Re: [Shorewall-users] IPSec Getting Blocked

2018-03-23 Thread Tom Eastep
On 03/23/2018 11:02 AM, colony.three--- via Shorewall-users wrote:
> ‐‐‐ Original Message ‐‐‐
> 
> On March 23, 2018 9:43 AM, Tom Eastep  wrote:
> 
>> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
>>
>>> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
>>>
>>> But I do notice that the response being emitted by the daemon which is not
>>> received by the phone (nor even seen in the IPSec gateway interface):
>>> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
>>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
>>> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
>>> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to
>>> 172.56.42.76[49548]
>>> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
>>>
>>> ... has a -source- of 4500, not a destination of 4500. I'm not opening this
>>> in either the IPSec gateway nor the LAN gateway:
>>>
>>> IPSec gateway rules:
>>> ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
>>>
>>> LAN gateway snat
>>> MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
>>> rules
>>> ACCEPT  local  net  udp  domain  -
>>> DNAT  net  local:192.168.111.16  udp  500,ipsec-nat-t  -
>>>
>>> It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
>>> that the 4500 response doesn't seem to leave the daemon)
>>
>> The conntrack entries on the gateways will allow the response packets to
>> be sent. Using tcpdump on the IPSEC gateway, do you see the response
>> packets being sent?
>>
>> -Tom
> 
> Oh man.  I don't have any IPSec entries in conntrack.

And you don't need any. I was speaking of the conntrack table that is
automatically maintained by Netfilter and is displayed by the 'shorewall
show connections' command.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
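As an added illustration of the table Tom means (example code written for this page, not from the thread or from Shorewall): a parser for the `conntrack -L` text that `shorewall show connections` displays, which picks out the IKE/NAT-T flows with one peer and flags entries still marked [UNREPLIED], the conntrack-side view of a response packet that never leaves the gateway. The sample table is constructed; 203.0.113.10 and 198.51.100.5 are placeholder addresses, the rest are the thread's.

```python
import re
from dataclasses import dataclass

IKE_PORTS = {500, 4500}  # IKE and NAT-T (UDP-encapsulated ESP)
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

# Constructed sample in `conntrack -L` text format. 203.0.113.10 stands in for
# the LAN gateway's public address, which the thread does not give.
SAMPLE = """\
udp      17 29 src=172.56.42.76 dst=203.0.113.10 sport=49548 dport=4500 [UNREPLIED] src=192.168.111.16 dst=172.56.42.76 sport=4500 dport=49548 mark=0 use=1
udp      17 170 src=172.56.42.76 dst=203.0.113.10 sport=500 dport=500 src=192.168.111.16 dst=172.56.42.76 sport=500 dport=500 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.30 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=203.0.113.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
"""

@dataclass
class Flow:
    proto: str
    orig: tuple      # (src, dst, sport, dport) of the packet that created the entry
    reply: tuple     # tuple a reply packet must carry to be matched to this entry
    unreplied: bool  # nothing in the reply direction has been seen yet
    assured: bool

def parse_conntrack(text):
    """Parse conntrack -L lines (also /proc/net/nf_conntrack lines) into Flows."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # blank line or an entry without two L4 tuples (e.g. icmp)
        fields = line.split()
        # conntrack -L leads with the protocol; /proc/net/nf_conntrack prefixes "ipv4 2"
        proto = next((f for f in fields[:3] if f in ("tcp", "udp")), fields[0])
        orig, reply = [(t[0], t[1], int(t[2]), int(t[3])) for t in tuples]
        flows.append(Flow(proto, orig, reply, "[UNREPLIED]" in line, "[ASSURED]" in line))
    return flows

def ike_flows(text, peer):
    """UDP flows with `peer` that use port 500 or 4500 in the original direction."""
    return [f for f in parse_conntrack(text)
            if f.proto == "udp" and peer in f.orig[:2] and IKE_PORTS & set(f.orig[2:])]

def diagnose(text, peer):
    """Map IKE/NAT-T port -> 'ok' or 'unreplied' for the flows with `peer`."""
    report = {}
    for f in ike_flows(text, peer):
        port = 4500 if 4500 in f.orig[2:] else 500
        # [UNREPLIED] means the entry exists but the daemon's answer never went
        # back out through this gateway: check the return path, not the ACCEPT rule.
        report[port] = "unreplied" if f.unreplied else "ok"
    return report
```

Run `diagnose(SAMPLE, "172.56.42.76")` to get `{4500: "unreplied", 500: "ok"}`; on a live gateway feed it the output of `conntrack -L` instead of the sample.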


Re: [Shorewall-users] IPSec Getting Blocked

2018-03-23 Thread colony.three--- via Shorewall-users

‐‐‐ Original Message ‐‐‐

On March 23, 2018 9:43 AM, Tom Eastep  wrote:

> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
> 
> > No change in the symptom with 'shorewall clear' on the IPSEC gateway.
> > 
> > But I do notice that the response being emitted by the daemon which is not
> > received by the phone (nor even seen in the IPSec gateway interface):
> > Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
> > Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
> > Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
> > Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to
> > 172.56.42.76[49548]
> > Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
> > 
> > ... has a -source- of 4500, not a destination of 4500. I'm not opening this
> > in either the IPSec gateway nor the LAN gateway:
> > 
> > IPSec gateway rules:
> > ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
> > 
> > LAN gateway snat
> > MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
> > rules
> > ACCEPT  local  net  udp  domain  -
> > DNAT  net  local:192.168.111.16  udp  500,ipsec-nat-t  -
> > 
> > It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
> > that the 4500 response doesn't seem to leave the daemon)
> 
> The conntrack entries on the gateways will allow the response packets to
> be sent. Using tcpdump on the IPSEC gateway, do you see the response
> packets being sent?
> 
> -Tom

Oh man.  I don't have any IPSec entries in conntrack.
?FORMAT 3
###############################################################################
#ACTION                 SOURCE  DEST    PROTO   DPORT   SPORT   USER    SWITCH

?if $AUTOHELPERS && __CT_TARGET

?if __AMANDA_HELPER
CT:helper:amanda:PO     -       -       udp     10080
?endif

?if __FTP_HELPER
CT:helper:ftp:PO        -       -       tcp     21
?endif

?if __H323_HELPER
CT:helper:RAS:PO        -       -       udp     1719
CT:helper:Q.931:PO      -       -       tcp     1720
?endif

?if __IRC_HELPER
CT:helper:irc:PO        -       -       tcp     6667
?endif

?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns:PO -       -       udp     137
?endif

?if __PPTP_HELPER
CT:helper:pptp:PO       -       -       tcp     1723
?endif

?if __SANE_HELPER
CT:helper:sane:PO       -       -       tcp     6566
?endif

?if __SIP_HELPER
CT:helper:sip:PO        -       -       udp     5060
?endif

?if __SNMP_HELPER
CT:helper:snmp:PO       -       -       udp     161
?endif

?if __TFTP_HELPER
CT:helper:tftp:PO       -       -       udp     69
?endif

?endif



Re: [Shorewall-users] IPSec Getting Blocked

2018-03-23 Thread Tom Eastep
On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
> 
> But I do notice that the response being emitted by the daemon which is not 
> received by the phone (nor even seen in the IPSec gateway interface):
> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 
> 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
> 
> ... has a -source- of 4500, not a destination of 4500.  I'm not opening this 
> in either the IPSec gateway nor the LAN gateway:
> 
> IPSec gateway rules:
> ACCEPT  $FW  net  udp  500,4500,ipsec,ipsec-nat  -
> 
> LAN gateway snat
> MASQUERADE  10.1.1.30/32,192.168.111.0/24  eth0
> rules
> ACCEPT  local  net  udp  domain  -
> DNAT  net  local:192.168.111.16  udp  500,ipsec-nat-t  -
> 
> It's UDP so unstateful, so maybe this is -a- problem?  (Aside from the fact 
> that the 4500 response doesn't seem to leave the daemon)
> 

The conntrack entries on the gateways will allow the response packets to
be sent. Using tcpdump on the IPSEC gateway, do you see the response
packets being sent?

-Tom





Re: [Shorewall-users] IPTables to Shorewall

2018-03-23 Thread Tom Eastep
On 03/22/2018 10:24 PM, Andrea Bodrati wrote:
> Greetings,
> I'm trying to write the following rules in /etc/shorewall/rules but I
> can't find any reference on how to do that :
> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport
> 5061 -j SNAT --to-source x.x.x.x:5060
> Basically I need to masquerade the source udp port to 5060 of all the
> packets coming from my public IP x.x.x.x port 5061 and with
> destination y.y.y.y.
> Thanks!

Which Shorewall Version? Earlier versions use the 'masq' file for SNAT
and MASQUERADE; later versions use the 'snat' file.

For the masq file:

eth0:y.y.y.y            -       x.x.x.x:5060    udp     -       5061

For the snat file:

SNAT(x.x.x.x:5060)      -       eth0:y.y.y.y    udp     -       5061

-Tom



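Added example (not from the thread or the Shorewall project): a small translator that turns the POSTROUTING SNAT rule from the question into the corresponding snat-file and masq-file lines, following the column order Tom's reply uses (ACTION SOURCE DEST PROTO DPORT SPORT for snat, INTERFACE:DEST SOURCE ADDRESS PROTO DPORT SPORT for masq). It understands only the iptables options that appear in the question and rejects anything else rather than guessing.

```python
import shlex

def parse_snat_rule(rule):
    """Parse a `-t nat ... POSTROUTING ... -j SNAT` rule into its parts.

    Unknown options raise instead of being dropped, so a rule is never
    silently mistranslated into something more permissive than intended.
    """
    argv = shlex.split(rule)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    parts = {"table": None, "chain": None, "target": None, "to": None,
             "-s": "-", "-d": None, "-o": None, "-p": "-", "--dport": "-", "--sport": "-"}
    i = 0
    while i < len(argv):
        tok, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-t":
            parts["table"] = val
        elif tok in ("-A", "-I"):
            parts["chain"] = val
            if i + 2 < len(argv) and argv[i + 2].isdigit():  # "-I CHAIN rulenum"
                i += 1
        elif tok == "-j":
            parts["target"] = val
        elif tok == "--to-source":
            parts["to"] = val
        elif tok in parts:
            parts[tok] = val
        elif tok == "-m":
            pass  # match extension name (e.g. "-m udp"); it adds no column
        else:
            raise ValueError(f"unsupported option: {tok}")
        i += 2
    if (parts["table"], parts["chain"], parts["target"]) != ("nat", "POSTROUTING", "SNAT"):
        raise ValueError("only -t nat POSTROUTING -j SNAT rules are handled")
    if not parts["to"] or not parts["-o"]:
        raise ValueError("--to-source and an output interface (-o) are required")
    return parts

def to_shorewall(rule):
    """Return the equivalent snat-file and masq-file lines (tab separated)."""
    p = parse_snat_rule(rule)
    # DEST (snat) / INTERFACE:DEST (masq) is the output interface, optionally
    # qualified with the -d address so only traffic to that host is rewritten.
    iface_dest = p["-o"] + (f":{p['-d']}" if p["-d"] else "")
    snat = (f"SNAT({p['to']})", p["-s"], iface_dest, p["-p"], p["--dport"], p["--sport"])
    masq = (iface_dest, p["-s"], p["to"], p["-p"], p["--dport"], p["--sport"])
    return {"snat": "\t".join(snat), "masq": "\t".join(masq)}
```

For the rule in the question, `to_shorewall(...)["snat"]` yields `SNAT(x.x.x.x:5060)  -  eth0.0:y.y.y.y  udp  -  5061`; note it keeps the VLAN interface name `eth0.0` from the original rule.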


Re: [Shorewall-users] IPTables to Shorewall

2018-03-23 Thread Zenny
Add a rule like net (public ip) and dmz (destination):

DNAT    net     dmz:y.y.y.y:5060        udp     5061

On Fri, Mar 23, 2018 at 8:18 AM, Zenny  wrote:

> Use DNAT. http://shorewall.net/FAQ.htm#DNS-DNAT Hope this helps.
>
>
>
> On Fri, Mar 23, 2018 at 6:24 AM, Andrea Bodrati  wrote:
>
>> Greetings,
>> I'm trying to write the following rules in /etc/shorewall/rules but I
>> can't find any reference on how to do that :
>> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport
>> 5061 -j SNAT --to-source x.x.x.x:5060
>> Basically I need to masquerade the source udp port to 5060 of all the
>> packets coming from my public IP x.x.x.x port 5061 and with
>> destination y.y.y.y.
>> Thanks!
>> Andrea


-- 
Cheers,
/z

-.. .. ... -.-. .-.. .- .. -- . .-. | -.. .. ... -.-. .-.. .- .. -- . .-.
CONFIDENTIALITY NOTICE AND DISCLAIMER: Access to this e-mail and its
contents by anyone other than the intended recipient is unauthorized as it
contains privileged and confidential information, and is subject to legal
privilege. Please do not re/distribute it.  If you are not the intended
recipient (or responsible for delivery of the message to such person), you
may not use, copy, distribute or deliver the email and part of its contents
to anyone this message (or any part of its contents or take any action in
connection to it. In such case, you should destroy this message, and notify
the sender immediately. If you have received this email in error, please
notify the sender or your sysadmin immediately by e-mail or telephone, and
delete the e-mail from any computer. If you or your employer does not
consent to internet e-mail messages of this kind, please notify the sender
immediately. All reasonable precautions have been taken to ensure no
viruses are present in this e-mail and attachments included. As the sender
cannot accept responsibility for any loss or damage arising from the use of
this e-mail or attachments it is recommended that you are responsible to
follow your virus checking procedures prior to use. The views, opinions,
conclusions and other informations expressed in this electronic mail are
not given or endorsed by any company including the network providers unless
otherwise indicated by an authorized representative independent of this
message.
-.. .. ... -.-. .-.. .- .. -- . .-. | -.. .. ... -.-. .-.. .- .. -- . .-.


Re: [Shorewall-users] IPTables to Shorewall

2018-03-23 Thread Zenny
Use DNAT. http://shorewall.net/FAQ.htm#DNS-DNAT Hope this helps.



On Fri, Mar 23, 2018 at 6:24 AM, Andrea Bodrati  wrote:

> Greetings,
> I'm trying to write the following rules in /etc/shorewall/rules but I
> can't find any reference on how to do that :
> iptables -t nat -I POSTROUTING -o eth0.0 -p udp -d y.y.y.y --sport
> 5061 -j SNAT --to-source x.x.x.x:5060
> Basically I need to masquerade the source udp port to 5060 of all the
> packets coming from my public IP x.x.x.x port 5061 and with
> destination y.y.y.y.
> Thanks!
> Andrea


