Re: [Shorewall-users] IPSec Getting Blocked
On 03/23/2018 11:02 AM, colony.three--- via Shorewall-users wrote:
>
> ‐‐‐ Original Message ‐‐‐
> On March 23, 2018 9:43 AM, Tom Eastep wrote:
>
>> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
>>
>>> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
>>>
>>> But I do notice that the response being emitted by the daemon which is not
>>> received by the phone (nor even seen in the IPSec gateway interface):
>>>
>>> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
>>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
>>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
>>> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
>>> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
>>>
>>> ... has a -source- of 4500, not a destination of 4500. I'm not opening this
>>> in either the IPSec gateway nor the LAN gateway:
>>>
>>> IPSec gateway rules:
>>>
>>> ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
>>>
>>> LAN gateway snat
>>>
>>> MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
>>>
>>> rules
>>>
>>> ACCEPT  local  net                  udp  domain            -
>>> DNAT    net    local:192.168.111.16 udp  500,ipsec-nat-t   -
>>>
>>> It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
>>> that the 4500 response doesn't seem to leave the daemon)
>>
>> The conntrack entries on the gateways will allow the response packets to
>> be sent. Using tcpdump on the IPSEC gateway, do you see the response
>> packets being sent?
>>
>> -Tom
>
> Oh man. I don't have any IPSec entries in conntrack.

And you don't need any. I was speaking of the conntrack table that is
automatically maintained by Netfilter and is displayed by the 'shorewall
show connections' command.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \ understand
                          \_______________________________________________

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
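The distinction Tom draws above (the Netfilter conntrack table versus the /etc/shorewall/conntrack file) is worth checking mechanically when a UDP service such as IKE/NAT-T stops getting replies. The following is an added example, not code from the thread or from the Shorewall project: it parses lines in the format printed by `conntrack -L` (the table that 'shorewall show connections' displays) and reports, for UDP 500 and 4500, whether an entry exists, whether the reply direction has been seen (Netfilter marks an entry [UNREPLIED] until it has), and whether the destination was rewritten by DNAT. The sample lines are constructed; the LAN gateway's public address 198.51.100.1 is a placeholder, since the thread never gives it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in `conntrack -L` format. Addresses reuse the ones from
# the thread; 198.51.100.1 stands in for the LAN gateway's public address.
SAMPLE_CONNTRACK = """\
udp      17 29 src=172.56.42.76 dst=198.51.100.1 sport=49548 dport=500 src=192.168.111.16 dst=172.56.42.76 sport=500 dport=49548 [ASSURED] mark=0 use=1
udp      17 29 src=172.56.42.76 dst=198.51.100.1 sport=49548 dport=4500 [UNREPLIED] src=192.168.111.16 dst=172.56.42.76 sport=4500 dport=49548 mark=0 use=1
udp      17 170 src=192.168.111.16 dst=8.8.8.8 sport=41234 dport=53 src=8.8.8.8 dst=198.51.100.1 sport=53 dport=41234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.30 dst=203.0.113.9 sport=51000 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=51000 [ASSURED] mark=0 use=1
"""

# One 4-tuple as conntrack prints it; every flow line carries two of them:
# the original direction, then the expected reply direction (post-NAT).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

Tuple4 = Tuple[str, str, int, int]


@dataclass
class Flow:
    proto: str
    orig: Tuple4      # (src, dst, sport, dport) as the first packet arrived
    reply: Tuple4     # tuple a reply must carry, after any NAT rewriting
    replied: bool     # False while the entry is still [UNREPLIED]


def parse_conntrack(text: str) -> List[Flow]:
    """Turn conntrack -L output into Flow records; skips lines it cannot read."""
    flows: List[Flow] = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        o, r = tuples
        flows.append(Flow(
            proto=line.split()[0],
            orig=(o[0], o[1], int(o[2]), int(o[3])),
            reply=(r[0], r[1], int(r[2]), int(r[3])),
            replied="[UNREPLIED]" not in line,
        ))
    return flows


IPSEC_PORTS = (500, 4500)   # IKE and NAT-T (the 'ipsec-nat-t' service)


def ipsec_status(flows: List[Flow]) -> Dict[int, dict]:
    """Per IKE/NAT-T port: is there an entry, has a reply been seen, and did
    DNAT change the destination (original dst differs from reply src)?"""
    status = {p: {"present": False, "replied": False, "dnat": False}
              for p in IPSEC_PORTS}
    for f in flows:
        if f.proto != "udp" or f.orig[3] not in status:
            continue
        s = status[f.orig[3]]
        s["present"] = True
        s["replied"] = s["replied"] or f.replied
        s["dnat"] = s["dnat"] or (f.orig[1] != f.reply[0])
    return status


if __name__ == "__main__":
    for port, s in ipsec_status(parse_conntrack(SAMPLE_CONNTRACK)).items():
        print(f"udp/{port}: {s}")
```

An entry that stays [UNREPLIED] while the daemon logs "sending packet: from 192.168.111.16[4500]" tells you the reply never reached the gateway's conntrack (so look at the IPsec host's own filtering or the path to it), whereas a missing entry altogether points at the DNAT rule not matching in the first place. On a live system, feed it the output of `conntrack -L` instead of the constructed sample.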
Re: [Shorewall-users] IPSec Getting Blocked
‐‐‐ Original Message ‐‐‐
On March 23, 2018 9:43 AM, Tom Eastep wrote:

> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
>
>> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
>>
>> But I do notice that the response being emitted by the daemon which is not
>> received by the phone (nor even seen in the IPSec gateway interface):
>>
>> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
>> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
>> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
>>
>> ... has a -source- of 4500, not a destination of 4500. I'm not opening this
>> in either the IPSec gateway nor the LAN gateway:
>>
>> IPSec gateway rules:
>>
>> ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
>>
>> LAN gateway snat
>>
>> MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
>>
>> rules
>>
>> ACCEPT  local  net                  udp  domain            -
>> DNAT    net    local:192.168.111.16 udp  500,ipsec-nat-t   -
>>
>> It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
>> that the 4500 response doesn't seem to leave the daemon)
>
> The conntrack entries on the gateways will allow the response packets to
> be sent. Using tcpdump on the IPSEC gateway, do you see the response
> packets being sent?
>
> -Tom

Oh man. I don't have any IPSec entries in conntrack.

?FORMAT 3
###############################################################################
#ACTION                 SOURCE  DEST    PROTO   DPORT   SPORT   USER    SWITCH
?if $AUTOHELPERS && __CT_TARGET
?if __AMANDA_HELPER
CT:helper:amanda:PO     -       -       udp     10080
?endif
?if __FTP_HELPER
CT:helper:ftp:PO        -       -       tcp     21
?endif
?if __H323_HELPER
CT:helper:RAS:PO        -       -       udp     1719
CT:helper:Q.931:PO      -       -       tcp     1720
?endif
?if __IRC_HELPER
CT:helper:irc:PO        -       -       tcp     6667
?endif
?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns:PO -       -       udp     137
?endif
?if __PPTP_HELPER
CT:helper:pptp:PO       -       -       tcp     1723
?endif
?if __SANE_HELPER
CT:helper:sane:PO       -       -       tcp     6566
?endif
?if __SIP_HELPER
CT:helper:sip:PO        -       -       udp     5060
?endif
?if __SNMP_HELPER
CT:helper:snmp:PO       -       -       udp     161
?endif
?if __TFTP_HELPER
CT:helper:tftp:PO       -       -       udp     69
?endif
?endif
Re: [Shorewall-users] IPSec Getting Blocked
On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
>
> But I do notice that the response being emitted by the daemon which is not
> received by the phone (nor even seen in the IPSec gateway interface):
>
> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
>
> ... has a -source- of 4500, not a destination of 4500. I'm not opening this
> in either the IPSec gateway nor the LAN gateway:
>
> IPSec gateway rules:
> ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
>
> LAN gateway snat
> MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
> rules
> ACCEPT  local  net                  udp  domain            -
> DNAT    net    local:192.168.111.16 udp  500,ipsec-nat-t   -
>
> It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
> that the 4500 response doesn't seem to leave the daemon)

The conntrack entries on the gateways will allow the response packets to be
sent. Using tcpdump on the IPSEC gateway, do you see the response packets
being sent?

-Tom
Re: [Shorewall-users] IPTables to Shorewall
On 03/22/2018 10:24 PM, Andrea Bodrati wrote:
> Greetings,
> I'm trying to write the following rules in /etc/shorewall/rules but I
> can't find any reference on how to do that :
>
> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport 5061 -j SNAT --to-source x.x.x.x:5060
>
> Basically I need to masquerade the source udp port to 5060 of all the
> packets coming from my public IP x.x.x.x port 5061 and with
> destination y.y.y.y.
> Thanks!

Which Shorewall Version? Earlier versions use the 'masq' file for SNAT and
MASQUERADE; later versions use the 'snat' file.

For the masq file:

eth0:y.y.y.y        -   x.x.x.x:5060    udp   -   5061

For the snat file:

SNAT(x.x.x.x:5060)  -   eth0:y.y.y.y    udp   -   5061

-Tom
Re: [Shorewall-users] IPTables to Shorewall
Add a rule like net (public ip) and dmz (destination):

DNAT  net  dmz:y.y.y.y:5060  udp  5061

On Fri, Mar 23, 2018 at 8:18 AM, Zenny wrote:
> Use DNAT. http://shorewall.net/FAQ.htm#DNS-DNAT
>
> Hope this helps.
>
> On Fri, Mar 23, 2018 at 6:24 AM, Andrea Bodrati wrote:
>
>> Greetings,
>> I'm trying to write the following rules in /etc/shorewall/rules but I
>> can't find any reference on how to do that :
>>
>> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport 5061 -j SNAT --to-source x.x.x.x:5060
>>
>> Basically I need to masquerade the source udp port to 5060 of all the
>> packets coming from my public IP x.x.x.x port 5061 and with
>> destination y.y.y.y.
>> Thanks!
>> Andrea
>
> --
> Cheers,
> /z

--
Cheers,
/z
Re: [Shorewall-users] IPTables to Shorewall
Use DNAT. http://shorewall.net/FAQ.htm#DNS-DNAT

Hope this helps.

On Fri, Mar 23, 2018 at 6:24 AM, Andrea Bodrati wrote:
> Greetings,
> I'm trying to write the following rules in /etc/shorewall/rules but I
> can't find any reference on how to do that :
>
> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport 5061 -j SNAT --to-source x.x.x.x:5060
>
> Basically I need to masquerade the source udp port to 5060 of all the
> packets coming from my public IP x.x.x.x port 5061 and with
> destination y.y.y.y.
> Thanks!
> Andrea

--
Cheers,
/z