Hi Dale, Thanks for your reply!
Quote "Is the 10.9.0.0 network part of the local network on your vpn box? if so then your entry would look like this:"

No it isn't, the tun0 device which 10.9.0.0 is part of has its own interface and zone. I also have a policy to allow all traffic to and from that interface, see below:-

loc     eth1
net     ppp0
vpn     tun0    -    routeback

fw      firewall
loc     ipv4
net     ipv4
vpn     ipv4

loc     $FW     ACCEPT
$FW     loc     ACCEPT
all     vpn     ACCEPT
vpn     all     ACCEPT
all     all     REJECT    info

If I tell Openvpn to be the default route via a CCD then it works, so it must be some kind of routing issue. Obviously I don't want everything going through the VPN, so is there a way around this?

Quoting Dale Hartung <[EMAIL PROTECTED]>:

> Hi,
>> Firstly I would like to say thank you to everyone who has had a
>> hand in producing and maintaining Shorewall. I have been using it for
>> 4 years and it does a great job of hiding the internals of iptables
>> and therefore simplifying firewall setup for me.
>>
>> Now down to the nitty gritty.
>>
>> Basically what I want to do is forward an external connection to a VPN client.
>>
>> Both the firewall and VPN server are on the same machine.
>>
>> Naively I just tried to do a straight DNAT in /etc/shorewall/rules:-
>>
>> DNAT:info net vpn:10.9.0.6 tcp 5500 -
>>
>> Activity to this port is getting logged but isn't getting to the IP in
>> question:-
>>
>> Sep 11 12:15:27 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT=
>> MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00
>> TTL=124 ID=10287 DF PROTO=TCP SPT=40832 DPT=5500 WINDOW=65535 RES=0x00
>> SYN URGP=0
>> Sep 11 12:18:02 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT=
>> MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00
>> TTL=124 ID=15726 DF PROTO=TCP SPT=40847 DPT=5500 WINDOW=65535 RES=0x00
>> SYN URGP=0
>>
>> If I telnet to 10.9.0.6 on port 5500 from the server, i.e. internally, I
>> get a response:-
>>
>> Trying 10.9.0.6...
>> Connected to 10.9.0.6.
>> Escape character is '^]'.
>>
>> I'm sure this setup will look a little strange but I will explain why
>> I am doing things this way. In a nutshell my ISP doesn't give me an
>> external address or port forwarding (HSDPA network). To get around
>> that I am using a VPN to a remote site that does have a public address
>> and want to be able to forward relevant traffic to my VPN client.
>>
>> Can anyone help?
>>
>> Thanks hopefully in advance.
>>
>> John.
>>
> Is the 10.9.0.0 network part of the local network on your vpn box? if
> so then your entry would look like this:
>
> DNAT net local:10.9.0.6 tcp 5500
>
> this is because your vpn box makes your vpn client part of the local
> network. Also make sure your vpn client receives a static address.
> I have this same setup for a vpn client when a vnc client connects to me
> while i am on the road.
>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Microsoft
>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
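The kernel log entries John quotes are ordinary netfilter LOG output with a Shorewall prefix. The following is an added example (not code from this thread or from Shorewall) that parses such lines and reports what they do and do not prove; the sample input is the two entries quoted above, joined onto single lines. The empty OUT= field is the normal sign that the packet was logged before the routing decision (nat PREROUTING), so these entries confirm arrival on ppp0, not delivery over tun0.

```python
import re
from collections import defaultdict

# Constructed sample: the two DNAT entries quoted in the thread, one per line.
SAMPLE_LOG = """\
Sep 11 12:15:27 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=10287 DF PROTO=TCP SPT=40832 DPT=5500 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 11 12:18:02 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=15726 DF PROTO=TCP SPT=40847 DPT=5500 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix is Shorewall:<chain>:<disposition>: followed by netfilter fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return chain, disposition and netfilter fields of one log line, or None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": set()}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value          # may be empty: OUT= and MAC= are empty in PREROUTING
        else:
            rec["flags"].add(token)   # bare tokens such as DF, SYN, ACK
    return rec


def logged_before_routing(rec):
    """True when no output interface was known yet, i.e. the rule fired in nat PREROUTING."""
    return rec.get("OUT") == ""


def summarize(log_text):
    """Count TCP connection attempts (SYNs) per (client, public address, port)."""
    syns = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        syns[(rec["SRC"], rec["DST"], rec["DPT"])] += 1
    return dict(syns)


if __name__ == "__main__":
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print("logged before routing decision:", logged_before_routing(first))
    for (src, dst, dport), count in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}: {count} SYN(s) reached DNAT, none answered")
```

Seeing only SYNs at the DNAT rule, and nothing for the forwarded packet or its reply, is consistent with John's own reading that the return path from 10.9.0.6 is the problem rather than the rule itself.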
