On 3/18/2020 11:34 AM, Andrey Andreev wrote:
> Done. Uncommented line is:
> SNAT(!10.30.14.17)    192.168.126.200/29    enp2s0    # exclude IPSec traffic
>
> 10.30.14.17 - LAN IP of the far end IPSec server, behind NAT
> 192.168.126.200/29 - LAN IP range behind my IPSec server
>
> [root@server ~]# shorewall check
> Checking using Shorewall 5.2.2...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/snat...
>    WARNING: Interface enp2s0 entry generated no iptables rule /etc/shorewall/snat (line 11)
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
> Checking /etc/shorewall/conntrack...
> Checking /etc/shorewall/tunnels...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Shorewall configuration verified
>
That isn't an error, and will not cause 'restart' to fail.

The preceding rule in line 10 is something like:

SNAT(11.11.11.11)    0.0.0.0/0    enp2s0    # local server WAN IP (for openVPN)

Which says "All traffic going out of enp2s0 will have its source IP changed to 11.11.11.11". So no traffic going out of enp2s0 will ever match your rule in line 11. For this reason, the compiler is ignoring line 11.

If you simply reverse the order of these two rules, it should work correctly (remember that except in the mangle file, the first rule in a file that matches a packet will be the rule that is enforced, assuming that the rule's target is terminating (which SNAT is)).

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \    with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \    can't understand
                          \________________________________________
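As an added illustration of Tom's point (example code, not from the thread or from the Shorewall project), a small Python model of first-match-wins evaluation over the two snat lines. It considers only the SOURCE and DEST-interface columns, as Tom's reasoning does, and its shadow check is a simplified stand-in for the compiler's "generated no iptables rule" warning, not Shorewall's actual implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnatRule:
    """One line of /etc/shorewall/snat: ACTION, SOURCE (CIDR), DEST (interface)."""
    line: int
    action: str
    source: str
    dest_if: str

    def matches(self, src_ip: str, out_if: str) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        return out_if == self.dest_if and ipaddress.ip_address(src_ip) in net


def first_match(rules, src_ip: str, out_if: str):
    """SNAT is a terminating target: the first rule that matches is enforced."""
    for rule in rules:
        if rule.matches(src_ip, out_if):
            return rule
    return None


def shadowed_rules(rules):
    """Return (shadowed_line, shadowing_line) pairs: a rule can never match when an
    earlier rule on the same interface already covers its whole SOURCE range."""
    found = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source, strict=False)
        for earlier in rules[:i]:
            earlier_net = ipaddress.ip_network(earlier.source, strict=False)
            if earlier.dest_if == later.dest_if and later_net.subnet_of(earlier_net):
                found.append((later.line, earlier.line))
                break
    return found


# The two rules from the thread, in the order the snat file had them.
ORIGINAL = [
    SnatRule(10, "SNAT(11.11.11.11)", "0.0.0.0/0", "enp2s0"),
    SnatRule(11, "SNAT(!10.30.14.17)", "192.168.126.200/29", "enp2s0"),
]
# Tom's fix: the specific exclusion rule must come before the catch-all.
REVERSED = ORIGINAL[::-1]

if __name__ == "__main__":
    print("shadowed in original order:", shadowed_rules(ORIGINAL))   # [(11, 10)]
    print("shadowed after reversing:  ", shadowed_rules(REVERSED))   # []
    hit = first_match(REVERSED, "192.168.126.201", "enp2s0")
    print("host behind the IPSec server now hits line", hit.line)    # 11
```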
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users