 From:  Horst dot Ritter at mach dot com
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Blocked traffic even proper rules on the WAN Interface
 Date:  Thu, 14 Oct 2004 18:26:58 +0200
Dear community,

Due to the fact that m0n0wall cannot handle NAT in combination with VPN
(see
http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=96&actionargs[]=82)
I attempted to solve it as follows. I've applied one private IP for the
transfer network and one public IP on the same device as shown below:

root@vpn:~#ip address show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:xx:yy:cc:ff:aa brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/30 scope global eth1
    inet 217.xx.yy.zz/32 scope global eth1

To make the Linux server use the public IP address all the time, I applied
the following command:

root@vpn:~# ip route ch default via 10.0.0.1 src 217.xx.yy.zz

root@vpn:~# ip rou li
10.0.0.0/30 dev eth0  proto kernel  scope link  src 10.0.0.2
127.0.0.0/8 dev lo  scope link
default via 10.0.0.1 dev eth0  src 217.xx.yy.zz
root@vpn:~#

This means that all IP traffic will be routed by default to the gateway
10.0.0.1 (LAN Interface@m0n0wall)
using the public IP address 217.xx.yy.zz.

So, this workaround works fine for VPN as well as for traffic from
217.xx.yy.zz to the public internet.
But all other attempts coming from the public Internet to the inside LAN
(IP address 217.xx.yy.zz) don't work. Neither FTP nor SSH (nor even ping)
has been successful. Here are the rules on the m0n0wall:

SYSTEM|STATIC ROUTES:
(Send all traffic addressed to 217.xx.yy.zz to the transfer network
'10.0.0.2:eth0@linux-server')
Interface   Network           Gateway     Description
DMZ         217.xx.yy.zz      10.0.0.2    Route to DMZ if

FIREWALL|RULES|WAN interface:
Proto   Source          Port      Destination     Port      Description
TCP     194.237.xx.yy   *         217.xx.yy.zz    22 (SSH)  Permit SSH from public internet
TCP     *               *         217.xx.yy.zz    21 (FTP)  Permit FTP from public internet
ICMP    *               *         217.xx.yy.zz    *         Permit Ping from public internet

FIREWALL|RULES|DMZ interface:
Proto   Source          Port      Destination     Port      Description
TCP     217.xx.yy.zz    22 (SSH)  194.237.xx.yy   *         Permit SSH from public internet
TCP     217.xx.yy.zz    21 (FTP)  *               *         Permit FTP from public internet
ICMP    217.xx.yy.zz    *         *               *         Permit Ping from public internet


Does anybody have an idea why it is not permitted to connect from the public
internet to 217.xx.yy.zz, even though it is permitted on the WAN interface as
shown above?

Thank you in advance for any hints and comments.

Best regards,
H.
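Added editorial example, not part of the original mail or of m0n0wall: a small packet walk that models the poster's WAN and DMZ rulesets and the static route as a stateful, default-deny firewall, so a reader can check what the rules alone would permit. It assumes (as stated in the code) that interface rules apply to packets entering that interface and that a permitted first packet creates a state entry covering the reply direction; the IP addresses are documentation-range placeholders standing in for the masked addresses in the mail.

```python
"""Packet walk through the firewall configuration described in the mail.

Editorial illustration, not m0n0wall code. Assumptions:
  * rules on an interface are evaluated against packets ENTERING it,
  * the firewall is stateful: a permitted first packet creates a state that
    passes the reply direction without consulting the rules again,
  * unmatched packets are dropped (default deny).
Placeholder addresses (constructed, documentation ranges):
  217.xx.yy.zz -> 203.0.113.10, 194.237.xx.yy -> 198.51.100.7, other host -> 192.0.2.5
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None
PUBLIC_SERVER = ipaddress.ip_address("203.0.113.10")  # stands in for 217.xx.yy.zz
REMOTE_ADMIN = ipaddress.ip_address("198.51.100.7")   # stands in for 194.237.xx.yy
STRANGER = ipaddress.ip_address("192.0.2.5")          # some other Internet host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    sport: Optional[int]
    dst: ipaddress.IPv4Address
    dport: Optional[int]

    def reverse(self) -> "Packet":
        """The reply direction of this packet, i.e. what a state entry matches."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means '*'
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    description: str

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.src is None or p.src in self.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst is None or p.dst in self.dst)
                and (self.dport is None or self.dport == p.dport))


def host(addr) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


# Rulesets transcribed from the mail's tables, placeholders substituted.
WAN_RULES = [
    Rule("TCP", host(REMOTE_ADMIN), ANY, host(PUBLIC_SERVER), 22, "Permit SSH from public internet"),
    Rule("TCP", ANY, ANY, host(PUBLIC_SERVER), 21, "Permit FTP from public internet"),
    Rule("ICMP", ANY, ANY, host(PUBLIC_SERVER), ANY, "Permit Ping from public internet"),
]
DMZ_RULES = [
    Rule("TCP", host(PUBLIC_SERVER), 22, host(REMOTE_ADMIN), ANY, "Permit SSH from public internet"),
    Rule("TCP", host(PUBLIC_SERVER), 21, ANY, ANY, "Permit FTP from public internet"),
    Rule("ICMP", host(PUBLIC_SERVER), ANY, ANY, ANY, "Permit Ping from public internet"),
]
# Firewall routing table: (prefix, egress interface, next hop); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "WAN", "upstream"),
    (ipaddress.ip_network("10.0.0.0/30"), "DMZ", "direct"),
    (host(PUBLIC_SERVER), "DMZ", "10.0.0.2"),   # the static route from the mail
]


def lookup_route(dst):
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)


def first_match(rules, packet):
    """Description of the first matching rule, or None (default deny)."""
    return next((r.description for r in rules if r.matches(packet)), None)


class StatefulFirewall:
    def __init__(self):
        self.rules = {"WAN": WAN_RULES, "DMZ": DMZ_RULES}
        self.states = set()

    def receive(self, iface, packet):
        """Return (verdict, reason, egress) for a packet entering `iface`."""
        if packet in self.states or packet.reverse() in self.states:
            reason = "existing state"          # reply/retransmit: rules not consulted
        else:
            reason = first_match(self.rules[iface], packet)
            if reason is None:
                return ("block", "no rule matched (default deny)", None)
            self.states.add(packet)
        _, egress, nexthop = lookup_route(packet.dst)
        return ("pass", reason, f"{egress} via {nexthop}")


def walk_ssh_session():
    """Walk the SSH SYN and its reply, plus two probes from an unlisted host."""
    fw = StatefulFirewall()
    syn = Packet("TCP", REMOTE_ADMIN, 51000, PUBLIC_SERVER, 22)
    return {
        "syn_on_wan": fw.receive("WAN", syn),
        "synack_on_dmz": fw.receive("DMZ", syn.reverse()),
        "dmz_rule_for_reply": first_match(DMZ_RULES, syn.reverse()),
        "stranger_ssh": fw.receive("WAN", Packet("TCP", STRANGER, 40000, PUBLIC_SERVER, 22)),
        "stranger_ftp": fw.receive("WAN", Packet("TCP", STRANGER, 40001, PUBLIC_SERVER, 21)),
    }


if __name__ == "__main__":
    for step, result in walk_ssh_session().items():
        print(f"{step:20} {result}")
```

Under these assumptions the SYN is passed by the first WAN rule and routed to 10.0.0.2 on the DMZ, and the SYN/ACK coming back on the DMZ is passed by the state entry before the DMZ rules are even consulted; the DMZ rules as listed (source port 22/21, reply direction) only ever match that return traffic, so on a stateful firewall they add nothing. The model also confirms the WAN rules do what they say (SSH only from the listed host, FTP and ping from anywhere). What it cannot tell is whether a packet for 217.xx.yy.zz reaches the WAN interface at all, which is the part no rule on the firewall can fix.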