On 06/28/2012 08:34 PM, Michael Johannes wrote:

> My Setup:
>
> Server (Linux - Shorewall, OpenVPN) External IP: 216.223.xxx.12
> (eth0) OpenVPN Server: 172.20.15.1 (tun0)
>
> Client (Linux - Shorewall, OpenVPN)
>
> External IP: 152.222.xxx.91 (eth0) OpenVPN (client IP): 172.20.15.6
> (tun1) Local IP (firewall internal interface):10.1.1.1 (eth1)

> What doesn't work: - packets seem to be dropped to a server on the
> client subnet (server IP: 10.1.1.99) when I use a DNAT rule to port
> forward TCP port 80 traffic.
>
> I should be clear that when I implement the following DNAT rule
> packets reach the destination (10.1.1.99) - I can see them using the
> debug or info LOG directives in shorewall. I suppose it sort of 'half
> works'. However, when I run netstat -na on that server, I see
> multiple SYN_RECV entries and none which are ESTABLISHED. Eventually
> the connection fails/times out (I am testing externally as I'm clear
> that this cannot be tested on an internal system):
>
> On the Server: (rule)
>
> DNAT    net      vpn:10.1.1.99   tcp 80   -     216.223.xxx.12
>
> To dig a bit deeper I ran TCPDUMP on 10.1.1.99 and opened the results
> in Wireshark to see what was happening. It appears that packets reach
> the server, but are either dropped (without a SYN-ACK) or are going
> out the gateway of the client (152.222.xxx.91) instead of traversing
> the vpn tunnel back to the server and out that gateway. I'm not sure
> of that last sentence, but I think the latter of the two is correct.

Yes -- that's exactly what is happening.

> I hope I've given enough information - it's the first time I've asked
> a question; I also hope the format in which I've asked is sufficient.

The cheap way to fix this is to SNAT traffic out of tun0 on the server, 
but that approach has the drawback that all connections forwarded via 
the DNAT rule appear to come from the 172.20.15.0 subnet.

A more complete solution is to use a Multi-ISP setup on the client where 
eth0 is a 'balance' provider and tun0 is an optional 'fallback' provider.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
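The two fixes Tom describes, written out as Shorewall configuration fragments. This is an added illustration, not configuration from the thread; it uses the addresses from Michael's setup (the client's tunnel interface is tun1 there), and the ISP gateway 152.222.xxx.1 and the tunnel peer 172.20.15.1 as the GATEWAY values are assumptions that need to be replaced with the real next hops.

```text
# --- Option 1, the "cheap" fix, on the SERVER: SNAT forwarded traffic as it
# leaves tun0 towards the web server.  /etc/shorewall/masq
# INTERFACE            SOURCE        ADDRESS
tun0:10.1.1.99         0.0.0.0/0     172.20.15.1
# Effect: 10.1.1.99 sees every forwarded connection coming from 172.20.15.1,
# so its SYN-ACKs go back through the tunnel.  Drawback, as noted above: the
# web server's logs no longer show the real client address.

# --- Option 2, the complete fix, on the CLIENT: Multi-ISP with the tunnel as
# a fallback provider.  /etc/shorewall/providers
# Gateway addresses below are assumed placeholders (constructed example).
# NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS                  COPY
isp     1       1     main       eth0       152.222.xxx.1   track,balance            eth1
vpn     2       2     main       tun1       172.20.15.1     track,fallback,optional  eth1
# 'track' marks each connection with the provider its first packet arrived on,
# so replies to SYNs that came in over tun1 are routed back out tun1 instead
# of following the main table's default route out eth0 (the asymmetric path
# seen in the tcpdump).  'fallback' keeps tun1 out of normal outbound
# balancing; 'optional' lets Shorewall start while the tunnel is down.
# COPY=eth1 copies the internal LAN route into both provider tables.

# /etc/shorewall/interfaces on the CLIENT: an 'optional' provider interface
# must also be marked optional here.
# ZONE  INTERFACE  BROADCAST  OPTIONS
vpn     tun1       -          optional
```

After `shorewall restart`, `ip route show table vpn` should list the tunnel default route, and a new connection to the forwarded port should reach ESTABLISHED in `netstat -na` on 10.1.1.99 rather than staying in SYN_RECV.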

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
