I have set up a VPN between my home machine (SuSE Linux) and my office network (FreeBSD). However, the VPN only works if I disable the firewall on my home machine.
When the firewall is active and I try to ping a host on my office network, I never get the ping replies, and I find many such lines in my /var/log/messages file:
Jul 18 22:46:47 linux kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp1 OUT= MAC= SRC=192.168.229.1 DST=192.168.229.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56225 DF PROTO=ICMP TYPE=0 CODE=0 ID=18198 SEQ=1
Some other details on my setup:
VPN method: ppp-over-ssh
interface to my ISP: ppp0
VPN interface: ppp1
local IP (ppp1): 192.168.229.2
remote IP (ppp1): 192.168.229.1
My firewall rules generated by SuSE Firewall2:
Output of "iptables -L":
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- loopback/8 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
LOG all -- anywhere loopback/8 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP all -- loopback/8 anywhere
DROP all -- anywhere loopback/8
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-ILLEGAL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning tcp-options ip-options prefix `SuSE-FW-TRACEROUTE-ATTEMPT '
DROP icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp network-prohibited
ACCEPT icmp -- anywhere anywhere icmp host-prohibited
ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
DROP icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR '
Sure, iptables is something new to me (I am rather familiar with FreeBSD's ipfw), but I have been reading its HOWTO for hours now, and I still cannot grasp why the ping replies (and any other traffic via the VPN) are dropped.
As far as I can judge from the "SuSE-FW-ILLEGAL-TARGET" prefix in the log file, the packets might be dropped by the last rule of the INPUT chain.
What I do not understand: how can those packets reach that rule, when they should already match the first (ACCEPT all -- anywhere anywhere) rule of the INPUT chain?
Am I overlooking something?
But the main question is: what rule do I need to insert, and where, to enable the VPN connection via ppp1 to my office network?
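As an added example (not part of the original post), here is a small Python script that parses SuSEfirewall2 LOG lines like the one quoted above and groups them by the IN= interface. The check it supports: plain `iptables -L` does not print the in/out interface columns, so a rule shown as "ACCEPT all -- anywhere anywhere" may well carry an interface match (commonly `-i lo`; that is an assumption, since the listing does not show it) that traffic arriving on ppp1 does not satisfy. `iptables -L -v -n` or `iptables-save` shows the full match, and the LOG line itself records IN=ppp1. The sample log text is constructed: the first ICMP line mirrors the quoted one, and the second ICMP line, the ppp0 line and the sshd line are invented to exercise the parser. The suggested rule assumes, as the post itself guesses, that the drop happens in the INPUT chain.

```python
import re
from collections import Counter

# Constructed sample lines in the SuSEfirewall2 LOG format quoted in the post.
# The two ppp1 ICMP lines mirror the quoted one (ICMP TYPE=0 is an echo reply);
# the ppp0 line and the sshd line are invented so the parser has unrelated
# entries to separate out or skip.
SAMPLE_LOG = """\
Jul 18 22:46:47 linux kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp1 OUT= MAC= SRC=192.168.229.1 DST=192.168.229.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56225 DF PROTO=ICMP TYPE=0 CODE=0 ID=18198 SEQ=1
Jul 18 22:46:48 linux kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp1 OUT= MAC= SRC=192.168.229.1 DST=192.168.229.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56226 DF PROTO=ICMP TYPE=0 CODE=0 ID=18198 SEQ=2
Jul 18 22:47:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=ppp0 OUT= MAC= SRC=127.0.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 18 22:47:05 linux sshd[1234]: Accepted publickey for user from 10.0.0.9 port 51234 ssh2
"""

# "kernel: <log-prefix> KEY=VALUE KEY=VALUE ..." ; only the SuSE-FW- prefix
# family is assumed here, matching the prefixes in the posted rule set.
LOG_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z-]+) (?P<fields>.*)$")


def parse_line(line):
    """Return (prefix, fields) for a firewall LOG line, or None for other lines.

    fields maps KEY -> VALUE for every KEY=VALUE token; bare tokens such as DF
    or SYN are collected under "flags". ID= occurs twice in ICMP lines (IP
    header ID, then ICMP ID), so the first occurrence wins.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)
        else:
            fields["flags"].append(tok)
    return m.group("prefix"), fields


def summarize(text):
    """Count logged packets per (prefix, in-interface, proto, src, dst).

    Grouping on IN= is the point: "iptables -L" without -v hides the
    interface match of a rule, but the LOG target always records the
    interface a packet arrived on.
    """
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        key = (prefix, f.get("IN", ""), f.get("PROTO", ""),
               f.get("SRC", ""), f.get("DST", ""))
        counts[key] += 1
    return counts


def drops_on_interface(counts, iface):
    """Number of logged packets that arrived on the given interface."""
    return sum(n for (_prefix, in_if, *_rest), n in counts.items() if in_if == iface)


def suggest_rule(iface, peer, chain="INPUT"):
    """Build an iptables command that accepts traffic from the tunnel peer.

    Inserting at position 1 places it ahead of the LOG/DROP rules at the end
    of the chain. Matching on both -i and -s limits it to the point-to-point
    tunnel; whether to trust everything from the peer is the reader's policy
    decision, not something this script settles.
    """
    return f"iptables -I {chain} 1 -i {iface} -s {peer} -j ACCEPT"


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for (prefix, in_if, proto, src, dst), n in sorted(counts.items()):
        print(f"{n:4d}  {prefix:28s} IN={in_if:5s} {proto:4s} {src} -> {dst}")
    print(suggest_rule("ppp1", "192.168.229.1"))
```

Run against a real /var/log/messages the same way (read the file instead of SAMPLE_LOG); if every ILLEGAL-TARGET entry has IN=ppp1, compare that with the output of `iptables -L -v -n` to see which rule's interface match the first ACCEPT actually carries.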