Hi list,

On the default-gateway (internal IP: 192.168.100.99) of our LAN I'm running shorewall. Two NICs, masquerading on the external IF, internal subnet is 192.168.100.0/24.

There is another machine (internal IP: 192.168.100.91) in the same subnet acting as VPN-endpoint for two branch offices. Subnets of these offices are 192.168.1.0/24 and 192.168.200.0/24.

routing table of the default gateway (192.168.100.99):

intgate:~ # route
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
externalNet     *               255.255.255.240  U     0      0   0   eth0
192.168.100.0   *               255.255.255.0    U     0      0   0   eth1
192.168.1.0     192.168.100.91  255.255.255.0    UG    0      0   0   eth1
192.168.200.0   192.168.100.91  255.255.255.0    UG    0      0   0   eth1
default         ext GW          0.0.0.0          UG    0      0   0   eth0

without a firewall (and forwarding enabled), all machines from the internal LAN can reach machines in the other offices just by using the default gateway. Now shorewall just refuses to forward these packets to the VPN-endpoint. I tried modifying rules, zones and policy but I can't get it to work.

what /var/log/messages says:

Oct 28 10:06:08 intgate kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.100.97 DST=192.168.1.150 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=38487 PROTO=UDP SPT=1297 DPT=53 LEN=48

anybody have a hint on where to configure this correctly? What other information do you probably need (I don't want to waste bandwidth and your time with all config-files)?

any help greatly appreciated,
Andreas
Andreas Marbet wrote:
> Hi list,
>
> On the default-gateway (internal IP: 192.168.100.99) of our LAN I'm
> running shorewall. Two NICs, masquerading on the external IF, internal
> Subnet is 192.168.100.0/24.
>
> There is another machine (internal IP: 192.168.100.91) in the same
> subnet acting as VPN-endpoint for two branch offices. Subnets of these
> offices are 192.168.1.0/24 and 192.168.200.0/24.
>
> routing table of the default gateway (192.168.100.99):
>
> intgate:~ # route
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags Metric Ref Use Iface
> externalNet     *               255.255.255.240  U     0      0   0   eth0
> 192.168.100.0   *               255.255.255.0    U     0      0   0   eth1
> 192.168.1.0     192.168.100.91  255.255.255.0    UG    0      0   0   eth1
> 192.168.200.0   192.168.100.91  255.255.255.0    UG    0      0   0   eth1
> default         ext GW          0.0.0.0          UG    0      0   0   eth0
>
> without a firewall (and forwarding enabled), all machines from the
> internal LAN can reach machines in the other offices just by using the
> default gateway. Now shorewall just refuses to forward these packets to
> the VPN-endpoint. I tried modifying rules, zones and policy but I can't
> get it to work.
>
> what /var/log/messages says:
>
> Oct 28 10:06:08 intgate kernel: Shorewall:FORWARD:REJECT:IN=eth1
> OUT=eth1 SRC=192.168.100.97 DST=192.168.1.150 LEN=68 TOS=0x00 PREC=0x00
> TTL=127 ID=38487 PROTO=UDP SPT=1297 DPT=53 LEN=48
>
> anybody have a hint on where to configure this correctly? What other
> information do you probably need (I don't want to waste bandwidth and
> your time with all config-files)?
>
> any help greatly appreciated,

Set the 'multi' option on eth1 in /etc/shorewall/net and add a "loc->loc ACCEPT" policy.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:
>
> Set the 'multi' option on eth1 in /etc/shorewall/net and add a "loc->loc
> ACCEPT" policy.
>

Make that "in /etc/shorewall/interfaces..." -- not enough coffee yet this morning.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> From: Tom Eastep [mailto:teastep@shorewall.net]
>
> Tom Eastep wrote:
>
> >
> >
> > Set the 'multi' option on eth1 in /etc/shorewall/net and
> > add a "loc->loc
> > ACCEPT" policy.
> >
>
> Make that "in /etc/shorewall/interfaces..." -- not enough
> coffee yet this
> morning.
>

IT WORKS! thank you very much. the moment your mail arrived I just found it on your page. Perhaps I also didn't have enough coffee this morning.. I got a bit lost in the documentation.

shorewall is great work.

Andreas