<div dir="ltr">And this will be an ALE presentation....?<br><br>Good work!<br><br><div class="gmail_quote">On Wed, Oct 15, 2008 at 9:03 PM, Chris Fowler <span dir="ltr"><<a href="mailto:cfowler@outpostsentinel.com">cfowler@outpostsentinel.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I've got my VPN working well and I want to test something unique.<br>
<br>
I'm creating a 10.0.7.0/24 subnet for the Windows VPN clients.<br>
The server has many devices on 10.0.5.0/24, and each of those<br>
devices is a gateway to a remote network.<br>
<br>
In this scenario, I want to pretend that 10.0.7.0/24 can only be<br>
allowed access to the device behind 10.0.5.100, not 10.0.5.114. Here<br>
is what I tried:<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
ACCEPT all -- 10.0.7.0/24 10.0.5.100<br>
REJECT all -- 10.0.7.0/24 10.0.5.0/24 reject-with icmp-port-unreachable<br>
<br>
I cannot ping anything other than 10.0.5.100.<br>
I have a device with an address of 192.168.63.200 behind 10.0.5.198.<br>
I can ping that device from the server. And if I manually add a<br>
route on the Windows box, I can ping it from the Windows box even<br>
though I cannot ping the gateway for that address.<br>
<br>
What I'm trying to accomplish is the ability to lock down a client to<br>
use a specific gateway(s). If that client decides to manually<br>
add a route because they know where other stuff is located, I do<br>
not want the Linux kernel to route those packets to other gateways.<br>
<br>
<br>
Confusing?<br>
<br>
Maybe this will make it more confusing :)<br>
<br>
[root@demo etc]# route -n<br>
Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use Iface<br>
192.168.63.200 10.0.5.198 255.255.255.255 UGH 0 0 0 ppp12<br>
192.168.100.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0<br>
10.0.5.203 0.0.0.0 255.255.255.255 UH 0 0 0 ppp5<br>
10.0.5.91 0.0.0.0 255.255.255.255 UH 0 0 0 ppp11<br>
10.0.5.89 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2<br>
10.0.5.120 0.0.0.0 255.255.255.255 UH 0 0 0 ppp13<br>
10.0.5.210 0.0.0.0 255.255.255.255 UH 0 0 0 ppp6<br>
10.0.5.211 0.0.0.0 255.255.255.255 UH 0 0 0 ppp8<br>
10.0.5.208 0.0.0.0 255.255.255.255 UH 0 0 0 ppp4<br>
10.0.5.100 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1<br>
10.0.5.99 0.0.0.0 255.255.255.255 UH 0 0 0 ppp3<br>
10.0.5.198 0.0.0.0 255.255.255.255 UH 0 0 0 ppp12<br>
10.0.5.214 0.0.0.0 255.255.255.255 UH 0 0 0 ppp9<br>
10.0.5.114 0.0.0.0 255.255.255.255 UH 0 0 0 ppp10<br>
10.0.5.215 0.0.0.0 255.255.255.255 UH 0 0 0 ppp7<br>
10.0.7.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0<br>
209.168.246.192 0.0.0.0 255.255.255.192 U 0 0 0 eth0<br>
192.168.100.0 192.168.100.1 255.255.255.0 UG 0 0 0 ppp0<br>
10.0.7.0 10.0.7.2 255.255.255.0 UG 0 0 0 tun0<br>
192.168.2.0 10.0.5.100 255.255.255.0 UG 0 0 0 ppp1<br>
172.16.112.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet8<br>
209.168.246.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0<br>
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0<br>
0.0.0.0 209.168.246.193 0.0.0.0 UG 0 0 0 eth0<br>
<br>
The ppp+ interfaces are all created via vtun. The tun interfaces<br>
are owned by OpenVPN for the purpose of giving Windows access.<br>
<br>
10.0.5.0/24 are embedded Linux devices that use vtun to get back<br>
to the demo server. They are configured for NAT with eth0 as their<br>
"public" interface. That is how I'm able to ping 192.168.63.200 without<br>
telling 192.168.63.200 where 10.0.7.6 is at. The device is doing IP<br>
masquerading for me on the remote network.<br>
<br>
Thanks,<br>
Chris<br>
<br>
<br>
--<br>
<br>
Chris Fowler<br>
OutPost Sentinel, LLC<br>
Support @ SIP/<a href="mailto:support@pbx.opsdc.com">support@pbx.opsdc.com</a><br>
or 678-804-8193<br>
Email Support @ <a href="mailto:support@outpostsentinel.com">support@outpostsentinel.com</a><br>
<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>James P. Kinney III <br><br>
</div>
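The forwarding behaviour Chris describes, worked through as an added example that is not part of the thread or of anyone's posted configuration. The security-relevant point is that the FORWARD chain sees a packet's final destination (192.168.63.200), never the 10.0.5.x gateway the kernel will route it through; once the Windows client has a route for that host, neither the ACCEPT for 10.0.5.100 nor the REJECT for 10.0.5.0/24 matches, and the ACCEPT policy lets it through. The gateway only decides the outbound interface, so a rule that means "only via the 10.0.5.100 tunnel" has to match that interface (`-o`), not the address. The script below is a simplified model of the kernel's longest-prefix route lookup and first-match chain walk, fed with a route table abridged from the post; it compares the destination-based rules from the post with an interface-pinned pair. The mapping of tun0 to the OpenVPN clients and ppp1 to the 10.0.5.100 tunnel is taken from the route table, and the client address 10.0.7.6 from the post; the matching logic itself is an assumption-free but deliberately minimal model, not netfilter.

```python
"""Model of Linux route lookup plus FORWARD-chain matching for the VPN case.

Constructed example: the route table and the first rule set are transcribed
from the mailing-list post; the matching code is a simplified model of the
kernel, not the kernel itself.
"""
import ipaddress

# Routing table, abridged from `route -n` in the post: (prefix, gateway, iface).
# A gateway of None means the destination is directly on that interface.
ROUTES = [
    ("192.168.63.200/32", "10.0.5.198", "ppp12"),
    ("10.0.5.100/32", None, "ppp1"),
    ("10.0.5.114/32", None, "ppp10"),
    ("10.0.5.198/32", None, "ppp12"),
    ("10.0.7.0/24", "10.0.7.2", "tun0"),
    ("192.168.2.0/24", "10.0.5.100", "ppp1"),
    ("0.0.0.0/0", "209.168.246.193", "eth0"),
]


def route_lookup(dst):
    """Longest-prefix match: return (gateway, iface) the kernel would choose."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def rule_matches(rule, pkt):
    """A rule matches when every criterion it specifies matches the packet.
    pkt has keys src, dst, iif, oif; a rule may specify any subset of them."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "iif" in rule and rule["iif"] != pkt["iif"]:
        return False
    if "oif" in rule and rule["oif"] != pkt["oif"]:
        return False
    return True


def forward_verdict(rules, policy, src, dst, iif="tun0"):
    """Route the packet first (FORWARD runs after the routing decision), then
    walk the chain: first matching rule wins, otherwise the chain policy."""
    _, oif = route_lookup(dst)
    pkt = {"src": src, "dst": dst, "iif": iif, "oif": oif}
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"], oif
    return policy, oif


# The rule set from the post: it only looks at the destination address.
DST_RULES = [
    {"src": "10.0.7.0/24", "dst": "10.0.5.100/32", "target": "ACCEPT"},
    {"src": "10.0.7.0/24", "dst": "10.0.5.0/24", "target": "REJECT"},
]

# Interface-pinned alternative (assumed layout: VPN clients arrive on tun0 and
# the 10.0.5.100 tunnel is ppp1, as in the route table). Equivalent to:
#   iptables -A FORWARD -i tun0 -o ppp1 -j ACCEPT
#   iptables -A FORWARD -i tun0 -j REJECT
IFACE_RULES = [
    {"iif": "tun0", "oif": "ppp1", "target": "ACCEPT"},
    {"iif": "tun0", "target": "REJECT"},
]

CLIENT = "10.0.7.6"  # Windows VPN client address from the post

if __name__ == "__main__":
    for dst in ("10.0.5.100", "10.0.5.114", "192.168.63.200", "192.168.2.10"):
        for name, rules in (("dst-based", DST_RULES), ("iface-based", IFACE_RULES)):
            verdict, oif = forward_verdict(rules, "ACCEPT", CLIENT, dst)
            print(f"{name:11s} {CLIENT} -> {dst:16s} via {oif:6s} {verdict}")
```

Running it shows the leak: with the destination-based rules a packet from 10.0.7.6 to 192.168.63.200 is routed out ppp12 and hits the ACCEPT policy, while the interface-pinned pair rejects it and still lets 10.0.5.100 and the 192.168.2.0/24 network behind it (both routed out ppp1) through. Two caveats for the real box: vtun hands out ppp names at connect time, so ppp1 must be pinned to the 10.0.5.100 tunnel (for instance in that tunnel's up script) or the rule will follow whichever device lands on ppp1; and if the FORWARD policy is later changed to DROP, replies from ppp1 back to tun0 need an explicit `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule, since the catch-all above only covers packets entering on tun0.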