Hi Tom, thanks for your reply.
So I managed to solve the issue by adding a line to the MASQ file, as
described in FAQ 1f. It seems I cannot change the default GW of the
internal server to the firewall's VPN address, because that would not be
right. Normal traffic should leave the server via the real router, not the
firewall...
However, I think the masquerading should be fine in my case; it seems to
work fine now.
Thanks!
On 13 February 2015 at 05:28, Tom Eastep <[email protected]> wrote:
> On 2/12/2015 5:21 PM, Matthias F. Brandstetter wrote:
> > Hello, I am running Shorewall 4.5.5.3 on a Debian machine.
> >
> > I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2)
> > via OpenVPN. On the firewall the VPN interface is called |tun0|. So in
> > my shorewall configuration I have this:
> >
> > $ cat interfaces
> > #ZONE    INTERFACE   OPTIONS
> > -        lo          ignore
> > vpn      tun+        optional
> > net      eth+        dhcp,physical=+,routeback,optional
> >
> > $ cat zones
> > #ZONE    TYPE        OPTIONS     IN          OUT
> > #                                OPTIONS     OPTIONS
> > fw       firewall
> > vpn      ipv4
> > net      ip
> >
> > $ cat policy
> > #SOURCE  DEST        POLICY      LOG         LIMIT:      CONNLIMIT:
> > #                                LEVEL       BURST       MASK
> > $FW      net         ACCEPT
> > $FW      vpn         ACCEPT
> > vpn      all         ACCEPT
> > net      all         DROP        info
> >
> > Now I want to forward all traffic from the public net coming to TCP port
> > 2222 on the firewall to the internal server port 22. So I have added the
> > following two lines:
> >
> > $ cat rules
> > #ACTION     SOURCE   DEST               PROTO   DEST PORT(S)
> > ACCEPT      net      $FW                tcp     2222
> > DNAT:info   net      vpn:10.8.0.2:22    tcp     2222
>
> The first rule is unnecessary.
>
> >
> > In my |shorewall.conf| file I have this line:
> >
> > IP_FORWARDING=On
> >
> > However, this does not seem to work.
> > In the log file I can see these lines:
> >
> > Feb 13 01:59:44 helios kernel: [2390648.826670]
> > Shorewall:net_dnat:DNAT:IN=eth0 OUT=
> > MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP>
> > DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP
> > SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
> >
> > What am I missing here?
>
> Have you followed the troubleshooting procedure outlined in Shorewall
> FAQs 1a and 1b?
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
--
Matthias F. Brandstetter
[email protected]
@maflobra <https://twitter.com/maflobra>
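The masq entry that the reply above refers to (FAQ 1f) is not shown anywhere in the thread. What follows is an added example, not the poster's actual file and not code from the Shorewall project, of what that fix looks like for this setup: the DNAT rule from the original post, with the redundant ACCEPT dropped as Tom suggested, plus a masq entry that SNATs only the forwarded SSH connections to the firewall's tun0 address, so that 10.8.0.2 answers back through the VPN instead of through its own default gateway. The `tun0:10.8.0.2` destination qualifier and the column layout are taken from shorewall-rules(5) and shorewall-masq(5) for the 4.5 series and the addresses are the ones given in the thread; check both against the version actually installed.

```shorewall
# /etc/shorewall/rules  (added example, based on the rule in the original post)
#ACTION      SOURCE   DEST               PROTO   DEST
#                                                PORT(S)
DNAT:info    net      vpn:10.8.0.2:22    tcp     2222

# /etc/shorewall/masq  (added example; the FAQ 1f entry the thread refers to)
# Only traffic leaving tun0 towards 10.8.0.2 on tcp/22 is SNATed, i.e. just
# the forwarded SSH connections. ADDRESS "-" means the firewall's own tun0
# address (10.8.0.1 in this thread); everything else crossing tun0 keeps
# its real source address.
#INTERFACE        SOURCE       ADDRESS   PROTO   PORT(S)
tun0:10.8.0.2     0.0.0.0/0    -         tcp     22
```

After `shorewall restart`, `shorewall show nat` should list the DNAT rule in the net_dnat chain (the chain named in the log line quoted above) and a MASQUERADE rule for tun0 in POSTROUTING. The price of this fix is that sshd on 10.8.0.2 now sees every forwarded client as 10.8.0.1: its logs no longer record the real client address, and anything on the server that blocks by source address (fail2ban, TCP wrappers) would end up blocking the firewall, and with it every forwarded client, rather than the offender. If that matters, do per-client rate limiting on the firewall instead (the RATE LIMIT column of the rules file), or change the server's routing so that the firewall is its gateway for internet traffic, which removes the need for the masq entry altogether.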