On 01/09/2017 08:57 AM, [email protected] wrote:
> I've started using Shorewall v5. OK, more "working on it" than
> "started" :-/
>
> For the setup below, I want to make sure I can
>
> launch query & axfr FROM my desktop AT a nameserver across a VPN --
> *NOT* a public one -- and make sure the responses get sent back
> correctly.
>
> I'll admit I've gotten to the point where I've just been trying
> things blindly & randomly. When I've turned on logging, I keep
> getting DROPs on one or the other VPN endpoint.
>
> So I stopped monkeying & I've been re-reading the docs (wow! lots
> of them!), and posts I can find, and have now gotten myself
> completely turned around re: DNAT, SNAT, masq, NAT & individual
> rules.
>
> So time to ask!
>
> What (kind of) rules do I need on each shorewall5 instance to make
> sure that the LAN1 <-> VPN endpoints <-> LAN2 "IP address mapping"
> is correct?
>
> I have 3 boxes: (1) local server, (2) local desktop, (3) VPS server
>
> They're arranged like this
>
>        |- [eth0] -------- public internet
> (1)---|- [eth1] -------- LAN1/switch ------- (2)
>        |- [tun0] -- VPN
>                      |
>                      |
>        |- [tun0] -- VPN
> (3)---|- [dummy0] ------ LAN2
>        |- [eth0] -------- public internet
>
> & configured like this
>
> (1) local server, 3 interfaces
>     eth0   IP(public)        = 192.0.2.1
>     eth1   IP(LAN1,private)  = 10.1.0.1
>     lo     IP(local)         = 127.0.0.1
>     tun0   IP(VPN,endpoint)  = 10.99.99.1
>
>     runs: authoritative & recursive DNS server
>           listens on 10.1.0.1 port 53
>                      127.0.0.1 port 53
>           shorewall5
>
> (2) Desktop, 2 interfaces
>     eth0   IP(LAN1,private)  = 10.1.0.10/24
>     lo     IP(local)         = 127.0.0.1
>
> (3) VPS, 4 interfaces
>     eth0   IP(public)        = 198.51.100.1
>     dummy0 IP(LAN2,private)  = 10.2.0.1/24
>     lo     IP(local)         = 127.0.0.1
>     tun0   IP(VPN,endpoint)  = 10.99.99.2
>
>     runs: recursive DNS server
>           listens on 10.2.0.1 port 50053
>                      127.0.0.1 port 53
>           shorewall5
>
> Do I need DNAT, SNAT, masq? On one box or both?
None of those. This isn't a Shorewall configuration problem; it is a basic routing problem.

- Box number 1 needs to know that it must route to 10.2.0.1/24 via the VPN.
- Box number 2 needs to know that it must route to 10.1.0.0/24 via the VPN.

If you are using OpenVPN, that is accomplished by having each side 'push' the appropriate route(s) to the other side during VPN startup.

You should set this up with shorewall cleared on both sides and get it working that way first. Then add Shorewall and configure any firewall rules you want, together with masquerading your local network to the internet.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
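Tom's answer in concrete form, as an added example that is not part of the original thread and is not Shorewall's or OpenVPN's own documentation: a point-to-point OpenVPN tunnel between box (1) and box (3) carrying a static route for the far LAN on each end, followed by the Shorewall 5 entries that, once routing works with Shorewall cleared, let the desktop's queries and AXFRs reach the resolver on 10.2.0.1:50053. It assumes OpenVPN in static-key point-to-point mode, where each side sets its own route with `route` (in the TLS server/client setup Tom has in mind, the server instead does `push "route ..."` and learns the client's LAN through `iroute`), the zone names `net`, `loc` and `vpn`, box (3) as the listening end on UDP 1194, and the file paths shown; all of those are assumptions, as is the `snat` file name (older Shorewall 5 releases use `masq` for the same entry). Addresses are the ones from the question.

```conf
########## box (1), /etc/openvpn/lan1-to-lan2.conf  (assumed path)
# Static-key point-to-point tunnel; box (3) listens, box (1) connects.
dev tun0
proto udp
remote 198.51.100.1 1194
nobind
ifconfig 10.99.99.1 10.99.99.2
secret /etc/openvpn/static.key
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
# The routing fix: LAN2 is reachable only through the tunnel.
route 10.2.0.0 255.255.255.0

########## box (3), /etc/openvpn/lan2-to-lan1.conf  (assumed path)
dev tun0
proto udp
port 1194
ifconfig 10.99.99.2 10.99.99.1
secret /etc/openvpn/static.key
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
# Return path: answers to the desktop (10.1.0.10) must go back down tun0.
route 10.1.0.0 255.255.255.0

########## box (1), /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

########## box (1), /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs
vpn     tun0        -

########## box (1), /etc/shorewall/policy   (first match wins)
#SOURCE   DEST   POLICY   LOGLEVEL
$FW       all    ACCEPT
loc       net    ACCEPT
loc       vpn    ACCEPT
vpn       loc    REJECT   info
net       all    DROP     info
all       all    REJECT   info

########## box (1), /etc/shorewall/rules
#ACTION        SOURCE   DEST   PROTO   DPORT
# LAN1 and the far end may use the resolver on box (1) itself (10.1.0.1:53).
DNS(ACCEPT)    loc      $FW
DNS(ACCEPT)    vpn      $FW

########## box (1), /etc/shorewall/snat   (masquerade LAN1 to the internet)
#ACTION       SOURCE        DEST
MASQUERADE    10.1.0.0/24   eth0

########## box (3), /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

########## box (3), /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
vpn     tun0        -

########## box (3), /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOGLEVEL
$FW       all    ACCEPT
net       all    DROP     info
all       all    REJECT   info

########## box (3), /etc/shorewall/rules
#ACTION   SOURCE   DEST   PROTO   DPORT
# The tunnel itself arrives from the internet.
ACCEPT    net      $FW    udp     1194
# Queries from LAN1 reach the resolver on 10.2.0.1:50053 through tun0.
# 10.2.0.1 is box (3)'s own address (dummy0), so this is vpn -> $FW, not
# vpn -> some LAN2 zone. TCP is needed as well as UDP: AXFR runs over TCP,
# and so do retries of truncated answers.
ACCEPT    vpn      $FW    udp     50053
ACCEPT    vpn      $FW    tcp     50053
```

Bring the tunnel up with `shorewall clear` on both boxes, and confirm `net.ipv4.ip_forward` is 1 on box (1) (the desktop's packets are forwarded from eth1 to tun0; Shorewall sets it at start, but with the firewall cleared check it with `sysctl`). `ip route get 10.2.0.1` on box (1) and `ip route get 10.1.0.10` on box (3) should both report `dev tun0`; from the desktop, `dig @10.2.0.1 -p 50053 <name>` and then the same query with `+tcp` exercise the UDP and TCP paths. Only once both answer should Shorewall be started on each box; if a packet is still dropped afterwards, `shorewall show log` names the zone pair that needs a rule. No DNAT or SNAT is involved on the tunnel at any point: the only address rewriting is the masquerade of LAN1 towards eth0 on box (1).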
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
