On 08/01/2012 04:07 AM, Bas van Schaik wrote:
> On 31/07/12 10:56, Bas van Schaik wrote:
>> On 31/07/12 02:28, Tom Eastep wrote:
>>> Have you tried specifying 'none' in the COPY column as described in
>>> the shorewall-providers manpage?
>> Genius! I had to put 'main' back into the DUPLICATE column, and then
>> added 'none' to the COPY column. (..)
>
> I noticed another minor issue: the server (eth0:129.67.194.105,
> tun0:192.168.103.6) can't communicate with itself via the vps-gateway
> (eth0:37.34.58.203). Assume www.mydomain.org resolves to the vps-gateway
> at 37.34.58.203, which is actually served by Apache on the server. Now,
> things go wrong when:
>
>   1) 129.67.194.105 => www.mydomain.org (37.34.58.203)
>   2) vps-gateway DNATs 37.34.58.203 to 192.168.103.6, resulting in:
>   3) 129.67.194.105 => 192.168.103.6 (via tun0)
>   4) server complains about martian on tun0:
>       [72347.809855] martian source 192.168.103.6 from 129.67.194.105, on
> dev tun0
>
>
> The packet does qualify as a martian - after all, 129.67.194.105 would
> usually be routed over eth0. However, in this setup, a "martian" is not
> a bad thing: packets are allowed to travel via Mars (the vps-gateway),
> and replies should be routed back via Mars. ROUTE_FILTER is still "No" -
> see attached shorewall dump.
>
> I'm guessing it's related to the routing rule with priority 0:
>> Routing Rules
>>
>> 0:      from all lookup local
>> 10000:  from all fwmark 0x1/0xff lookup prov_main
>> 10001:  from all fwmark 0x2/0xff lookup prov_vpn
>> 20000:  from 129.67.194.105 lookup prov_main
>> (...)
>
> Which contains:
>> Table local:
>>
>> local 192.168.103.6 dev tun0 proto kernel scope host src 192.168.103.6
>> local 129.67.194.105 dev eth0 proto kernel scope host src 129.67.194.105
>> (...)
>
> Any clues?

Why don't you simply turn off routefilter on tun0?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
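The martian described in the thread, as an added toy model (not code from the thread or from Shorewall): a reverse-path lookup over the quoted routing rules showing why the server's own eth0 address arriving on tun0 fails strict rp_filter, and that it passes once rp_filter on that interface is off or loose. Table contents beyond the dump excerpt, the fwmark handling and the trailing main rule are assumptions; the kernel's separate accept_local check for a source address the host itself owns is not modelled.

```python
import ipaddress
# Rules (priority, selector, table) as the dump lists them; None matches all.
# The 'main' rule is a constructed stand-in for the dump's elided "(...)".
RULES = [
    (0, None, "local"),
    (10000, ("fwmark", 0x1), "prov_main"),
    (10001, ("fwmark", 0x2), "prov_vpn"),
    (20000, ("from", "129.67.194.105"), "prov_main"),
    (32766, None, "main"),
]
# Prefix -> output device; 'local' follows the dump, the rest are constructed.
TABLES = {
    "local": {"192.168.103.6/32": "tun0", "129.67.194.105/32": "eth0"},
    "prov_main": {"0.0.0.0/0": "eth0"},
    "prov_vpn": {"0.0.0.0/0": "tun0"},
    "main": {"0.0.0.0/0": "eth0"},
}

def lookup(table, addr):
    """Longest-prefix match in one table; None if it holds no route."""
    best = None
    for prefix, dev in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def reverse_path_dev(src, fwmark=0):
    """Device the host would use to reach src: the reverse-path lookup
    the kernel performs when validating an incoming packet's source."""
    addr = ipaddress.ip_address(src)
    for _prio, sel, table in sorted(RULES):
        if sel and sel[0] == "from" and addr != ipaddress.ip_address(sel[1]):
            continue
        if sel and sel[0] == "fwmark" and fwmark != sel[1]:
            continue
        dev = lookup(table, addr)
        if dev:  # a rule whose table has no match falls through to the next
            return dev
    return None

def rpf_accepts(in_dev, src, rp_filter_all=0, rp_filter_dev=0):
    """0 = off, 1 = strict (reverse path must be in_dev), 2 = loose (any path).
    Linux uses max(conf.all, conf.<dev>), so a stricter 'all' overrides tun0."""
    mode = max(rp_filter_all, rp_filter_dev)
    if mode == 0:
        return True
    dev = reverse_path_dev(src)
    return dev == in_dev if mode == 1 else dev is not None
```

With the hairpinned packet (source 129.67.194.105 arriving on tun0) the reverse path resolves to eth0 via the priority-0 local table, so strict filtering rejects it while rp_filter 0 or 2 on tun0 lets it through.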



_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
