-----Original Message----- From: Tom Eastep
Sent: Wednesday, March 18, 2020 9:28 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall settings for IPSec & openVPN

On 3/18/2020 11:34 AM, Andrey Andreev wrote:
Done. Uncommented line is:
SNAT(!10.30.14.17)    192.168.126.200/29    enp2s0   # exclude IPSec traffic

10.30.14.17 - LAN IP of the far end IPSec server, behind NAT
192.168.126.200/29  - LAN IP range behind my IPSec server

[root@server ~]# shorewall check
Checking using Shorewall 5.2.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
  WARNING: Interface enp2s0 entry generated no iptables rule /etc/shorewall/snat (line 11)
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking /etc/shorewall/tunnels...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified


That isn't an error, and will not cause 'restart' to fail. The preceding
rule in line 10 is something like:

SNAT(11.11.11.11) 0.0.0.0/0  enp2s0  # local server WAN IP (for openVPN)

Which says "All traffic going out of enp2s0 will have its source IP
changed to 11.11.11.11". So no traffic going out of enp2s0 will ever
match your rule in line 11. For this reason, the compiler is ignoring
line 11. If you simply reverse the order of these two rules, it should
work correctly (remember that except in the mangle file, the first rule
in a file that matches a packet will be the rule that is enforced,
assuming that the rule's target is terminating (which SNAT is)).

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________

I am beginning to get it; it is the waterfall situation. So I have to exchange the order of the lines to:

/etc/shorewall/snat
SNAT(!9.9.9.9)  12.12.12.12/29 enp2s0       # exclude IPSec traffic: 9.9.9.9
SNAT(11.11.11.11)    0.0.0.0/0  enp2s0       # local server WAN IP

Tomorrow will test it at the site.
What is the effect of line 1 above: "All traffic only from LAN range 12.12.12.12/29 going out of enp2s0 will have its source changed to 'not 9.9.9.9'"? LAN range 12.12.12.12/29 needs IPSec and internet; what happens to the outgoing traffic which should not be tunneled?

Andrey
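The first-match behaviour Tom describes above (the first snat rule whose SOURCE and interface match a packet is enforced, and SNAT is terminating) can be seen in a small model. This is an added example, not Shorewall code: it only models SOURCE-range and interface matching and the resulting shadowing, and it carries the ACTION text verbatim without interpreting the `!` exclusion. The rule tuples and sample addresses are constructed for the example.

```python
"""Model of first-match, terminating rule evaluation for a Shorewall snat
file, as described in Tom's reply. Only the SOURCE column and the outgoing
interface are matched; the ACTION text is not interpreted."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnatRule:
    action: str      # ACTION column, kept verbatim (e.g. "SNAT(11.11.11.11)")
    source: str      # SOURCE column as CIDR; "0.0.0.0/0" matches every source
    interface: str   # outgoing interface from the DEST column

    def matches(self, src_ip: str, out_if: str) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        return out_if == self.interface and ipaddress.ip_address(src_ip) in net


def first_match(rules, src_ip, out_if):
    """Return (1-based position, rule) of the first matching rule, or None.
    Because SNAT is terminating, evaluation stops at the first hit."""
    for pos, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, out_if):
            return pos, rule
    return None


def shadowed_positions(rules):
    """Positions that can never match because an earlier rule on the same
    interface already covers their whole SOURCE range; this is the situation
    behind the 'entry generated no iptables rule' warning in the thread."""
    out = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later.source, strict=False)
        for earlier in rules[:i]:
            if earlier.interface != later.interface:
                continue
            if later_net.subnet_of(ipaddress.ip_network(earlier.source, strict=False)):
                out.append(i + 1)
                break
    return out


# Constructed from the thread: the original order (catch-all first) and the
# reversed order Tom suggests (narrow LAN range first).
ORIGINAL = [
    SnatRule("SNAT(11.11.11.11)", "0.0.0.0/0", "enp2s0"),
    SnatRule("SNAT(!10.30.14.17)", "192.168.126.200/29", "enp2s0"),
]
REVERSED = list(reversed(ORIGINAL))

if __name__ == "__main__":
    print("shadowed in original order:", shadowed_positions(ORIGINAL))
    print("shadowed in reversed order:", shadowed_positions(REVERSED))
    print(first_match(REVERSED, "192.168.126.201", "enp2s0"))
```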

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users