I'm setting up public access to a remote/internal server, on a specific port, 
over a private VPN.

Topology is:

        Net
         |
         |      eth0 (IP = AA.AA.AA.AA)
        "Public Server" (Shorewall)
         |      vpn0 <-> "Private Edge:vpn0"
         |
         |      eth0 (IP = BB.BB.BB.BB)
        "Private Edge" (Shorewall)
         |      vpn0 <-> "Public Server:vpn0"
         |      eth1 (IP = 10.10.10.1)
         |
         |      eth0 (IP = 10.10.10.99)
        "Private Server"
                        SERVER APP LISTENER @:  10.10.10.99:12345


Goal is:

external traffic, from XX.XX.XX.XX, to AA.AA.AA.AA:12345 flows to 
10.10.10.99:12345,

&,

responses route back from 10.10.10.99:12345 to originating XX.XX.XX.XX


Configs include:

        Shorewall @ "Public Server":

                /rules
                        ACCEPT  net    $FW:AA.AA.AA.AA    tcp    12345
                        DNAT    net    vpn:10.10.10.99    tcp    12345    -    AA.AA.AA.AA

&,

        Shorewall @ "Private Edge"

                /rules

                        ACCEPT  vpn    lan:10.10.10.99    tcp    12345
                        DNAT    vpn    lan:10.10.10.99    tcp    12345    -    10.10.10.99


With that^^, access from the 'net DOES make it to the LISTENER.


Inbound,

        @ "Private Edge"
        tcpdump -n -i vpn0 port 12345

                IP XX.XX.XX.XX.21959 > 10.10.10.99.12345: Flags [S], seq 448812557, win 65535, options [mss 1224,sackOK,TS val 14593152 ecr 0,nop,wscale 8], length 0


        @ "Private Server":LISTENER
        tcpdump -n -i eth0 port 12345

                16:12:25.703719 IP XX.XX.XX.XX.21959 > 10.10.10.99.12345: Flags [S], seq 1958940743, win 65535, options [mss 1224,sackOK,TS val 14699632 ecr 0,nop,wscale 8], length 0


Outbound, the reply *is* generated

        @ "Private Server":LISTENER
        tcpdump -n -i eth0 port 12345

                16:12:25.703808 IP 10.10.10.99.12345 > XX.XX.XX.XX.21959: Flags [S.], seq 891560507, ack 2837133672, win 65160, options [mss 1460,sackOK,TS val 3577618011 ecr 14699376,nop,wscale 7], length 0

but FAILs to route back over the VPN link; I don't see the traffic return via 
intfc = vpn0.

It's instead appearing on the EXTERNAL interface

        @ "Private Edge"
        tcpdump -n -i eth0 src port 12345
                       ^^^

                16:12:26.822716 IP 10.10.10.99.12345 > XX.XX.XX.XX.21959: Flags [S.], seq 891560507, ack 2837133672, win 65160, options [mss 1460,sackOK,TS val 3577620033 ecr 14699376,nop,wscale 7], length 0


Where does that mis-routeback need to get fixed, so that the traffic return is via 
"Private Edge" *vpn0*, NOT *eth0*?


Do I need to mod my DNAT?
Add a SNAT?
Or, add static routes?


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
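A small routing model, added here as an illustration and not taken from the thread, of why the listener's SYN-ACK leaves "Private Edge" on eth0 and how either SNAT on "Public Server" or a host route via vpn0 changes that. It assumes a VPN transit subnet of 10.8.0.0/24 with "Public Server" at 10.8.0.1 on vpn0, a typical default-route-out-eth0 table on "Private Edge", and uses the documentation address 203.0.113.7 in place of XX.XX.XX.XX.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the post).
# Assumed: VPN transit subnet 10.8.0.0/24, "Public Server" is 10.8.0.1 on vpn0,
# and 203.0.113.7 stands in for the external client XX.XX.XX.XX.
PUBLIC_SERVER_VPN_IP = "10.8.0.1"
CLIENT_IP = "203.0.113.7"
LISTENER = "10.10.10.99"

# Assumed main routing table of "Private Edge": default route out eth0,
# the LAN on eth1, and only the VPN transit subnet reachable via vpn0.
PRIVATE_EDGE_ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.10.10.0/24", "eth1"),
    ("10.8.0.0/24", "vpn0"),
]


def egress_interface(dst, routes=PRIVATE_EDGE_ROUTES):
    """Longest-prefix match: the interface Private Edge uses to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def forwarded_syn(client_src, snat=False):
    """(src, dst) the listener sees after Public Server's DNAT; with snat=True
    the connection is also SNATed to Public Server's VPN address."""
    return (PUBLIC_SERVER_VPN_IP if snat else client_src, LISTENER)


def reply_egress(client_src, snat=False, extra_routes=()):
    """Interface the listener's SYN-ACK leaves Private Edge on: the reply goes
    to whatever source address the listener saw in the SYN."""
    seen_src, _ = forwarded_syn(client_src, snat)
    return egress_interface(seen_src, list(PRIVATE_EDGE_ROUTES) + list(extra_routes))


if __name__ == "__main__":
    # DNAT only: reply to 203.0.113.7 matches just the default route -> eth0
    print("DNAT only:        ", reply_egress(CLIENT_IP))
    # Fix 1: SNAT to the VPN address on Public Server -> reply follows 10.8.0.0/24 -> vpn0
    print("DNAT + SNAT:      ", reply_egress(CLIENT_IP, snat=True))
    # Fix 2: a host route for the client via vpn0 on Private Edge
    print("DNAT + host route:", reply_egress(CLIENT_IP, extra_routes=[(CLIENT_IP + "/32", "vpn0")]))
```

SNAT hides the real client address from the listener, while per-client host routes do not scale beyond a known set of sources; policy routing keyed on the connection's VPN ingress (not modelled here) avoids both drawbacks.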
