Hi all
I have a "vpn gateway" with CentOS 4: kernel 2.6.9, iptables 1.2.11,
shorewall 2.4.2.
The kernel is rebuilt with some patch-o-matic patches, some of which are the
ipsec policy ones.
I would like to allow some users that connect with pptp (PoPToP) to only be
able to access some hosts in the internal LAN, while others should be able
to access the whole network.
Because pptpd does not allow me to select the IP address assigned to each
user (at least without rebuilding and, it seems to me, without other
limitations) I decided to create two empty zones in Shorewall, where I'm
going to add/delete IP addresses via a script that is called by pppd on
connect/disconnect of the user. This script is going to add the IP address
to the right zone, based on the user used to authenticate.
But when I issue the command
shorewall add ppp+:192.168.30.33 vpnAS
I get:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
iptables: No chain/target/match by that name
Can't add ppp+:192.168.30.33 to zone vpnAS
But it works! If I issue a shorewall show zones, I see ppp+:192.168.30.33 in
vpnAS.
I'm using ppp+ as the interface because in the interfaces file I have
the "- ppp+ -" line.
The command that fails is the following:
iptables -A ips_dyn -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j all2all
It's not difficult to argue why it failed: ips_dyn is not present in my
current iptables rules:
iptables -L -n -v | grep ips_dyn | wc -l
0
Is this my fault, or shorewall's?
Some further info:
I did a little debugging, and the iptables commands issued by
"shorewall add ppp+:192.168.30.33 vpnAS" have the following arguments:
-t nat -L -n
-t mangle -L -n
-N fooX1234
-A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
-A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
-A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT
-A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT
-A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT
-A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
-A fooX1234 -m recent --update -j ACCEPT
-A fooX1234 -m owner --cmd-owner foo -j ACCEPT
-A fooX1234 -m connmark --mark 2 -j ACCEPT
-t mangle -N fooX1234
-t mangle -A fooX1234 -j ROUTE --oif eth0
-t mangle -A fooX1234 -j MARK --or-mark 2
-t mangle -A fooX1234 -j CONNMARK --save-mark
-t mangle -F fooX1234
-t mangle -X fooX1234
-A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT
-F fooX1234
-X fooX1234
-L shorewall -n
-L ppp_in -n
-L ppp_dyni -n
-t nat -L vpnAS_dnat -n
-A ips_dyn -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j all2all
-A ppp_dynf -s 192.168.30.64/27 -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j all2all
-A eth0_dynf -s 0.0.0.0/0 -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j net2all
-A eth2_dynf -s 0.0.0.0/0 -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j loc2vpnAS
-A eth1_dynf -s 0.0.0.0/0 -o ppp+ -d 192.168.30.33 -m policy --pol none --dir out -j ap2all
-A ppp_dyno -d 192.168.30.33 -m policy --pol none --dir out -j fw2vpnAS
-A ppp_dyni -s 192.168.30.33 -m policy --pol none --dir in -j all2all
-A ppp_dynf -s 192.168.30.33 -o eth0 -d 0.0.0.0/0 -m policy --pol ipsec --dir out -j all2all
-A ppp_dynf -s 192.168.30.33 -o ppp+ -d 192.168.30.64/27 -m policy --pol none --dir out -j all2all
-A ppp_dynf -s 192.168.30.33 -o eth0 -d 0.0.0.0/0 -m policy --pol none --dir out -j all2all
-A ppp_dynf -s 192.168.30.33 -o eth2 -d 0.0.0.0/0 -m policy --pol none --dir out -j vpnAS2loc
-A ppp_dynf -s 192.168.30.33 -o eth1 -d 0.0.0.0/0 -m policy --pol none --dir out -j all2all
Some info about my current configuration:
# cat zones
ips RemoteIPSEC Utenti via IPSEC
l2t RemoteL2TP Utenti via L2TP
net Net Internet
loc Local Local Networks
ap APs Access Points
vpnAS VPNtoAS Accesso VPN all AS
ptp RemotePPTP Utenti via PPTP
# cat tunnels
pptpserver net 0.0.0.0/0
pptpserver loc 0.0.0.0/0
ipsecnat net 0.0.0.0/0 ips
# cat interfaces
net $EXT_IF detect routefilter,norfc1918,logmartians,tcpflags,nosmurfs
loc $INT_IF detect
ap $AP_IF detect
- ppp+ -
# cat hosts
ips eth0:0.0.0.0/0 ipsec
l2t ppp+:192.168.30.64/27
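The pppd connect/disconnect hook described above, as an added example that is not part of the original post or of Shorewall: it maps the authenticated PEERNAME to one of the two dynamic zones and builds the corresponding shorewall add/delete command, refusing anything that is not a plain add/delete with a well-formed IPv4 address. It assumes pppd exports PEERNAME and passes the peer IP as argument 5 (standard ip-up/ip-down behaviour), uses the zone names vpnAS and ptp from the post, and the user names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: a pppd ip-up/ip-down hook that
# places each PPTP peer in a Shorewall zone by username.
# Assumptions: pppd exports PEERNAME (authenticated user) and passes the
# peer IP as argument 5; zone names vpnAS (restricted) and ptp (full access)
# come from the post; the user names below are hypothetical.
RESTRICTED_USERS="alice bob"      # hypothetical users limited to the AS hosts

# Print the zone a user belongs to: restricted users -> vpnAS, others -> ptp.
zone_for_user() {
    for u in $RESTRICTED_USERS; do
        [ "$u" = "$1" ] && { echo vpnAS; return 0; }
    done
    echo ptp
}

# Print the shorewall command for action ($1: add|delete), peer IP ($2) and
# user ($3). Unknown actions and malformed IPs are rejected so that an odd
# pppd environment can never turn into an unexpected shorewall invocation.
build_shorewall_cmd() {
    action="$1"; ip="$2"; user="$3"
    case "$action" in add|delete) ;; *) return 1 ;; esac
    echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    echo "shorewall $action ppp+:$ip $(zone_for_user "$user")"
}

# Entry point when installed as /etc/ppp/ip-up.local or ip-down.local.
# $1 is the script name; after the shift, $5 is pppd's remote (peer) IP.
run_hook() {
    case "$(basename "$1")" in
        ip-up*)   action=add ;;
        ip-down*) action=delete ;;
        *)        return 1 ;;
    esac
    shift
    cmd=$(build_shorewall_cmd "$action" "$5" "$PEERNAME") || {
        logger -t ppp-zone "refused: action=$action ip=$5 user=$PEERNAME"
        return 1
    }
    logger -t ppp-zone "$cmd"
    $cmd
}

# Only act when invoked by pppd under one of the hook names.
case "$(basename "$0")" in
    ip-up*|ip-down*) run_hook "$0" "$@" ;;
esac
```

Each add/delete is logged via logger, so /var/log/messages shows which user was placed in which zone and when.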