John Lewis wrote:
> Hi Dale,
>
> Thanks for your reply!
>
> Quote "Is the 10.9.0.0 network part of the local network on your vpn box? if
> so then your entry would look like this:"
>
> No it isn't, the tun0 device which 10.9.0.0 is part of has its own
> interface and zone. I also have a policy to allow all traffic to and from
> that interface, see below:-
>
> loc eth1
> net ppp0
> vpn tun0 - routeback
>
> fw firewall
> loc ipv4
> net ipv4
> vpn ipv4
>
> loc $FW ACCEPT
> $FW loc ACCEPT
> all vpn ACCEPT
> vpn all ACCEPT
> all all REJECT info
>
> If I tell Openvpn to be the default route via a CCD then it works, so
> it must be some kind of routing issue.
>
> Obviously I don't want everything going through the VPN so is there a
> way around this?
>
> Quoting Dale Hartung <[EMAIL PROTECTED]>:
>
>> Hi,
>>
>>> Firstly I would like to say thank you to everyone who has had a
>>> hand in producing and maintaining Shorewall. I have been using it for
>>> 4 years and it does a great job of hiding the internals of iptables
>>> and therefore simplifying firewall setup for me.
>>>
>>> Now down to the nitty gritty.
>>>
>>> Basically what I want to do is forward an external connection to a VPN client.
>>>
>>> Both the firewall and VPN server are on the same machine.
>>>
>>> Naively I just tried to do a straight DNAT in /etc/shorewall/rules:-
>>>
>>> DNAT:info net vpn:10.9.0.6 tcp 5500 -
>>>
>>> Activity to this port is getting logged but isn't getting to the IP in
>>> question:-
>>>
>>> Sep 11 12:15:27 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT=
>>> MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00
>>> TTL=124 ID=10287 DF PROTO=TCP SPT=40832 DPT=5500 WINDOW=65535 RES=0x00
>>> SYN URGP=0
>>> Sep 11 12:18:02 localhost kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT=
>>> MAC= SRC=86.43.91.112 DST=83.70.178.21 LEN=48 TOS=0x00 PREC=0x00
>>> TTL=124 ID=15726 DF PROTO=TCP SPT=40847 DPT=5500 WINDOW=65535 RES=0x00
>>> SYN URGP=0
>>>
>>> If I telnet to 10.9.0.6 on port 5500 from the server i.e. internally I
>>> get a response:-
>>>
>>> Trying 10.9.0.6...
>>> Connected to 10.9.0.6.
>>> Escape character is '^]'.
>>>
>>> I'm sure this setup will look a little strange but I will explain why
>>> I am doing things this way. In a nutshell my ISP doesn't give me an
>>> external address or port forwarding (HSDPA network). To get around
>>> that I am using a VPN to a remote site that does have a public address
>>> and want to be able to forward relevant traffic to my VPN client.
>>>
>>> Can anyone help?
>>>
>>> Thanks hopefully in advance.
>>>
>>> John.
>>>
>> Is the 10.9.0.0 network part of the local network on your vpn box? if
>> so then your entry would look like this:
>>
>> DNAT net local:10.9.0.6 tcp 5500
>>
>> this is because your vpn box makes your vpn client part of the local
>> network. Also make sure your vpn client receives a static address.
>> I have this same setup for a vpn client when a vnc client connects to me
>> while i am on the road
>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Microsoft
>>> Defy all challenges. Microsoft(R) Visual Studio 2005.
>>> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>
>
> John
What kernel, shorewall version are you using and do you have policy match available?

# shorewall show capabilities

I am a strongswan user so I'm not familiar with openvpn, but you should be able to configure default routes in the config file somehow. Tom mentioned looking at the policy routing on the remote system, that'll affect your problems too

Dale
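Added example, not from the thread and not Shorewall or OpenVPN code: a small Python model of the routing decision on the VPN client that reproduces what John saw (the DNAT only works once the tunnel is the client's default route) and the source-based policy routing Dale alludes to, under which only replies sent from 10.9.0.6 return through tun0 while the client's other traffic keeps its normal default. The peer 86.43.91.112 is from the logged SYNs; the routing tables, rule lists and the client's HSDPA address 10.20.30.40 are constructed assumptions.

```python
# Added example, not from the thread: a model of the Linux routing decision on
# the VPN client (10.9.0.6). The peer 86.43.91.112 is from the thread's log;
# the routing tables and the client's HSDPA address 10.20.30.40 are
# constructed assumptions.
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over [(prefix, device)]; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress(rules, tables, src, dst):
    """Policy routing as `ip rule` does it: the first 'from' rule matching src
    selects a table; if dst is unroutable there, fall through to the next rule."""
    src = ipaddress.ip_address(src)
    for from_prefix, name in rules:
        if src in ipaddress.ip_network(from_prefix):
            dev = lookup(tables[name], dst)
            if dev is not None:
                return dev
    return None

# Client-side setups. Replies to the DNAT'd connection carry source 10.9.0.6
# and must leave via tun0 so the firewall holding the NAT state sees them;
# a reply leaving via ppp0 never reaches it and the TCP handshake fails.
DEFAULT_RULES = [("0.0.0.0/0", "main")]                          # from all lookup main
SOURCE_RULES = [("10.9.0.6/32", "vpn"), ("0.0.0.0/0", "main")]   # from 10.9.0.6 lookup vpn
MAIN_ONLY = {"main": [("10.9.0.0/24", "tun0"), ("0.0.0.0/0", "ppp0")]}
VPN_DEFAULT = {"main": [("10.9.0.0/24", "tun0"), ("0.0.0.0/0", "tun0")]}  # CCD default
SOURCE_ROUTED = {"main": MAIN_ONLY["main"], "vpn": [("0.0.0.0/0", "tun0")]}

def dnat_reply_device(rules, tables):
    """Interface used by the forwarded service's reply (source 10.9.0.6)."""
    return egress(rules, tables, "10.9.0.6", "86.43.91.112")

def client_own_traffic_device(rules, tables):
    """Interface used by the client's own outbound traffic (HSDPA source)."""
    return egress(rules, tables, "10.20.30.40", "86.43.91.112")
```

On a real client the SOURCE_RULES/SOURCE_ROUTED setup corresponds to `ip rule add from 10.9.0.6 table 100` plus `ip route add default dev tun0 table 100`; compare dnat_reply_device() and client_own_traffic_device() for the three setups to see which one keeps replies symmetric without sending everything through the VPN.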
