I've started using Shorewall v5.  OK, more "working on it" than "started" :-/

For the setup below, I want to make sure I can

        launch query & axfr FROM my desktop AT a nameserver across a VPN --
        *NOT* a public one -- and make sure the responses get sent back correctly.

I'll admit I've gotten to the point where I've just been trying things blindly 
& randomly. When I've turned on logging, I keep getting DROPs on one or the 
other VPN endpoint.

So I stopped monkeying & I've been re-reading the docs (wow! lots of them!), 
and posts I can find, and have now gotten myself completely turned around re: 
DNAT, SNAT, masq, NAT & individual rules.

So time to ask!

What (kind of) rules do I need on each shorewall5 instance to make sure that 
the LAN1 <-> VPN endpoints <-> LAN2 "IP address mapping" is correct?

I have 3 boxes
        (1) local server
        (2) local desktop
        (3) VPS server

They're arranged like this

              |- [eth0] -------- public internet
              |
        (1)---|- [eth1] -------- LAN1/switch ------- (2)
              |
              |- [tun0] -- VPN
                            |
                            |
                            |
              |- [tun0] -- VPN
              |
        (3)---|- [dummy0] ------ LAN2
              |
              |- [eth0] -------- public internet


& configured like this

        (1) local server
                3 interfaces
                        eth0
                                IP(public) = 192.0.2.1
                        eth1
                                IP(LAN1,private) = 10.1.0.1
                        lo
                                IP(local) = 127.0.0.1
                        tun0
                                IP(VPN,endpoint) = 10.99.99.1

                runs:
                        authoritative & recursive DNS server
                                listens on
                                        10.1.0.1 port 53
                                        127.0.0.1 port 53
                                shorewall5

        (2) Desktop
                        2 interfaces
                                eth0
                                        IP(LAN1,private) = 10.1.0.10/24
                                lo
                                        IP(local) = 127.0.0.1

        (3)     VPS
                        4 interfaces
                                eth0
                                        IP(public) = 198.51.100.1
                                dummy0
                                        IP(LAN2,private) = 10.2.0.1/24
                                lo
                                        IP(local) = 127.0.0.1
                                tun0
                                        IP(VPN,endpoint) = 10.99.99.2

                        runs:
                                recursive DNS server
                                        listens on
                                                10.2.0.1 port 50053
                                                127.0.0.1  port 53
                                shorewall5

Do I need DNAT, SNAT, masq?  On one box or both?

The tests I want to have work are, from the Desktop's shell

        dig -t A    example.com @10.2.0.1 -p 50053
        dig -t axfr example.com @10.2.0.1 -p 50053

-AJ
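
A log-triage script, added here as an example and not part of the poster's message or of Shorewall itself, that parses kernel DROP lines in Shorewall's default "Shorewall:<chain>:<disposition>:" LOGFORMAT and reports whether each dropped packet was the query to the VPS resolver (10.2.0.1:50053) or its reply, which tells you on which box and in which zone pair a rule is missing. The host names srv1 and vps3, the log lines, and the zone names loc/vpn/fw are constructed, and the chain-name split assumes zone-pair chains are named src2dst or src-dst.

```python
import re
from collections import Counter
# Constructed sample lines (not the poster's logs) in Shorewall's default
# "Shorewall:<chain>:<disposition>:" LOGFORMAT; srv1 = box (1), vps3 = box (3).
SAMPLE_LOG = """\
Jan 10 12:00:01 srv1 kernel: Shorewall:loc2vpn:DROP:IN=eth1 OUT=tun0 SRC=10.1.0.10 DST=10.2.0.1 PROTO=UDP SPT=41234 DPT=50053 LEN=40
Jan 10 12:00:02 vps3 kernel: Shorewall:fw-vpn:DROP:IN= OUT=tun0 SRC=10.2.0.1 DST=10.1.0.10 PROTO=UDP SPT=50053 DPT=41234 LEN=80
Jan 10 12:00:03 vps3 kernel: Shorewall:fw-vpn:DROP:IN= OUT=tun0 SRC=10.2.0.1 DST=10.1.0.10 PROTO=TCP SPT=50053 DPT=51000 LEN=52
"""
LINE_RE = re.compile(r"\s(?P<host>\S+)\s+kernel:.*?Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    chain = m.group("chain")
    # Zone-pair chains are named "src2dst" (older releases) or "src-dst" (Shorewall 5).
    src_zone, _, dst_zone = chain.partition("-" if "-" in chain else "2")
    entry = {"host": m.group("host"), "chain": chain, "disposition": m.group("disp"),
             "src_zone": src_zone, "dst_zone": dst_zone}
    entry.update(FIELD_RE.findall(m.group("fields")))  # IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...
    return entry

def classify_dns(entry, server_ip, server_port):
    """'query' if headed to the resolver, 'reply' if coming back from it."""
    port = str(server_port)
    if entry.get("DST") == server_ip and entry.get("DPT") == port:
        return "query"
    if entry.get("SRC") == server_ip and entry.get("SPT") == port:
        return "reply"
    return "other"

def summarize_drops(log_text, server_ip="10.2.0.1", server_port=50053):
    """Count DROPs per (host, chain, proto, direction) for the resolver in question."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["disposition"] == "DROP":
            counts[(e["host"], e["chain"], e.get("PROTO"), classify_dns(e, server_ip, server_port))] += 1
    return counts

def hint(host, chain, proto, direction):
    """What a DROP in a zone-pair chain usually means on a stateful Shorewall box."""
    if direction == "query":
        return f"{host}: {proto} query dropped in {chain}; that zone pair needs an ACCEPT to the resolver port"
    if direction == "reply":
        return f"{host}: {proto} reply dropped in {chain}; an accepted query's reply matches ESTABLISHED, so the query was never accepted here or the path is asymmetric"
    return f"{host}: drop in {chain} unrelated to the resolver"
```

Feed it the kernel log from each box in place of SAMPLE_LOG; a query dropped on box (1) and a reply dropped on box (3) point at different missing rules, and neither involves NAT as long as both LANs are routed over tun0.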

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users