LinuxQuestions.org
Old 08-05-2004, 10:37 AM   #1
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Rep: Reputation: 0
Strange IPchains / Network Issue


Hi Guys,
Two networks - 10.0.0.0/8 & 192.168.1.0/24 connected through VPN - GRE Tunnel. Machines of one network can ping the other network. Ipchains Firewall gateway 10.0.0.5 in 10.0.0.0 network. Proxy Squid running on 3128 on 10.0.0.5.

Rule for 10.* network in ipchains to access proxy 10.0.0.5

/sbin/ipchains -A input -i eth1 -s 10.0.0.0/255.0.0.0 -d 10.0.0.5 3128 -p tcp -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 10.0.0.5 3128 -d 10.0.0.0/255.0.0.0 ! -y -p tcp -j ACCEPT

Rule for 192.* network in ipchains to access proxy 3128 in 10.0.0.5

/sbin/ipchains -A input -i eth1 -s 192.168.1.0/255.255.255.0 -d 10.0.0.5 3128 -p tcp -l -j ACCEPT
/sbin/ipchains -A output -i eth1 -s 10.0.0.5 3128 -d 192.168.1.0/255.255.255.0 ! -y -p tcp -l -j ACCEPT


Problem is that only one machine (let's say ABC machine, IP 192.168.1.1) from that network is able to browse the internet. None of the other machines (192.168.1.3, 192.168.1.4 etc.) are able to browse. If the IP 192.168.1.1 is given to any other machine, then that machine is not able to browse. If ABC machine is given 192.168.1.34 then it is able to browse.

How do we solve the problem? Route and reverse route for both networks are working perfectly.

Thanks,
Raghavan.S
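A toy matcher, added here and not part of the thread, that evaluates the four posted ipchains rules against constructed packets. It shows that the rules treat 192.168.1.1 and 192.168.1.3 identically, that the `-l` on the 192.* rules means each match is logged (so the kernel log on 10.0.0.5 shows whether the other machines' packets ever reach the rule), and that a packet arriving on any interface other than eth1 matches none of the rules. Rule, Packet, matches and verdict are names chosen for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    chain: str              # input / output
    iface: str              # -i
    src: str                # -s network
    sport: Optional[int]    # port given after -s, if any
    dst: str                # -d network
    dport: Optional[int]    # port given after -d, if any
    proto: str              # -p
    not_syn: bool = False   # "! -y": match only packets that are NOT a bare SYN
    log: bool = False       # -l: log the match to the kernel log
    target: str = "ACCEPT"  # -j

@dataclass
class Packet:
    chain: str; iface: str; src: str; sport: int; dst: str; dport: int
    proto: str = "tcp"
    syn: bool = False       # True for a connection-opening SYN (SYN set, ACK clear)

# The four rules posted in the thread, transcribed for this toy matcher.
RULES = [
    Rule("input", "eth1", "10.0.0.0/8", None, "10.0.0.5/32", 3128, "tcp"),
    Rule("output", "eth1", "10.0.0.5/32", 3128, "10.0.0.0/8", None, "tcp", not_syn=True),
    Rule("input", "eth1", "192.168.1.0/24", None, "10.0.0.5/32", 3128, "tcp", log=True),
    Rule("output", "eth1", "10.0.0.5/32", 3128, "192.168.1.0/24", None, "tcp", not_syn=True, log=True),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every qualifier on the rule matches the packet (all options are ANDed)."""
    return (
        (rule.chain, rule.iface, rule.proto) == (pkt.chain, pkt.iface, pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.sport in (None, pkt.sport)
        and rule.dport in (None, pkt.dport)
        and not (rule.not_syn and pkt.syn)   # "! -y": a bare SYN does not match
    )

def verdict(pkt: Packet, rules=RULES):
    """Return (target, logged) for the first matching rule, or None when the packet
    falls through to the chain's default policy (which the thread does not state)."""
    for r in rules:
        if matches(r, pkt):
            return (r.target, r.log)
    return None
```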
 
Old 08-05-2004, 11:05 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Hope the default gateway for the machines on 192.168.1.0 is set to the gateway machine - the machine that participates in the VPN establishment.
 
Old 08-05-2004, 10:44 PM   #3
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
VPN establishment gateway is 192.168.1.2 and all machines are set to this gateway. But the machine ABC on which 192.168.1.1 is configured is working perfectly (browsing). Even if we change the IP on the ABC machine it is working perfectly. But not another machine if we change its IP from 192.168.1.x to 192.168.1.1.

If you would like the TCPDUMP occurring when the ABC machine and the other machines browse, as seen when it reaches the firewall, please reply back.

Raghavan.S
 
Old 08-05-2004, 10:54 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Looking more like a networking issue rather than security. Moving thread over to Linux - Networking for more exposure.
-CC
 
Old 08-05-2004, 11:01 PM   #5
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
I don't know whether it is a networking or security issue, because if I turn off the firewall all machines are able to browse with the appropriate access in the Squid ACL. But the strange issue is why it is browsing on the ABC machine even when we change the IP and give the IP appropriate rights in the Squid ACL.

This is really strange and we have been breaking our heads over it for the past 2 weeks.

Raghavan.S
 
Old 08-05-2004, 11:03 PM   #6
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
One more small thing is that if I give access to a webserver running on the firewall, all machines are able to hit the webserver. And even more so, if I remove access for the machines in the Squid ACL, I am getting Squid's "Access Denied" page on the machines.

Raghavan.S
 
Old 08-05-2004, 11:19 PM   #7
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Are these other machines - the ones other than ABC - able to ping the gateway?
 
Old 08-05-2004, 11:25 PM   #8
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
All machines 192.168.1.x are able to ping machines in 10.x subnet.

Raghavan.S
 
Old 08-06-2004, 12:40 AM   #9
rags
LQ Newbie
 
Registered: Aug 2004
Posts: 6

Original Poster
Rep: Reputation: 0
I am running Redhat 6.2, kernel version 2.2.14-5.0. Is there any bug with this version of Redhat Linux?

Raghavan.S
 
Old 08-06-2004, 08:30 AM   #10
jdelaros1
LQ Newbie
 
Registered: Sep 2003
Location: Austin, TX USA
Distribution: Fedora 1.0, 2.0 & SuSE 9.2
Posts: 20

Rep: Reputation: 0
If only one machine works (ABC, regardless of its IP address) and all others don't, then obviously you need to see what is different about ABC. Could it be a physical issue? Something particular about the port (router, switch...) ABC is connected to?

Have you considered plugging ABC into a different port? Using a different network cable? (Doesn't make sense, but when you're desperate, you'll try anything...)
 
Old 08-06-2004, 08:38 AM   #11
jdelaros1
LQ Newbie
 
Registered: Sep 2003
Location: Austin, TX USA
Distribution: Fedora 1.0, 2.0 & SuSE 9.2
Posts: 20

Rep: Reputation: 0
I forgot to mention: how about using a newer kernel? You're running an old version; this could be an issue. Try a new kernel so you can rule out that possibility.

Have you tried iptables instead of ipchains? You did mention that when you turned off the firewall things seemed to work OK. Is the Squid version you're using fairly new? It could have some issues with ipchains.
 
Old 08-06-2004, 09:23 AM   #12
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
I am not sure it is a kernel issue. I had configured a similar setup, minus the VPN, while RH6.2 was in vogue. And everything held on fine.
Quote:
If I remove access for the machines in ACL Squid, I am getting the page - Squid's Access Denied in the machines.
Is this with the filters (firewall) on or off?
Quote:
if I turn off firewall all machines are able to browse with the appropriate access in Squid ACL.

Please post the tcpdumps too - for 192.168.1.1 and another system, say 192.168.1.3 - at the proxy machine and at the source (1.1 and 1.3), with the firewall running and without.


Last edited by ppuru; 08-06-2004 at 09:41 AM.
 