--On 10. November 2017 at 15:20:40 +0000 lejeczek <[email protected]> wrote:



> On 10/11/17 14:34, Dirk Hartmann wrote:
>> Hi,
>>
>> --On Friday, November 10, 2017 02:21:09 PM +0000 lejeczek <[email protected]> wrote:
>>
>>> I've a working roadwarrior which links up to a server (not mine, meaning - no control over it) and I wonder - can that IP my roadwarrior gets other things use?
>>>
>>> From that other (server) end, the network behind the server sees that IP my roadwarrior gets, can ping it but, how to make, eg. apache etc, use and serve on that IP? If I do nmap from server's net on my roadwarrior IP it says port is closed.
>>>
>>> Is it something I can do at my end? Which would be great if possible.
>>
>> without a firewall either on your RW or on the Gateway side there is no reason you should not be able to reach any port on your RW.
>>
>> The question is, does your service bind itself to your RW-IP.
>>
>> What does netstat report for your apache?
>>
>> netstat -tulpn | grep apache
>>
>> Mostly you configure apache in /etc/apache2/ports.conf on which IPs it should listen or if it should listen on all IPs.
>>
>> Some services don't bind to interfaces added after the service started, so maybe you have to restart it after the VPN connection is up.
>>
>> Dirk
>
> Apache listens on all ports, and I did restart it, same for sshd. Nmap from behind the gateway says ports are closed, but not filtered.
>
> My RW is on a box which is my local gateway-to-internet. The interface/connection strongswan creates when it connects to the VPN gateway I put (with use of firewalld) into my external zone, so it gets masqueraded and other nodes on my local LAN can get to the VPN via my RW - but I do not see this affecting the firewall, etc.; ports that are opened in the external zone (nic with public IP and RW), as nmap says, are not filtered.
> I nmap my public IP and it is "open"; I nmap my RW-IP and it is "closed".

IIRC closed means it's either no service there or when using iptables it has a reject rule to it instead of a drop-rule.

> It all runs off a fedora26, I have strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I understand with it I get ipsec0 interface autocreation, which then I can manage with "regular" OS utils, eg. firewalld - I thought it was the laziest/quickest way out.
>
> I did think that RW-NIC-IP would be just operational, manageable as any other iface in the OS, but it seems some sorcery is needed, or maybe something trivial?

Did you try to access the apache from the local server via the tunnel IP?

As I said: in a vanilla setup without a firewall there is nothing preventing you from reaching open ports on either side of the tunnel via the tunnel.

Dirk
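As an added example (not part of the thread, and not strongSwan's or lejeczek's own configuration), the shell function below applies Dirk's netstat check mechanically: given `netstat -tulpn` output on stdin, it reports whether a named daemon would accept connections on a given address and port, treating the wildcard binds 0.0.0.0 and :: as matches. The sample netstat lines, the process names and the tunnel address 10.0.0.5 are constructed for the example.

```shell
# Added example, not from the thread: does a service bind to a given IP,
# the question Dirk raises about the road-warrior (RW) address?
# Usage: <netstat -tulpn output> | listens_on SERVICE IP PORT  -> prints yes|no
# A service answers on IP:PORT if it binds exactly to IP:PORT or to a
# wildcard address (0.0.0.0 for IPv4, :: for IPv6) on PORT.
listens_on() {
  awk -v svc="$1" -v ip="$2" -v port="$3" '
    # only lines for the requested program (last field is PID/Program name)
    $NF ~ ("/" svc "$") {
      # local address is field 4; the port follows the last colon
      n = split($4, parts, ":")
      p = parts[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && (addr == ip || addr == "0.0.0.0" || addr == "::"))
        found = 1
    }
    END { print (found ? "yes" : "no") }
  '
}

# Constructed sample in the format of `netstat -tulpn` (not from a real host).
# httpd binds to all addresses; sshd is bound only to the public NIC, so it
# is unreachable on the tunnel address even with no firewall in the way.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:22           0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1234/httpd'

# Wrapper over the constructed sample; on a live host pipe real
# `netstat -tulpn` output into listens_on instead.
sample_listens_on() {
  printf '%s\n' "$SAMPLE_NETSTAT" | listens_on "$1" "$2" "$3"
}

# 10.0.0.5 stands in for the RW tunnel address (constructed placeholder).
sample_listens_on httpd 10.0.0.5 80    # yes: wildcard IPv4 bind
sample_listens_on sshd  10.0.0.5 22    # no: bound to the public NIC only
```

A "no" here means the port shows as closed to the far side regardless of firewall zones, which is the first thing to rule out before looking at firewalld; a "yes" with nmap still reporting closed points at a reject rule, as Dirk notes above.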
