On 03/14/2018 06:24 AM, HÖGLUND, Göran wrote:
>
> Hi
>
> I have (maybe a strange example) but I have a VPN server with some
> NATed public addresses
>
> Base address defined at NIC in OS: 123.456.789.123
>
> Nat address defined in nat file in shorewall: 123.456.789.124
>
> I have a VPN tunnel to another host where the tunnel IP is 10.89.1.98
> and a local lan on the remote host with LAN (zone name loc) IP 192.168.3.1
>
> I'd like to access a webserver through the public IP 123.456.789.124
> at port 9191 and redirect it to the webserver at 192.168.3.9 at port 80
>
> My NAT definition is:
>
> 123.456.789.124 eth1 10.89.1.98 no yes
>
> On the remote I have a similar DNAT (nag is my tunnel zone name)
>
> DNAT nag loc:192.168.3.9:80 tcp 9191
>
> Traffic is working all the way to the webserver but the answers
> disappear in the remote shorewall (tunnel client)
>
> So I cannot figure out whether I have a missing masq setting or if
> this is a routing issue.
>
> All help is appreciated
>

Let's look at what happens.
- A TCP SYN packet from 192.0.2.44 (for example) is sent to 123.456.789.124.
- That gets forwarded through the VPN tunnel to 10.89.1.98.
- The web server replies with a SYN,ACK to 192.0.2.44.
- The packet is sent *directly to 192.0.2.44* (via the second Shorewall system's default gateway) and not back through the tunnel.
- 192.0.2.44 gets the SYN,ACK from 10.89.1.98. Since it didn't send a SYN to that IP address, the reply is discarded.

The only way to make the response packets route back through the VPN tunnel is to SNAT traffic sent from the first Shorewall system that goes through the tunnel. Specifically, the SNAT must cover traffic from hosts that the other tunnel peer does not expect to route to through the tunnel. That, unfortunately, will make all traffic that the web server gets via this path appear to originate on the first Shorewall host.

In /etc/shorewall/snat, something like:

    MASQ - <tunnel if>:10.89.1.98 { ORIGDEST=123.456.789.124 }

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
                      \_______________________________________________
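As an added illustration (not part of Tom's reply or of Shorewall itself), a small Python model of the packet flow he describes, run once without and once with the snat entry. 203.0.113.124 and 10.89.1.1 are constructed stand-ins for the NATed public address and the VPN server's own tunnel IP; the remote host's routing table is likewise assumed.

```python
import ipaddress

# Constructed addresses (not from the thread): 203.0.113.124 stands in for the
# NATed public address 123.456.789.124, 10.89.1.1 for the VPN server's tunnel IP.
CLIENT = "192.0.2.44"
PUBLIC_NAT = "203.0.113.124"
VPN_SERVER_TUN = "10.89.1.1"
REMOTE_TUN = "10.89.1.98"
WEBSERVER = "192.168.3.9"

# Assumed routing table of the remote Shorewall host (the tunnel client).
REMOTE_ROUTES = [
    (ipaddress.ip_network("192.168.3.0/24"), "eth0"),  # loc zone
    (ipaddress.ip_network("10.89.1.0/24"), "tun0"),    # nag zone, the VPN tunnel
    (ipaddress.ip_network("0.0.0.0/0"), "isp_gw"),     # default route, NOT the tunnel
]


def route_lookup(dst):
    """Longest-prefix match on the remote host's routing table."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n, _ in REMOTE_ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(REMOTE_ROUTES)[best]


def trace(snat_on_vpn_server):
    """Follow the SYN to the web server and the SYN,ACK back; report where the reply goes."""
    # 1. SYN from the client to the NATed public address, port 9191.
    src, dst = CLIENT, PUBLIC_NAT
    # 2. VPN server, /etc/shorewall/nat: public address <-> 10.89.1.98 (DNAT of dst).
    dst = REMOTE_TUN
    # 3. Optional /etc/shorewall/snat MASQ towards the tunnel: rewrite src as well.
    if snat_on_vpn_server:
        src = VPN_SERVER_TUN
    # 4. Remote host: DNAT nag loc:192.168.3.9:80 tcp 9191; conntrack keeps the mapping.
    # 5. Web server answers; the remote host un-DNATs the source back to 10.89.1.98
    #    and routes the SYN,ACK by its *destination*, i.e. whatever src was after step 3.
    reply_src, reply_dst = REMOTE_TUN, src
    reply_iface = route_lookup(reply_dst)
    # 6. Only a reply that goes back through tun0 reaches the VPN server, which then
    #    reverses its own NAT so the client sees the public address as the source.
    if reply_iface == "tun0":
        reply_src = PUBLIC_NAT
    # The client accepts a SYN,ACK only from the address it sent the SYN to.
    return {"reply_iface": reply_iface,
            "reply_src_seen_by_client": reply_src,
            "client_accepts": reply_src == PUBLIC_NAT}


if __name__ == "__main__":
    for snat in (False, True):
        print("snat" if snat else "no snat", trace(snat))
```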
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users