Hi everybody

I am still trying to figure out how to (correctly) set up the following.

Basic Info:
Bering 1_0.stable 2.4.18 with shorewall 1.3.13

Crude ASCII art of the network:

internet
|
dynamic IP
------------------
| bering box | this is my standard gateway, operational
------------------
194.124.158.99
|
194.124.158.98 --- eth0
------------------
| bering box | valleygate ipsec end point and should NAT from ipsec0 and eth1
------------------
192.168.10.1 --- eth1
| ---- zone referenced as nocat in shorewall set up
| ---- simulates a wireless connection
192.168.10.2 --- eth1
------------------
| bering box | mountaingate ipsec end point
------------------
192.168.20.1 --- eth0
|
192.168.20.0/24 upper end subnet

Here is some log info; please let me know if anything is amiss.

ipsec barf on valleygate yields
.....
Feb 14 17:44:39 valleygate Pluto[8400]: "valleygate-mountaingate" #6: responding to Quick Mode
Feb 14 17:44:40 valleygate Pluto[8400]: "valleygate-mountaingate" #6: IPsec SA established
Feb 14 18:33:47 valleygate Pluto[8400]: "valleygate-mountaingate" #7: responding to Main Mode
Feb 14 18:33:47 valleygate Pluto[8400]: "valleygate-mountaingate" #7: sent MR3, ISAKMP SA established

So IMHO I have an established SA with mountaingate.

Now when I try to connect from the 192.168.20.0/24 subnet to (for example) ssh on 194.124.158.50, the connection is rejected on valleygate by the all2all chain:

Feb 16 22:27:27 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=70 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064

This seems to indicate that the tunneled connection from 192.168.20.2 is not masqueraded on valleygate; I must have missed something in the shorewall setup.

Here are the shorewall settings for valleygate:

>>>>>>>>>interfaces:

#ZONE INTERFACE BROADCAST OPTIONS
#net eth0 detect dhcp,routefilter,norfc1918
net eth0 detect routestopped
vpn ipsec0
nocat eth1 detect routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


>>>>>>>>>tunnels:

# TYPE ZONE GATEWAY GATEWAY ZONE
ipsec nocat 192.168.10.2
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

>>>>>>>>>zones:

#ZONE DISPLAY COMMENTS
net Net Internet
nocat NoWire Intermediate Network
vpn VPN Remote Network behind VPN tunnel
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

>>>>>>>>>policy:

# If you want open access to the internet from your firewall, uncomment the
# following line
#fw net ACCEPT
nocat net ACCEPT
net nocat ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

>>>>>>>>>>rules:

#
# Accept DNS connections from the firewall to the network
#
#ACCEPT fw net tcp 53
ACCEPT fw net tcp
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT nocat fw tcp 22
ACCEPT net fw tcp 22
# accept connections to the local network
ACCEPT fw nocat tcp
ACCEPT fw nocat udp
#
# Bering specific
#
ACCEPT nocat fw udp 53
ACCEPT nocat fw tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Here is the output from shorewall status after a reset:

Shorewall-1.3.13 Status at valleygate - Sun Feb 16 22:33:31 CET 2003

Counters reset Sun Feb 16 22:32:41 CET 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_in ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
3 312 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 144 ipsec0_fwd ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
3 288 fw2nocat ah -- * eth1 0.0.0.0/0 0.0.0.0/0
3 120 all2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (8 references)
pkts bytes target prot opt in out source destination
3 120 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
3 144 common ah -- * * 0.0.0.0/0 0.0.0.0/0
3 144 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
3 144 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 194.124.158.255
0 0 DROP ah -- * * 0.0.0.0/0 192.168.10.255

Chain dynamic (6 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2nocat ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 nocat2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
3 312 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
3 312 nocat2fw ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2nocat (1 references)
pkts bytes target prot opt in out source destination
3 288 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 192.168.10.2
0 0 ACCEPT 51 -- * * 0.0.0.0/0 192.168.10.2
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.10.2 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source destination
3 144 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
3 144 all2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2nocat (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain nocat2fw (1 references)
pkts bytes target prot opt in out source destination
3 312 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 192.168.10.2 0.0.0.0/0
0 0 ACCEPT 51 -- * * 192.168.10.2 0.0.0.0/0
0 0 ACCEPT udp -- * * 192.168.10.2 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain nocat2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
pkts bytes target prot opt in out source destination
3 144 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Feb 16 22:27:27 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=70 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064
Feb 16 22:27:27 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=71 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064
Feb 16 22:27:28 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=72 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064
Feb 16 22:33:05 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=89 DF PROTO=TCP SPT=1035 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064
Feb 16 22:33:05 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=90 DF PROTO=TCP SPT=1035 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064
Feb 16 22:33:06 all2all:REJECT:IN=ipsec0 OUT=eth0 SRC=192.168.20.2 DST=194.124.158.50 LEN=48 TOS=0x10 PREC=0x00 TTL=126 ID=91 DF PROTO=TCP SPT=1035 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=2064

NAT Table

Chain PREROUTING (policy ACCEPT 3 packets, 144 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_masq ah -- * eth0 0.0.0.0/0 0.0.0.0/0
3 120 ipsec0_masq ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE ah -- * * 192.168.10.0/24 0.0.0.0/0

Chain ipsec0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE ah -- * * 192.168.20.0/24 0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 6 packets, 456 bytes)
pkts bytes target prot opt in out source destination
6 456 pretos ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 3 packets, 312 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 3 packets, 144 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 6 packets, 408 bytes)
pkts bytes target prot opt in out source destination
6 408 outtos ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 6 packets, 408 bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
3 120 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
3 144 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

unknown 50 574 src=192.168.10.2 dst=192.168.10.1 src=192.168.10.1 dst=192.168.10.2 use=1

The ipsec and shorewall logs were taken in two different sessions; the setup was not changed.

Thanks for pointers

Erich
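An added diagnostic, not from the post or from Shorewall itself, that replays valleygate's interfaces, policy and masq tables (constructed copies of those shown above) against the logged packet: it reports which zone pair the packet belongs to, which policy chain governs it, and whether any MASQUERADE rule covers it on its egress interface. It assumes the Shorewall 1.3 chain naming visible in the status output (a policy row for SOURCE/DEST becomes chain SOURCE2DEST, so a wildcard match lands in net2all or all2all).

```python
import ipaddress
import re

# Constructed from the valleygate tables quoted in the post: zone per
# interface, policy rows in file order, and the two masq chains in status.
INTERFACES = {"eth0": "net", "ipsec0": "vpn", "eth1": "nocat"}
POLICY = [("nocat", "net", "ACCEPT"), ("net", "nocat", "ACCEPT"),
          ("net", "all", "DROP"), ("all", "all", "REJECT")]
MASQ = [("eth0", "192.168.10.0/24"), ("ipsec0", "192.168.20.0/24")]

# Copy of the rejected packet's log line from the post (trailing fields trimmed).
LOG_LINE = ("Feb 16 22:27:27 all2all:REJECT:IN=ipsec0 OUT=eth0 "
            "SRC=192.168.20.2 DST=194.124.158.50 PROTO=TCP SPT=1032 DPT=22")
LOG_RE = re.compile(r"IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+)")

def policy_chain(src_zone, dst_zone):
    """First matching policy row wins; its chain is named <SOURCE>2<DEST>,
    so a match through 'all' ends in net2all / all2all instead of a
    zone-specific chain (assumed Shorewall 1.3 behaviour, as in status)."""
    for s, d, action in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return f"{s}2{d}", action
    return None, None

def masquerade_applies(out_if, src_ip):
    """True if a MASQUERADE rule exists for this egress interface and source."""
    ip = ipaddress.ip_address(src_ip)
    return any(i == out_if and ip in ipaddress.ip_network(net) for i, net in MASQ)

def diagnose(line):
    """Map one Shorewall log line to zones, governing policy chain, masq status."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall packet log line")
    in_if, out_if, src, dst = m.groups()
    src_zone = INTERFACES.get(in_if, "fw")   # empty IN= means the firewall itself
    dst_zone = INTERFACES.get(out_if, "fw")
    chain, action = policy_chain(src_zone, dst_zone)
    return {"src": src, "dst": dst, "src_zone": src_zone, "dst_zone": dst_zone,
            "chain": chain, "action": action,
            "masquerade": masquerade_applies(out_if, src)}

if __name__ == "__main__":
    r = diagnose(LOG_LINE)
    print(f"{r['src']} -> {r['dst']}: zones {r['src_zone']}->{r['dst_zone']}, "
          f"policy chain {r['chain']} ({r['action']}), "
          f"masqueraded on egress: {r['masquerade']}")
```

For the logged packet this yields zone pair vpn->net with no explicit policy, so it falls through to all2all REJECT, and no MASQUERADE rule matches 192.168.20.2 leaving eth0 (the eth0_masq entry only covers 192.168.10.0/24).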



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
