Gupi, Stefaniu Criste
2003-Jul-31 03:08 UTC
[Shorewall-users] masq over vpn (newbie question)
Now here's my issue (I am writing here as a last resort, after trying a lot): I do not know how to set internet access on only one point in two subnets linked through VPN.

Here's the data.

        subnet 1                                                                           subnet 2
[192.168.1.0/24]--[linux1 box 192.168.1.254]......... OpenVPN .........[linux2 box 192.168.2.254]--[192.168.2.0/24]
                            |                                                      |
                      internet (http, ...)

Each linux box has its own public IP, but for the linux2 box my ISP does not allow internet traffic.
Between the two linux boxes the link is made through OpenVPN.

Now, I want all internet traffic from [subnet 2] to be made through [linux box1] --> [linux box 2] --> [workstation in subnet 2]

I've started on [linux box 1] setting another masq rule:

/etc/shorewall/masq
#################################
#INTERFACE   SUBNET
eth0         eth1
eth0         tun0
#################################

and in the policy file I've set all possible combinations to ACCEPT:

/etc/shorewall/policy
#################################
vpn   loc   ACCEPT
loc   vpn   ACCEPT
vpn   net   ACCEPT
vpn   fw    ACCEPT
fw    vpn   ACCEPT
...
#################################

I try to access the net from linux box 2, but cannot access the internet.

Any ideas? I will detail all settings if needed.
Gupi, Stefaniu Criste wrote:
> Now here's my issue (I am writing here as a last resort, after trying
> a lot) I do not know how to set internet access on only one point in two
> subnets linked through VPN
>
>
> Here's the data.
>
> subnet 1
> subnet 2
> [192.168.1.0/24]--[linux1 box 192.168.1.254]......... OpenVPN
> .........[linux2 box 192.168.2.254]--[192.168.2.0/24]
> |
> |

1) Can a node on subnet 2 ping a node on subnet 1? And vice-versa. I'm just trying to determine if you have both firewalls configured correctly to pass tunnel traffic between the subnets (not the endpoints) before you try to add web/internet access for subnet 2 through firewall 1.

2) What are the zone names for subnet 1 and subnet 2?

3) Since subnet 2 is not allowed internet access by the ISP, I would think you would need to add the appropriate rules to linux 2 that re-direct port 80 traffic (for instance) across the tunnel instead of its default gateway. You really have not explained that part of your design. In other words - is a web request from subnet 2 making it to firewall 1 (linux1)? Run tcpdump on firewall 1.

4) I would think you would need to add the zone name for subnet 2 (not the tunnel name) to the /etc/shorewall/masq file on linux 1?

5) You're probably going to have to add a policy that allows subnet 2 -> net traffic.

Steve Cowles
Gupi, Stefaniu Criste
2003-Jul-31 04:54 UTC
[Shorewall-users] masq over vpn (newbie question)
> Can a node on subnet 2 ping a node on subnet 1?

Any ping from [subnet 2] to [subnet 1] and vice versa works.
..... ping 192.168.1.1 (from station 192.168.2.1) and ping 192.168.2.1 (from station 192.168.1.1) ........

> and vice-versa. I'm just trying to determine if you have both firewalls configured correctly to pass
> tunnel traffic between the subnets (not the endpoints) before you try to add
> web/internet access for subnet 2 through firewall 1.

The traffic is set OK, since on the two subnets there are working Win2k stations, and they can see each other.

> 2) What are the zone names for subnet 1 and subnet 2?

Each fw (I will call them FW1 and FW2) has the same zone settings:
.....
loc   eth1
net   eth0
vpn   tun0
....

> 3) Since subnet 2 is not allowed internet access by the ISP, I would think you
> would need to add the appropriate rules to linux 2 that re-direct port 80

I've added various rules on FW2, like:

DNAT   loc   vpn:10.1.0.1:80        tcp   www
(10.1.0.1 is the vpn address of FW1)

or

DNAT   loc   vpn:192.168.1.254:80   tcp   www
(192.168.1.254 is the local IP for FW1)

but it didn't work.

> 4) I would think you would need to add the zone name for subnet 2 (not the
> tunnel name) to the /etc/shorewall/masq file on linux 1?

I will try for now to get tcpdump on fw1 AND set different names for the local subnets.

> 5) You're probably going to have to add a policy that allows subnet 2 -> net traffic.

I will try this too.

Thanks A LOT

PS The big issue is that I can access both FWs only via ssh, and if I screw up one of them, I have to painfully explain to some nice ladies how to re-edit shorewall files and restart the server :(
Gupi, Stefaniu Criste wrote:
>
>> 3) Since subnet 2 is not allowed internet access by the ISP, I would
>> think you would need to add the appropriate rules to linux 2 that
>> re-direct port 80
>
> I've added various rules on FW2, like:
>
> DNAT loc vpn:10.1.0.1:80 tcp www
> (10.1.0.1 is the vpn address of FW1)
> or
> DNAT loc vpn:192.168.1.254:80 tcp www
> (192.168.1.254 is the local IP for FW1)
> but it didn't work.

Maybe I'm missing something here, but why are you DNAT'ing these rules??? I don't know what the correct shorewall term is, but I would think you need to re-direct the port 80 requests from FW2 (as is) across the tunnel to FW1. FW1 would then need to know how to route this traffic. i.e. It needs to masq the traffic from FW2 out to the internet and then deal with the replies.

Steve Cowles
Gupi, Stefaniu Criste
2003-Jul-31 05:26 UTC
[Shorewall-users] masq over vpn (newbie question)
> Maybe I'm missing something here, but why are you DNAT'ing these rules???
> ...

REDIRECT is used (that's what I understood) to forward the request to another port on the local firewall.
DNAT is used to forward the request to another system.

That's the reason. DNAT must work somehow, because I have some similar rules for Terminal Services forwarding: when I try to connect with TS onto FW1 from outside, it forwards me to a Win2K server inside.

Gupi
Gupi, Stefaniu Criste wrote:
>
> DNAT must work somehow, because I have some similar rules
> for Terminal Services forwarding: When I try to connect
> with TS onto FW1 from outside, it forwards me to a Win2K server inside
>

As you have stated, DNAT is for connections originating from the internet. If I understood your post correctly... you're dealing with packets coming from a private remote LAN connected through a tunnel, destined for the internet through FW1, not originating from the internet. That's why I asked my question about DNAT'ing these packets at FW2.

You have already stated that your 2 private LANs can talk to each other across the tunnel. So you have step one working. In other words... a packet of data with a source and destination of

    192.168.2.10 -> 192.168.1.10

knows how to get from LAN A to LAN B and return. Now you want a packet of data from LAN 2 destined for the internet:

    192.168.2.10:80 -> 206.206.206.206:80

I would think that FW2 needs to be configured to route port 80 requests for the internet to take the same path as those that are destined for LAN1. Then FW1 needs to accept these packets (as is) and then route/masquerade them to the internet as it would for LAN 1 requests. i.e. Add the LAN2 zone name to the masq file and add a policy for LAN2->NET and probably NET->LAN2.

If all else fails... I'm sure Tom will chime in sometime today to help you.

Steve Cowles
On Thu, 2003-07-31 at 06:00, Cowles, Steve wrote:
>
> I would think that FW2 needs to be configured to route port 80 requests for
> the internet to take the same path as those that are destined for LAN1. Then
> FW1 needs to accept these packets (as is) and then route/masquerade them to
> the internet as it would for LAN 1 requests. i.e. Add LAN2 zone name to the
> masq file and add a policy for LAN2->NET and probably NET->LAN2.

Actually, you would want to add the LAN2 subnetwork to the masq file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> On Thu, 2003-07-31 at 06:00, Cowles, Steve wrote:
>
>>
>> I would think that FW2 needs to be configured to route port 80
>> requests for the internet to take the same path as those that are
>> destined for LAN1. Then FW1 needs to accept these packets (as is)
>> and then route/masquerade them to the internet as it would for LAN 1
>> requests. i.e. Add LAN2 zone name to the masq file and add a policy
>> for LAN2->NET and probably NET->LAN2.
>
> Actually, you would want to add the LAN2 subnetwork to the masq file.

I knew I should have checked the format of the masq file before I posted. I was on the right track though. I knew he needed to reference LAN2 in the masq file in some form, i.e. 192.168.2.0/24 or whatever it is.

Steve
Hi Tom and the list,

I can access my ISP mail server (ports 25 and 110) only from home. When I am away, I would like to connect to my home with VPN and check mail through that VPN link.

Suppose that my ISP mail server IP is 24.199.199.199. Besides establishing a Road Warrior VPN connection to that IP address, here are the Shorewall settings I came up with:

/etc/shorewall/hosts
--------------------
vpnRW   ipsec0:0.0.0.0/0

/etc/shorewall/interfaces
-------------------------
-   ipsec0

/etc/shorewall/masq
-------------------
eth0:0:24.199.199.199/32   ipsec0:0.0.0.0/0   $ETH0_ALIAS_IP

/etc/shorewall/rules
--------------------
ACCEPT   vpnRW   net:24.199.199.199   tcp   25,110

It works, but I just wonder if there are any security holes in this kind of setup, or something wrong, or is there any other better way of doing this?

Thank you.
M Lu.
Tom Eastep
2003-Jul-31 15:52 UTC
[Shorewall-users] Accessing ISP server with VPN connection
On Thu, 2003-07-31 at 14:41, M Lu wrote:
> Hi Tom and the list,
>
> I can access my ISP Mail-Server (port 25 and 110) only from home. When I am
> away, I would like to connect to my home with VPN and check mail through that
> VPN link.
>
> Suppose that my ISP mail-server IP is 24.199.199.199. Besides establishing
> a Road Warrior VPN connection to that IP address, here are the Shorewall
> settings I came up with:
>
> /etc/shorewall/hosts
> --------------------
> vpnRW ipsec0:0.0.0.0/0
>
>
> /etc/shorewall/interfaces
> -------------------------
> - ipsec0
>
>
> /etc/shorewall/masq
> --------------------
> eth0:0:24.199.199.199/32 ipsec0:0.0.0.0/0 $ETH0_ALIAS_IP

This essentially masquerades all outbound traffic using $ETH0_ALIAS_IP.

>
>
> /etc/shorewall/rules
> -------------------
> ACCEPT vpnRW net:24.199.199.199 tcp 25,110
>
>
> It works but I just wonder if there are any security holes in this kind of
> setup or something wrong or is there any other better way of doing this?
>

There's really no good way to do what you want using ipsec without adding dynamic iptables rules in your ipsec updown script. The reason is that SNAT occurs in the POSTROUTING chain, where it is not allowed to specify a source interface. That's why the "ipsec0:0.0.0.0/0" is treated like 0.0.0.0/0 in the /etc/shorewall/masq entry that you have.

-Tom
Tom Eastep
2003-Jul-31 15:59 UTC
[Shorewall-users] Accessing ISP server with VPN connection
On Thu, 2003-07-31 at 15:52, Tom Eastep wrote:
> There's really no good way to do what you want using ipsec without
> adding dynamic iptables rules in your ipsec updown script. The reason is
> that SNAT occurs in the POSTROUTING chain where it is not allowed to
> specify a source interface. That's why the "ipsec0:0.0.0.0/0" is treated
> like 0.0.0.0/0 in the /etc/shorewall/masq entry that you have.

I should also add that it is only because of a strange bug in iptables that the syntax that you used in your /etc/shorewall/masq entry doesn't result in an error. iptables is interpreting "-s foo:0.0.0.0/0" as "-s 0.0.0.0/0" in an SNAT rule.

-Tom
But at least I do not pose any security holes? Correct?

Thanks Tom,
M Lu.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "M Lu" <mlu919@hotmail.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Thursday, July 31, 2003 3:59 PM
Subject: Re: [Shorewall-users] Accessing ISP server with VPN connection

> On Thu, 2003-07-31 at 15:52, Tom Eastep wrote:
>
> > There's really no good way to do what you want using ipsec without
> > adding dynamic iptables rules in your ipsec updown script. The reason is
> > that SNAT occurs in the POSTROUTING chain where it is not allowed to
> > specify a source interface. That's why the "ipsec0:0.0.0.0/0" is treated
> > like 0.0.0.0/0 in the /etc/shorewall/masq entry that you have.
>
> I should also add that it is only because of a strange bug in iptables
> that the syntax that you used in your /etc/shorewall/masq entry doesn't
> result in an error. iptables is interpreting "-s foo:0.0.0.0/0" as "-s
> 0.0.0.0/0" in an SNAT rule.
>
> -Tom
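Tom's answer above leaves the actual mechanism implicit, so here is an added example of what "dynamic iptables rules in your ipsec updown script" looks like. It is not code from the thread, from Shorewall or from FreeS/WAN. The nat POSTROUTING chain has no source-interface match, which is why "ipsec0:0.0.0.0/0" collapses to 0.0.0.0/0; what POSTROUTING does have is a source-address match, and the road warrior's address is only known when the tunnel comes up. The hook below installs an SNAT rule keyed on that address, limited to the mail server and ports from M Lu's rules file, and removes it on down. Assumptions, all labelled in the code: the FreeS/WAN-style environment variables PLUTO_VERB and PLUTO_PEER_CLIENT, the path of the stock _updown script, the placeholder alias address standing in for $ETH0_ALIAS_IP, and a DRY_RUN switch added so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or FreeS/WAN): an ipsec
# updown hook that installs a source-address keyed SNAT rule for a road
# warrior while its tunnel is up. ASSUMED: pluto exports PLUTO_VERB
# (up-client/down-client) and PLUTO_PEER_CLIENT (the remote client subnet);
# check your ipsec version's own _updown script for the exact names.
set -eu

MAIL_SERVER=${MAIL_SERVER:-24.199.199.199}    # ISP mail server from the thread
ETH0_ALIAS_IP=${ETH0_ALIAS_IP:-203.0.113.10}  # ASSUMED placeholder for $ETH0_ALIAS_IP
UPDOWN=${UPDOWN:-/usr/lib/ipsec/_updown}      # ASSUMED path of the stock script
DRY_RUN=${DRY_RUN:-}

# Print the command instead of running it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One definition of the rule, so add and delete can never drift apart.
# $1 = road warrior source subnet (e.g. 10.9.9.9/32). The -d and --dports
# restriction is what keeps this from masquerading everything, which is
# what Tom says the interface-based masq entry ends up doing.
snat_rule_args() {
    printf '%s' "-s $1 -d $MAIL_SERVER -p tcp -m multiport --dports 25,110 -j SNAT --to-source $ETH0_ALIAS_IP"
}

# $1 = PLUTO_VERB, $2 = PLUTO_PEER_CLIENT. The rule is inserted at the top
# of POSTROUTING so it wins over any broader MASQUERADE/SNAT entry.
# Word splitting of $(snat_rule_args ...) is intentional.
roadwarrior_snat() {
    [ -n "$2" ] || return 0
    case "$1" in
        up-client)   run iptables -t nat -I POSTROUTING $(snat_rule_args "$2") ;;
        down-client) run iptables -t nat -D POSTROUTING $(snat_rule_args "$2") ;;
        *)           return 0 ;;
    esac
}

# When pluto invokes this file as the connection's updown script, apply the
# rule and then chain to the stock _updown so routes and the ipsec0 rules
# are still handled. Does nothing when sourced or run by hand.
if [ -n "${PLUTO_VERB:-}" ]; then
    roadwarrior_snat "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}"
    exec "$UPDOWN" "$@"
fi
```

To review what the hook would do for a given road warrior without touching the firewall, run it with DRY_RUN=1 and PLUTO_VERB=up-client PLUTO_PEER_CLIENT=10.9.9.9/32 set in the environment; the rule it prints is the one that should then appear in "iptables -t nat -L POSTROUTING -v -n" once the tunnel is really up.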
Gupi, Stefaniu Criste
2003-Aug-01 01:08 UTC
[Shorewall-users] masq over vpn (newbie question)
Still not working :(
Sorry for bothering, but it's really pressing and I am very nervous about not knowing how to do it.

Here's the data:

--------------------------
[subnet2: 192.168.2.0/24]
--------------------------
            |
            |
--------------------------
[FW2   192.168.2.254    ]
--------------------------
            |
             \ 10.1.0.2
              \
               \ OpenVPN
                \
                 \ 10.1.0.1
                  |
--------------------------
[FW1   192.168.1.254    ]  |----> INTERNET
--------------------------
            |
            |
--------------------------
[subnet1: 192.168.1.0/24]
--------------------------

fw1:
eth0: 12.34.56.78 (public IP)
eth1: 192.168.1.254
OpenVPN IP: 10.1.0.1

interfaces
--------------------------------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun0
--------------------------------------------------

masq
--------------------------------------------------
#INTERFACE   SUBNET           ADDRESS
eth0         eth1
eth0         192.168.2.0/24
--------------------------------------------------

policy
--------------------------------------------------
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
fw        net    ACCEPT
fw        vpn    ACCEPT
vpn       fw     ACCEPT
loc       vpn    ACCEPT
vpn       loc    ACCEPT
vpn       net    ACCEPT
net       all    DROP
all       all    REJECT
--------------------------------------------------

rules
--------------------------------------------------
# All rules from two-interfaces example
# and some DNAT for accessing Terminal Services
# from internet on 192.168.1.1
--------------------------------------------------

fw2:
eth0: 12.34.56.87 (public IP)
eth1: 192.168.2.254
OpenVPN IP: 10.1.0.2

interfaces
--------------------------------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     tun0
--------------------------------------------------

masq
--------------------------------------------------
#INTERFACE   SUBNET   ADDRESS
eth0         eth1
--------------------------------------------------

policy
--------------------------------------------------
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        vpn    ACCEPT
vpn       fw     ACCEPT
loc       vpn    ACCEPT
vpn       loc    ACCEPT
vpn       net    ACCEPT
net       all    DROP
all       all    REJECT
--------------------------------------------------

rules
--------------------------------------------------
# All rules from two-interfaces +

DNAT   loc   vpn:192.168.1.254   tcp   80
DNAT   fw    vpn:192.168.1.254   tcp   80
--------------------------------------------------
Gupi, Stefaniu Criste wrote:
> Still not working :(
> Sorry for bothering, but it's really pressing and
> I am very nervous about not knowing how to do it.
>
snip...

FW2
> rules
> --------------------------------------------------
> # All rules from two-interfaces +
>
> DNAT loc vpn:192.168.1.254 tcp 80
> DNAT fw vpn:192.168.1.254 tcp 80
> --------------------------------------------------

Stefaniu,

I currently have a tunnel defined between my LAN and a remote site. But each end of the tunnel can access the internet from their ISP. So I don't know how much help I can be in solving your problem, i.e. I have no way of testing.

That said, I still don't know why you are adding the above DNAT rules at FW2. If anything, you have a routing issue (possibly solved by using iptables). In other words, how do you force packets of data with a source address of 192.168.2.0/24 and a destination of 0.0.0.0/0 to use the vpn, not FW2's default route?

Steve Cowles
Gupi, Stefaniu Criste
2003-Aug-01 05:48 UTC
[Shorewall-users] masq over vpn (newbie question)
> I currently have a tunnel defined between my LAN
> and a remote site. But each end of the tunnels
> can access the internet from their ISP. So I don't
> know how much help I can be in solving your problem.
> i.e. I have no way of testing.

Thanks anyway. I didn't want to go to both towns, but it seems I have to pay some visits.
Speaking with the ISP, I just found out that OK, there is access to the net on site 2, but with zero bandwidth (to be sure I do not make any traffic). That's why I can ping on the net from FW2 and subnet2, but cannot surf or get emails.

> That said, I still don't know why you are adding
> the above DNAT rules at FW2. If anything, you have a routing
> issue

That's what I am afraid of!
I've tried to use tcpdump on FW1, but all traffic from FW2 is on udp:5000 (logical :)
So actually I do not know where the packets are going from FW2.

After a visit there, I will tell you what went wrong (hopefully).
Anyway, if this is going to work, I will write a HOW-TO about it :)
On Fri, 2003-08-01 at 01:06, Gupi, Stefaniu Criste wrote:

What do the routing tables on each firewall look like?

-Tom
Gupi, Stefaniu Criste
2003-Aug-03 23:01 UTC
[Shorewall-users] masq over vpn (newbie question)
> What do the routing tables on each firewall look like?

Here is the routing data; the real IPs were changed in the second and last rows.

FW1
-----------------------------------------------------------------------------
Destination      Gateway          Genmask          Flags Metric Ref  Use Iface
10.1.0.2         *                255.255.255.255  UH    0      0      0 tun0
111.222.333.128  *                255.255.255.192  U     0      0      0 eth0
192.168.2.0      10.1.0.2         255.255.255.0    UG    0      0      0 tun0
192.168.1.0      *                255.255.255.0    U     0      0      0 eth1
169.254.0.0      *                255.255.0.0      U     0      0      0 eth1
127.0.0.0        *                255.0.0.0        U     0      0      0 lo
default          111.222.333.129  0.0.0.0          UG    0      0      0 eth0
-----------------------------------------------------------------------------

FW2
-----------------------------------------------------------------------------
Destination      Gateway          Genmask          Flags Metric Ref  Use Iface
10.1.0.1         *                255.255.255.255  UH    0      0      0 tun0
222.333.444.224  *                255.255.255.224  U     0      0      0 eth0
192.168.2.0      *                255.255.255.0    U     0      0      0 eth1
192.168.1.0      10.1.0.1         255.255.255.0    UG    0      0      0 tun0
169.254.0.0      *                255.255.0.0      U     0      0      0 eth1
127.0.0.0        *                255.0.0.0        U     0      0      0 lo
default          222.333.444.225  0.0.0.0          UG    0      0      0 eth0
-----------------------------------------------------------------------------

Again, thanks for your time and dedication.

Stefaniu Criste
On Sun, 2003-08-03 at 22:58, Gupi, Stefaniu Criste wrote:
>
>
> FW2
> -----------------------------------------------------------------------------
> Destination      Gateway          Genmask          Flags Metric Ref  Use Iface
> 10.1.0.1         *                255.255.255.255  UH    0      0      0 tun0
> 222.333.444.224  *                255.255.255.224  U     0      0      0 eth0
> 192.168.2.0      *                255.255.255.0    U     0      0      0 eth1
> 192.168.1.0      10.1.0.1         255.255.255.0    UG    0      0      0 tun0
> 169.254.0.0      *                255.255.0.0      U     0      0      0 eth1
> 127.0.0.0        *                255.0.0.0        U     0      0      0 lo
> default          222.333.444.225  0.0.0.0          UG    0      0      0 eth0
> -----------------------------------------------------------------------------

The answer to your problem is right there in front of you. Get rid of your DNAT rules for port 80 (they don't do what you want anyway) and change the default route to go through the tunnel. Or, alternatively, set up a second routing table just for port 80 that goes through the tunnel. You can see how to set up such a table at http://shorewall.net/Shorewall_Squid_Usage.html. Your setup on FW2 would be similar to the "Squid in the DMZ" case except that you want to redirect all WWW traffic through the tunnel rather than to a DMZ.

-Tom
On Mon, 2003-08-04 at 22:13, Gupi, Stefaniu Criste wrote:
> Thanks a lot!
> My awareness was that if I change the route, the whole communication
> will die.

Well, you do have to be careful when changing the default route in that you have to ensure that your tunnel still works. It would be a good idea to create a static route to FW1 on FW2 that has 222.333.444.225 as a gateway. Then you can delete/change the default route without breaking the tunnel. In that regard, adding a separate routing table just for the traffic you want to send through the tunnel is a safer choice.

-Tom
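What the last two posts describe, carried through as an added example (not code from the thread, from Tom or from Shorewall): on FW2, a second routing table whose default route is the tunnel, a fwmark rule that sends www traffic from subnet 2 to that table, and, installed first, the static route to FW1's public address via the ISP gateway that Tom says must exist so the OpenVPN UDP session survives the routing change. The FW1 side is the iptables rule that Tom's masq entry "eth0 192.168.2.0/24" expands to. Assumptions, each labelled in the code: FW2's ISP gateway is an RFC 5737 placeholder because the thread anonymised it, mark and table number 80 are arbitrary choices, and the MARK rule is shown as raw iptables so the mechanism is visible; on a live Shorewall box that rule should go in /etc/shorewall/tcrules as the Squid page Tom links describes, because "shorewall restart" rebuilds the iptables rule set. The undo function and DRY_RUN switch are there for Gupi's situation of a box reachable only over ssh.

```shell
#!/bin/sh
# Added example (not from the thread, Tom or Shorewall): policy-route www
# (tcp/80) from subnet 2 through the OpenVPN tunnel on FW2, keeping the
# tunnel itself and all other traffic on the ISP default route.
set -eu

# Addresses from the thread's diagrams; the ISP gateway is an ASSUMED
# placeholder (RFC 5737 TEST-NET) because the thread anonymised it.
FW1_PUBLIC=${FW1_PUBLIC:-12.34.56.78}       # FW1 eth0
FW1_VPN=${FW1_VPN:-10.1.0.1}                # FW1 end of the tunnel
FW2_ISP_GW=${FW2_ISP_GW:-203.0.113.1}       # ASSUMED: FW2's eth0 default gateway
SUBNET1=${SUBNET1:-192.168.1.0/24}
SUBNET2=${SUBNET2:-192.168.2.0/24}
MARK=80      # ASSUMED fwmark value; any value FW2 does not already use
TABLE=80     # ASSUMED routing table id; any id not already in /etc/iproute2/rt_tables
DRY_RUN=${DRY_RUN:-}

# Print the command instead of executing it when DRY_RUN is non-empty, so
# the change can be reviewed before touching a box reachable only by ssh.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw2_tunnel_policy_routing() {
    # 1. Pin the path to FW1's public address through the ISP first. The
    #    OpenVPN UDP session rides on this route, so it must exist before
    #    anything else is changed.
    run ip route replace "$FW1_PUBLIC/32" via "$FW2_ISP_GW" dev eth0
    # 2. A second table whose only default route is the tunnel.
    run ip route replace default via "$FW1_VPN" dev tun0 table "$TABLE"
    # 3. Packets carrying the mark consult that table instead of "main".
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
    # 4. Mark www traffic from subnet 2 that is not bound for subnet 1
    #    (subnet 1 already goes through the tunnel via the main table).
    run iptables -t mangle -A PREROUTING -s "$SUBNET2" ! -d "$SUBNET1" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip route flush cache
}

fw2_tunnel_policy_routing_undo() {
    run iptables -t mangle -D PREROUTING -s "$SUBNET2" ! -d "$SUBNET1" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" lookup "$TABLE" priority 1000
    run ip route flush table "$TABLE"
    run ip route flush cache
    # The host route to FW1 is harmless and is deliberately left in place.
}

# FW1 side: what Tom's masq entry "eth0 192.168.2.0/24" expands to. Packets
# arriving from the tunnel with a subnet-2 source get FW1's public address
# on their way out of eth0, so replies come back to FW1 and not to the ISP
# that refuses to carry subnet 2's traffic.
fw1_masq_rule() {
    run iptables -t nat -A POSTROUTING -s "$SUBNET2" -o eth0 -j MASQUERADE
}

# Usage on FW2: review, arm an automatic undo, apply, then cancel the undo
# once the ssh session and the tunnel are confirmed still alive.
#   DRY_RUN=1 sh tunnel-route.sh apply
#   nohup sh -c 'sleep 300; sh tunnel-route.sh undo' >/dev/null 2>&1 &
#   sh tunnel-route.sh apply
case "${1:-}" in
    apply) fw2_tunnel_policy_routing ;;
    undo)  fw2_tunnel_policy_routing_undo ;;
    fw1)   fw1_masq_rule ;;
esac
```

The ordering inside fw2_tunnel_policy_routing is the whole point of Tom's caveat: with the /32 host route in place, even a later "ip route replace default via 10.1.0.1 dev tun0" in the main table (his first option) leaves the tunnel's own packets going out eth0, so the box stays reachable and the tunnel stays up. The second table confines the experiment to port 80, which is why he calls it the safer choice.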