At our main office, I have a single machine that provides routing and
firewalling. We will call that machine HUB. There are two branch offices that
connect to HUB via IPsec tunnels to access the private network to which HUB is
connected. We will call those branch offices BRANCH A and BRANCH B.
BRANCH A | <- Internet / ipsec -> | HUB | <- Internet / ipsec -> | BRANCH B
I want BRANCH A's subnet to be able to access network resources on BRANCH B's
subnet and vice versa through the HUB router. I've added all the necessary
entries to "zones", "hosts", "interfaces", and "policy". BRANCH A can access
HUB's subnet no problem, and BRANCH B can access HUB's subnet no problem, but
packets were being DROPPED from BRANCH A to BRANCH B, which were clearly
visible from Shorewall and syslog (Shorewall:FORWARD:DROP).
/etc/shorewall/policy had entries to ACCEPT traffic between BRANCH A and BRANCH
B.
I solved the problem by manually adding an iptables rule (eth0 is the
public/ipsec interface):
iptables -I FORWARD -i eth0 -o eth0 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
In order to get this to work with Shorewall, I added that 'iptables' line to
/etc/shorewall/start. Is there a better way to add an iptables policy rule to
Shorewall's config files to allow packets from two IPsec routable subnets to
pass?
Mike Rosile
International I.T. Director
Interzone Entertainment
Tel: +1 (417) 887-8118 x 1006
Fax: +1 (417) 887-7577
URL: http://interzonegames.com
E-mail: [EMAIL PROTECTED]
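As an added example (not the poster's script or Shorewall's own code), this is what a /etc/shorewall/start fragment for the rule above could look like when narrowed to the two branch subnets, so that decrypted tunnel traffic is only forwarded between BRANCH A and BRANCH B rather than to anything else reachable out eth0. The subnets are constructed placeholders, and the duplicate check assumes iptables-save prints matches in its usual order (-s, -d, -i, -o, then -m policy).

```sh
#!/bin/sh
# Example /etc/shorewall/start fragment: accept forwarding between two IPsec
# tunnel subnets that both terminate on eth0.  Addresses are constructed
# placeholders, not the real branch networks.
IPSEC_IF=eth0
BRANCH_A=10.10.1.0/24   # constructed placeholder
BRANCH_B=10.10.2.0/24   # constructed placeholder

# Constructed sample of `iptables-save` output, used for the self-check.
SAMPLE_SAVE='-A FORWARD -s 10.10.1.0/24 -d 10.10.2.0/24 -i eth0 -o eth0 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -j DROP'

# Print the rule body (everything after the chain name) for SRC -> DST.
# Limiting -s/-d keeps the rule from forwarding tunnel traffic to arbitrary
# destinations, which a bare "-i eth0 -o eth0" match would allow.
ipsec_fwd_rule() {
    printf '%s\n' "-s $1 -d $2 -i $IPSEC_IF -o $IPSEC_IF -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT"
}

# Return 0 if the rule body already appears in the given iptables-save text
# (assumes iptables-save's canonical option ordering, as above).
rule_present() {
    printf '%s\n' "$1" | grep -Fqx -- "-A FORWARD $2"
}

# Insert the rule at the top of FORWARD unless it is already present, so the
# fragment can be re-run by hand without stacking duplicates.
add_rule_once() {
    rule="$(ipsec_fwd_rule "$1" "$2")"
    if rule_present "$(iptables-save 2>/dev/null)" "$rule"; then
        return 0
    fi
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    iptables -I FORWARD $rule
}

main() {
    add_rule_once "$BRANCH_A" "$BRANCH_B"
    add_rule_once "$BRANCH_B" "$BRANCH_A"
}

# Only apply rules when run as the Shorewall start script itself.
if [ "${0##*/}" = "start" ]; then main; fi
```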
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users