Hi,

Tom Eastep wrote:
> On 7/9/10 1:20 PM, Markus Plessing wrote:
>> Hi,
>>
>> Tom Eastep wrote:
>>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>>> Hello,
>>>>
>>>> I'm trying to set up shorewall to allow traffic from a single
>>>> host behind the firewall to a remote network both connected
>>>> as openvpn clients to an openvpn-server on the internet.
>>> [...]
>>>
>>> If the tunnel is being established fully, then the firewall rules are
>>> not the problem; traffic sent through the tunnel is not visible to the
>>> firewall; all the firewall is aware of are the TCP 1202 packets and
>>> responses.
>> [...]
>
> Forget the Shorewall configuration; it is not relevant! Once the
> connection is made, the only thing that is relevant is the IP
> configuration and routing.
>
> a) What IP address is being assigned to the client by the VPN server?
Some extracted output from openvpn:

ifconfig_local = '10.8.2.2'
ifconfig_remote_netmask = '10.8.2.1'
route 192.168.6.0/255.255.255.0/nil/nil
/sbin/ifconfig tun0 10.8.2.2 pointopoint 10.8.2.1 mtu 1500
/sbin/route add -net 192.168.6.0 netmask 255.255.255.0 gw 10.8.2.1

> b) What does the routing table on the client look like when the VPN is
> connected?

routes of host running the vpn-client:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.2.1        *               255.255.255.255 UH    0      0        0 tun0
192.168.6.0     10.8.2.1        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     1      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

> c) What does the routing table look like at the remote client machine
> (192.168.6.1)?

routes of openvpn server:

10.11.2.2       *               255.255.255.255 UH    0      0        0 tun0
10.10.2.2       *               255.255.255.255 UH    0      0        0 tun1
81.169.183.1    *               255.255.255.255 UH    0      0        0 eth0
10.8.2.2        *               255.255.255.255 UH    0      0        0 tun2
192.168.6.0     10.10.2.2       255.255.255.0   UG    0      0        0 tun1
192.168.1.0     10.11.2.2       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     10.8.2.2        255.255.255.0   UG    0      0        0 tun2
default         81.169.183.1    0.0.0.0         UG    0      0        0 eth0

routes of the gateway of the destination network:

10.10.2.1       *               255.255.255.255 UH    0      0        0 tun0
192.168.6.0     *               255.255.255.0   U     0      0        0 br0
10.11.2.0       10.10.2.1       255.255.255.0   UG    0      0        0 tun0
92.250.155.0    *               255.255.255.0   U     0      0        0 vlan1
default         1.a2c-250-155.a 0.0.0.0         UG    0      0        0 vlan1

Some sort of horrible configuration, but as said, it worked out from within the network of the other business location (192.168.1.0).

The routes of the host with the working connection are:

10.11.2.1       *               255.255.255.255 UH    0      0        0 tun0
192.168.6.0     10.11.2.1       255.255.255.0   UG    0      0        0 tun0
10.10.2.0       10.11.2.1       255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

The router of the network which the working client resides in is a two-interface router with one ppp connection and one tunnel to connect our network.
This router is iptables secured.

>> As I've understood, the packets with destination 192.168.6.0 are sent
>> through the established tunnel, but the answers get lost?
>
> I don't have enough information yet to even guess.

Is there a chance to guess now? My brain is totally fried.

>> Is there a way to get this done with settings of shorewall or am I wrong
>> here?
>
> Again -- once the connection is made, the Shorewall configuration is not
> relevant. This isn't a Shorewall issue and cannot be solved with Shorewall.

Ok, no shorewall issue, but hopeful that someone lightens things up.

> -Tom
>

Thanks in advance.

Markus

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
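As an added illustration (not code from the thread or from the Shorewall project), the script below runs a longest-prefix lookup over the routing tables posted above and reports which interface each device would use for the forward packet and for the reply. It assumes the tables as posted; the truncated ISP gateway hostname is replaced by a placeholder, and rows that are not on the path (link-local, the server's own eth0 host route) are left out.

```python
# Added example: longest-prefix lookup over the routing tables posted in
# the thread.  "*" means directly attached; "default" is 0.0.0.0/0.
import ipaddress

# Rows copied from the `route` output above: (destination, genmask, gateway, iface)
CLIENT = [                                   # host running the vpn-client
    ("10.8.2.1",    "255.255.255.255", "*",           "tun0"),
    ("192.168.6.0", "255.255.255.0",   "10.8.2.1",    "tun0"),
    ("192.168.0.0", "255.255.255.0",   "*",           "eth0"),
    ("default",     "0.0.0.0",         "192.168.0.1", "eth0"),
]
SERVER = [                                   # openvpn server on the internet
    ("10.11.2.2",   "255.255.255.255", "*",            "tun0"),
    ("10.10.2.2",   "255.255.255.255", "*",            "tun1"),
    ("10.8.2.2",    "255.255.255.255", "*",            "tun2"),
    ("192.168.6.0", "255.255.255.0",   "10.10.2.2",    "tun1"),
    ("192.168.1.0", "255.255.255.0",   "10.11.2.2",    "tun0"),
    ("192.168.0.0", "255.255.255.0",   "10.8.2.2",     "tun2"),
    ("default",     "0.0.0.0",         "81.169.183.1", "eth0"),
]
DEST_GW = [                                  # gateway of 192.168.6.0/24
    ("10.10.2.1",    "255.255.255.255", "*",         "tun0"),
    ("192.168.6.0",  "255.255.255.0",   "*",         "br0"),
    ("10.11.2.0",    "255.255.255.0",   "10.10.2.1", "tun0"),
    ("92.250.155.0", "255.255.255.0",   "*",         "vlan1"),
    ("default",      "0.0.0.0",         "<isp-gw>",  "vlan1"),  # placeholder hostname
]

def lookup(table, dst):
    """Longest-prefix match, as the kernel does it; returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for dest, mask, gw, iface in table:
        cidr = "0.0.0.0/0" if dest == "default" else f"{dest}/{mask}"
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (gw, iface), net.prefixlen
    return best

def trace(src, dst):
    """Egress interfaces hop by hop: client -> server -> destination gateway
    for src->dst, then destination gateway -> server for the reply dst->src."""
    forward = [lookup(t, dst)[1] for t in (CLIENT, SERVER, DEST_GW)]
    reply = [lookup(t, src)[1] for t in (DEST_GW, SERVER)]
    return forward, reply

def reply_egress(src):
    """Interface the destination gateway picks for a reply toward src."""
    return lookup(DEST_GW, src)[1]

if __name__ == "__main__":
    print("failing client:", trace("192.168.0.10", "192.168.6.1"))
    print("reply toward working tunnel end 10.11.2.1 leaves via", reply_egress("10.11.2.1"))
```

Comparing the two reply lookups shows the difference between the working and the failing case on the destination gateway: a reply toward 10.11.2.x matches the 10.11.2.0/24 tunnel route, while a reply toward 192.168.0.x matches nothing but the default route and leaves on vlan1.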
