ip_conntrack working?


This topic contains 0 replies, has 0 voices, and was last updated by  Simetrical 12 years, 2 months ago.

  • #40581

    Simetrical
    Member

    Hello guys,

    I have zeroshell with:

    LAN1 (172.22.0.0)
    –Bridge Eth0-Eth1
    |
    |
    ZeroShell 1
    |
    VPN-Eth1
    |
    Internet
    |
    VPN-Eth1
    |
    ZeroShell 2
    |
    |
    –Bridge Eth0-Eth1
    LAN2(172.22.0.0)

    Eth0 – Internal
    Eth1 – External
    VPN0 – Lan-to-Lan(eth1)
    Bridge0 – Eth0&VPN0(eth1)

    We are trying to use the same IP address range in two different offices over a point-to-point line. Network 172.22.0.0/16.
    We want to discard all unnecessary traffic in both offices, and we are using firewall rules for it, but ..... NEW, ESTABLISHED and RELATED connections don't work.

    Example:

    9 BRIDGE00 * ACCEPT tcp opt — in BRIDGE00 out * 172.22.0.0/16 -> 172.22.0.0/16 state NEW,ESTABLISHED tcp dpt:22 no
    10 * BRIDGE00 ACCEPT tcp opt — in * out BRIDGE00 172.22.0.0/16 -> 172.22.0.0/16 state NEW,ESTABLISHED tcp dpt:22

    These rules aren't working: I can send the "SYN packet" but the "SYN ACK packet" doesn't come back, because the zeroshell iptables firewall with the states NEW, ESTABLISHED and RELATED isn't working.

    I can create a rule for the returning packets and it works, but then I need 4 rules per service, and I don't want to have 80+ rules in zeroshell, because with 50+ rules I have other problems with zeroshell.
    What is the problem??

    Sorry for my English, and thanks for your time.
    If you need more info, don't hesitate to ask me.

    Best regards.

    #45235

    imported_fulvio
    Participant

    You should not use the BRIDGE00 interface in your iptables rules, but its components VPN00 and ETH00; also, it makes no sense to use NEW and ESTABLISHED together.
    If, for example, you want only the connections initiated from your LAN to be forwarded to the VPN, you just have to configure the firewall to look like the following:

    Chain FORWARD (policy ACCEPT 7 packets, 588 bytes)
    pkts bytes target prot opt in out source destination
    8 672 ACCEPT all — VPN00 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all — VPN00 * 0.0.0.0/0 0.0.0.0/0
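The FORWARD chain from the answer above, replayed against a few constructed packets so the effect of the two rules is visible. This is an added example written for this page, not ZeroShell's or netfilter's code: it models conntrack as a set of 5-tuples (RELATED helpers are not modelled), assumes, as the answer says, that forwarded packets are matched on the member interfaces VPN00/ETH00 rather than BRIDGE00, and uses made-up addresses and ports. A SYN leaving the LAN is accepted by the default policy and creates a flow; the SYN-ACK coming back in on VPN00 is ESTABLISHED and hits the first rule; an unsolicited SYN arriving on VPN00 is NEW and falls through to the DROP.

```python
"""Toy stateful FORWARD chain (added example, not ZeroShell/netfilter code).

Assumptions, labelled here and in the lead-in:
  - packets are seen by iptables on VPN00 / ETH00, not on BRIDGE00;
  - conntrack marks the first packet of a flow NEW and every later packet
    of a known flow (either direction) ESTABLISHED; RELATED is not modelled.
"""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]             # None matches any input interface
    states: Optional[FrozenSet[str]]  # None means no "state" match at all
    target: str                      # ACCEPT or DROP


class Conntrack:
    """Flow table keyed by 5-tuple; the reverse tuple belongs to the same flow."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def state(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, p: Packet) -> None:
        # Only a packet that was ACCEPTed creates the conntrack entry,
        # which is why a dropped SYN never opens a hole for its replies.
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


class ForwardChain:
    def __init__(self, rules: List[Rule], policy: str = "ACCEPT") -> None:
        self.rules = rules
        self.policy = policy   # the answer's chain has policy ACCEPT
        self.ct = Conntrack()

    def verdict(self, p: Packet) -> str:
        st = self.ct.state(p)
        verdict = self.policy
        for r in self.rules:          # first matching rule wins
            if r.in_if is not None and r.in_if != p.in_if:
                continue
            if r.states is not None and st not in r.states:
                continue
            verdict = r.target
            break
        if verdict == "ACCEPT":
            self.ct.confirm(p)
        return verdict


def answer_ruleset() -> ForwardChain:
    """The two FORWARD rules shown in the answer, in order."""
    return ForwardChain([
        Rule("VPN00", frozenset({"RELATED", "ESTABLISHED"}), "ACCEPT"),
        Rule("VPN00", None, "DROP"),
    ])


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: LAN-initiated SSH plus one unsolicited inbound SYN."""
    fw = answer_ruleset()
    lan_syn = Packet("ETH00", "172.22.1.10", "172.22.2.20", 40000, 22)
    syn_ack = Packet("VPN00", "172.22.2.20", "172.22.1.10", 22, 40000)
    remote_syn = Packet("VPN00", "172.22.2.30", "172.22.1.10", 40001, 22)
    return {
        "lan_syn": fw.verdict(lan_syn),        # policy ACCEPT, flow created
        "syn_ack": fw.verdict(syn_ack),        # ESTABLISHED -> rule 1 ACCEPT
        "remote_syn": fw.verdict(remote_syn),  # NEW on VPN00 -> rule 2 DROP
    }


if __name__ == "__main__":
    for name, v in run_scenario().items():
        print(f"{name:11s} {v}")
```

The point the model makes concrete is that the return direction needs no per-service rule at all: one RELATED,ESTABLISHED accept on the inbound interface covers the replies of every LAN-initiated connection, and the catch-all DROP on the same interface is what actually blocks the remote side from opening anything.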
