Hi,
I've just installed Shorewall 4.4.0 on my system. It looks like this:

Box with Linux 2.6 with:
ath0 interface with public IP (x.x.x.x)
eth0 interface with internal IP (192.168.111.1), used as gateway for my home network

and I am trying to set up an OpenVPN tunnel with my work network from this box:

tun0 interface with internal IP (10.8.5.254), endpoint (at work) 10.8.5.253 - OpenVPN connects with remote system IP y.y.y.y

I've got some problems with this stuff. I set up Shorewall and computers from network 192.168.111.0 can use ath0 as default gateway for the Internet (masq).
I also found the doc (shorewall.net) and set up the VPN connection, but I still get, for example:

kernel: martian source 10.8.5.254 from 212.77.100.101, on dev tun0

while pinging via the tun interface (ping -c 5 -I tun0 www.wp.pl).

First question: what is wrong in my configuration?

/etc/shorewall/interfaces:
net     ath0    detect  tcpflags,routefilter,nosmurfs,logmartians,blacklist
vpn     tun0    detect  tcpflags,routefilter,nosmurfs,blacklist
loc     eth0    detect  dhcp,maclist,tcpflags,nosmurfs,blacklist

/etc/shorewall/zones:
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

/etc/shorewall/policy:
loc     vpn     ACCEPT
vpn     loc     ACCEPT
fw      vpn     ACCEPT
vpn     fw      ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

/etc/shorewall/tunnels:
openvpn:4672    net     y.y.y.y

/etc/shorewall/masq:
ath0    eth0

Second question: I want to masquerade packets from host 192.168.111.21 (from my local network) via the OpenVPN tunnel defined in /etc/shorewall/tunnels. Other hosts should still use eth0.

So in /etc/shorewall/masq I add:
tun0    196.168.111.21
ath0    eth0

But it's not working. Again, am I missing something?
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now.
http://p.sf.net/sfu/bobj-july
Robert,

This is a mailing list run by volunteers -- repeating your post in a short timespan only annoys us -- it doesn't get you faster service.

Robert wrote:
> Hi
> I've just installed Shorewall 4.4.0 on my system. It looks like this:
>
> Box with Linux 2.6 with:
> ath0 interface with public IP (x.x.x.x)
> eth0 interface with internal IP (192.168.111.1), used as gateway for my
> home network
>
> and I am trying to set up an OpenVPN tunnel with my work network from this
> box
>
> tun0 interface with internal IP (10.8.5.254), endpoint (at work)
> 10.8.5.253 - OpenVPN connects with remote system IP y.y.y.y
>
> I've got some problems with this stuff. I set up Shorewall and computers
> from network 192.168.111.0
> can use ath0 as default gateway for the Internet (masq).
> I also found the doc (shorewall.net) and set up the VPN connection, but I
> still get, for example:
>
> kernel: martian source 10.8.5.254 from 212.77.100.101, on dev tun0
>
> while pinging via the tun interface (ping -c 5 -I tun0 www.wp.pl).
>
> First question: what is wrong in my configuration?

The Shorewall support page (http://www.shorewall.net/support.htm) specifically asks that you not send us your configuration unless requested. The reason for that is that your configuration reflects your solution to some problem. If all we have is your configuration, then we are forced to guess what the problem is that you are trying to solve. If you submit the output of 'shorewall dump', as requested on the page, we can then see both the problem and your solution to it.

The presence of 'martian' messages indicates a problem with your routing, not with your Shorewall configuration. You can get rid of the 'martian' messages by changing the configuration of 'tun0' in /etc/shorewall/interfaces to read:

vpn     tun0    detect  tcpflags,routefilter=0,nosmurfs,blacklist

-------------
Note: I must say that this is the first time that I ever saw 'blacklist' specified on an internal interface like a VPN.

> Second question:
> I want to masquerade packets from host 192.168.111.21 (from my local
> network) via the OpenVPN tunnel defined in /etc/shorewall/tunnels.
> Other hosts should still use eth0.
>
> So in /etc/shorewall/masq I add
> tun0    196.168.111.21
> ath0    eth0
>
> But it's not working. Again, am I missing something?

"it's not working" means what? That connections created after you changed your configuration and restarted Shorewall don't get masqueraded? Or that communication from 196.168.111.21 to VPN hosts fails? If so, how does it fail? Because the response packets are dropped as martians? If so, the change suggested above will stop that.

If you continue to have problems, please send us 'shorewall dump' output collected as described in the support article, and explain exactly what you tried and what happened in response; we will try to help you.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
>
> The presence of 'martian' messages indicates a problem with your
> routing, not with your Shorewall configuration. You can get rid of the
> 'martian' messages by changing the configuration of 'tun0' in
> /etc/shorewall/interfaces to read:
>
> vpn     tun0    detect  tcpflags,routefilter=0,nosmurfs,blacklist

Note that this change doesn't fix the underlying routing issue -- it simply hides one of its effects.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Sun, Aug 23, 2009 at 07:29:27AM -0700, Tom Eastep wrote:
>
> This is a mailing list run by volunteers -- repeating your post in a
> short timespan only annoys us -- it doesn't get you faster service.

Sorry.

After your suggestions - no martians in the logs. Now I can ping via this interface and it works OK. Thanks.

> "it's not working" means what? That connections created after you
> changed your configuration and restarted Shorewall don't get
> masqueraded? Or that communication from 196.168.111.21 to VPN hosts
> fails? If so, how does it fail? Because the response packets are dropped
> as martians? If so, the change suggested above will stop that.

Host 192.168.111.21 can connect to the local network (loc zone) but cannot connect to the Internet. No info why in the log.

>
> If you continue to have problems, please send us 'shorewall dump' output
> collected as described in the support article, and explain exactly what
> you tried and what happened in response; we will try to help you.

Dump in attachment.

Sorry for my English... I tried to connect to the Internet via the VPN tunnel only from host 192.168.111.21 - the other hosts in the local network use ath0 for their Internet connection (and it's working).
So I want to set the gateway for .21 via the VPN and for the other hosts via interface ath0.

Additional info for the dump - eth1 is not used.

Thanks for the help.
Robert wrote:
> On Sun, Aug 23, 2009 at 07:29:27AM -0700, Tom Eastep wrote:
>> This is a mailing list run by volunteers -- repeating your post in a
>> short timespan only annoys us -- it doesn't get you faster service.
>
> Sorry.
>
> After your suggestions - no martians in the logs. Now I can ping
> via this interface and it works OK. Thanks.
>
>> "it's not working" means what? That connections created after you
>> changed your configuration and restarted Shorewall don't get
>> masqueraded? Or that communication from 196.168.111.21 to VPN hosts
>> fails? If so, how does it fail? Because the response packets are dropped
>> as martians? If so, the change suggested above will stop that.
>
> Host 192.168.111.21 can connect to the local network (loc zone) but cannot
> connect to the Internet. No info why in the log.
>
>
>> If you continue to have problems, please send us 'shorewall dump' output
>> collected as described in the support article, and explain exactly what
>> you tried and what happened in response; we will try to help you.
>
> Dump in attachment.
>
> Sorry for my English... I tried to connect to the Internet via the VPN tunnel
> only from host 192.168.111.21 - the other hosts in the local network use ath0 for
> their Internet connection (and it's working).
> So I want to set the gateway for .21 via the VPN and for the other hosts via interface ath0.

If you want to do that, you need to use Shorewall MultiISP support. See http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
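Editor's added example, not code from the thread or from the Shorewall project: the policy routing that the MultiISP article Tom points to ends up generating, written as plain iproute2/iptables commands so the two questions in the thread can be seen as one problem. The 'martian source 10.8.5.254 from 212.77.100.101, on dev tun0' message is the reverse-path filter (the routefilter option) noticing that a packet arrived on tun0 although the main routing table would send traffic for that source out ath0; setting routefilter=0 silences the check, which is exactly why Tom says it only hides the effect, and it also means tun0 will then accept packets with any source address the VPN peer chooses to send. A source-based routing table fixes the cause and lets reverse-path filtering stay on. The addresses below are the ones from the thread (eth0 192.168.111.1, tun0 10.8.5.254 with peer 10.8.5.253, the chosen host 192.168.111.21); the table number 200 and the rule priorities are assumptions. Note also that the masq line in the first post reads 196.168.111.21 while the host is 192.168.111.21; an entry with the wrong address matches nothing. If Shorewall's providers configuration is used, it will create equivalent rules itself, so do not run both.

```shell
#!/bin/sh
# Added example (not from the thread): route one LAN host through the OpenVPN
# tunnel while the rest of the LAN keeps using ath0, without disabling the
# reverse-path filter on tun0. Run with "plan" to print the commands, with
# "apply" (as root) to execute them. Table number and priorities are assumed.

VPN_TABLE=${VPN_TABLE:-200}            # assumed spare routing table number
VPN_IF=${VPN_IF:-tun0}
VPN_LOCAL=${VPN_LOCAL:-10.8.5.254}     # firewall's own tunnel address (from the thread)
VPN_PEER=${VPN_PEER:-10.8.5.253}       # work-side tunnel endpoint (from the thread)
VPN_HOST=${VPN_HOST:-192.168.111.21}   # the one LAN host that should use the VPN
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.111.0/24}
: "${DRY_RUN:=1}"                      # default to printing, never to changing routes

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read-only diagnostic: reverse-path filter per interface
# (0 = off, 1 = strict, 2 = loose). Prints nothing where /proc/sys is absent.
show_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        printf '%s=%s\n' "${f#/proc/sys/net/ipv4/conf/}" "$(cat "$f")"
    done
}

vpn_policy_routing() {
    # 1. A second table whose default route points into the tunnel. The LAN
    #    route is copied in so the chosen host can still reach its neighbours.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    run ip route add default via "$VPN_PEER" dev "$VPN_IF" table "$VPN_TABLE"
    # 2. Source-based selection: only packets from the chosen host, and from
    #    the firewall's own tunnel address, consult that table. The kernel's
    #    reverse-path check looks up a route back to the packet's source as if
    #    sent from its destination, so these "from" rules also make a reply that
    #    arrives on tun0 for .21 (or for 10.8.5.254) resolve to tun0 and pass
    #    strict rp_filter instead of being logged as a martian.
    run ip rule add from "$VPN_HOST" table "$VPN_TABLE" priority 1000
    run ip rule add from "$VPN_LOCAL" table "$VPN_TABLE" priority 1001
    # 3. Hide the LAN address behind the tunnel address; this is what the
    #    "tun0 192.168.111.21" masq entry expresses in Shorewall terms.
    run iptables -t nat -A POSTROUTING -s "$VPN_HOST" -o "$VPN_IF" -j MASQUERADE
    run ip route flush cache
}

# Reverse the changes in the opposite order.
vpn_policy_routing_undo() {
    run iptables -t nat -D POSTROUTING -s "$VPN_HOST" -o "$VPN_IF" -j MASQUERADE
    run ip rule del from "$VPN_LOCAL" table "$VPN_TABLE" priority 1001
    run ip rule del from "$VPN_HOST" table "$VPN_TABLE" priority 1000
    run ip route flush table "$VPN_TABLE"
    run ip route flush cache
}

case "${1:-}" in
    plan)  DRY_RUN=1; vpn_policy_routing ;;
    apply) DRY_RUN=0; vpn_policy_routing ;;
    undo)  DRY_RUN=0; vpn_policy_routing_undo ;;
    rp)    show_rp_filter ;;
esac
```

After applying, 'ip rule show' should list the two 'from' rules ahead of the main table, and 'ip route show table 200' the tunnel default route; a ping from 192.168.111.21 should then leave through tun0 while the rest of the LAN still goes out ath0, with routefilter left enabled on tun0.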