For this config
--------------------------
Remote VPS
ETH0: 1.2.3.4
DUMMY0: 10.0.1.53 < remote DNS listens/talks on this IP:53
TUN1: 10.254.254.1
--------------------------
|
|
--------------------------
Local Router
ETH0: 5.6.7.8
ETH1: 10.0.2.53 < local DNS listens/talks on this IP:53
TUN1: 10.254.254.2
--------------------------
these rules
remote SHOREWALL/rules
ACCEPT vpn1:10.0.2.53 $FW:10.0.1.53 udp 53
ACCEPT vpn1:10.0.2.53 $FW:10.254.254.1 udp 53
ACCEPT $FW:10.254.254.1 vpn1:10.0.2.53 tcp 53
remote SHOREWALL/masq
(empty)
local SHOREWALL/rules
ACCEPT $FW:10.0.2.53 vpn1:10.0.1.53 udp 53
ACCEPT $FW:10.0.2.53 vpn1:10.254.254.1 udp 53
ACCEPT vpn1:10.254.254.1 $FW:10.0.2.53 tcp 53
local SHOREWALL/masq
(empty)
encapsulate all the xfr/notify traffic currently between the 2 DNS servers, and
are nominally sufficient to get it all working.
Of course, the local DNS still sees the VPN endpoint as the origin
May 28 15:10:26 border000 named[14387]: 28-May-2015 15:10:26.113 xfer-out: info: client 10.254.254.1#33014/key key-vpa000 (zone000.domain.com): view external: transfer of 'zone000.domain.com/IN': AXFR-style IXFR ended
Editing that to use DNAT & *adding* a /masq rule on the remote end,
remote SHOREWALL/rules
DNAT vpn1:10.0.2.53 $FW:10.0.1.53 udp 53
ACCEPT $FW:10.254.254.1 vpn1:10.0.2.53 tcp 53
remote SHOREWALL/masq
VPN_IF:10.0.2.53 10.254.254.1 10.0.1.53 tcp,udp 53
local SHOREWALL/rules
DNAT $FW:10.0.2.53 vpn1:10.0.1.53 udp 53
ACCEPT vpn1:10.254.254.1 $FW:10.0.2.53 tcp 53
local SHOREWALL/masq
(empty)
seems to do the trick. Now, @ xfer/notify, the local DNS server sees the SRC
as the remote DNS server, as intended
May 28 15:30:24 border000 named[11766]: 28-May-2015 15:30:24.345 xfer-out: info: client 10.0.1.53#33353/key key-edge (zone000.domain.com): view external: transfer of 'zone000.domain.com/IN': AXFR-style IXFR ended
Now to convince myself that that's rational, and works in all test cases.
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
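The post's "convince myself it works in all test cases" step is easiest to automate from the named xfer-out log lines it quotes: before the masq rule the local server logs the tunnel endpoint (10.254.254.1) as the transfer client, after it the remote DNS server's own address (10.0.1.53). The script below is an added example, not code from the post or from Shorewall. It parses named xfer-out lines, checks the client address against a per-view allowlist of expected transfer peers, and flags transfers that arrive unsigned. The allowlist, the constructed third log line and the REQUIRE_TSIG policy are assumptions for illustration; the first two log lines are the ones quoted in the post, joined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Expected outbound-transfer peers per named view. The local named should only
# hand zones to the remote DNS server's own address (10.0.1.53 in the post),
# never to the bare VPN tunnel endpoint. Assumed policy, not from the post.
EXPECTED_PEERS = {"external": {"10.0.1.53"}}
# Assumed policy: every zone transfer must be TSIG-signed ("/key <name>" in the log).
REQUIRE_TSIG = True

# Matches the BIND xfer-out log format shown in the post:
#   client <ip>#<port>[/key <name>] (<zone>): view <view>: transfer of '<zone/IN>': <status>
XFER_RE = re.compile(
    r"xfer-out: info: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))? \((?P<zone>[^)]+)\): view (?P<view>\S+): "
    r"transfer of '(?P<zname>[^']+)': (?P<status>.*)$"
)


@dataclass
class Transfer:
    client_ip: str
    client_port: int
    tsig_key: Optional[str]   # None when the transfer was not TSIG-signed
    zone: str
    view: str
    status: str


def parse_xfer_line(line: str) -> Optional[Transfer]:
    """Return a Transfer for a named xfer-out line, or None for any other line."""
    m = XFER_RE.search(line)
    if not m:
        return None
    return Transfer(m["ip"], int(m["port"]), m["key"], m["zone"], m["view"], m["status"])


def check_transfer(t: Transfer) -> list:
    """Return a list of findings (empty means the transfer looks as intended)."""
    findings = []
    allowed = EXPECTED_PEERS.get(t.view, set())
    if t.client_ip not in allowed:
        findings.append(f"unexpected transfer peer {t.client_ip} for view {t.view}")
    if REQUIRE_TSIG and t.tsig_key is None:
        findings.append("transfer not TSIG-signed")
    return findings


def audit(lines) -> list:
    """Run check_transfer over every xfer-out line; returns (client_ip, zone, findings) tuples."""
    report = []
    for line in lines:
        t = parse_xfer_line(line)
        if t is None:
            continue
        report.append((t.client_ip, t.zone, check_transfer(t)))
    return report


# Sample input: lines 1 and 2 are the ones quoted in the post (joined onto one line
# each); line 3 is constructed to show an unsigned transfer from the tunnel endpoint.
SAMPLE_LOG = [
    "May 28 15:10:26 border000 named[14387]: 28-May-2015 15:10:26.113 xfer-out: info: "
    "client 10.254.254.1#33014/key key-vpa000 (zone000.domain.com): view external: "
    "transfer of 'zone000.domain.com/IN': AXFR-style IXFR ended",
    "May 28 15:30:24 border000 named[11766]: 28-May-2015 15:30:24.345 xfer-out: info: "
    "client 10.0.1.53#33353/key key-edge (zone000.domain.com): view external: "
    "transfer of 'zone000.domain.com/IN': AXFR-style IXFR ended",
    "May 28 15:31:00 border000 named[11766]: 28-May-2015 15:31:00.001 xfer-out: info: "
    "client 10.254.254.1#40000 (zone000.domain.com): view external: "
    "transfer of 'zone000.domain.com/IN': AXFR-style IXFR ended",
    "May 28 15:31:05 border000 named[11766]: 28-May-2015 15:31:05.500 general: info: "
    "zone zone000.domain.com/IN/external: sending notifies (serial 2015052801)",
]

if __name__ == "__main__":
    for client_ip, zone, findings in audit(SAMPLE_LOG):
        print(client_ip, zone, findings or "ok")
```

Run against a live log with `audit(open("/var/log/named.log"))`; the pre-masq line is reported because the peer is the tunnel address, the post-masq line passes, and the constructed unsigned line is reported twice. Lines that are not xfer-out records (the notify line at the end) are skipped rather than misparsed.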