LinuxQuestions.org
Old 07-18-2004, 05:42 PM   #1
J_Szucs
Iptables troubles


I have set up a VPN between my home machine (SuSE Linux) and my office network (FreeBSD). However, the VPN only works if I disable the firewall on my home machine.
When the firewall is active and I try to ping a host on my office network, I never get the ping replies, and I find many lines like this in my /var/log/messages file:

Jul 18 22:46:47 linux kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp1 OUT= MAC= SRC=192.168.229.1 DST=192.168.229.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56225 DF PROTO=ICMP TYPE=0 CODE=0 ID=18198 SEQ=1

Some other details on my setup:
- VPN method: ppp-over-ssh
- interface to my ISP: ppp0
- VPN interface: ppp1
- local IP (ppp1): 192.168.229.2
- remote IP (ppp1): 192.168.229.1

My firewall rules generated by SuSE Firewall2:
Output of "iptables -L":
Code:
Chain INPUT (policy DROP) 
target     prot opt source               destination 
ACCEPT     all  --  anywhere             anywhere 
LOG        all  --  loopback/8           anywhere         LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING ' 
LOG        all  --  anywhere             loopback/8         LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING ' 
DROP       all  --  loopback/8           anywhere 
DROP       all  --  anywhere             loopback/8 
LOG        all  --  anywhere             anywhere           LOG level warning tcp-options ip-options prefix `SuSE-FW-ILLEGAL-TARGET ' 
DROP       all  --  anywhere             anywhere  

Chain FORWARD (policy DROP) 
target     prot opt source               destination 
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU  

Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
ACCEPT     all  --  anywhere             anywhere 
LOG        icmp --  anywhere             anywhere           icmp time-exceeded LOG level warning tcp-options ip-options prefix `SuSE-FW-TRACEROUTE-ATTEMPT ' 
DROP       icmp --  anywhere             anywhere           icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere           icmp fragmentation-needed 
ACCEPT     icmp --  anywhere             anywhere           icmp network-prohibited 
ACCEPT     icmp --  anywhere             anywhere           icmp host-prohibited 
ACCEPT     icmp --  anywhere             anywhere           icmp communication-prohibited 
DROP       icmp --  anywhere             anywhere           icmp destination-unreachable 
ACCEPT     all  --  anywhere             anywhere           state NEW,RELATED,ESTABLISHED 
LOG        all  --  anywhere             anywhere           LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR '
Sure, iptables is something new to me (I am rather familiar with FreeBSD's ipfw), but I have been reading its HOWTO for hours now, and I still cannot grasp why the ping replies (and any other traffic via the VPN) are dropped.
As far as I can judge from the "SuSE-FW-ILLEGAL-TARGET" prefix in the log file, the packets might be dropped by the last rule of the INPUT chain.
What I do not understand: how can those packets reach that rule, when they should match just the first (accept all anywhere anywhere) rule of the INPUT chain?
Am I overlooking something?

But the main question is: what rule do I insert, and where, to enable the VPN connection via ppp1 to my office network?

Last edited by J_Szucs; 07-18-2004 at 05:50 PM.
 
Old 07-18-2004, 09:59 PM   #2
ppuru
Giving you a stock answer...

iptables -nvL

would give you a better understanding of the ipfilter rules. Using iptables -L does not list the interfaces.

Last edited by ppuru; 07-18-2004 at 10:00 PM.
 
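The reply above is the whole answer in one line: plain "iptables -L" prints "anywhere anywhere" for a rule that is in fact restricted to one interface, so the first ACCEPT in the poster's INPUT chain never matches packets arriving on ppp1, and they fall through to the SuSE-FW-ILLEGAL-TARGET LOG and DROP pair. The script below is an added example, not code from the thread or from SuSEfirewall2. It takes a constructed "iptables -nvL INPUT" listing (counters invented; the assumption that the first ACCEPT is "-i lo", which is what SuSEfirewall2 typically generates, is ours, since the posted "-L" output cannot show it), walks a packet through the chain with a toy matcher, and prints the "iptables -I" command that inserts an ACCEPT for the VPN peer ahead of the logging rule. The interface and addresses are the ones given in the first post.

```shell
#!/bin/sh
# Added example (not from the original thread): simulate how the INPUT chain
# treats a packet arriving on a given interface, using the "in"/"out" columns
# that "iptables -nvL" prints and "iptables -L" hides.
#
# Constructed sample of "iptables -nvL INPUT" (counters invented). "in=lo" on
# the first ACCEPT is our assumption about what SuSEfirewall2 generated.
SAMPLE_INPUT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120 10000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       127.0.0.0/8          0.0.0.0/0            LOG level warning prefix SuSE-FW-DROP-ANTI-SPOOFING
    0     0 LOG        all  --  *      *       0.0.0.0/0            127.0.0.0/8          LOG level warning prefix SuSE-FW-DROP-ANTI-SPOOFING
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8
   42  3528 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG level warning prefix SuSE-FW-ILLEGAL-TARGET
   42  3528 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# VPN parameters from the first post; the rule itself is our proposal.
VPN_IFACE=ppp1
VPN_REMOTE=192.168.229.1
VPN_LOCAL=192.168.229.2
VPN_RULE_LINE="    0     0 ACCEPT     all  --  $VPN_IFACE   *       $VPN_REMOTE        $VPN_LOCAL"

# walk_chain IFACE SRC DST: read a -nvL chain listing on stdin and report the
# first terminating rule the packet hits, e.g. "DROP at rule 7 (logged by rule 6)".
# Toy matcher: interface matches "*" or the exact name; addresses match
# 0.0.0.0/0, octet-aligned prefixes (/8, /16, /24) or an exact host.
# LOG is non-terminating, so the walk continues after it.
walk_chain() {
    awk -v ifc="$1" -v src="$2" -v dst="$3" '
    function cidr_match(net, addr,   np, na, aa, bits, k, i) {
        if (net == "0.0.0.0/0") return 1
        split(net, np, "/"); bits = (np[2] == "") ? 32 : np[2] + 0
        k = int(bits / 8)
        split(np[1], na, "."); split(addr, aa, ".")
        for (i = 1; i <= k; i++) if (na[i] != aa[i]) return 0
        return 1
    }
    /^Chain/ || $3 == "target" { next }          # skip listing headers
    NF == 0 { next }
    {
        n++
        if ($6 != "*" && $6 != ifc) next          # -i restriction (hidden by -L)
        if (!cidr_match($8, src) || !cidr_match($9, dst)) next
        if ($3 == "LOG") { logged = n; next }     # log and keep walking
        printf "%s at rule %d%s\n", $3, n, (logged ? (" (logged by rule " logged ")") : "")
        done = 1; exit
    }
    END { if (!done) print "chain policy applies" }'
}

# Verdict with the chain as posted, and with the VPN rule inserted as rule 1.
verdict_current() { printf '%s\n' "$SAMPLE_INPUT" | walk_chain "$@"; }
verdict_fixed()   { printf '%s\n%s\n' "$VPN_RULE_LINE" "$SAMPLE_INPUT" | walk_chain "$@"; }

# The matching iptables command (printed, not executed: it needs root).
# It accepts only the VPN peer's address on ppp1, not everything on the link.
fix_command() {
    echo "iptables -I INPUT 1 -i $VPN_IFACE -s $VPN_REMOTE -d $VPN_LOCAL -j ACCEPT"
}

echo "ping reply on $VPN_IFACE, chain as posted: $(verdict_current "$VPN_IFACE" "$VPN_REMOTE" "$VPN_LOCAL")"
echo "same packet after the fix:                $(verdict_fixed "$VPN_IFACE" "$VPN_REMOTE" "$VPN_LOCAL")"
echo "apply with: $(fix_command)"
```

Two practical caveats. A rule inserted by hand disappears the next time SuSEfirewall2 regenerates its chains, so the durable fix is to declare ppp1 as a trusted interface in /etc/sysconfig/SuSEfirewall2 (its FW_DEV_INT setting) and let it rebuild the rules; and the inserted rule is deliberately narrow, matching only the tunnel peer's address on the tunnel interface, so a packet from any other source on ppp1 still ends up in the ILLEGAL-TARGET log.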
Old 07-19-2004, 06:27 PM   #3
J_Szucs
Original Poster
Stock answer:
Thanks, it works now.
 