hi list,

oh it's not really a problem.
Each time I fire shorewall, I run a custom iptables script:
(for the openvpn machines to have a route back from my bridge/fw -
$SOURCEIP is the ip of my OpenVPN/Fw/bridge)

iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source $SOURCEIP

I wish to better integrate it within shorewall, so is there any config
file that could achieve the same thing? nat? actions?

Thx for your help guys and a grand bravo to Tom Eastep!!!

tristan
2005/5/21, Tristan DEFERT <tristan.d@alphamosa.fr>:
> hi list,
> oh it's not really a problem.
> Each time I fire shorewall, I run a custom iptables script:
> (for the openvpn machines to have a route back from my bridge/fw -
> $SOURCEIP is the ip of my OpenVPN/Fw/bridge)
>
> iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source $SOURCEIP
>
> I wish to better integrate it within shorewall, so is there any config
> file that could achieve the same thing? nat? actions?
>
> Thx for your help guys and a grand bravo to Tom Eastep!!!
>
> tristan

It is documented right here: http://www.shorewall.net/shorewall_extension_scripts.htm
2005/5/21, Tristan DEFERT <tristan.d@alphamosa.fr>:
> hi list,
> oh it's not really a problem.
> Each time I fire shorewall, I run a custom iptables script:
> (for the openvpn machines to have a route back from my bridge/fw -
> $SOURCEIP is the ip of my OpenVPN/Fw/bridge)

and the OpenVPN docs are here: http://www.shorewall.net/OPENVPN.html
Tristan DEFERT wrote:
> I wish to better integrate it within shorewall, so is there any config
> file that could achieve the same thing? nat? actions?
>
> Thx for your help guys and a grand bravo to Tom Eastep!!!

Did you read why Tom has quit? It's at least partly because people don't take the trouble to read his (excellent) documentation. If Tom made a mistake it was that he was far too polite: the answer is RTFM.
On Saturday 21 May 2005 22:06, Keith Edmunds wrote:
> Tristan DEFERT wrote:
> > I wish to better integrate it within shorewall, so is there any config
> > file that could achieve the same thing? nat? actions?
> >
> > Thx for your help guys and a grand bravo to Tom Eastep!!!
>
> Did you read why Tom has quit? It's at least partly because people don't
> take the trouble to read his (excellent) documentation.

Ack.

> If Tom made a mistake it was that he was far too polite: the answer is RTFM.

I always enjoyed Tom's politeness and support.
And I would be very sorry if this would change on this list after Tom's leaving.

Also it seems that Tom quits because of being unable to attract enough other developers/supporters helping other users!

So let's give a less rude hint:

As Christian already wrote before:
Please have a look at Tom's very good documentation at
- http://www.shorewall.net/OPENVPN.html
- http://shorewall.net/shorewall_extension_scripts.htm

HTH,
Alex

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> Tristan DEFERT wrote:
> > I wish to better integrate it within shorewall, so is there any config
> > file that could achieve the same thing? nat? actions?
> >
> > Thx for your help guys and a grand bravo to Tom Eastep!!!
>
> Did you read why Tom has quit? It's at least partly because people
> don't take the trouble to read his (excellent) documentation. If Tom
> made a mistake it was that he was far too polite: the answer is RTFM.

Yikes. For the past day I've been struggling with whether or not I want to ask a question on this list, because I did read Tom's 'I Quit' post, and I can appreciate what he was saying. I've scoured the docs on the Shorewall site as well as Poptop (it's a PPTP question) and don't have a definitive answer. I've already 'RTFM' and still haven't found the answer I'm looking for.

So, Keith, do you mind if I ask a question? ;-)

By the way, I wouldn't necessarily expect my question to be answered in the Shorewall docs, so I have posted my question on the PoPToP list. However, I know there are plenty of knowledgeable people on this list who could probably give me an answer.

--
David
On Sunday 22 May 2005 at 00:00 +0200, Alexander Wilms wrote:
> On Saturday 21 May 2005 22:06, Keith Edmunds wrote:
> > Tristan DEFERT wrote:
> > > I wish to better integrate it within shorewall, so is there any config
> > > file that could achieve the same thing? nat? actions?
> > >
> > > Thx for your help guys and a grand bravo to Tom Eastep!!!
> >
> > Did you read why Tom has quit? It's at least partly because people don't
> > take the trouble to read his (excellent) documentation.

Of course I read it, it's sad for shorewall...
And of course I read the docs.
But my question seems obscure, since nobody understood it.
I know I can place my custom iptables scripts in shorewall config files.
BUT what I want is not that, I wonder if there is a way to REWRITE this rule to integrate it in nat or another config file. I repeat, I don't want to integrate this rule as it is, I want to rewrite it as standard config files (if there is a way to achieve it). I think this rule:

iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source SOURCEIP

can be split in two rules within the NAT and PROXYARP config files.
How to do that? Every setup I tried failed.
If someone could help, it would be great...
Bye fellows

> Ack.
> > If Tom made a mistake it was that he was far too polite: the answer is RTFM.
> I always enjoyed Tom's politeness and support.
> And I would be very sorry if this would change on this list after Tom's
> leaving.
>
> Also it seems that Tom quits because of being unable to attract enough other
> developers/supporters helping other users!
>
> So let's give a less rude hint:
>
> As Christian already wrote before:
> Please have a look at Tom's very good documentation at
> - http://www.shorewall.net/OPENVPN.html
> - http://shorewall.net/shorewall_extension_scripts.htm
>
> HTH,
> Alex

--
__________________________________________________________________
Tristan DEFERT                    Société Alpha Mosa
__________________________________________________________________
Tél. (33) 03 26 48 17 56          Internet : http://www.alphamosa.fr
Fax. (33) 03 26 48 10 87          eMail : tristan.d@alphamosa.fr
> On Sunday 22 May 2005 at 00:00 +0200, Alexander Wilms wrote:
> > On Saturday 21 May 2005 22:06, Keith Edmunds wrote:
> > > Tristan DEFERT wrote:
> > > > I wish to better integrate it within shorewall, so is there any config
> > > > file that could achieve the same thing? nat? actions?
> > > >
> > > > Thx for your help guys and a grand bravo to Tom Eastep!!!
> > >
> > > Did you read why Tom has quit? It's at least partly because people don't
> > > take the trouble to read his (excellent) documentation.
> Of course I read it, it's sad for shorewall...
> And of course I read the docs.
> But my question seems obscure, since nobody understood it.
> I know I can place my custom iptables scripts in shorewall config files.
> BUT what I want is not that, I wonder if there is a way to REWRITE this
> rule to integrate it in nat or another config file. I repeat, I don't
> want to integrate this rule as it is, I want to rewrite it as standard
> config files (if there is a way to achieve it). I think this rule:
> iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source SOURCEIP
> can be split in two rules within the NAT and PROXYARP config files.
> How to do that? Every setup I tried failed.
> If someone could help, it would be great...
> Bye fellows

Your question is not obscure, I think I understand it.
You just didn't give enough detail to make an informed answer.

10.8.0.0/16 is the vpn network, right?
SOURCEIP is the external ip of the firewall?
Are you using the tap or tun device with openvpn?
Are you using openvpn with the bridge?
What are you trying to accomplish?
Allow the vpn clients access to the internet across the vpn only?

Most of the above would have been answered if you had posted your shorewall config files, the output of ip route show and ip addr show as stated in: http://shorewall.net/support.htm

Why I'm asking is the rule that you posted has no -o stated, meaning that all traffic from 10.8.0.0/16 would be masq'd.
Shorewall requires this -o info to do masq/snat, which is handled by the masq file.

Without the benefit of knowing how you configured shorewall, the layout of your network, and the openvpn config, this is just a guess, in masq:

INTF 10.8.0.0/16 SOURCEIP

INTF would be the interface that is connected to the target network.
Hope it helps...

Jerry Vonau
On Monday 23 May 2005 at 11:35 -0500, Jerry Vonau wrote:
> Your question is not obscure, I think I understand it.
> You just didn't give enough detail to make an informed answer.
>
> 10.8.0.0/16 is the vpn network, right?
> SOURCEIP is the external ip of the firewall?
> Are you using the tap or tun device with openvpn?
> Are you using openvpn with the bridge?
> What are you trying to accomplish?
> Allow the vpn clients access to the internet across the vpn only?
>
> Most of the above would have been answered if you had posted your
> shorewall config files, the output of ip route show and ip addr show as
> stated in: http://shorewall.net/support.htm
>
> Why I'm asking is the rule that you posted has no -o stated, meaning
> that all traffic from 10.8.0.0/16 would be masq'd.
> Shorewall requires this -o info to do masq/snat, which is handled by
> the masq file.
>
> Without the benefit of knowing how you configured shorewall, the layout
> of your network, and the openvpn config, this is just a guess, in masq:
>
> INTF 10.8.0.0/16 SOURCEIP
>
> INTF would be the interface that is connected to the target network.
> Hope it helps...
>
> Jerry Vonau

Oh sure, I can give details about my setup.
Here is a diagram:

DMZ zone (hosts with pub IPs) <==> Bridge/Firewall <==> Router <==> NET

Let's say AM.0 is our corporate subnet (a whole class C of pub IPs: AM.0/24)
The bridge/firewall has IP AM.2
The machines in the DMZ also have IPs like AM.xxx

Now the firewall hosts an OpenVPN server in tun mode.
The tun network is 10.8.0.0/24.
The goal of this VPN is to allow managing DMZ computers remotely and securely.

The problem encountered was the following:

Tunnel works fine, but the DMZ zone wasn't reachable from VPN users because the computers in the DMZ zone didn't know how they could reach the 10.8.0.0 network, and used the router address (AM.1) as gateway, instead of the firewall. Even if I "push" the right route to the openvpn client!
The packets arrive correctly at the target (DMZ computers), but cannot be routed back.
After adding the route to one computer of the DMZ, I succeeded in reaching this computer from the VPN.
(route add -net 10.8.0.0 netmask 255.255.255.0 gw $AM.2)

But I don't want to maintain routes on each computer in the DMZ, so I tried an iptables workaround.
That's where the custom iptables script comes in:

iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source AM.2

--to-source points to the firewall/bridge/gateway IP
-s points to the OpenVPN subnet

It works for every computer in the DMZ.

Because of shorewall's great design, I think I can achieve the same thing only with standard shorewall config files. I read all the shorewall docs, but didn't find such an example, nor in the openvpn docs.

So I'm asking if someone has ever been stuck with this problem, and already has a clean solution (no custom script / only standard shorewall conffiles).

Now you have all the elements to answer me.

Thank you guys for helping me without raising polemics and trolling around about reading docs or not... I've read them more than twice.
----- Original Message -----
From: "Tristan DEFERT" <tristan.d@alphamosa.fr>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, May 24, 2005 05:18
Subject: Re: [Shorewall-users] pb with iptables snat script

> On Monday 23 May 2005 at 11:35 -0500, Jerry Vonau wrote:
> > Your question is not obscure, I think I understand it.
> > You just didn't give enough detail to make an informed answer.
> >
> > 10.8.0.0/16 is the vpn network, right?
> > SOURCEIP is the external ip of the firewall?
> > Are you using the tap or tun device with openvpn?
> > Are you using openvpn with the bridge?
> > What are you trying to accomplish?
> > Allow the vpn clients access to the internet across the vpn only?
> >
> > Most of the above would have been answered if you had posted your
> > shorewall config files, the output of ip route show and ip addr show as
> > stated in: http://shorewall.net/support.htm
> >
> > Why I'm asking is the rule that you posted has no -o stated, meaning
> > that all traffic from 10.8.0.0/16 would be masq'd.
> > Shorewall requires this -o info to do masq/snat, which is handled by
> > the masq file.
> >
> > Without the benefit of knowing how you configured shorewall, the layout
> > of your network, and the openvpn config, this is just a guess, in masq:
> >
> > INTF 10.8.0.0/16 SOURCEIP
> >
> > INTF would be the interface that is connected to the target network.
> > Hope it helps...
> >
> > Jerry Vonau
>
> Oh sure, I can give details about my setup.
> Here is a diagram:
>
> DMZ zone (hosts with pub IPs) <==> Bridge/Firewall <==> Router <==> NET
>
> Let's say AM.0 is our corporate subnet (a whole class C of pub IPs: AM.0/24)
> The bridge/firewall has IP AM.2
> The machines in the DMZ also have IPs like AM.xxx
>
> Now the firewall hosts an OpenVPN server in tun mode.
> The tun network is 10.8.0.0/24.
> The goal of this VPN is to allow managing DMZ computers remotely and
> securely.
>
> The problem encountered was the following:
>
> Tunnel works fine, but the DMZ zone wasn't reachable from VPN users
> because the computers in the DMZ zone didn't know how they could reach the
> 10.8.0.0 network, and used the router address (AM.1) as gateway, instead
> of the firewall. Even if I "push" the right route to the openvpn client!
> The packets arrive correctly at the target (DMZ computers), but cannot
> be routed back.
> After adding the route to one computer of the DMZ, I succeeded in
> reaching this computer from the VPN.
> (route add -net 10.8.0.0 netmask 255.255.255.0 gw $AM.2)
>
> But I don't want to maintain routes on each computer in the DMZ, so I tried
> an iptables workaround.
> That's where the custom iptables script comes in:
> iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source AM.2
>
> --to-source points to the firewall/bridge/gateway IP
> -s points to the OpenVPN subnet
>
> It works for every computer in the DMZ.
>
> Because of shorewall's great design, I think I can achieve the same thing
> only with standard shorewall config files. I read all the shorewall docs, but
> didn't find such an example, nor in the openvpn docs.
>
> So I'm asking if someone has ever been stuck with this problem, and
> already has a clean solution (no custom script / only standard shorewall
> conffiles).
>
> Now you have all the elements to answer me.
>
> Thank you guys for helping me without raising polemics and trolling
> around about reading docs or not... I've read them more than twice.

I did answer you before,

> in masq:
> INTF 10.8.0.0/16 SOURCEIP
> INTF would be the interface that is connected to the target network.

This is like setting up a 3 interface bridge box with the dmz having public ip addresses, except that the "local lan" interface is virtual (tun0).
Your target network's interface is the bridge, so if your bridge is br0, in the MASQ file:

br0 10.8.0.0/16 AM.2

Jerry
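The masq entry Jerry gives above is what Shorewall turns into a POSTROUTING rule carrying the -o restriction he asked about. As an added example that is not Shorewall's code and not from anyone in this thread, the Python below parses entries in that three-column shape (INTERFACE, optionally qualified as INTERFACE:DEST, then SOURCE and ADDRESS, with "-" for no ADDRESS), renders the iptables rule each one stands for, and lints each entry for the two things a reviewer would flag in this setup: a SOURCE wider than the tun subnet (the rule in the thread rewrites 10.8.0.0/16 although the VPN is 10.8.0.0/24), and an unrestricted destination (every host reached through br0 sees AM.2 instead of the real VPN client, so only the OpenVPN logs can say who connected). The sample file, the interface names, the 192.0.2.2 and 203.0.113.0/24 values standing in for AM.2 and the DMZ range, and the exact set of columns handled are assumptions made for this example.

```python
"""Render Shorewall-style masq entries as iptables rules and lint them.

Added example for this thread; not Shorewall's own code. Only the
INTERFACE[:DEST], SOURCE and ADDRESS columns discussed above are handled.
"""
import ipaddress

# Constructed sample masq file: br0 is the bridge towards the DMZ, eth1 a
# second interface, 10.8.0.0/24 the OpenVPN tun subnet, 192.0.2.2 stands in
# for AM.2 and 203.0.113.0/24 for the DMZ's public range.
SAMPLE_MASQ = """\
#INTERFACE            SOURCE        ADDRESS
br0                   10.8.0.0/16   192.0.2.2
eth1                  10.8.0.0/24   -
br0:203.0.113.0/24    10.8.0.0/24   192.0.2.2
"""

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")


def parse_masq(text):
    """Return (interface, dest, source, address) tuples; dest/address may be None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"masq entry needs INTERFACE and SOURCE: {raw!r}")
        iface, source = cols[0], cols[1]
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        dest = None
        if ":" in iface:                         # INTERFACE:DEST limits the destination
            iface, dest = iface.split(":", 1)
        ipaddress.ip_network(source, strict=False)  # reject a malformed SOURCE early
        entries.append((iface, dest, source, address))
    return entries


def to_iptables(entry):
    """The nat/POSTROUTING rule the entry stands for; -o is always present."""
    iface, dest, source, address = entry
    rule = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", iface, "-s", source]
    if dest:
        rule += ["-d", dest]
    # An ADDRESS means SNAT to that fixed address; none means MASQUERADE.
    rule += ["-j", "SNAT", "--to-source", address] if address else ["-j", "MASQUERADE"]
    return " ".join(rule)


def lint(entry, vpn_subnet=VPN_SUBNET):
    """Warnings a reviewer would raise about one entry (empty list if none)."""
    iface, dest, source, address = entry
    src = ipaddress.ip_network(source, strict=False)
    warnings = []
    if src != vpn_subnet and src.supernet_of(vpn_subnet):
        warnings.append(f"SOURCE {src} is wider than the VPN subnet {vpn_subnet}: "
                        f"anything else in that range leaving {iface} is rewritten too")
    if address is None:
        warnings.append("no ADDRESS: MASQUERADE looks up the interface address per packet; "
                        "on a static address SNAT to that address is simpler and predictable")
    if dest is None:
        warnings.append(f"no destination on {iface}: every host reached via {iface} sees the "
                        "rewritten source; use INTERFACE:DEST to limit this to the DMZ range")
    return warnings


def render(text):
    """Rules and warnings for every entry in a masq file."""
    return [(to_iptables(e), lint(e)) for e in parse_masq(text)]


if __name__ == "__main__":
    for rule, warnings in render(SAMPLE_MASQ):
        print(rule)
        for w in warnings:
            print("  warning:", w)
```

Run it as-is to see the three rules and their warnings; the third entry, restricted to the DMZ range, is the one that comes out clean. Whatever entry you settle on, keep the OpenVPN server log with client certificate names and tun addresses, since after SNAT the DMZ hosts' own logs no longer identify the administrator behind a session.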
On Tuesday 24 May 2005 at 06:26 -0500, Jerry Vonau wrote:
> ----- Original Message -----
> From: "Tristan DEFERT" <tristan.d@alphamosa.fr>
> To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
> Sent: Tuesday, May 24, 2005 05:18
> Subject: Re: [Shorewall-users] pb with iptables snat script
>
> > On Monday 23 May 2005 at 11:35 -0500, Jerry Vonau wrote:
> > > Your question is not obscure, I think I understand it.
> > > You just didn't give enough detail to make an informed answer.
> > >
> > > 10.8.0.0/16 is the vpn network, right?
> > > SOURCEIP is the external ip of the firewall?
> > > Are you using the tap or tun device with openvpn?
> > > Are you using openvpn with the bridge?
> > > What are you trying to accomplish?
> > > Allow the vpn clients access to the internet across the vpn only?
> > >
> > > Most of the above would have been answered if you had posted your
> > > shorewall config files, the output of ip route show and ip addr show as
> > > stated in: http://shorewall.net/support.htm
> > >
> > > Why I'm asking is the rule that you posted has no -o stated, meaning
> > > that all traffic from 10.8.0.0/16 would be masq'd.
> > > Shorewall requires this -o info to do masq/snat, which is handled by
> > > the masq file.
> > >
> > > Without the benefit of knowing how you configured shorewall, the layout
> > > of your network, and the openvpn config, this is just a guess, in masq:
> > >
> > > INTF 10.8.0.0/16 SOURCEIP
> > >
> > > INTF would be the interface that is connected to the target network.
> > > Hope it helps...
> > >
> > > Jerry Vonau
> >
> > Oh sure, I can give details about my setup.
> > Here is a diagram:
> >
> > DMZ zone (hosts with pub IPs) <==> Bridge/Firewall <==> Router <==> NET
> >
> > Let's say AM.0 is our corporate subnet (a whole class C of pub IPs: AM.0/24)
> > The bridge/firewall has IP AM.2
> > The machines in the DMZ also have IPs like AM.xxx
> >
> > Now the firewall hosts an OpenVPN server in tun mode.
> > The tun network is 10.8.0.0/24.
> > The goal of this VPN is to allow managing DMZ computers remotely and
> > securely.
> >
> > The problem encountered was the following:
> >
> > Tunnel works fine, but the DMZ zone wasn't reachable from VPN users
> > because the computers in the DMZ zone didn't know how they could reach the
> > 10.8.0.0 network, and used the router address (AM.1) as gateway, instead
> > of the firewall. Even if I "push" the right route to the openvpn client!
> > The packets arrive correctly at the target (DMZ computers), but cannot
> > be routed back.
> > After adding the route to one computer of the DMZ, I succeeded in
> > reaching this computer from the VPN.
> > (route add -net 10.8.0.0 netmask 255.255.255.0 gw $AM.2)
> >
> > But I don't want to maintain routes on each computer in the DMZ, so I tried
> > an iptables workaround.
> > That's where the custom iptables script comes in:
> > iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source AM.2
> >
> > --to-source points to the firewall/bridge/gateway IP
> > -s points to the OpenVPN subnet
> >
> > It works for every computer in the DMZ.
> >
> > Because of shorewall's great design, I think I can achieve the same thing
> > only with standard shorewall config files. I read all the shorewall docs, but
> > didn't find such an example, nor in the openvpn docs.
> >
> > So I'm asking if someone has ever been stuck with this problem, and
> > already has a clean solution (no custom script / only standard shorewall
> > conffiles).
> >
> > Now you have all the elements to answer me.
> >
> > Thank you guys for helping me without raising polemics and trolling
> > around about reading docs or not... I've read them more than twice.
>
> I did answer you before,
>
> > in masq:
> > INTF 10.8.0.0/16 SOURCEIP
> > INTF would be the interface that is connected to the target network.
>
> This is like setting up a 3 interface bridge box with the dmz having
> public ip addresses, except that the "local lan" interface is virtual
> (tun0).
> Your target network's interface is the bridge, so if your bridge is
> br0, in the MASQ file:
>
> br0 10.8.0.0/16 AM.2
>
> Jerry

Great, it works!
In fact, it was so simple! I was searching for something that was obvious...
Thanks Jerry for your help!
byeee