Hi all,

I have a problem with a VPN server (poptop) behind a shorewall firewall.

according to http://www.shorewall.net/PPTP.htm#ServerBehind
(and because the firewall has multiple external IP addresses) I have:

/etc/shorewall/rules:

###############################################################
#ACTION SOURCE    DEST          PROTO DEST  SOURCE   ORIGINAL
#                                     PORT  PORT(S)  DEST
#
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT    ext       dmz:$DMZ_VPN  tcp   1723  -        $EXT_VPN
DNAT    ext       dmz:$DMZ_VPN  47    -     -        $EXT_VPN
DNAT    ext       dmz:$DMZ_VPN  icmp  -     -        $EXT_VPN

$EXT_VPN=A.B.C.105  (defined in /etc/shorewall/params)

# shorewall version
3.2.3

now, if I run (on the firewall):

# tcpdump tcp port 1723 or proto 47

I see this:

15:34:42.599363 A.B.C.105.1723 > 200.51.45.27.3204: . ack 349 win 5840 (DF)
15:34:45.229530 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:1 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876, PFC, ACFC (DF)
                ^^^^^^^^^
                    \ -> this is wrong! It should be A.B.C.105
15:34:48.239518 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:2 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876, PFC, ACFC (DF)
...
[snip; it tries 10 times]
...
15:35:12.331008 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349 win 5840 (DF)
15:35:13.489379 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349 win 5840 (DF)
15:35:13.925613 200.51.45.27.3204 > A.B.C.5.1723: F 349:349(0) ack 190 win 64672 (DF)
15:35:13.925658 A.B.C.5.1723 > 200.51.45.27.3204: . ack 350 win 5840 (DF)


As you can see, TCP port 1723 is correctly SNAT'ed with A.B.C.105,
BUT protocol 47 (GRE) is NOT!

I also tried with:
# cat /etc/shorewall/masq
###############################################################################
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0                    eth1            $EXT_SALIDA
eth0                    eth3            $EXT_SALIDA
eth0                    eth1            $EXT_VPN        47

but the problem remains:
protocol 47 is not being SNAT'ed with the correct external IP.

Any ideas?


Regards,
--
Lic. Sergio A. Kessler
IT Department
INCUCAI Tel. 4788-8300 (118)

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
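
Added example (not from the original post and not Shorewall's own code): a small POSIX sh/awk check that applies Shorewall's first-match handling to the masq entries shown in the post. Shorewall turns /etc/shorewall/masq into POSTROUTING rules in file order, and the first entry that matches a packet decides its SNAT address, so a protocol-specific entry placed after a catch-all for the same INTERFACE/SUBNET can never fire. The entries below are constructed from the post with the params expanded; that $EXT_SALIDA expands to A.B.C.100 (the source address seen on the outgoing GRE packets) and that $EXT_VPN is A.B.C.105 are my assumptions, as is the reordered file. Comparing SUBNET by the bare interface name rather than by resolved addresses is a simplification of what Shorewall does.

```shell
#!/bin/sh
# Added example, not code from the original post or from Shorewall.
# Simulates how Shorewall consumes /etc/shorewall/masq: entries are
# evaluated top to bottom and the FIRST entry that matches decides the
# SNAT address. Columns used: INTERFACE SUBNET ADDRESS [PROTO].
#
# Assumptions (not stated in the post): $EXT_SALIDA expands to A.B.C.100,
# the address seen on the outgoing GRE packets; $EXT_VPN is A.B.C.105.

# Constructed from the masq file in the post, params expanded.
MASQ_AS_POSTED='#INTERFACE SUBNET ADDRESS   PROTO
eth0 eth1 A.B.C.100
eth0 eth3 A.B.C.100
eth0 eth1 A.B.C.105 47'

# Same entries, with the protocol-specific line moved ABOVE the catch-all
# for eth0/eth1 (the reordering is my suggestion, not from the post).
MASQ_FIXED='#INTERFACE SUBNET ADDRESS   PROTO
eth0 eth1 A.B.C.105 47
eth0 eth1 A.B.C.100
eth0 eth3 A.B.C.100'

# first_match MASQ_TEXT IFACE SUBNET PROTO
# Prints the ADDRESS of the first entry matching traffic leaving IFACE from
# SUBNET with protocol PROTO (e.g. 47 or tcp), or NONE if nothing matches.
first_match() {
    printf '%s\n' "$1" | awk -v iface="$2" -v src="$3" -v proto="$4" '
        /^[[:space:]]*#/ { next }      # comment line
        NF == 0          { next }      # blank line
        $1 == iface && $2 == src && ($4 == "" || $4 == "-" || $4 == proto) {
            print $3                   # first match wins, stop here
            found = 1
            exit
        }
        END { if (!found) print "NONE" }
    '
}

# shadowed_entries MASQ_TEXT
# Lists protocol-specific entries that can never match because an earlier
# entry for the same INTERFACE/SUBNET carries no PROTO restriction.
shadowed_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            key = $1 " " $2
            if ($4 == "" || $4 == "-")
                catchall[key] = NR
            else if (key in catchall)
                printf "line %d (%s) is shadowed by line %d\n", NR, $0, catchall[key]
        }
    '
}

printf 'As posted:  GRE from eth1 leaves as %s, TCP from eth1 leaves as %s\n' \
    "$(first_match "$MASQ_AS_POSTED" eth0 eth1 47)" \
    "$(first_match "$MASQ_AS_POSTED" eth0 eth1 tcp)"
shadowed_entries "$MASQ_AS_POSTED"
printf 'Reordered:  GRE from eth1 leaves as %s, TCP from eth1 leaves as %s\n' \
    "$(first_match "$MASQ_FIXED" eth0 eth1 47)" \
    "$(first_match "$MASQ_FIXED" eth0 eth1 tcp)"
```

With the file as posted, the check reports that the `eth0 eth1 $EXT_VPN 47` entry is shadowed by the `eth0 eth1 $EXT_SALIDA` entry two lines above it, so GRE from the DMZ leaves with A.B.C.100 exactly as the tcpdump output shows; with the protocol-47 entry moved above the catch-all, GRE leaves with A.B.C.105 while ordinary TCP from eth1 still leaves with A.B.C.100.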