I have a CentOS 4.5 Linux machine which acts as my connection to the internet and firewall. Behind that, I have a small set of machines which are masqueraded through it to the Internet,
using IPTABLES.

The Linux machine has a 'lo' interface, as well as an internal (INT) interface for the local machines, and an external (EXT) interface for the connection to the Internet.

This all works fine.

Now, I am trying to add a PPP connection from my office Linux
machine to my machine at home. The PPP connection comes up
properly, and routes are added as needed, and connectivity
from my home Linux machine to my office network works as expected.

The problem is that my local (masqueraded) machines at home are not able to get IP packets to the office machines and back again.

I've added the following IPTABLES commands to my firewall scripts, but still cannot get the packets through:

$IPTABLES -A INPUT -i ppp0 -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A FORWARD -o ppp0 -j ACCEPT

I believe the problem is that the IPTABLES firewall needs to do some special NATing for the PPP interface.

Is this something I can get some help with on this forum? I can provide more details about my configuration, of course, but wanted to keep this initial message short and readable.

Thanks,

the bold - try to replace with this line :

$IPTABLES -A FORWARD -i ppp0 -o <your_intintf> -j ACCEPT

and for the NAT -- i dont have a clue where the traffic will be redirect since you dont give any code.


HTH,

Cheers.

I changed that FORWARD rule as you've suggested, but no change. I think the problem is in the natting anyway, so let me show you what I'm doing there:

- PPPIP is the IP address for the PPP tunnel on the home side

$IPTABLES -A INPUT -i ppp0 -s 0.0.0.0/0 -d $PPPIP \
-m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -o $INTIF -j ACCEPT
This used to say ppp0, rather than $INTIF

$IPTABLES -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPPIP


If you need to see all my rules, I can provide them...

Thanks,

hi,

hmmm... OK, lets see whether the packet can go outside to the remote office using tcpdump on ppp0. or maybe it can go outside but your machine cant receive reply.

or for the simplicity --- just disable iptables first to check whether you can really send/receive the traffic (more over you use NAT).

i'll be waiting.

cheers.

I ran tcpdump -i ppp0 on my local Linux machine and saw that
when I pinged an IP at my office from the local Linux machine,
the packets were sent and received.

However, when I attempted to ping the same IP at my office from
my local masqueraded PC, there was no output from tcpdump.

I'm not sure what you are asking for here. If I disable iptables, I'll lose the NATting functionaltiy as well, won't I?


Thank you so much for taking the time to help me.

Incidentally, I've been reading through the iptables tutorial, but nothing helpful gained just yet. I'll also be ordering the Linux Firewalls book by Robert Ziegler, but would sure like to get this working in the meantime.

I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.

The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface.

I really appreciate the help, and realize that I still need to learn more about how to configure the iptables rules, and will continue to do so.

Here are the rules that I added to my firewall script in support of the PPP tunnel. If you see anything wrong with these, I would sure like to hear about it.

Thanks again!

INTIF is my internal interface (eth0)
EXTIF is my external interface (eth1)
UNIVERSE=0.0.0.0/32
INTNET=is my internal network (10.1.1.0/24)
PPPIF=ppp0
PPPIP is the IP address of my local Linux machine on the home-end of the PPP tunnel

$IPTABLES -A INPUT -i $PPPIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $PPPIF -p ICMP -s $UNIVERSE -d $PPPIP -j ACCEPT
$IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $PPPIF -s $PPPIP -d $UNIVERSE -j ACCEPT

$IPTABLES -A FORWARD -o $PPPIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $PPPIF -j ACCEPT
$IPTABLES -A FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $PPPIF -j SNAT --to $PPPIP

hi MarkEHansen,

sorry for the very late reply

"I know that my iptables rules are working to masquerade my in-home machines, so I went through all the rules and created similar rules for the PPP interface.

The result is that my in-home machines are now able to ping the machines located on my office network, via the PPP interface."

well, congrats then

from yours :
$IPTABLES -A INPUT -i $PPPIF -s $UNIVERSE -d $PPPIP -m state --state ESTABLISHED,RELATED -j ACCEPT

and

$IPTABLES -A FORWARD -i $PPPIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

and

$IPTABLES -t nat -A POSTROUTING -o $PPPIF -j SNAT --to $PPPIP


this is the key to succesfully accept a connection.

cheers.