Hi,

We have Shorewall set up on a small corporate LAN. OpenVPN is running on the firewall. We are moving to a new provider, so we added a new interface and set up Shorewall according to the docs. Currently we just want to route all traffic to the old provider; later we will move services over to the new one.
After adding providers and updating the config, I restarted Shorewall and everything works except OpenVPN. VPN clients can connect to the router and establish a VPN tunnel, but traffic is not flowing from the VPN. I have removed routefilter from the interfaces file, but still no luck. This is a live system, so I can't do a dump until tonight, but here are the config files:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs
net     eth4        detect      tcpflags,logmartians,nosmurfs
corp    eth1        detect      tcpflags,nosmurfs
dmz     eth2        detect      tcpflags,nosmurfs
kvm     eth3        detect      tcpflags,nosmurfs
road    tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE  SOURCE              ADDRESS             PROTO   PORT(S)   IPSEC   MARK
eth0        145.155.111.129     22.147.114.147
eth4        22.147.114.147      145.155.111.129
eth0        eth1                22.147.114.147
eth0        eth2                22.147.114.147
eth0        172.16.189.0/24     22.147.114.147
eth0        172.16.191.0/24     22.147.114.147
eth4        eth1                145.155.111.129
eth4        eth2                145.155.111.129
eth4        172.16.189.0/24     145.155.111.129
eth4        172.16.191.0/24     145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
# Policies for traffic originating from the corp LAN (corp)
#
# on your firewall, change the corp to net policy to REJECT info.
net     net     DROP
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the corp to net policy to REJECT info.
corp    net     ACCEPT
corp    dmz     ACCEPT
corp    road    ACCEPT
corp    kvm     ACCEPT
corp    $FW     REJECT  info
corp    all     REJECT  info
# Policies for traffic originating from the DMZ LAN (dmz)
dmz     net     ACCEPT
dmz     $FW     REJECT  info
dmz     corp    REJECT  info
dmz     kvm     REJECT  info
dmz     all     REJECT  info
# Policies for traffic originating from the kvm
kvm     net     REJECT
kvm     $FW     REJECT  info
kvm     corp    REJECT  info
kvm     all     REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     ACCEPT
$FW     corp    REJECT  info
$FW     dmz     REJECT  info
$FW     kvm     REJECT  info
$FW     all     REJECT  info
# Policies for traffic originating from VPN
#
road    net     ACCEPT
road    corp    ACCEPT
road    dmz     ACCEPT
road    kvm     ACCEPT
road    $FW     ACCEPT
road    all     DROP    info
#
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     DROP    info
net     corp    DROP    info
net     dmz     DROP    info
net     kvm     DROP    info
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY             OPTIONS         COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
ISP1    1       1       main        eth0        145.155.111.254     track,balance   eth1,eth2,eth3,tun+
ISP2    2       2       main        eth4        22.147.114.254      track,balance   eth1,eth2,eth3,tun+

#
# Shorewall version 4 - route_rules File
#
# For information about entries in this file, type "man shorewall-route_rules"
# For additional information, see http://www.shorewall.net/MultiISP.html
#
##############################################################################
#SOURCE DEST                PROVIDER    PRIORITY
eth1    -                   ISP1        1000
eth1    -                   ISP1        1000
-       172.16.189.0/24     ISP1        1000
-       172.16.191.0/24     ISP1        1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Routestopped File
#
# For information about entries in this file, type "man shorewall-routestopped"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-routestopped.html
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional information.
#
###############################################################################
#INTERFACE  HOST(S)             OPTIONS
eth1        172.16.10.0/24
eth2        172.16.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION     SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL            RATE    USER/   MARK
#                                                   PORT    PORT(S) DEST                LIMIT   GROUP
# Accept DNS connections from the firewall to the network
DNS/ACCEPT  $FW     net
# Accept SSH connections
SSH/ACCEPT  corp    $FW
# Accept dhcp connections
ACCEPT      corp    $FW                     udp     67
ACCEPT      dmz     $FW                     udp     67
ACCEPT      kvm     $FW                     udp     67
# Allow Ping from the corp network
Ping/ACCEPT corp    $FW
# Reject Ping from "bad" net zone.. and prevent your log from being flooded..
#Ping/REJECT net    $FW
ACCEPT      $FW     corp                    icmp
ACCEPT      $FW     net                     icmp
#
DNAT        net     dmz:172.16.20.34:8080   tcp     8080    -       145.155.111.129
DNAT        net     dmz:172.16.20.34:80     tcp     80      -       145.155.111.129
DNAT        net     dmz:172.16.20.34:5222   tcp     5222    -       145.155.111.129
DNAT        net     dmz:172.16.20.34:5223   tcp     5223    -       145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

###############################################################################
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
# match your setup
#
# This program is under GPL
# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005,
# 2006,2007 - Tom Eastep ([EMAIL PROTECTED])
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
# S T A R T U P   E N A B L E D
STARTUP_ENABLED=Yes
# V E R B O S I T Y
VERBOSITY=1
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
SHOREWALL_COMPILER=
# L O G G I N G
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
# L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
# D E F A U L T   A C T I O N S / M A C R O S
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
# R S H / R C P   C O M M A N D S
RSH_COMMAND='ssh [EMAIL PROTECTED] ${command}'
RCP_COMMAND='scp ${files} [EMAIL PROTECTED]:${destination}'
# F I R E W A L L   O P T I O N S
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
# P A C K E T   D I S P O S I T I O N
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Tunnels File
#
# For information about entries in this file, type "man shorewall-tunnels"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE                   ZONE    GATEWAY     GATEWAY ZONE
openvpnserver:tcp:1194  net     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
# The manpage is also online at http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE        OPTIONS     IN OPTIONS      OUT OPTIONS
fw      firewall
net     ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

TIA
Pete

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
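A check worth running on the firewall for a setup like the one posted above, added here as an example; it is not from Pete's message and not a Shorewall tool. The route_rules file sends destinations 172.16.189.0/24 and 172.16.191.0/24 to provider ISP1, and the providers file lists tun+ in the COPY column. Shorewall copies the main-table routes for the COPY interfaces into the provider tables when it starts, so a tun interface that only exists after OpenVPN (re)starts can have its route in main but not in tables 1 and 2; with ROUTE_FILTER off that is worth confirming before the dump. The script compares the tun routes in main against each provider table (`shorewall show routing` prints the same tables). The route dumps embedded in it are constructed sample output, and the assumption that 172.16.189.0/24 is the tunnel subnet with the server at 172.16.189.1 is mine; the post never says what the OpenVPN subnet is.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall itself.
# Lists routes through tun interfaces that exist in the main table but are
# missing from a provider table. Run with --live on the firewall to read the
# real tables; without arguments it runs against constructed sample data.

# Print the destination of every route that goes through a tun interface.
tun_routes() {
    printf '%s\n' "$1" | awk '/ dev tun[0-9]+/ { print $1 }' | sort -u
}

# Print tun routes present in the main table dump ($1) but absent from the
# provider table dump ($2). Empty output means nothing is missing.
missing_tun_routes() {
    _main=$(tun_routes "$1")
    _prov=$(tun_routes "$2")
    for _r in $_main; do
        printf '%s\n' "$_prov" | grep -qxF -- "$_r" || printf '%s\n' "$_r"
    done
}

# Live check against the table NUMBERs from the providers file (ISP1=1, ISP2=2).
live_check() {
    _main=$(ip route show table main)
    for _t in 1 2; do
        _miss=$(missing_tun_routes "$_main" "$(ip route show table "$_t")")
        if [ -n "$_miss" ]; then
            printf 'table %s is missing tun routes:\n%s\n' "$_t" "$_miss"
        else
            printf 'table %s: all tun routes present\n' "$_t"
        fi
    done
}

# Constructed sample (assumption: 172.16.189.0/24 is the tunnel subnet and
# tun0 came up after "shorewall restart", so table 1 never received its route).
SAMPLE_MAIN='172.16.189.0/24 dev tun0  proto kernel  scope link  src 172.16.189.1
172.16.10.0/24 dev eth1  proto kernel  scope link  src 172.16.10.1
145.155.111.0/24 dev eth0  proto kernel  scope link  src 145.155.111.129
default
        nexthop via 145.155.111.254  dev eth0 weight 1
        nexthop via 22.147.114.254  dev eth4 weight 1'
SAMPLE_ISP1='172.16.10.0/24 dev eth1  proto kernel  scope link  src 172.16.10.1
145.155.111.0/24 dev eth0  proto kernel  scope link  src 145.155.111.129
default via 145.155.111.254 dev eth0'

if [ "$1" = "--live" ]; then
    live_check
else
    # Sample run: prints 172.16.189.0/24, the tun route table 1 lacks.
    missing_tun_routes "$SAMPLE_MAIN" "$SAMPLE_ISP1"
fi
```

If a provider table turns out to lack the tun route, the next thing to capture is `ip rule show` and a `tcpdump -ni tun0` while a VPN client tries to reach a corp host, so the dump tonight shows whether replies are leaving via eth0 instead of tun0.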
