This is a discussion on Re: iptables + udp within the Slackware Linux Support forums, part of the Unix Operating Systems category.
In article <TxY%a.58270$PD3.4597523@nnrp1.uunet.ca>, lucas wrote:
> the only difference between the two is the dest port and the protocol. i
> can't figure out why it doesn't work for UDPs. there's nothing else in my

Try the "iptables -vL" and "iptables -t nat -vL" output. Look at packet and byte counters. Attempt a UDP connection, does it increment the counters? Look in /proc/net/ip_conntrack for your UDP port. Is it there? What's the state? Use a packet sniffer (ethereal, tethereal) and try it again. Are the packets coming in? going out?

I suspect this UDP daemon (what is it, anyway?) really isn't running, is not working properly, or is for some reason not NAT'able. Try nmap'ing that UDP port, from the firewall to the receiver, and from the outside to the firewall. Is it open? If not, there's your problem.

-- 
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
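The conntrack check suggested above can be turned into a small classifier. This is an added example, not code from anyone in the thread: it reads text in the /proc/net/ip_conntrack format (the 2.4-era file the post names) on stdin and reports what the firewall has recorded for one DNAT'ed UDP port. The port 1515 and internal address 192.168.1.3 come from the rules posted later in the thread; the sample entries and the addresses 198.51.100.7 and 203.0.113.2 are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. It reads /proc/net/ip_conntrack
# format text on stdin and says what the firewall has seen for one DNAT'ed
# UDP port. Usage on the firewall:
#   classify_udp_forward 1515 192.168.1.3 < /proc/net/ip_conntrack
#
# Result printed on stdout:
#   absent     no udp entry with that dport: the packets never reached the
#              firewall's conntrack (check "iptables -vnL" counters and a
#              sniffer on the external interface)
#   no-dnat    an entry exists but the expected reply still comes from the
#              firewall's own address: the PREROUTING DNAT rule did not match
#   unreplied  DNAT was applied (reply expected from the internal host) but
#              nothing came back: daemon not listening there, or the host
#              has no route back through the firewall
#   replied    traffic flows in both directions
classify_udp_forward() {
    awk -v port="$1" -v internal="$2" '
        $1 == "udp" {
            orig_dport = ""; reply_src = ""; unreplied = 0; nsrc = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /^dport=/ && orig_dport == "") {
                    sub(/^dport=/, "", f); orig_dport = f          # original tuple
                } else if (f == "[UNREPLIED]") {
                    unreplied = 1
                } else if (f ~ /^src=/) {
                    nsrc++
                    if (nsrc == 2) { sub(/^src=/, "", f); reply_src = f }   # reply tuple
                }
            }
            if (orig_dport != port) next
            found = 1
            if (reply_src != internal) print "no-dnat"
            else if (unreplied)        print "unreplied"
            else                       print "replied"
            exit
        }
        END { if (!found) print "absent" }
    '
}

# Constructed sample entries (not captured from the poster's machine).
# An inbound packet from 198.51.100.7 to the firewall's public address
# 203.0.113.2, port 1515, with the reply tuple rewritten by DNAT:
SAMPLE_UNREPLIED='udp      17 28 src=198.51.100.7 dst=203.0.113.2 sport=40123 dport=1515 [UNREPLIED] src=192.168.1.3 dst=198.51.100.7 sport=1515 dport=40123 use=1'
# The same flow after the internal host answered:
SAMPLE_REPLIED='udp      17 170 src=198.51.100.7 dst=203.0.113.2 sport=40123 dport=1515 src=192.168.1.3 dst=198.51.100.7 sport=1515 dport=40123 [ASSURED] use=1'
# Entry whose reply tuple still names the firewall: the DNAT rule never matched
SAMPLE_NO_DNAT='udp      17 28 src=198.51.100.7 dst=203.0.113.2 sport=40123 dport=1515 [UNREPLIED] src=203.0.113.2 dst=198.51.100.7 sport=1515 dport=40123 use=1'
# Only a TCP flow present: nothing for the UDP port at all
SAMPLE_ABSENT='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.2 sport=51000 dport=22 src=203.0.113.2 dst=198.51.100.7 sport=22 dport=51000 [ASSURED] use=1'

for s in "$SAMPLE_UNREPLIED" "$SAMPLE_REPLIED" "$SAMPLE_NO_DNAT" "$SAMPLE_ABSENT"; do
    printf '%s\n' "$s" | classify_udp_forward 1515 192.168.1.3
done
```

The reply tuple is the useful part: conntrack records where it expects the answer to come from, so a reply source of 192.168.1.3 proves the DNAT rule matched, and a lingering [UNREPLIED] then points at the internal host rather than at the firewall rules.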
/dev/rob0 wrote:
> In article <TxY%a.58270$PD3.4597523@nnrp1.uunet.ca>, lucas wrote:
>> the only difference between the two is the dest port and the protocol. i
>> can't figure out why it doesn't work for UDPs. there's nothing else in
>> my
>
> Try the "iptables -vL" and "iptables -t nat -vL" output. Look at packet
> and byte counters. Attempt a UDP connection, does it increment the
> counters? Look in /proc/net/ip_conntrack for your UDP port. Is it there?
> What's the state? Use a packet sniffer (ethereal, tethereal) and try it
> again. Are the packets coming in? going out?
>
> I suspect this UDP daemon (what is it, anyway?) really isn't running, is
> not working properly, or is for some reason not NAT'able. Try nmap'ing
> that UDP port, from the firewall to the receiver, and from the outside
> to the firewall. Is it open? If not, there's your problem.

can't find udp port in ip_conntrack

the daemon is openvpn. it does work. openvpn is currently running on my server (where firewall is located), but i wish to move it to 192.168.1.4 for reasons i won't get into right now.

you're right. the problem does sound like there isn't a receiving port, but the daemon is running there fine, and i can nmap it from the firewall

i'll have to get back to you on the iptables -L part...hard to find a friend at this time to send some udp's my way

-- 
lucas
-------------------------
Perl Coder since 2001
shift || die;
-------------------------
In article <7Ee0b.58599$PD3.4602307@nnrp1.uunet.ca>, lucas wrote:
> can't find udp port in ip_conntrack
>
> the daemon is openvpn. it does work. openvpn is currently running on my

Fortunately this is one with which I am familiar. Not having the port in the connection tracking list suggests that the internal openvpn machine may have a routing problem: packets get there but it doesn't know where/how to reply.

> server (where firewall is located), but i wish to move it to 192.168.1.4
> for reasons i won't get into right now.

I run most of my openvpn's behind firewalls, because that way if the fw machine is compromised, the VPN traffic is still completely secure. It's simpler to get working on the firewall box because that's already the default route for all the client machines. You have to add static routes to the clients for VPN destinations.

> i'll have to get back to you on the iptables -L part...hard to find a friend
> at this time to send some udp's my way

To set these things up it REALLY helps to have shell access and root on both ends. Otherwise the troubleshooting will take forever.

-- 
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 19 Aug 2003 19:13:53 -0400, lucas <aolblowz@yahoo.com> wrote:
> i thought the rules i posted:
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -s $UNIVERSE -d 192.168.1.3
> -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 1515 -j DNAT --to
> 192.168.1.3
>
> where the static routes i needed

I think he went a step beyond that and was talking about routing in a different sense. What you have there is port forwarding stuff, what he was talking about was actual routing (like you do with a gateway and stuff).

OpenVPN is good stuff - tons of fun, and quite powerful (yet simple). I like it, myself. :-)

- -- 
Rob                               | If not safe,
Email and Jabber:                 | one can never be free.
athlonrob at data dot 4t3 dot com |
-----BEGIN PGP SIGNATURE-----
Comment: Key ID 0x838E01ED - Available from www.keyserver.net

iD8DBQE/Qrf5hm6KEoOOAe0RArkAAJ0YA82FQR6KRmVelsy5JWTOtTKIoQCggjoo
OnxmIv4L4Ar8yd9dc3Hijug=
=UBF7
-----END PGP SIGNATURE-----
In article <Oay0b.59012$PD3.4607470@nnrp1.uunet.ca>, lucas wrote:
>> may have a routing problem: packets get there but it doesn't know where/
>> how to reply.
>
> as i understand it, i obviously have openvpn configed for udp

And you have still not posted your iptables -vnL output! Are packets getting there or not?

>> default route for all the client machines. You have to add static routes
>> to the clients for VPN destinations.
>
> i thought the rules i posted:
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -s $UNIVERSE -d 192.168.1.3

BTW you've given 2 different IP's for the receiving machine: .3 and .4. Perhaps one was just a typo, but if that typo is repeated in the wrong place everything will be buggered.

> -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 1515 -j DNAT --to
> 192.168.1.3
>
> where the static routes i needed

iptables manages packet filtering and NAT only. See "man route" and the Net-HOWTO, section 5.7. You'll need a much better understanding of TCP/IP to make this work, unless all you want is a peer-to-peer connection. My openvpn boxes are routers for the local networks wherein they are situated, connecting those machines to other local networks.

-- 
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
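The point made in the post above, that the firewall's DNAT and FORWARD rules are only half of the job and that the internal host has to route its replies back through the firewall, can be put side by side in one script. This is an added example and is not the poster's firewall script or /dev/rob0's configuration. It assumes the firewall's inside address is 192.168.1.1, keeps the thread's interface variables $EXTIF and $INTIF, port 1515 and host 192.168.1.3, and adds an ESTABLISHED,RELATED rule for the reply direction on the assumption that the poster's ruleset has none (the thread never shows the rest of it). The "route -n" listings are constructed; by default the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the firewall's inside
# address is 192.168.1.1, the internal OpenVPN host is 192.168.1.3 and the
# interface names match the $EXTIF/$INTIF variables used in the thread.
# Dry run (prints the iptables commands) unless run as root with DRY_RUN=0.

EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
FW_INSIDE=192.168.1.1
VPN_HOST=192.168.1.3
VPN_PORT=1515

if [ "${DRY_RUN:-1}" = 0 ] && [ "$(id -u)" = 0 ]; then
    IPTABLES=iptables
else
    IPTABLES="echo iptables"
fi

# Firewall side: the thread's two rules plus the reply direction, which the
# posted rules do not cover. Conntrack matches the UDP reply from the
# internal host to the inbound DNAT'ed entry, so one ESTABLISHED,RELATED
# rule carries the return traffic for every forwarded port.
forward_udp_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p udp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VPN_HOST"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p udp -d "$VPN_HOST" \
        --dport "$VPN_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
}

# Internal host side: nothing in iptables on the firewall can fix this.
# The host must send replies to the outside world back via the firewall.
# Reads "route -n" output on stdin; returns 0 if the default gateway
# (destination 0.0.0.0) is the firewall's inside address.
default_gw_is_firewall() {
    awk -v gw="$FW_INSIDE" '
        $1 == "0.0.0.0" && $2 == gw { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed "route -n" output for the internal host (not from the thread).
ROUTE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'

ROUTE_MISSING='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

if printf '%s\n' "$ROUTE_MISSING" | default_gw_is_firewall; then
    echo "internal host routes replies via $FW_INSIDE"
else
    echo "internal host has no default route via $FW_INSIDE: replies never reach $EXTIF"
    echo "fix on $VPN_HOST: route add default gw $FW_INSIDE"
fi
forward_udp_rules
```

With only a directly connected 192.168.1.0/24 route, the internal host can receive the DNAT'ed datagram but has nowhere to send the answer, which is exactly the "packets get there but it doesn't know where/how to reply" symptom and leaves the conntrack entry [UNREPLIED]. On a real host, run the check as `route -n | default_gw_is_firewall`.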
AthlonRob wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 19 Aug 2003 19:13:53 -0400, lucas <aolblowz@yahoo.com> wrote:
>> i thought the rules i posted:
>> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp -s $UNIVERSE -d
>> 192.168.1.3 -j ACCEPT
>> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 1515 -j DNAT --to
>> 192.168.1.3
>>
>> where the static routes i needed
>
> I think he went a step beyond that and was talking about routing in a
> different sense. What you have there is port forwarding stuff, what he
> was talking about was actual routing (like you do with a gateway and
> stuff).
>
> OpenVPN is good stuff - tons of fun, and quite powerful (yet simple). I
> like it, myself. :-)

i appreciate everyone's help. I'll get on the netfilter mailing list and see what they have to say. and in the meantime, i'll keep working on a udp forwarding app (in perl of course)

-- 
lucas
-------------------------
Perl Coder since 2001
shift || die;
-------------------------