Iptables – Gateway can’t ping client

gatewayiptableslinux-networkingroutingvpn

I tried to setup a new gateway in my virtual network, but I'm sure I have a problem. The gateway cannot ping the client but the client can ping other clients and the gateway. I have checked my iptables rules (I don't see a problem).

Current iptables rules:

iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
 -> Allow VPN Interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT

Current route (xxx.xxx.xxx.xxx is the public IP):

default via xxx.xxx.xxx.xxx dev eth0
xxx.xxx.xxx.xxx dev eth0  scope link
192.168.7.0/24 dev tap_soft  proto kernel  scope link  src 192.168.7.1

When I ping a client from the gateway, I see this from tcpdump:

IP xxx.xxx.xxx.xxx > 192.168.7.85: ICMP echo request, id 12176, seq 1, length 64

And no response back.

The problem is the same with all protocols like TCP, UDP, ICMP.

Best Answer

There is no rule that allows incoming traffic from your gateway, it only allows traffic when it is already established or related. If you want to only allow ping from the gateway you can use something like this:

iptables -A INPUT -s <GATEWAY-IP> -i <PUBLIC-INTERFACE> -d <PUBLIC-IP of the client> --icmp-type ping -j ACCEPT

Related Solutions

Linux – Ping reply not getting to LAN machines but getting in Linux router Gateway

Your modem doesn't know how to reach 192.168.122.0/24 network. You have to do NAT on your router or you have to tell your modem that 192.168.122.0/24 should be routed through 192.168.2.3.

For NAT try with these rules:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE   
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Restart your firewall to flush old rules.

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

I would say this is wrong approach. In any case, I wouldn't want to have JBoss (nor tomcat) to manage direct connections other then for test purpose. It's not designed to manage directly outside connections.

Option 1 Have apache web server proxy to 127.0.0.1:8080

You need this somewhere in your apache setup

LoadModule proxy_module  {path-to-modules}/mod_proxy.so
AddModule  mod_proxy.c

Or with apache2

$ sudo a2enmod proxy
$ sudo apache2ctl restart

And in virtual hosts you could have several apps

ProxyPass         /myapp  http://localhost:8080/myapp
ProxyPassReverse  /myapp  http://localhost:8080/myapp

or have a unique one

ProxyPass         /  http://localhost:8080/
ProxyPassReverse  /  http://localhost:8080/

after changing virtual hosts setting, no need to restart apache

$ sudo apache2ctl graceful

will update settings without dropping ongoing connections.

Option 2, using mod_ajp

$ sudo a2enmod proxy_ajp
$ sudo apache2ctl restart

adding this to your virtualhost

ProxyPass /app ajp://backend.example.com:8009/app

Assuming tomcat instance is configured to have ajp connector on port 8009. Check tomcat settings.

http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

Option 3, using mod_jk http://tomcat.apache.org/connectors-doc/

You'll still have the other issue that is to configure JBoss as to create links to :80, that will be a JBoss setting problem... can't remember where it's set, all I can remember is that it took me a while to find out. I've preferred using the ajp connector so far.

Sorry, I don't have have access to a JBoss setup right now, perhaps someone can point us where is that setting.

Best Answer

Related Solutions

Linux – Ping reply not getting to LAN machines but getting in Linux router Gateway

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

Related Topic