On 10/9/20 10:55 PM, Peter Nunn wrote:
> Hi there,
>
> Firstly let me say that I really like shorewall and have been using it
> for years to do exactly what I'm having issues with now.
>
> It all worked swimmingly up until Ubuntu 18.04 and shorewall version
> 5.2.3.4 where the masq file went away.
>
> The set up is as follows.
>
> I have a network sitting at the end of an ipsec vpn (146.178.211.0/24)
> and a lan and open vpn connection that need to get to that machine.
>
> In the previous versions this was all handled by masq and worked like a
> dream.
>
> Now that it's been converted to snat, I can't for the life of me get it
> to forward the traffic.
>
> traceroutes look, for all the world, like the lan traffic is just pumped
> out the default route each time.
>
> I can ping the machines from the firewall itself no issues.
>
> The lan is on 192.168.122.x/24. I have done some packet captures and
> can't see the ipsec interface getting hit at all.
>
> I am at a loss as to what I've done wrong. I would really appreciate
> some help.
>
> I am attaching the shorewall_dump.txt file, however the dump did
> terminate with
>
> grep: /proc/net/nf_conntrack: No such file or directory
> Error: ipv4: FIB table does not exist.
> Dump terminated
>
> so I'm not sure if it's complete or not.
>
>
> Thanks so much in advance. A Linux bloke with enough networking to be
> dangerous.
>

According to the dump, although charon is running, there are no IPSec
SAs active. So, you need to see what is happening there.

As far as the snat file is concerned, you are masquerading all traffic
going out of tun0 whose source address is in 192.168.122.0/24. No such
traffic has been active since the firewall was last restarted.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
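
An added example, not part of Tom's reply or of Shorewall: a small Python check for the condition the reply points at, reading the text output of `ip xfrm policy` and `ip xfrm state` and reporting whether a flow to the remote network has an outbound IPsec policy and a matching SA. The sample output and the 203.0.113.1 / 198.51.100.2 gateway addresses are constructed; only the two subnets come from the thread.

```python
import ipaddress
import re

# Constructed sample output (assumed layout of `ip xfrm policy` / `ip xfrm state`).
SAMPLE_POLICY = (
    "src 192.168.122.0/24 dst 146.178.211.0/24\n"
    "\tdir out priority 375423\n"
    "\ttmpl src 203.0.113.1 dst 198.51.100.2\n"
    "\t\tproto esp reqid 1 mode tunnel\n"
)
SAMPLE_STATE = (
    "src 203.0.113.1 dst 198.51.100.2\n"
    "\tproto esp spi 0xc0ffee01 reqid 1 mode tunnel\n"
    "src 198.51.100.2 dst 203.0.113.1\n"
    "\tproto esp spi 0xc0ffee02 reqid 1 mode tunnel\n"
)

HEAD = re.compile(r"^src (\S+) dst (\S+)")          # unindented block header
DIR = re.compile(r"^\s+dir (\w+)")                  # policy direction
TMPL = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")  # tunnel endpoints

def parse_policies(text):
    """Return one dict per policy: selector networks, direction, tunnel endpoints."""
    policies = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            policies.append({"src": ipaddress.ip_network(m[1]),
                             "dst": ipaddress.ip_network(m[2]),
                             "dir": None, "tmpl": None})
        elif policies and (m := DIR.match(line)):
            policies[-1]["dir"] = m[1]
        elif policies and (m := TMPL.match(line)):
            policies[-1]["tmpl"] = (m[1], m[2])
    return policies

def parse_states(text):
    """Return the (src, dst) endpoint pair of every installed SA."""
    return {(m[1], m[2]) for line in text.splitlines() if (m := HEAD.match(line))}

def diagnose(src_ip, dst_ip, policy_text, state_text):
    """'ok', 'policy-without-sa', or 'no-policy' (packet is routed in the clear)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    sas = parse_states(state_text)
    for p in parse_policies(policy_text):
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return "ok" if p["tmpl"] in sas else "policy-without-sa"
    return "no-policy"

if __name__ == "__main__":
    print(diagnose("192.168.122.10", "146.178.211.5", SAMPLE_POLICY, SAMPLE_STATE))
    print(diagnose("192.168.122.10", "146.178.211.5", SAMPLE_POLICY, ""))
```

A `no-policy` or `policy-without-sa` result for a LAN address means the tunnel, not the snat file, is the first thing to look at.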