Gerhard Wiesinger
2014-Jun-24 17:48 UTC
Shorewall and routebacks with default gateway not on firewall
Hello,

I have the following configuration:

  Internet <=> Host with fixed IP <=> OpenVPN Tunnel <=> Firewall Host with dynamic IP <=> DMZ

"Firewall Host with dynamic IP" isn't the gateway.

I've configured:

1.) On "Host with fixed IP", a DNAT forward into the OpenVPN Tunnel (OK):

  SMTP(DNAT)  net  vpndmz:192.168.x.y
  SMTP(DNAT)  $FW  vpndmz:192.168.x.y

2.) On "Firewall Host with dynamic IP", a forward into the DMZ again:

  SMTP(DNAT)  vpndmz  dmz:192.168.x.y

Everything works fine except the shorewall rules on "Firewall Host with dynamic IP". Packets go from "Firewall Host with dynamic IP" to the DMZ, and responses from the DMZ go back to "Firewall Host with dynamic IP", but then they are not routed back into the OpenVPN Tunnel; they go to the default gateway instead (which of course doesn't work).

I have already read http://shorewall.net/MultiISP.html, http://shorewall.net/PacketMarking.html and http://shorewall.net/manpages/shorewall-route_rules.html and some other sites, but I still didn't get a working version.

What's the recommended way? Via mangle? Via multiple providers?

What I've tried so far (config partly listed):

  ERROR: A provider interface must have at least one associated zone /etc/shorewall/providers

  /etc/shorewall/mangle
  MARK(2)  vpndmz  dmz

  /etc/shorewall/providers
  p_main  1  1  -  eth0   detect  track,balance
  p_vpn   2  2  -  tun36  detect  track,optional,loose

  /etc/shorewall/zones
  dmz     ipv4
  vpndmz  ipv4
  p_main  ipv4
  p_vpn   ipv4

  /etc/shorewall/interfaces
  dmz     DMZ_IF  tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
  vpn     TUN_IF  tcpflags,nosmurfs,routefilter,logmartians,physical=tun0
  vpndmz  tun36   tcpflags,nosmurfs,routeback,logmartians,physical=tun36

If something is unclear, just ask.

BTW: Please have a look at the Port Knocking patch :-)

Thank you.
Ciao, Gerhard