[plug] packets not coming through
Jon Miller
jlmiller at mmtnetworks.com.au
Thu Feb 20 06:36:42 WST 2003
We have a situation where we are running a program that has a console that runs on a server at one end of a VPN and an agent that runs on the other server at the other end of the VPN. Both servers sit behind firewalls.
SrvA---LinuxFWA---router-------Internet-----router----LinuxFWB---SrvB
SrvA=192.168.1.9
LinuxFWA=192.168.1.3
LinuxFWB=192.168.0.1
SrvB=192.168.0.5
Ports that are required to be opened:
111(tcp), 1804 (udp), 20481(tcp), 20482(tcp), 20484(tcp)
On LinuxFWA the firewall is using iptables, LinuxFWB is using ipchains.
I've run iptables -L and can see the ports listed and ipchains -L which also shows the ports listed. Using a portscan I can only see 2 ports on the LinuxFWA side.
Iptables listing:
iptables -A INPUT -p udp --dport 1804 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 20481 -j ACCEPT
iptables -A INPUT -p tcp --dport 20482 -j ACCEPT
iptables -A INPUT -p tcp --dport 20484 -j ACCEPT
Ipchains listing:
/sbin/ipchains -A input -p tcp -s 192.168.1.3 -d 192.168.0.5 111 -j ACCEPT
/sbin/ipchains -A input -p udp -s 192.168.1.3 -d 192.168.0.5 1804 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 192.168.1.3 -d 192.168.0.5 20481 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 192.168.1.3 -d 192.168.0.5 20482 -j ACCEPT
/sbin/ipchains -A input -p tcp -s 192.168.1.3 -d 192.168.0.5 20484 -j ACCEPT
My question is: do I need to have the iptables listing similar to the ipchains one, where we are directing the packets from the server (-s 192.168.1.9) to its destination (-d 192.168.0.5), or keep it like the iptables listings (--dport [port number])? Also, should the -d be 192.168.0.1 (LinuxFWB)? I'm thinking it should be the LinuxFWA because there is a NAT running on both ends and the sending/receiving of packets should be directed to the sending/receiving devices, since the inside address is being translated to the firewall address. Is this correct?
Thanks
Jon L. Miller, MCNE, CNS
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
"I don't know the key to success, but the key to failure
is trying to please everybody." -Bill Cosby
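A quick way to cross-check a rule listing against the port list from the post, as an added example (not part of the original message): the script below takes rules in `iptables -S` format, checks that every required protocol/port pair has an ACCEPT rule in the chosen chain, and prints whatever is missing. The sample rules and the required list are constructed from the post; the optional chain argument (default INPUT) lets the same check be run against FORWARD.

```shell
#!/bin/sh
# Audit an iptables rule listing against the ports the application needs.
# Required pairs (proto:port) taken from the post.
REQUIRED="tcp:111 udp:1804 tcp:20481 tcp:20482 tcp:20484"

# Constructed sample in `iptables -S` style, mirroring the post's listing.
# For a live box replace it with:  RULES=$(iptables -S INPUT)
SAMPLE_RULES='-A INPUT -p udp --dport 1804 -j ACCEPT
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 20481 -j ACCEPT
-A INPUT -p tcp --dport 20482 -j ACCEPT
-A INPUT -p tcp --dport 20484 -j ACCEPT'

# rule_accepts RULES PROTO PORT [CHAIN]
# Succeeds if CHAIN (default INPUT) holds an ACCEPT rule for PROTO/--dport PORT.
# Extra matches (-s, -d, -i, ...) between the fields are allowed; the port must
# be followed by a space or end of line so 1804 does not match 18040.
rule_accepts() {
    chain="${4:-INPUT}"
    printf '%s\n' "$1" |
        grep -E -- "^-A ${chain}( .*)? -p $2( .*)? --dport $3( .*)? -j ACCEPT( |$)" >/dev/null
}

# missing_ports RULES [CHAIN]
# Prints one proto:port line for every required pair without an ACCEPT rule.
missing_ports() {
    chain="${2:-INPUT}"
    for spec in $REQUIRED; do
        proto=${spec%%:*}
        port=${spec#*:}
        rule_accepts "$1" "$proto" "$port" "$chain" || printf '%s\n' "$spec"
    done
}

# Stand-alone run against the constructed sample.
missing=$(missing_ports "$SAMPLE_RULES")
if [ -z "$missing" ]; then
    echo "INPUT: all required ports have ACCEPT rules"
else
    echo "INPUT: missing ACCEPT rules for:"; printf '%s\n' "$missing"
fi
```

Running it with `iptables -S FORWARD` as input shows whether the ports are also accepted for traffic the firewall routes on to a host behind it rather than traffic addressed to the firewall itself.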