I tried to set up a new gateway in my virtual network, but I'm sure I have a problem. The gateway cannot ping the client, but the client can ping other clients and the gateway. I have checked my iptables rules (I don't see a problem).
Current iptables rules:
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
-> Allow the VPN interface to access the whole world, back and forth.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # replies belonging to flows already tracked
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT     # new flows from a VPN address to the gateway itself
iptables -A OUTPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT    # new flows the gateway sends with a VPN address as source
iptables -A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT   # new flows routed through the gateway from a VPN address
Current route (xxx.xxx.xxx.xxx is the public IP):
default via xxx.xxx.xxx.xxx dev eth0
xxx.xxx.xxx.xxx dev eth0 scope link
192.168.7.0/24 dev tap_soft proto kernel scope link src 192.168.7.1
When I ping a client from the gateway, I see this from tcpdump:
IP xxx.xxx.xxx.xxx > 192.168.7.85: ICMP echo request, id 12176, seq 1, length 64
And no response comes back.
The problem is the same with all protocols (TCP, UDP, ICMP).
Best Answer
There is no rule that allows incoming traffic from your gateway; the rules only allow traffic when it is already established or related. If you want to only allow ping from the gateway, you can use something like this:
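The point of the answer, as an added example that is not the answerer's own ruleset: the asker's OUTPUT rule only matches new packets whose source is in the VPN subnet, and a packet the gateway originates never carries such a source, so the gateway's own echo requests fall through to the chain policy. The script below rebuilds the asker's rules in iptables-restore format and adds one OUTPUT rule that accepts new ICMP echo requests toward the VPN subnet. It assumes things the page does not state: that the filter chains have a DROP policy, that the VPN interface is tap_soft, that the subnet is 192.168.7.0/24 (taken from the route shown) and that the uplink is eth0; the function names are my own.

```shell
#!/bin/sh
# Added example; not the asker's or the answerer's own script.
# Assumptions (not stated on the page): DROP policy on INPUT/OUTPUT/FORWARD,
# VPN interface tap_soft, VPN subnet 192.168.7.0/24, uplink eth0.
# Each can be overridden through the environment.
set -eu

VPN_SUBNET="${VPN_SUBNET:-192.168.7.0/24}"
VPN_IF="${VPN_IF:-tap_soft}"
NET_INTERFACE="${NET_INTERFACE:-eth0}"

# Emit the whole ruleset in iptables-restore format so the tables are replaced
# atomically instead of being appended to whatever is already loaded.
# The last OUTPUT rule is the fix: it matches on destination and interface,
# not on a source the gateway's own packets never have. Drop the
# "-p icmp --icmp-type echo-request" part to let the gateway open any new
# connection to a client, not just ping.
build_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_SUBNET -o $NET_INTERFACE -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $VPN_SUBNET -m state --state NEW -j ACCEPT
-A FORWARD -s $VPN_SUBNET -m state --state NEW -j ACCEPT
-A OUTPUT -o $VPN_IF -d $VPN_SUBNET -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the generated ruleset contains an OUTPUT rule that accepts
# new traffic destined for the VPN subnet on the VPN interface.
gateway_can_reach_clients() {
    build_rules | grep -q -- "^-A OUTPUT -o $VPN_IF -d $VPN_SUBNET .*--state NEW -j ACCEPT"
}

# Parse first with --test so a typo fails before anything is committed, then
# load for real. Needs root.
apply_rules() {
    build_rules | iptables-restore --test
    build_rules | iptables-restore
}

# Live check: while the gateway pings a client, the counter on the new OUTPUT
# rule should increase and the packet count on the chain policy line should not.
show_output_counters() {
    iptables -L OUTPUT -v -n --line-numbers
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  show_output_counters ;;
    *)       build_rules ;;
esac
```

Run it without arguments to review the generated ruleset, with `--apply` as root to load it, and with `--show` to watch the OUTPUT counters during a ping. Two things worth checking on the box itself rather than assuming: `iptables -S OUTPUT` prints the real chain policy (the DROP policy above is an assumption), and `ip route get 192.168.7.85` shows which source address the kernel picks for the ping; the route in the question sets `src 192.168.7.1`, while the capture shows the request leaving with the public address.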