ip_forward
1
Code:
Echo1:~ # iptables-save
# Generated by iptables-save v1.4.8 on Wed Jul 18 19:55:31 2012
*raw
:PREROUTING ACCEPT [447:78325]
:OUTPUT ACCEPT [327:33503]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Jul 18 19:55:31 2012
# Generated by iptables-save v1.4.8 on Wed Jul 18 19:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i ppp0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i ppp0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --sport 137 -m state --state RELATED -j ACCEPT
-A input_ext -p gre -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1723 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1723 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m udp --dport 138 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 60116 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 60116 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 35657 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 35657 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 111 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 111 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 52512 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 52512 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 55994 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 55994 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 52512 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 52512 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 55994 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 55994 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 58020 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 58020 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 53517 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 53517 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 58020 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 58020 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 53517 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 53517 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Jul 18 19:55:31 2012
Thanks for your help.
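Post #2 points at the FORWARD chain, and the dump above shows why: FORWARD has a DROP policy, traffic arriving on ppp0 is sent to forward_ext, and forward_ext only accepts ICMP replies in RELATED,ESTABLISHED before dropping everything else, so a VPN client's first packet towards the LAN never gets through. The script below is an added example, not code from the thread or from SuSEfirewall2: it parses an iptables-save filter table and walks the FORWARD chain (following jumps into user chains) to report whether any rule could ACCEPT a new connection entering on a given interface. The embedded input is an excerpt of the posted dump, cut down to the chains and rules that decide the verdict; the repeated ICMP and RPC accept rules are omitted because they do not change the outcome.

```python
"""Added example (not from the thread): decide from an iptables-save dump
whether a PPTP client's first packets arriving on the ppp interface can be
forwarded to the LAN."""
import re

# Excerpt of the filter table posted in this thread (reduced to the
# chains and rules that matter for the FORWARD verdict).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
-A INPUT -i ppp0 -j input_ext
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i ppp0 -j forward_ext
-A FORWARD -j DROP
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -j DROP
-A input_ext -p gre -j ACCEPT
-A input_ext -p tcp -m tcp --dport 1723 -j ACCEPT
-A input_ext -j DROP
COMMIT
"""

# A rule with no match at all (or only an input interface) that drops/rejects:
# nothing after it in the same chain is reachable.
UNCONDITIONAL_DROP = re.compile(r"(-i \S+ )?-j (DROP|REJECT)")


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table: chain -> policy string
    ('-' marks a user-defined chain) and chain -> ordered list of rule dicts."""
    policies, rules = {}, {}
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
            continue
        m = re.match(r"-A (\S+) (.*)", line)
        if not m:
            continue
        chain, spec = m.groups()
        target = re.search(r"(?<!\S)-j (\S+)", spec)
        in_iface = re.search(r"(?<!\S)-i (\S+)", spec)
        rules.setdefault(chain, []).append({
            "spec": spec,
            "target": target.group(1) if target else None,
            "in_iface": in_iface.group(1) if in_iface else None,
            # A rule restricted to RELATED,ESTABLISHED can never admit the
            # first packet of a connection.
            "admits_new": "--state" not in spec or "NEW" in spec,
        })
    return policies, rules


def walk(policies, rules, chain, iface, depth=0):
    """Walk CHAIN in order for a new connection arriving on IFACE.
    Returns ('ACCEPT', where), ('DROP', where) or (None, None) when the
    chain ends without a verdict (the caller's policy then applies)."""
    if depth > 8:  # guard against chain loops
        return (None, None)
    for rule in rules.get(chain, []):
        if rule["in_iface"] not in (None, iface):
            continue  # bound to a different interface
        if rule["target"] == "ACCEPT" and rule["admits_new"]:
            return ("ACCEPT", "%s: %s" % (chain, rule["spec"]))
        if UNCONDITIONAL_DROP.fullmatch(rule["spec"]):
            return ("DROP", "%s: %s" % (chain, rule["spec"]))
        if policies.get(rule["target"]) == "-":  # jump into a user chain
            verdict, where = walk(policies, rules, rule["target"], iface, depth + 1)
            if verdict:
                return (verdict, where)
    return (None, None)


def forward_verdict(text, iface="ppp0"):
    """One-line summary of what FORWARD does with new traffic entering on IFACE."""
    policies, rules = parse_filter_table(text)
    verdict, where = walk(policies, rules, "FORWARD", iface)
    if verdict is None:
        return "%s by FORWARD policy" % policies.get("FORWARD")
    return "%s by %s" % (verdict, where)


if __name__ == "__main__":
    print(forward_verdict(IPTABLES_SAVE))
```

On the posted ruleset the verdict is "DROP by forward_ext: -j DROP", which matches the SFW2-FWDext-DROP-DEFLT log prefix you would expect to see in /var/log/messages. Swapping the ppp0 jump for a plain ACCEPT (as the test rules suggested later in the thread effectively do) flips it to ACCEPT; the checker does not consider conntrack state for the return path or the ip_forward sysctl, which the thread covers separately.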
#5 | 07-22-2012, 07:00 PM | Member (Original Poster) | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
Quote: Originally Posted by PedFleming
Commands are ok, but version of vpn australia is too old to pick the service pack. Update it from the site and restart it and make setup again.
Sorry Ped, I don't understand this. AFAIK I'm not running vpn australia but pptpd from the opensuse repository.
#6 | 07-24-2012, 12:41 AM | Member | Registered: Apr 2009 | Location: Perth, Australia | Distribution: Ubuntu/CentOS | Posts: 208
It looks as though your firewall is dropping all of the traffic from your VPN client; you should find some of the drops logged in /var/log/messages.
Is this a production machine? Is it OK to change the firewall temporarily for testing? If so, try this:
Code:
iptables -I FORWARD -s 192.168.1.14 -j ACCEPT
iptables -I FORWARD -d 192.168.1.14 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -s 192.168.1.14 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Once you have added those rules, try the connections again.
If you still have issues, post the results of these commands:
- From the VPN client
Code:
iptables-save
ifconfig
ip route
ping 192.168.1.14 -c4
ping 8.8.8.8 -c4
- From the VPN server
Code:
iptables-save
ifconfig
ip route
ping 192.168.1.12 -c4
ping 8.8.8.8 -c4
#7 | 07-25-2012, 03:47 AM | Member (Original Poster) | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
Quote: Originally Posted by SuperJediWombat!
It looks as though your firewall is dropping all of the traffic from your VPN client, you should find some of the drops logged in /var/log/messages.
Is this a production machine? Is it OK to change the firewall temporarily for testing? If so, try this:
No, it's not a production machine - yet. It was an old machine which I chose to build the VPN server on.
Unfortunately the gremlins are temporarily winning. I was hoping to get this working before the vacation. I'm now sitting on the beach worrying about this, powerless to act, and with only a dialup connection at 36K!
I'll post a reply to you in about 3 weeks' time if that is OK. Thanks for your help.
#8 | 08-15-2012, 05:45 AM | Member (Original Poster) | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
Quote: Originally Posted by SuperJediWombat!
It looks as though your firewall is dropping all of the traffic from your VPN client, you should find some of the drops logged in /var/log/messages.
Is this a production machine? Is it OK to change the firewall temporarily for testing? If so, try this:
Code:
iptables -I FORWARD -s 192.168.1.14 -j ACCEPT
iptables -I FORWARD -d 192.168.1.14 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -s 192.168.1.14 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
iptables -I INPUT -p gre -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Once you have added those rules, try the connections again.
If you still have issues, post the results of these commands:
- From the VPN client
Code:
iptables-save
ifconfig
ip route
ping 192.168.1.14 -c4
ping 8.8.8.8 -c4
- From the VPN server
Code:
iptables-save
ifconfig
ip route
ping 192.168.1.12 -c4
ping 8.8.8.8 -c4
OK, back in the saddle.
I have added all the iptables entries you suggested, but the situation is no different.
The client is a Windows box, so I can't run the Linux commands.
The server results have been produced using PuTTY; I hope this is what you meant.
Here are the results from the server:
Code:
Echo1:/etc # iptables-save
# Generated by iptables-save v1.4.8 on Wed Aug 15 11:27:20 2012
*raw
:PREROUTING ACCEPT [22:1488]
:OUTPUT ACCEPT [13:1078]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Aug 15 11:27:20 2012
# Generated by iptables-save v1.4.8 on Wed Aug 15 11:27:20 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --sport 137 -m state --state RELATED -j ACCEPT
-A input_ext -p gre -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1723 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1723 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m udp --dport 138 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 2049 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 59845 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 59845 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 60210 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 60210 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 111 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 111 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 111 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 53638 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 53638 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 32879 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32879 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 53638 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 53638 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 32879 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 32879 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 49075 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 49075 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 52584 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 52584 -j ACCEPT
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -m udp --dport 49075 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 49075 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m state --state NEW -m tcp --dport 52584 -j LOG --log-prefix "SFW2-INext-ACC-RPC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 52584 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Aug 15 11:27:20 2012
Code:
Echo1:/etc # ifconfig
eth0 Link encap:Ethernet HWaddr 00:48:54:51:C9:CB
inet addr:192.168.1.12 Bcast:192.168.1.127 Mask:255.255.255.128
inet6 addr: fe80::248:54ff:fe51:c9cb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62217 errors:0 dropped:0 overruns:0 frame:0
TX packets:62576 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30099034 (28.7 Mb) TX bytes:10752615 (10.2 Mb)
Interrupt:11 Base address:0x8000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:515 errors:0 dropped:0 overruns:0 frame:0
TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:56336 (55.0 Kb) TX bytes:56336 (55.0 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.1.1 P-t-P:192.168.1.112 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1396 Metric:1
RX packets:37 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3938 (3.8 Kb) TX bytes:108 (108.0 b)
Code:
Echo1:/etc # ip route
192.168.1.0/25 dev eth0 proto kernel scope link src 192.168.1.12
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0
Code:
Echo1:/etc # ping 192.168.1.14 -c4
PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=0.637 ms
64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=0.534 ms
64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=0.533 ms
64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=0.534 ms
--- 192.168.1.14 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.533/0.559/0.637/0.050 ms
Code:
Echo1:/etc # ping 8.8.8.8 -c4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=38.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=38.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=37.8 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=38.2 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 37.832/38.435/38.871/0.480 ms
The client pings are:
Code:
C:\Documents and Settings\Rick>ping 192.168.1.12
Pinging 192.168.1.12 with 32 bytes of data:
Reply from 192.168.1.12: bytes=32 time=84ms TTL=64
Reply from 192.168.1.12: bytes=32 time=163ms TTL=64
Reply from 192.168.1.12: bytes=32 time=124ms TTL=64
Reply from 192.168.1.12: bytes=32 time=129ms TTL=64
Ping statistics for 192.168.1.12:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 84ms, Maximum = 163ms, Average = 125ms
With "Use remote gateway enabled"...
Code:
C:\Documents and Settings\Rick>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Using local gateway...
Code:
C:\Documents and Settings\Rick>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=56ms TTL=52
Reply from 8.8.8.8: bytes=32 time=58ms TTL=52
Reply from 8.8.8.8: bytes=32 time=57ms TTL=52
Reply from 8.8.8.8: bytes=32 time=56ms TTL=52
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% l
Approximate round trip times in milli-seconds:
Minimum = 56ms, Maximum = 58ms, Average = 56ms
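Post #2 also warned that reaching the LAN through the tunnel means looking at the routing table, and the ifconfig and ip route output above is where that shows. The script below is an added example, not code from the thread, pptpd or pppd: it parses classic ifconfig and ip route output and raises findings about how the ppp peer is addressed and routed. The embedded input is the relevant lines of the posted output, and the three findings it raises on them are read straight off those lines: the ppp0 local address (192.168.1.1) is the same as the default gateway, the longest-prefix route covering the peer 192.168.1.112 is the eth0 LAN route rather than a ppp0 host route, and the peer sits inside eth0's 192.168.1.0/25 subnet. The remedy named in the last finding (pppd's proxyarp option, or giving clients a separately routed subnet) is standard pppd practice and not advice given in the thread.

```python
"""Added example (not from the thread): sanity-check a PPTP server's tunnel
addressing and routes from `ifconfig` and `ip route` output."""
import ipaddress
import re

# Relevant lines of the ifconfig / ip route output posted in this thread.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:48:54:51:C9:CB
inet addr:192.168.1.12 Bcast:192.168.1.127 Mask:255.255.255.128
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.1.1 P-t-P:192.168.1.112 Mask:255.255.255.255
"""

IP_ROUTE = """\
192.168.1.0/25 dev eth0 proto kernel scope link src 192.168.1.12
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0
"""


def parse_ifconfig(text):
    """iface -> {'addr', 'mask', 'peer'} from classic (net-tools) ifconfig output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+Link encap", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {}
            continue
        if cur is None:
            continue
        for key, pat in (("addr", r"inet addr:(\S+)"), ("peer", r"P-t-P:(\S+)"),
                         ("mask", r"Mask:(\S+)")):
            m = re.search(pat, line)
            if m:
                ifaces[cur][key] = m.group(1)
    return ifaces


def parse_routes(text):
    """Return ([(network, dev), ...], default_gateway) from `ip route` output."""
    routes, default_gw = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "default":
            default_gw = parts[parts.index("via") + 1]
            continue
        routes.append((ipaddress.ip_network(parts[0]), parts[parts.index("dev") + 1]))
    return routes, default_gw


def check_ppp_addressing(ifconfig_text, route_text, ppp="ppp0"):
    """Return a list of findings about how the ppp peer is addressed and routed."""
    ifaces = parse_ifconfig(ifconfig_text)
    routes, default_gw = parse_routes(route_text)
    local, peer = ifaces[ppp]["addr"], ifaces[ppp]["peer"]
    peer_ip = ipaddress.ip_address(peer)
    findings = []

    # 1. The server's own end of the tunnel must not reuse another host's address.
    if local == default_gw:
        findings.append("%s local address %s is also the default gateway" % (ppp, local))

    # 2. Longest-prefix match: which route actually carries packets to the peer?
    covering = [r for r in routes if peer_ip in r[0]]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        findings.append("no route covers peer %s" % peer)
    elif best[1] != ppp:
        findings.append("peer %s is routed via %s (%s), not %s" % (peer, best[1], best[0], ppp))

    # 3. A peer inside a LAN subnet is only reachable from LAN hosts if the
    #    server answers ARP for it (pppd 'proxyarp') or the LAN routes to it.
    for name, info in ifaces.items():
        if name == ppp or "mask" not in info or "addr" not in info:
            continue
        net = ipaddress.ip_network("%s/%s" % (info["addr"], info["mask"]), strict=False)
        if peer_ip in net:
            findings.append("peer %s lies inside %s's subnet %s; LAN hosts will ARP for it, "
                            "so the server needs proxy ARP or the peer a separately routed "
                            "subnet" % (peer, name, net))
    return findings


if __name__ == "__main__":
    for finding in check_ppp_addressing(IFCONFIG, IP_ROUTE):
        print("-", finding)
```

The checks are deliberately independent of each other: a firewall that forwards everything still leaves LAN hosts unable to answer a peer they think is on their own segment, and a clean routing setup still fails if the server's tunnel address collides with the router's. Run it against your own output after each change to the localip/remoteip settings to see which findings disappear.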
#9 | 10-02-2012, 04:16 AM | Member (Original Poster) | Registered: Oct 2005 | Distribution: SuSe | Posts: 41
BTW, I gave up on this installation and upgraded to SUSE 12.1. That was not easy in itself, but I have finally got it working. When I can get around to it I'll post a wiki, but the guts of how to do it are on the openSUSE networking forum. I have one final issue, how to set up the hosts and lmhosts files on my laptop, which is the subject of a new post.
Thanks for the help.