On 01/05/2018 03:02 PM, Colony.three via Shorewall-users wrote:
> On 01/05/2018 02:25 PM, Colony.three via Shorewall-users wrote:
>>
>>     I'm trying to change the listening port of Libreswan using these DNAT
>>     entries in rules:
>>     DNAT            net             local:192.168.1.16:500  udp  -  5500  &eth0
>>     DNAT            net             local:192.168.1.16  udp  ipsec-nat-t  -  &eth0
>>     ... but this results in the below DROPs.  Rather than forwarding the
>>     packets to that IP:port, it blocks them as destined for the $FW.  I
>>     don't understand why.  IPsec connects fine when I don't try to change
>>     port 500.
>>     Also, can I combine these two DNAT lines?  Or would that push everything
>>     into 500?
>>     [53533.057543] Shorewall:net-fw:DROP:IN=eth0 OUT=
>>     MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201
>>     DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11170 DF
>>     PROTO=UDP SPT=20563 DPT=65500 LEN=716
>>     [53534.973338] Shorewall:net-fw:DROP:IN=eth0 OUT=
>>     MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201
>>     DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11171 DF
>>     PROTO=UDP SPT=20563 DPT=65500 LEN=716
>>     [53537.760649] Shorewall:net-fw:DROP:IN=eth0 OUT=
>>     MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201
>>     DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11172 DF
>>     PROTO=UDP SPT=20563 DPT=65500 LEN=716
>>     [53541.706546] Shorewall:net-fw:DROP:IN=eth0 OUT=
>>     MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201
>>     DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11173 DF
>>     PROTO=UDP SPT=20563 DPT=65500 LEN=716
>>
>>     Install the conntrack utility and run 'conntrack -F' and try again.
>>     -Tom
>>
> 
> Thanks, but same DROPs.  conntrack -F seemed to just hang, but when I
> added the tables 'conntrack' and 'expect', it flushed immediately.
> 
> [56184.041321] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11427 DF PROTO=UDP SPT=3196 DPT=5500 LEN=716
> [56185.906421] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11428 DF PROTO=UDP SPT=3196 DPT=5500 LEN=716
> [56188.729401] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11429 DF PROTO=UDP SPT=3196 DPT=5500 LEN=716
> 


The DESTINATION port is 5500, not the SOURCE port. So your rules need:

 DNAT     net     local:192.168.1.16:500  udp  5500     -   &eth0
 DNAT     net     local:192.168.1.16  udp  ipsec-nat-t  -   &eth0

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
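The column mix-up Tom points out (a port written in the SPORT column when it belongs in DPORT) is easy to catch mechanically once the rules file and the kernel DROP lines are read side by side. The script below is an added example, not code from this thread or from the Shorewall project: it splits `rules` lines by the documented column order of the Shorewall rules file (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST), parses the `Shorewall:net-fw:DROP:` log lines quoted above, and reports whether a DNAT rule covers the dropped packet, whether its DPORT/SPORT columns look swapped, or whether no rule covers that port at all. The tiny `SERVICE_PORTS` table is a constructed stand-in for /etc/services; the posted rules and one posted log line are embedded as the sample input.

```python
"""Cross-check Shorewall DNAT rules against net->fw DROP log lines.

Added example: not code from the mailing-list thread or the Shorewall project.
Assumes the documented column order of the Shorewall `rules` file
(ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) and a constructed service table.
"""
import re

RULES_COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed stand-in for /etc/services: only the names this example resolves.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

# Shorewall's default log prefix: Shorewall:<chain>:<disposition>:<kernel KEY=VALUE fields>
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>[A-Z]+):(?P<rest>.*)")


def parse_rule(line):
    """Split one rules-file line into its positional columns, padding missing ones with '-'."""
    fields = line.split()
    return {col: (fields[i] if i < len(fields) else "-")
            for i, col in enumerate(RULES_COLUMNS)}


def port_number(value):
    """'-' means any port (None); digits are literal; anything else is a service name."""
    if value == "-":
        return None
    if value.isdigit():
        return int(value)
    try:
        return SERVICE_PORTS[value.lower()]
    except KeyError:
        raise ValueError("unknown service name %r" % value) from None


def parse_log(line):
    """Extract chain, disposition and the kernel's KEY=VALUE pairs from a Shorewall log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    # Bare flags such as DF carry no '=' and are skipped; a repeated key (LEN) keeps its last value.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {"chain": m.group("chain"), "disp": m.group("disp"), **fields}


def rule_matches(rule, log):
    """Would this DNAT rule have matched the logged packet's protocol, DPT and SPT?"""
    if rule["action"].upper() != "DNAT":
        return False
    if rule["proto"].lower() != log.get("PROTO", "").lower():
        return False
    for col, key in (("dport", "DPT"), ("sport", "SPT")):
        want = port_number(rule[col])
        if want is not None and want != int(log[key]):
            return False
    return True


def swap_ports(rule):
    """Return a copy of the rule with the DPORT and SPORT columns exchanged."""
    fixed = dict(rule)
    fixed["dport"], fixed["sport"] = rule["sport"], rule["dport"]
    return fixed


def format_rule(rule):
    """Render a rule back into rules-file column order."""
    return "  ".join(rule[c] for c in RULES_COLUMNS)


def diagnose(rules, log_line):
    """Explain a net->fw DROP in terms of the DNAT rules that were supposed to catch it."""
    log = parse_log(log_line)
    if log["disp"] != "DROP" or not log["chain"].endswith("-fw"):
        return "not a to-firewall drop"
    if any(rule_matches(r, log) for r in rules):
        return "matched"  # a DNAT rule covers it; look elsewhere (conntrack state, policy)
    dpt = int(log["DPT"])
    for rule in rules:
        # The tell-tale of the column mix-up: DPORT left as '-' while SPORT holds the port.
        if rule["dport"] == "-" and port_number(rule["sport"]) == dpt:
            return "swapped: " + format_rule(swap_ports(rule))
    return "uncovered: no DNAT rule for %s/%d" % (log.get("PROTO", "?"), dpt)


# Sample input: the two rules and one DROP line as posted in the thread above.
POSTED_RULES = [
    "DNAT  net  local:192.168.1.16:500  udp  -  5500  &eth0",
    "DNAT  net  local:192.168.1.16  udp  ipsec-nat-t  -  &eth0",
]
POSTED_DROP = ("[56184.041321] Shorewall:net-fw:DROP:IN=eth0 OUT= "
               "MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 "
               "DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11427 DF "
               "PROTO=UDP SPT=3196 DPT=5500 LEN=716")

if __name__ == "__main__":
    print(diagnose([parse_rule(r) for r in POSTED_RULES], POSTED_DROP))
```

Run against the posted rules, the script reports the first rule as swapped and prints the line in the order Tom gives; with the corrected line in place the same DROP entry reports as matched, which means any remaining drop has to be explained by something other than the rule's port columns (stale conntrack entries, as Tom first suggested, or the net-fw policy).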

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
