Hi,

I am having problems with setting multiple ISP links and openvpn roadwarrior with Centos.

The firewall I have is designed to run on both links, actively used, and redirect traffic from DMZ and LAN based on their services to specific providers.

I am able to get the firewall running to the state where a simple Internet, DMZ, LAN topology works and is able to redirect traffic and DNAT services to certain provider links based on the requirement.

However, when I add openvpn in the firewall and set it as vpn server for roadwarrior, I am not able to connect to the openvpn port with telnet from the public internet. For some reason, it is blocked. Openvpn runs on tun0 and I can confirm it is running by telnet to port 443 tcp (the port I used for openvpn) from the firewall itself, and the openvpn service is running.

I collect logs for all REJECT and DROP packets but cannot see the attempted traffic in that log.

Attached is the dump from shorewall.

This is what I have done based on the documentation from shorewall:

/etc/shorewall/interfaces:
#ZONE   INTERFACE   OPTIONS
net     eth0        detect
net     eth1        detect
dmz     eth2        detect
loc     eth3        detect
road    tun+

/etc/shorewall/zones:
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
road    ipv4

/etc/shorewall/policy:
net     net     DROP    info
# traffic to internet
loc     net     ACCEPT
dmz     net     REJECT  info
# traffic to dmz
loc     dmz     ACCEPT
# traffic from roadwarrior
road    loc     ACCEPT
road    dmz     ACCEPT
# traffic to firewall
loc     $FW     REJECT  info
# traffic from firewall
$FW     all     ACCEPT
# traffic from internet
net     all     DROP    info
# catch all
all     all     DROP    info

/etc/shorewall/providers:
ISPIIN  1   1   main    eth1    218.206.228.101    track,balance=100   eth2,eth3,tun0
ISPAC3  2   2   main    eth0    218.202.139.222    track,balance=50    eth2,eth3

/etc/shorewall/tcrules:
# redirect service from LAN to (1) iinet or (2) ac3
1:P     10.35.249.0/24      0.0.0.0/0   tcp     80
2:P     10.35.249.0/24      0.0.0.0/0   tcp     3389
# redirect service from DMZ to (1) iinet or (2) ac3
1:P     192.168.168.0/24    0.0.0.0/0   tcp     80
1:P     192.168.168.0/24    0.0.0.0/0   tcp     443
1:P     192.168.168.0/24    0.0.0.0/0   tcp     53
1:P     192.168.168.0/24    0.0.0.0/0   udp     53
1:P     192.168.168.0/24    0.0.0.0/0   udp     123
1:P     192.168.168.0/24    0.0.0.0/0   icmp    8
1:P     192.168.168.0/24    0.0.0.0/0   tcp     21
#2:P    192.168.168.0/24    0.0.0.0/0   icmp    8

/etc/shorewall/rtrules:
#here not using USE_DEFAULT_RT
-       172.16.1.0/24   main    1000

/etc/shorewall/tunnels:
openvpnserver:tcp:443   net     0.0.0.0/0

/etc/shorewall/rules:
# Internet to ALL -- drop NewNotSyn packets
dropNotSyn      net     fw      tcp
dropNotSyn      net     loc     tcp
dropNotSyn      net     dmz     tcp
#---FROM LAN---
SSH(ACCEPT)     loc     $FW     -   -   -   -   s:1/min:3
#---FROM DMZ---
HTTP(ACCEPT)    dmz     net
HTTPS(ACCEPT)   dmz     net
DNS(ACCEPT)     dmz     net
NTP(ACCEPT)     dmz     net
Ping(ACCEPT)    dmz     net
FTP(ACCEPT)     dmz     net
#---DNAT Rules---
DNAT    net:eth1    dmz:192.168.168.10:80   tcp     8080    -   218.206.228.102
DNAT    net:eth1    loc:10.35.249.53:80     tcp     8081    -   218.206.228.102
#---Services within Firewall---
# openvpn - tcp 443
ACCEPT  net     $FW     tcp     443     -   218.202.228.102
#---Temporary Rules---
ACCEPT  net:124.149.32.217  $FW     tcp     22      -   218.206.228.102
#Block stealth Auth port 113 (must be at the end)
Auth(DROP)      net     $FW

/etc/shorewall/shorewall.conf (diff from the original setting):
< STARTUP_ENABLED=Yes
< LOGLIMIT=s:5/sec
< STARTUP_LOG=/var/log/firewall/shorewall-init.log
< MARK_IN_FORWARD_CHAIN=Yes

Could someone give a hint what went wrong? I'd really appreciate it.

Many thanks.

-Lito

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 4/27/12 6:14 PM, Lito Kusnadi wrote:
> Hi,
>
> I am having problems with setting multiple ISP links and openvpn roadwarrior with Centos.
>
> The firewall I have is designed to run on both links, actively used, and redirect traffic from DMZ and LAN based on their services to specific providers.
>
> I am able to get the firewall running to the state where a simple Internet, DMZ, LAN topology works and is able to redirect traffic and DNAT services to certain provider links based on the requirement.
>
> However, when I add openvpn in the firewall and set it as vpn server for roadwarrior, I am not able to connect to the openvpn port with telnet from the public internet. For some reason, it is blocked. Openvpn runs on tun0 and I can confirm it is running by telnet to port 443 tcp (the port I used for openvpn) from the firewall itself, and the openvpn service is running.
>
> I collect logs for all REJECT and DROP packets but cannot see the attempted traffic in that log.
>
> Attached is the dump from shorewall.
>
> This is what I have done based on the documentation from shorewall:

I see no evidence from the dump that the OpenVPN connection requests are ever reaching the Shorewall box.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
Hi Tom,

Thank you for your help. I found the ISP blocked port 443 tcp and some other common service ports.

Really appreciate your help.

Lito

--- On Sat, 28/4/12, Tom Eastep <teastep@shorewall.net> wrote:

> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] multiple ISPs and openvpn roadwarrior
> To: shorewall-users@lists.sourceforge.net
> Received: Saturday, 28 April, 2012, 2:34 AM
>
> On 4/27/12 6:14 PM, Lito Kusnadi wrote:
> > Hi,
> >
> > I am having problems with setting multiple ISP links and openvpn roadwarrior with Centos.
> >
> > The firewall I have is designed to run on both links, actively used, and redirect traffic from DMZ and LAN based on their services to specific providers.
> >
> > I am able to get the firewall running to the state where a simple Internet, DMZ, LAN topology works and is able to redirect traffic and DNAT services to certain provider links based on the requirement.
> >
> > However, when I add openvpn in the firewall and set it as vpn server for roadwarrior, I am not able to connect to the openvpn port with telnet from the public internet. For some reason, it is blocked. Openvpn runs on tun0 and I can confirm it is running by telnet to port 443 tcp (the port I used for openvpn) from the firewall itself, and the openvpn service is running.
> >
> > I collect logs for all REJECT and DROP packets but cannot see the attempted traffic in that log.
> >
> > Attached is the dump from shorewall.
> >
> > This is what I have done based on the documentation from shorewall:
>
> I see no evidence from the dump that the OpenVPN connection requests are ever reaching the Shorewall box.
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
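Tom's reading of the dump (no sign of the connection requests arriving) and Lito's finding (the ISP filters tcp/443) are two sides of the same triage step: decide, from outside, whether a SYN reaches the firewall at all before touching the ruleset. The probe below is an added example written for this thread, not code from the thread or from Shorewall. It assumes a Python 3 host on the public internet as the vantage point, and a control port on the same public address that is known to answer (in the configuration above, tcp/22 from the permitted source 124.149.32.217 would serve), so that a dead path is not mistaken for a ruleset bug.

```python
"""Classify a TCP connect attempt so 'dropped on the path' can be told apart
from 'the firewall answered'. Added example; not part of the Shorewall thread.

Assumptions (not from the original post): Python 3 on Linux, and that the
probing host sits outside the firewall, e.g. on the public internet.
"""
import errno
import socket
import sys


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and return a one-word verdict.

    open        handshake completed: the service answered.
    refused     RST came back: a host at that address answered, so the SYN
                reached it (Shorewall REJECT, or nothing listening).
    filtered    no reply before the timeout: the SYN was silently dropped
                somewhere on the path (Shorewall DROP, or a block upstream).
    unreachable ICMP unreachable / no route from this vantage point.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def interpret(target: str, control: str) -> str:
    """Read the target verdict against a port known to answer on the same
    address (the control), so a path problem is not blamed on the ruleset."""
    if target == "open":
        return "target port reachable"
    if target == "refused":
        return "firewall answered with RST: rules/REJECT logs on the box are the place to look"
    if target == "filtered" and control in ("open", "refused"):
        return ("host reachable but target port silently dropped: if Shorewall logs "
                "nothing for it, the drop is upstream of the firewall (e.g. the ISP)")
    if target == "filtered":
        return "nothing answers at all: host down, wrong address, or no path from here"
    return "no route from this vantage point; repeat from another network"


def compare(host: str, target_port: int, control_port: int, timeout: float = 3.0) -> tuple:
    """Probe the suspect port and the control port, return both verdicts plus a reading."""
    target = probe(host, target_port, timeout)
    control = probe(host, control_port, timeout)
    return target, control, interpret(target, control)


def local_listener():
    """Bind a throwaway listener on loopback; used only to self-test probe()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # usage: probe.py <public-ip> <target-port> <control-port>
    host, tport, cport = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    t, c, verdict = compare(host, tport, cport)
    print(f"target {tport}: {t}; control {cport}: {c}")
    print(verdict)
```

Run it while watching the external interface on the firewall, e.g. `tcpdump -ni eth1 'tcp port 443 and tcp[tcpflags] & tcp-syn != 0'`: a "filtered" verdict with no SYN on eth1 and no `net all DROP info` entry in the log means the packet is lost before the box, which is exactly what the thread concluded. Telnet from the firewall itself, as in the original post, only proves the daemon is listening; it never traverses eth1 or the net-to-$FW chain. Once the ISP block is out of the picture, a "filtered" verdict that does produce a DROP log line points back at the rules; the tcp/443 ACCEPT rule above names 218.202.228.102 while the DNAT and SSH rules name 218.206.228.102, so that is the first thing to compare against what the log shows.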