On 5/28/2015 8:34 AM, PGNd wrote:
> On Thu, May 28, 2015, at 08:13 AM, Tom Eastep wrote:
>> Is the remote DNS server running on the VPN endpoint server?
> Yes, the remote DNS is on the remote VPN endpoint server; it's a hosted linux VPS.
> This DNS will stay this way.
>
> Also, the local DNS is on the local VPN endpoint server; it's a standalone linux box.
> This DNS will, *eventually*, be migrated to a Xen Guest on the local LAN, behind this server.
>
> The current 'physical' layout is
>
>       --------------------------
>       Remote VPS
>               ETH0:   1.2.3.4
>               DUMMY0: 10.0.1.53       < remote DNS listens/talks on this IP:53
>               TUN1:   10.254.254.1
>       --------------------------
>         |
>         |
>       --------------------------
>       Local Router
>               ETH0:   5.6.7.8
>               ETH1:   10.0.2.53       <  local DNS listens/talks on this IP:53
>               TUN1:   10.254.254.2
>       --------------------------
>
> Fwiw, doing some testing, with 'last' SHOREWALL/rules,
>
>       ACCEPT:info:[T1]  $FW:10.0.2.53  vpn1:10.254.254.1  udp,tcp   53
>       ACCEPT:info:[T2]  $FW:10.0.2.53  vpn1               udp,tcp   53
>       DROP:info:[T3]    all            all                udp,tcp   53
>
> on comms from local->remote DNS, fails to pass this traffic
>
>       May 28 08:06:30 border000 kernel: [34372.977048] SW:fw2vpn1:DROP IN= OUT=tun1 SRC=10.0.2.53 DST=10.254.254.1 LEN=143 TOS=0x00 PREC=0x00 TTL=64 ID=3671 PROTO=UDP SPT=63068 DPT=53 LEN=123
>
> Which has me stymied atm, and I suspect has to do with this wrong-address issue at hand.
>
Please forward the output of 'shorewall dump' taken after you have
produced the above log message.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

