ip_conntrack working?
March 26, 2007 at 10:48 am #40581
Simetrical (Member)

Hello guys,
I have Zeroshell with:

LAN1 (172.22.0.0)
--Bridge Eth0-Eth1
|
|
ZeroShell 1
|
VPN-Eth1
|
Internet
|
VPN-Eth1
|
ZeroShell 2
|
|
--Bridge Eth0-Eth1
LAN2 (172.22.0.0)

Eth0 - Internal
Eth1 - External
VPN0 - Lan-to-Lan (eth1)
Bridge0 - Eth0 & VPN0 (eth1)

We are trying to use the same IP addresses in two different offices with a point-to-point line. Network 172.22.0.0/16.
We want to discard all unnecessary traffic in both offices. We are using firewall rules for it, but ... NEW, ESTABLISHED and RELATED connections don't work. Example:

9 BRIDGE00 * ACCEPT tcp opt -- in BRIDGE00 out * 172.22.0.0/16 -> 172.22.0.0/16 state NEW,ESTABLISHED tcp dpt:22 no
10 * BRIDGE00 ACCEPT tcp opt -- in * out BRIDGE00 172.22.0.0/16 -> 172.22.0.0/16 state NEW,ESTABLISHED tcp dpt:22

These rules aren't working: I can send the SYN packet, but the SYN ACK packet doesn't come back, because the Zeroshell iptables firewall with states NEW, ESTABLISHED and RELATED isn't working.
I can create a rule for the return packets and it works, but then I must have 4 rules per service, and I don't want to have 80+ rules in Zeroshell, because with 50+ rules I have other problems with Zeroshell.
What is the problem?

Sorry for my English and thanks for your time.
If you need more info, don't hesitate to ask me.

Best regards.
March 28, 2007 at 7:58 pm #45235
imported_fulvio (Participant)

You should not use the BRIDGE00 interface in your iptables rules, but its components VPN00 and ETH00; also, it makes no sense to use NEW and ESTABLISHED together.
If, for example, you want only the connections initiated from your LAN to be forwarded to the VPN, you just have to configure the firewall to look like the following:

Chain FORWARD (policy ACCEPT 7 packets, 588 bytes)
pkts bytes target prot opt in out source destination
8 672 ACCEPT all -- VPN00 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- VPN00 * 0.0.0.0/0 0.0.0.0/0
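The two FORWARD rules in the answer above, written out as the iptables commands that produce that listing. This is an added illustration, not part of the original thread and not Zeroshell's own configuration. The interface name VPN00 and the RELATED,ESTABLISHED / DROP pair come from the listing; the script itself, its DRY_RUN switch (it only prints the commands unless you set DRY_RUN=0 as root) and the show_tracking helper are my assumptions. It uses the classic `-m state` match of the ip_conntrack era; on a newer kernel `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example (not from Zeroshell): emit or apply the FORWARD rules from
# the answer above.  DRY_RUN=1 (default) only prints the iptables commands;
# DRY_RUN=0 applies them and needs root.
DRY_RUN="${DRY_RUN:-1}"
VPN_IF="${VPN_IF:-VPN00}"   # assumed name of the VPN side of the bridge, as in the listing

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Only connections initiated from the LAN may cross the VPN:
#  1. packets coming back in from VPN00 that conntrack already knows
#     (replies, plus RELATED flows such as ICMP errors) are accepted;
#  2. everything else arriving from VPN00 is a NEW connection from the far
#     office and is dropped.
# Order matters: the ACCEPT must precede the DROP, and no NEW rule is needed
# on this interface at all.
forward_rules() {
    ipt -A FORWARD -i "$VPN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -j DROP
}

# After opening a test connection from the LAN, dump what conntrack tracks.
# /proc/net/ip_conntrack is the ip_conntrack file on 2.6 kernels;
# nf_conntrack replaced it on later kernels.
show_tracking() {
    if [ -r /proc/net/ip_conntrack ]; then
        cat /proc/net/ip_conntrack
    elif [ -r /proc/net/nf_conntrack ]; then
        cat /proc/net/nf_conntrack
    else
        echo "no conntrack table found: is the conntrack module loaded?" >&2
        return 1
    fi
}

forward_rules
```

After applying the rules, `iptables -L FORWARD -v -n` should show the same two lines as the listing, and the ACCEPT counter should grow only when a connection opened from the LAN gets its replies back. On a bridged box there is one more check worth making before blaming conntrack: bridged frames only reach the FORWARD chain when bridge-netfilter is active, i.e. `sysctl net.bridge.bridge-nf-call-iptables` reports 1; with it at 0, iptables never sees the bridged traffic at all.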