Dear Shorewall Users :-)

I've been playing with shorewall for some time now - I found it a really interesting and easy tool to organise all the rules and so on (before that I was using simple iptables rules in a shell script ;-)
Generally it's quite easy to use, but anyway I found one problem which I cannot handle myself - or in other words - cannot find an appropriate way :-)

I've set up a VPN (IPsec on 2.6 and racoon) on a Linux machine with iptables - generally VPN traffic lan<->vpn works fine. But I would like to make this box a VPN hub and I would like to allow vpn<->vpn traffic. I've spent a lot of time making IPsec work and finally I've reached the situation where IPsec without shorewall is passing packets from one VPN to another VPN. But once shorewall gets started, VPN<->VPN packets are dropped by the wan2all rule, for example:

    Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86

And my question is: how should I configure shorewall correctly to allow this traffic to be passed? I know I can set up a rule to allow wan to all traffic, but I feel this is not a good solution :-) I would like to set it up properly - that's the reason for my question to you professionals.

And here is a piece of my VPN shorewall configuration:

zones:

    #ZONE   TYPE       OPTIONS    IN            OUT
    #                             OPTIONS       OPTIONS
    fw      firewall
    wan     ipv4
    lan1    ipv4
    publ    ipv4
    lan2    ipv4
    dmz     ipv4
    vpn     ipv4

tunnels:

    #TYPE   ZONE    GATEWAY            GATEWAY
    ipsec   wan     195.205.11.34
    ipsec   wan     195.205.142.34
    ipsec   wan     84.40.238.125

policy:

    # Policies for traffic between VPN's
    lan1    vpn     ACCEPT
    vpn     lan1    ACCEPT
    vpn     vpn     ACCEPT

hosts:

    #ZONE   HOST(S)                               OPTIONS
    vpn     eth0:192.168.6.0/24,195.205.11.34     ipsec
    vpn     eth0:10.1.0.0/24,195.205.142.34       ipsec
    vpn     eth0:192.168.10.0/24,84.40.238.125    ipsec

I'm sure someone will be able to help me :-)

Thank you and best regards,
Lukasz Spaleniak

-- 
Lukasz Spaleniak
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
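A small diagnostic, added here as an example and not part of the original post or of Shorewall itself: it parses Shorewall log lines like the one quoted above and flags DROPs whose source and destination both fall in the vpn subnets from the poster's hosts file but were logged by a chain other than vpn2*, which is exactly the symptom of decrypted VPN traffic being classified into the wan zone. The subnets are taken from the hosts file; the second and third sample lines are constructed.

```python
import ipaddress
import re

# The vpn zone's networks, copied from the hosts file in the post.
VPN_SUBNETS = [ipaddress.ip_network(n)
               for n in ("192.168.6.0/24", "10.1.0.0/24", "192.168.10.0/24")]

# Sample log: line 1 is the one quoted in the post; lines 2-3 are constructed.
SAMPLE_LOG = """\
Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86
Shorewall:wan2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=195.205.11.34 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=4444 DPT=22
Shorewall:vpn2vpn:ACCEPT:IN=eth0 OUT=eth0 SRC=192.168.10.5 DST=192.168.6.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=ICMP TYPE=8 CODE=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's key=value fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict of chain, action and the key=value fields, or None."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        key, _, value = tok.partition("=")
        # LEN appears twice (IP header, then UDP header); keep the first.
        rec.setdefault(key, value)
    return rec


def zone_of(addr):
    """Classify an address as 'vpn' if it is inside one of the vpn subnets."""
    ip = ipaddress.ip_address(addr)
    return "vpn" if any(ip in net for net in VPN_SUBNETS) else "other"


def find_misclassified(log_text):
    """DROPs between two vpn subnets that did not come from a vpn2* chain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        if zone_of(rec["SRC"]) == zone_of(rec["DST"]) == "vpn" \
                and not rec["chain"].startswith("vpn2"):
            hits.append((rec["chain"], rec["SRC"], rec["DST"],
                         rec.get("PROTO"), rec.get("DPT")))
    return hits
```

Run against the real /var/log/messages, a non-empty result from find_misclassified means the packets reached the firewall decrypted but were not matched into the vpn zone, so the zone/hosts definition rather than the policy is what needs attention.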