On 14.02.2015 00:10, Tom Eastep wrote:
> On 2/13/2015 12:03 PM, Raimonds Cicans wrote:
>> I have following Shorewall (4.5.21.10) configuration (simplified)
>>
>> --- Zone file ---
>> zlan ipv4
>> zdmz ipv4
>> zinet ipv4
>> zvpn ipv4
>>
>> --- Interfaces file ---
>> zlan lan
>> zdmz dmz
>> zinet inet
>>
>> --- Hosts file ---
>> zvpn inet:remote_internal_lan,remote_external_ip ipsec
>>
>> --- Masq file ---
>> inet dmz
>> inet lan
>>
>> --- Policy file ---
>> $FW all ACCEPT
>> zlan zinet ACCEPT
>> zlan zdmz ACCEPT
>> zlan zvpn ACCEPT
>>
>> zinet all DROP info
>> all all REJECT info
>>
>> --- Tunnels file ---
>> ipsec zinet remote_external_ip
>>
>> ---------------------
>>
>> Everything is working fine, but I need to add access from the zdmz zone to zvpn.
>> In the FreeSwan configuration only zlan has access to zvpn, so it looks like I
>> need some kind of masquerading.
>> Is this theoretically possible?
>>
>> I tried the following:
>> Step 1:
>> add to the beginning of the Policy file:
>> zdmz zvpn ACCEPT
>>
>> Step 2:
>> add to the beginning of the Masq file:
>> inet:remote_internal_lan dmz ip_of_lan_interface
>>
>> But when I try to ping zvpn hosts from zdmz I get:
>> Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet ... SRC=some_zdmz_ip
>> DST=some_zvpn_ip
>>
>> Honestly speaking, in the second step I tried almost all possible
>> combinations of IP/net addresses,
>> and when I ping I always get the same error.
>>
>> What I am doing wrong?
>>
>
> As far as Netfilter is concerned, the traffic is not zdmz->zvpn but
> zvpn->zinet. So, in addition to the masq entry, you need a rule:
>
> ACCEPT        net:remote_internal_lan zdmz
>

Little fix - it should be the other way around:
ACCEPT    zdmz    zinet:remote_internal_lan

Thank you anyway!


Raimonds Cicans
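The following is an added toy model, not code from the thread or from Shorewall, that walks through why the DMZ -> VPN ping in the exchange above is logged as zdmz2zinet:REJECT and why the corrected rule `ACCEPT zdmz zinet:remote_internal_lan` together with the masq entry lets it through. All addresses (192.168.1.0/24, 192.168.2.0/24, 10.10.0.0/16, 203.0.113.2, 192.168.1.1) are constructed. Two pieces of Shorewall/netfilter behaviour are assumed rather than taken from the page: a hosts entry with the `ipsec` option only matches traffic covered by an IPsec policy, and the masq rules only SNAT traffic that is not already covered by a policy (the FORWARD chain runs before POSTROUTING SNAT, so the zone pair is derived from the original DMZ source address).

```python
"""Toy model of Shorewall zone classification for a DMZ -> VPN packet.

Added example (not from the original thread or from Shorewall). Assumptions:
  1. a hosts entry with the 'ipsec' option matches only traffic covered by an
     IPsec policy, otherwise the interface's own zone (zinet) applies;
  2. masq rules only SNAT traffic that has no IPsec policy, and the kernel
     re-runs the policy lookup after SNAT.
"""
import ipaddress

# --- constructed addressing (not from the original post) --------------------
LAN = ipaddress.ip_network("192.168.1.0/24")        # hosts behind 'lan'
DMZ = ipaddress.ip_network("192.168.2.0/24")        # hosts behind 'dmz'
REMOTE_INTERNAL_LAN = ipaddress.ip_network("10.10.0.0/16")
INET_IP = ipaddress.ip_address("203.0.113.2")       # firewall's 'inet' address
IP_OF_LAN_INTERFACE = ipaddress.ip_address("192.168.1.1")

INTERFACES = {"lan": "zlan", "dmz": "zdmz", "inet": "zinet"}   # interfaces file
HOSTS = [("zvpn", "inet", [REMOTE_INTERNAL_LAN], {"ipsec"})]  # hosts file
IPSEC_POLICIES = [(LAN, REMOTE_INTERNAL_LAN)]   # FreeS/WAN: only the LAN is tunnelled
POLICY = [  # policy file, in order; 'all' is a wildcard
    ("$FW", "all", "ACCEPT"), ("zlan", "zinet", "ACCEPT"), ("zlan", "zdmz", "ACCEPT"),
    ("zlan", "zvpn", "ACCEPT"), ("zinet", "all", "DROP"), ("all", "all", "REJECT"),
]
POLICY_ATTEMPT = [("zdmz", "zvpn", "ACCEPT")] + POLICY   # step 1 of the original post
# masq file as tuples: (outgoing interface, source net, SNAT address, dest net or None)
MASQ_ORIGINAL = [("inet", DMZ, INET_IP, None), ("inet", LAN, INET_IP, None)]
MASQ_FIXED = [("inet", DMZ, IP_OF_LAN_INTERFACE, REMOTE_INTERNAL_LAN)] + MASQ_ORIGINAL
# rules file as tuples: (action, source zone, source net, dest zone, dest net)
RULES_TOM = [("ACCEPT", "zinet", REMOTE_INTERNAL_LAN, "zdmz", None)]   # as first suggested
RULES_FIXED = [("ACCEPT", "zdmz", None, "zinet", REMOTE_INTERNAL_LAN)]  # the correction


def covered_by_ipsec_policy(a, b):
    """True if traffic between a and b (either direction) is covered by a tunnel policy."""
    return any((a in s and b in d) or (a in d and b in s) for s, d in IPSEC_POLICIES)


def zone_for(addr, iface, ipsec_match):
    """hosts entries narrow an interface's zone; the interface's own zone is the fallback."""
    for zone, hiface, nets, opts in HOSTS:
        if hiface == iface and any(addr in n for n in nets):
            if "ipsec" in opts and not ipsec_match:
                continue            # not IPsec traffic: fall back to the interface zone
            return zone
    return INTERFACES[iface]


def forward(src, dst, in_if, out_if, rules, masq, policy=POLICY):
    """Return the Shorewall chain name, the verdict and whether the packet ends up tunnelled."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ipsec = covered_by_ipsec_policy(src, dst)      # evaluated on the pre-SNAT addresses
    szone, dzone = zone_for(src, in_if, ipsec), zone_for(dst, out_if, ipsec)
    verdict = None
    for action, rs, rsnet, rd, rdnet in rules:      # rules file first ...
        if (rs == szone and rd == dzone and (rsnet is None or src in rsnet)
                and (rdnet is None or dst in rdnet)):
            verdict = action
            break
    if verdict is None:                             # ... then the policy file
        for ps, pd, action in policy:
            if ps in (szone, "all") and pd in (dzone, "all"):
                verdict = action
                break
    result = {"chain": f"{szone}2{dzone}", "verdict": verdict,
              "src_after_nat": str(src), "tunnelled": False}
    if verdict != "ACCEPT":
        return result
    if not ipsec:                                   # assumption 2: no SNAT of IPsec traffic
        for iface, snet, to, dnet in masq:          # POSTROUTING: first matching entry wins
            if iface == out_if and src in snet and (dnet is None or dst in dnet):
                result["src_after_nat"] = str(to)
                break
    # the policy lookup is repeated after SNAT, so a LAN source now matches the tunnel
    result["tunnelled"] = covered_by_ipsec_policy(
        ipaddress.ip_address(result["src_after_nat"]), dst)
    return result


if __name__ == "__main__":
    cases = (("step 1+2 of the post", [], MASQ_FIXED, POLICY_ATTEMPT),
             ("first suggested rule", RULES_TOM, MASQ_FIXED, POLICY),
             ("corrected rule", RULES_FIXED, MASQ_FIXED, POLICY))
    for label, rules, masq, pol in cases:
        print(label, forward("192.168.2.10", "10.10.5.5", "dmz", "inet", rules, masq, pol))
```

Running it shows the three states of the thread: with only the policy entry and the masq entry the packet is classified zdmz2zinet and rejected by `all all REJECT`, exactly as in the logged line; the rule with source and destination swapped never matches the zdmz source; the corrected rule accepts, the masq entry rewrites the source to the LAN interface address, and the rewritten packet is covered by the LAN tunnel policy.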





_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users