2015-06-17 18:55 GMT+03:00 Tom Eastep <[email protected]>:
> On 6/16/2015 9:44 PM, Иван Иванов wrote:
> > Hello.
> >
> > I have a remote server (Ubuntu 14.04, Shorewall 4.5.21) with one physical
> > interface eth0. This server is an IPSEC/L2TP client.
> > L2TP tunnel interface:
> > ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN group default qlen 3
> >     link/ppp
> >     inet 192.168.1.160 peer 192.168.1.254/32 scope global ppp0
> >        valid_lft forever preferred_lft forever
> >
> > Shorewall config.
> > Interfaces:
> > -     lo      ignore
> > net   eth0    dhcp,physical=+,routeback,optional,routefilter
> > l2tp  ppp0
> >
> > Zones:
> > fw    firewall
> > net   ipv4
> > vpn   ipsec
> > l2tp  ipv4
> >
> > Tunnels:
> > ipsec   net   xx.xx.xx.xx   vpn
> >
> > Hosts:
> > vpn   eth0:0.0.0.0/0
> >
> > Policy:
> > $FW   all   ACCEPT
> > vpn   net   NONE
> > net   vpn   NONE
> > l2tp  all   ACCEPT
> > net   all   DROP    info
> > all   all   REJECT  info
> >
> > When the l2tp tunnel is up, traffic through ppp0 counts as net2fw.
> > Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63204 DF PROTO=TCP SPT=57205 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
> > Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49828 DF PROTO=TCP SPT=57207 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
> >
> > I wonder what I missed? Why does ppp0 traffic not belong to the l2tp zone
> > (IN=ppp0, but net2fw chain)?
>
> Your tunnels entry is incorrect - it should be:
>
> ipsec   l2tp   xxx.xxx.xxx.xxx   vpn
>
> -Tom
>
> --
> Tom Eastep          \   When I die, I want to go like my Grandfather who
> Shoreline,           \   died peacefully in his sleep. Not screaming like
> Washington, USA      \   all of the passengers in his car
> http://shorewall.net  \________________________________________________
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Shorewall documentation says: "ZONE - zone: The zone of the physical interface through which tunnel traffic passes. This is normally your internet zone." I think this means the "net" zone.
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
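As an added diagnostic for the zone question raised in this thread (my code, not from the thread or from the Shorewall project): it parses the quoted interfaces entries and one of the quoted log lines, then lists every interfaces entry whose physical name matches the IN= interface, so a chain name (net2fw) that disagrees with the interface's declared zone (l2tp) stands out. It assumes Shorewall's trailing-'+' wildcard semantics for interface names and that a `physical=` option names the real interface; the sample input is constructed from the thread.

```python
import re

# Constructed sample input: the interfaces entries and one log line quoted in the thread above.
INTERFACES = """\
-     lo      ignore
net   eth0    dhcp,physical=+,routeback,optional,routefilter
l2tp  ppp0
"""
LOG_LINE = ("Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= "
            "SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63204 "
            "DF PROTO=TCP SPT=57205 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0")

def parse_interfaces(text):
    """Return [(zone, physical_name)] in file order; a physical= option replaces the logical name."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        zone, name = fields[0], fields[1]
        for opt in (fields[2].split(",") if len(fields) > 2 else []):
            if opt.startswith("physical="):
                name = opt[len("physical="):]
        entries.append((zone, name))
    return entries

def iface_matches(pattern, iface):
    """Assumed Shorewall wildcard rule: a trailing '+' matches any interface with that prefix."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def parse_log(line):
    """Split a Shorewall kernel log line into (src_zone, dst_zone, disposition) and its KEY=VALUE fields."""
    m = re.search(r"Shorewall:(\w+?)2(\w+):(\w+):(.*)$", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(4)))  # bare flags such as DF/SYN are skipped
    return (m.group(1), m.group(2), m.group(3)), fields

def check_log_line(line, interfaces_text):
    """Compare the chain's source zone with the zone(s) whose interface entry matches IN=."""
    parsed = parse_log(line)
    if parsed is None:
        return None
    (src, dst, disp), fields = parsed
    in_if = fields.get("IN", "")
    candidates = [(z, n) for z, n in parse_interfaces(interfaces_text) if iface_matches(n, in_if)]
    exact = next((z for z, n in candidates if n == in_if), None)
    return {"chain": (src, dst, disp), "in": in_if, "fields": fields,
            "candidates": candidates, "declared_zone": exact,
            "zone_mismatch": exact is not None and exact != src}
```

Running `check_log_line(LOG_LINE, INTERFACES)` on the thread's data reports the chain's source zone as net while the exact ppp0 entry declares l2tp, with the wildcard eth0 entry listed as an earlier match.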
