On 8/25/10 3:53 PM, Brad Clarke wrote:
> I'm trying to make connections from over an ipsec vpn to some local
> machines in a zone other than loc and they're getting dropped by
> vpn2net. In this example I'm trying an ssh connection from 10.88.2.1
> (vpn zone) to 10.99.5.5 (iscsi zone) but it's getting dropped in
> vpn2net instead of vpn2iscsi:
> 
> Aug 25 17:39:08 it-router kernel: [406408.700612]
> Shorewall:vpn2net:REJECT:IN=eth3 OUT=eth3 SRC=10.88.2.1 DST=10.99.5.5
> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20099 DF PROTO=TCP SPT=49662
> DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Your firewall is doing exactly what you have configured it to do.

- eth3 is a provider interface for traveller_wireless
- vlan5 is apparently not listed in the COPY column for that interface
- If you route 10.88.2.1 from eth3, it uses this routing table:

        207.111.162.62 dev eth3  scope link  src 207.111.162.1
        207.111.162.0/26 dev eth3  proto kernel  scope link  src 207.111.162.1
        10.99.4.0/24 dev vlan4  proto kernel  scope link  src 10.99.4.1
        10.99.3.0/24 dev vlan3  proto kernel  scope link  src 10.99.3.1
        192.168.10.0/24 via 10.99.4.254 dev vlan4
        10.88.0.0/16 via 207.111.162.62 dev eth3  src 10.99.4.1
        -------------------------------------------------------
        10.77.0.0/16 via 207.111.162.62 dev eth3  src 10.99.4.1
        default via 207.111.162.62 dev eth3  src 207.111.162.1

   Clearly, 10.88.2.1 is routed out of eth3, not vlan5

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

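To make the route decision in the reply above concrete, here is an added example (not code from the thread or from Shorewall) that loads the eth3 provider table exactly as posted and performs a kernel-style longest-prefix-match lookup on the dropped packet's destination 10.99.5.5. With the table as posted, the only match is the default route, so the packet leaves on eth3 and lands in vpn2net. The second lookup adds an assumed `10.99.5.0/24 dev vlan5` route (the subnet and mask are an assumption modelled on the vlan3/vlan4 entries; the page never shows vlan5's route), which is the sort of entry Shorewall copies into a provider table when the interface is listed in the COPY column, and the same destination then resolves to vlan5.

```python
"""Longest-prefix-match route lookup over an `ip route` style table.

Added example, not part of the original mailing-list thread or of Shorewall.
It reproduces the eth3 provider routing table from the reply and shows which
interface a packet to 10.99.5.5 leaves on, first with the table as posted and
then with an assumed vlan5 route added (what a COPY entry for vlan5 would do).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next hop, or None for a directly connected (scope link) route


# The eth3 provider table as posted in the reply (reconstructed input).
ETH3_TABLE = """\
207.111.162.62 dev eth3  scope link  src 207.111.162.1
207.111.162.0/26 dev eth3  proto kernel  scope link  src 207.111.162.1
10.99.4.0/24 dev vlan4  proto kernel  scope link  src 10.99.4.1
10.99.3.0/24 dev vlan3  proto kernel  scope link  src 10.99.3.1
192.168.10.0/24 via 10.99.4.254 dev vlan4
10.88.0.0/16 via 207.111.162.62 dev eth3  src 10.99.4.1
10.77.0.0/16 via 207.111.162.62 dev eth3  src 10.99.4.1
default via 207.111.162.62 dev eth3  src 207.111.162.1
"""

# ASSUMPTION: the iscsi zone's subnet on vlan5, following the vlan3/vlan4 pattern.
# The page does not show this route; it is what COPY=vlan5 would put in the table.
VLAN5_ROUTE = "10.99.5.0/24 dev vlan5  proto kernel  scope link  src 10.99.5.1"


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` style lines into Route objects.

    'default' becomes 0.0.0.0/0; a bare host address becomes a /32.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Interface the packet leaves on, which is what decides the Shorewall zone."""
    route = lookup(routes, dst)
    return route.dev if route else None


if __name__ == "__main__":
    table = parse_routes(ETH3_TABLE)
    # As posted: no vlan5 route, so 10.99.5.5 falls through to the default via eth3.
    print("as posted:        ", lookup(table, "10.99.5.5"))
    # With the vlan5 route copied in, the /24 beats the /0 and the packet goes to vlan5.
    print("with vlan5 copied:", lookup(table + parse_routes(VLAN5_ROUTE), "10.99.5.5"))
```

The lookup is deliberately the plain destination-only rule the kernel applies once a table has been selected; the provider machinery that chooses the eth3 table for traffic arriving on eth3 is outside this snippet, which only shows why, once in that table, 10.99.5.5 cannot reach vlan5 without a copied route.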

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
