On 01/05/2018 02:25 PM, Colony.three via Shorewall-users wrote:
> I'm trying to change the listening port of Libreswan using these DNAT
> entries in rules:
>
> DNAT net local:192.168.1.16:500 udp - 5500 ð0
> DNAT net local:192.168.1.16 udp ipsec-nat-t - ð0
>
> ... but this results in the below DROPS. Rather than forwarding the
> packets to that IP:port, it blocks them as destined for the $FW. I
> don't understand why. IPSEC connects fine when I don't try to change
> port 500.
>
> Also, can I combine these two DNAT lines? Or would that push everything
> into 500?
>
> [53533.057543] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11170 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
> [53534.973338] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11171 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
> [53537.760649] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11172 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
> [53541.706546] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11173 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
>
Install the conntrack utility and run 'conntrack -F' and try again.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
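Added note and example (not part of the thread, and not Shorewall or conntrack-tools code). The reason a flush helps: netfilter consults the nat table only for the first packet of a connection, so a UDP flow whose conntrack entry was created before the DNAT rule was loaded keeps its untranslated mapping, and every later packet from that client is treated as destined for the firewall and falls into net-fw, which is what the DROP lines above show. `conntrack -F` discards all state; the script below instead parses the Shorewall log lines and constructed `conntrack -L` output, finds only the entries that match the DNAT rule's port but were never translated, and builds a targeted `conntrack -D` command for each. It assumes the redirected port is 65500 (the DPT in the logged drops) and the DNAT target is 192.168.1.16:500; the conntrack sample lines are constructed for illustration.

```python
"""Find conntrack entries that bypass a newly added Shorewall DNAT rule.

Assumptions (not from the thread): the DNAT matches UDP dport 65500 and
rewrites the destination to 192.168.1.16:500.  Log lines are taken from
the thread; the `conntrack -L` sample lines are constructed.
"""
import re
from dataclasses import dataclass

# "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields
_LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):(?P<fields>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")
# one direction tuple as printed by `conntrack -L`
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaleEntry:
    flow: Flow        # original-direction tuple of the conntrack entry
    dropped: bool     # a matching net-fw DROP appears in the log
    delete_cmd: str   # conntrack -D invocation that removes just this entry


def parse_shorewall_log(line):
    """Return (chain, disposition, Flow) for a Shorewall log line, else None."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    kv = dict(_KV_RE.findall(m.group("fields")))
    if kv.get("PROTO") not in ("UDP", "TCP"):
        return None
    flow = Flow(kv["PROTO"].lower(), kv["SRC"], int(kv["SPT"]), kv["DST"], int(kv["DPT"]))
    return m.group("chain"), m.group("disp"), flow


def parse_conntrack(line):
    """Return (original, reply) tuples of one `conntrack -L` line.

    After DNAT the reply tuple's src/sport carry the translated target;
    without NAT the reply tuple simply mirrors the original one.
    """
    proto = line.split()[0]
    tuples = [Flow(proto, s, int(sp), d, int(dp)) for s, d, sp, dp in _TUPLE_RE.findall(line)]
    if len(tuples) != 2:
        raise ValueError(f"unexpected conntrack line: {line!r}")
    return tuples[0], tuples[1]


def bypasses_dnat(orig, reply, dnat_dport, target_ip, target_port):
    """True if the entry matches the DNAT rule but was never translated."""
    if orig.proto != "udp" or orig.dport != dnat_dport:
        return False
    return not (reply.src == target_ip and reply.sport == target_port)


def stale_dnat_entries(log_lines, conntrack_lines, dnat_dport, target_ip, target_port):
    """Cross-reference net-fw drops with conntrack state and list stale entries."""
    dropped = set()
    for line in log_lines:
        parsed = parse_shorewall_log(line)
        if parsed and parsed[0] == "net-fw" and parsed[1] == "DROP":
            dropped.add(parsed[2])
    result = []
    for line in conntrack_lines:
        orig, reply = parse_conntrack(line)
        if bypasses_dnat(orig, reply, dnat_dport, target_ip, target_port):
            cmd = (f"conntrack -D -p {orig.proto} -s {orig.src} --sport {orig.sport} "
                   f"-d {orig.dst} --dport {orig.dport}")
            result.append(StaleEntry(orig, orig in dropped, cmd))
    return result


# First DROP line quoted in the thread.
SAMPLE_LOG = [
    "[53533.057543] Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 "
    "LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11170 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716",
]

# Constructed `conntrack -L` output: one stale untranslated flow, one flow
# that did hit the DNAT rule, and an unrelated TCP entry.
SAMPLE_CONNTRACK = [
    "udp      17 29 src=172.58.46.201 dst=50.35.109.212 sport=20563 dport=65500 [UNREPLIED] "
    "src=50.35.109.212 dst=172.58.46.201 sport=65500 dport=20563 mark=0 use=1",
    "udp      17 179 src=198.51.100.7 dst=50.35.109.212 sport=4500 dport=65500 "
    "src=192.168.1.16 dst=198.51.100.7 sport=500 dport=4500 [ASSURED] mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=198.51.100.9 dst=50.35.109.212 sport=51234 dport=22 "
    "src=50.35.109.212 dst=198.51.100.9 sport=22 dport=51234 [ASSURED] mark=0 use=1",
]

if __name__ == "__main__":
    for e in stale_dnat_entries(SAMPLE_LOG, SAMPLE_CONNTRACK, 65500, "192.168.1.16", 500):
        print(f"{e.flow.src}:{e.flow.sport} -> :{e.flow.dport} untranslated, dropped={e.dropped}")
        print("  " + e.delete_cmd)
```

On a live box, feed it the real `conntrack -L` output and the matching `dmesg`/syslog lines; deleting just the reported entries lets the client's next packet be evaluated as NEW and take the DNAT, without disturbing every other flow the way `conntrack -F` does.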
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users