I have everything working fine but I have to have:

all all ACCEPT

in the policies file or else the VPN won't work. The rules file is defined with what ports I want opened to the Internet and port forwarding. All help greatly appreciated.

Thanks
On Monday 26 August 2002 01:32 pm, Kevyn Snary wrote:
> I have everything working fine but I have to have:
>
> all all ACCEPT
>
> in the policies file or else the VPN won't work, the rules file is defined
> with what ports I want opened to the Internet and port forwarding.

VPN is a generic term that covers at least half a dozen protocols -- you're going to have to be more specific. Also, if you don't have the all->all ACCEPT policy, what does "shorewall show log" tell you? Adding an all->all ACCEPT policy takes away the best diagnostic tool you have -- the log....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 26 Aug 2002, Tom Eastep wrote:
> On Monday 26 August 2002 01:32 pm, Kevyn Snary wrote:
> > I have everything working fine but I have to have:
> >
> > all all ACCEPT
> >
> > in the policies file or else the VPN won't work, the rules file is defined
> > with what ports I want opened to the Internet and port forwarding.
>
> VPN is a generic term that covers at least half a dozen protocols -- you're
> going to have to be more specific. Also, if you don't have the all->all
> ACCEPT policy, what does "shorewall show log" tell you? Adding an all->all
> ACCEPT policy takes away the best diagnostic tool you have -- the log....

Let me see if I can be clearer. The default all->all policy is REJECT with logging at the INFO level. This allows you to see every connection request that is rejected under that policy. You report that your VPN doesn't work with that policy, so you have substituted all->all ACCEPT. If you have retained the net->all DROP policy from the default setup, you're probably OK, but by removing the logging under the original all->all policy you now don't know what your new policy is letting through that is crucial to your VPN's operation.

-Tom
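The log Tom is talking about is the kernel's netfilter LOG output with the prefix Shorewall puts on it (the status output later in this thread shows the prefix form, e.g. `Shorewall:all2all:REJECT:`). The following is an added example, not Shorewall's own tooling or anything posted in the thread: it parses such lines and tallies which zone pair, disposition, protocol and destination port the catch-all policy is hitting, which is exactly the information that an all->all ACCEPT policy throws away. The sample log lines are constructed for this example; the field names (IN, OUT, SRC, DST, PROTO, SPT, DPT) are the ones the kernel LOG target emits, and protocol numbers 50 and 51 are mapped to their names (ESP and AH) because the kernel prints them numerically.

```python
import re
from collections import Counter

# Constructed sample lines in the format the netfilter LOG target produces when
# Shorewall sets the prefix "Shorewall:<chain>:<disposition>:". Addresses and
# timestamps are made up for this example.
SAMPLE_LOG = """\
Aug 27 12:52:40 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.1 DST=10.0.0.2 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
Aug 27 12:52:41 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.2 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=50
Aug 27 12:52:42 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.2 LEN=116 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=50
Aug 27 12:52:43 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=4321 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 27 12:52:44 fw kernel: unrelated kernel message that must be ignored
"""

# Protocols that netfilter prints by number rather than by name.
PROTO_NAMES = {"50": "esp", "51": "ah"}

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:                    # skip flag tokens such as DF or SYN
            key, _, value = token.partition("=")
            fields[key] = value
    proto = fields.get("PROTO", "?").lower()
    proto = PROTO_NAMES.get(proto, proto)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": proto,
        "dport": fields.get("DPT", "-"),    # ESP/AH have no ports
    }


def summarize(text):
    """Count rejected/dropped flows by (chain, disposition, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["disposition"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    # On a real box this text would come from "shorewall show log" or syslog.
    for (chain, disp, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {chain}:{disp}  {proto} dport={dport}")
```

Run against the constructed sample the summary shows two ESP packets and one UDP 500 packet rejected by the all2all chain, which points straight at the missing ESP/IKE permissions (the tunnels-file entry discussed later in the thread) rather than at the net->all DROP that is doing its job on port 135.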
On Tuesday 27 August 2002 06:32 am, Kevyn Snary wrote:
> OK
>
> I have narrowed it down to one thing: no matter what I try I can't get the
> firewall to allow UDP port 500 unless the policy file states all all
> ACCEPT. I wrote rules in the rules file to no avail. If you can help I
> would appreciate it.

Well, as always you are being so tight with information about your setup that I'm left to do a lot of guessing. I just realized however that in the post that I sent you privately, I didn't account for masquerading/SNAT, so if you are doing either of those, the solution that I propose won't work.

Before I go any further, please tell us:

a) Where are the endpoints of the IPSEC tunnel?
b) Are you using MASQUERADE or SNAT?
c) Are you trying to bridge two networks or are you simply trying to connect from a single host to a remote network?

-Tom
Kevyn,

We are running a Nortel 1500 VPN on our network behind shorewall and external users can connect to this vpn from outside our network without any problems. Also we have some users that are connecting to a VPN on the east coast using ATT VPN Client and they connect to their network without any problems.

We are using Tom's original policies. We have the following rules on our shorewall box and hopefully this may help you out.

ACCEPT  net  loc  esp
ACCEPT  net  loc  udp  2967,isakmp,500,5000

Mike

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 9:33 AM
To: Kevyn@softwaremanagementinc.com; Users
Subject: Re: [Shorewall-users] Gibraltar + Shorewall

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
On Tuesday 27 August 2002 07:56 am, Martinez, Mike (MHS-ACS) wrote:
> Kevyn,
>
> We are running a Nortel 1500 VPN on our network behind shorewall and
> external users can connect to this vpn from outside our network without any
> problems. Also we have some users that are connecting to a VPN on the east
> coast using ATT VPN Client and they connect to their network without any
> problems.
>
> We are using Tom's original policies. We have the following rules on our
> shorewall box and hopefully this may help you out.
>
> ACCEPT  net  loc  esp
> ACCEPT  net  loc  udp  2967,isakmp,500,5000

isakmp == 500 :-)

I suspect that the original poster is using masquerading/snat which would make the setup somewhat different. Something like:

DNAT  net  loc:<internal ip>  50
DNAT  net  loc:<internal ip>  udp  500

-Tom
On Tuesday 27 August 2002 07:33 am, Tom Eastep wrote:
>
> Before I go any further, please tell us:
>
> a) Where are the endpoints of the IPSEC tunnel?
> b) Are you using MASQUERADE or SNAT?
> c) Are you trying to bridge two networks or are you simply trying to
> connect from a single host to a remote network?

In the event that the answers are:

a) loc and net
b) Yes
c) Single host to remote network

Then please see if http://www.shorewall.net/VPN.htm helps.

-Tom
OK sorry let me explain

I have 4 pc's on a test bed going from left to right

windows 98      Debian FW A         Debian FW B         windows 98
192.168.10.6    loc:192.168.10.1    loc:192.168.20.1    192.168.20.6
                net:10.1.1.1        net:10.1.1.2
                vpn:ipsec0          vpn:ipsec:0

On both Debian boxes I am running Gibraltar 0.99.4

I am running Masq as eth0 eth1

FW A conf's are:

"ipsec.conf"

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.1.1.1
        leftsubnet=192.168.10.0/24
        leftnexthop=10.1.1.2
        leftrsasigkey=AQOZsZBXjF96/heruJ3w21Z/n3a1Yo...NXIdGPtQ70khJvRyKS8ywqoobUu6uKK4wiEc5J
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.1.1.2
        rightsubnet=192.168.20.0/24
        rightnexthop=10.1.1.1
        rightrsasigkey=AQOd6DrYCC+KMj0kIN7JvOdcqO3EP....4I+CwouKMNCezPzVkpzEw8zVC2L
        auto=start

"Hosts"

#ZONE   HOST(S)                 OPTIONS
net     eth0:10.1.1.1
loc     eth1:192.168.10.0/24
vpn     ipsec0:192.168.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Policy

#CLIENT SERVER  POLICY  LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
fw      vpn     ACCEPT
vpn     fw      ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     ACCEPT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

rules

#RESULT CLIENT(S)  SERVER(S)  PROTO  PORT(S)                                CLIENT PORT(S)  ADDRESS
ACCEPT  net        fw         udp    500
ACCEPT  loc        fw         udp    500
ACCEPT  loc        vpn        udp    500
ACCEPT  vpn        loc        udp    500
ACCEPT  net        fw         50
ACCEPT  loc        fw         50
ACCEPT  loc        vpn        50
ACCEPT  vpn        loc        50
ACCEPT  net        fw         51
ACCEPT  loc        fw         51
ACCEPT  loc        vpn        51
ACCEPT  vpn        loc        51
# Allow inbound to the Firewall
ACCEPT  net        $FW        tcp    ssh,auth
ACCEPT  loc        $FW        tcp    ssh
# Allow outbound from the firewall
ACCEPT  $FW        net        tcp    ssh
ACCEPT  $FW        loc        tcp    ssh
# Allow outbound from local network to internet
ACCEPT  loc        net        tcp    ftp,ftp-data,ssh,smtp,www,pop3,https

Tunnels

# TYPE  ZONE  GATEWAY   GATEWAY ZONE
ipsec   net   10.1.1.2  vpn

"zones"

#ZONE   DISPLAY  COMMENTS
net     Net      Internet
loc     Local    Local networks
dmz     DMZ      Demilitarized zone
vpn     VPN      Remote Subnet

FW B conf's are:

"ipsec.conf"

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.1.1.1
        leftsubnet=192.168.10.0/24
        leftnexthop=10.1.1.2
        leftrsasigkey=AQOZsZBXjF96/heruJ3w21Z/n3a1Yo...NXIdGPtQ70khJvRyKS8ywqoobUu6uKK4wiEc5J
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.1.1.2
        rightsubnet=192.168.20.0/24
        rightnexthop=10.1.1.1
        rightrsasigkey=AQOd6DrYCC+KMj0kIN7JvOdcqO3EP....4I+CwouKMNCezPzVkpzEw8zVC2L
        auto=start

"Hosts"

#ZONE   HOST(S)                 OPTIONS
net     eth0:10.1.1.2
loc     eth1:192.168.20.0/24
vpn     ipsec0::192.168.10.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Policy

#CLIENT SERVER  POLICY  LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
fw      vpn     ACCEPT
vpn     fw      ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     ACCEPT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

rules

#RESULT CLIENT(S)  SERVER(S)  PROTO  PORT(S)                                CLIENT PORT(S)  ADDRESS
ACCEPT  net        fw         udp    500
ACCEPT  loc        fw         udp    500
ACCEPT  loc        vpn        udp    500
ACCEPT  vpn        loc        udp    500
ACCEPT  net        fw         50
ACCEPT  loc        fw         50
ACCEPT  loc        vpn        50
ACCEPT  vpn        loc        50
ACCEPT  net        fw         51
ACCEPT  loc        fw         51
ACCEPT  loc        vpn        51
ACCEPT  vpn        loc        51
# Allow inbound to the Firewall
ACCEPT  net        $FW        tcp    ssh,auth
ACCEPT  loc        $FW        tcp    ssh
# Allow outbound from the firewall
ACCEPT  $FW        net        tcp    ssh
ACCEPT  $FW        loc        tcp    ssh
# Allow outbound from local network to internet
ACCEPT  loc        net        tcp    ftp,ftp-data,ssh,smtp,www,pop3,https

Tunnels

# TYPE  ZONE  GATEWAY   GATEWAY ZONE
ipsec   net   10.1.1.1  vpn

"zones"

#ZONE   DISPLAY  COMMENTS
net     Net      Internet
loc     Local    Local networks
dmz     DMZ      Demilitarized zone
vpn     VPN      Remote Subnet

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 10:33 AM
To: Kevyn@softwaremanagementinc.com; Users
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
On Tuesday 27 August 2002 08:58 am, Kevyn Snary wrote:
> OK sorry let me explain
>
> I have 4 pc's on a test bed going from left to right
>
> windows 98      Debian FW A         Debian FW B         windows 98
> 192.168.10.6    loc:192.168.10.1    loc:192.168.20.1    192.168.20.6
>                 net:10.1.1.1        net:10.1.1.2
>                 vpn:ipsec0          vpn:ipsec:0
>
>
> On both Debian boxes I am running Gibraltar 0.99.4

Then why aren't you simply adding an entry in /etc/shorewall/tunnels on each firewall? That's what that file is designed for....

-Tom
On Tuesday 27 August 2002 08:58 am, Kevyn Snary wrote:
> OK sorry let me explain
>
> I have 4 pc's on a test bed going from left to right
>
> windows 98      Debian FW A         Debian FW B         windows 98
> 192.168.10.6    loc:192.168.10.1    loc:192.168.20.1    192.168.20.6
>                 net:10.1.1.1        net:10.1.1.2
>                 vpn:ipsec0          vpn:ipsec:0
>
>
> On both Debian boxes I am running Gibraltar 0.99.4

I think you'll also find the information at http://www.shorewall.net/IPSEC.htm to be relevant.

-Tom
I have

# TYPE  ZONE  GATEWAY   GATEWAY ZONE
ipsec   net   10.1.1.1  vpn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

on FW B

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 11:59 AM
To: Kevyn@softwaremanagementinc.com; 'Users'
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
http://www.shorewall.net/IPSEC.htm

This is what I started with and have had the same problem ever since. I kept trying to open more and more to fix it, so the confs are a little messy now.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 12:10 PM
To: Kevyn@softwaremanagementinc.com; 'Users'
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
OK I wiped out everything and started again as I think the confs were overdone.

I followed the IPSEC doc on your website, and I still have reject errors for ESP.

I have the tunnel file filled out but still no traffic??? I thought this was supposed to allow for prot 50 51 and udp 500.

I am doing masq. Would that affect it?

Kevyn

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 12:10 PM
To: Kevyn@softwaremanagementinc.com; 'Users'
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
On Tuesday 27 August 2002 09:33 am, Kevyn Snary wrote:
> OK I wiped out everything and started again as I think the confs were
> overdone.
>
> I followed the IPSEC doc on your website, and I still have reject errors
> for ESP.
>
> I have the tunnel file filled out but still no traffic??? I thought this
> was supposed to allow for prot 50 51 and udp 500.
>
> I am doing masq. Would that affect it?

No -- send me the output of "shorewall status" and I'll try to figure out where you've gone wrong....

-Tom
On Tuesday 27 August 2002 09:44 am, Tom Eastep wrote:
> On Tuesday 27 August 2002 09:33 am, Kevyn Snary wrote:
> > OK I wiped out everything and started again as I think the confs were
> > overdone.
> >
> > I followed the IPSEC doc on your website, and I still have reject errors
> > for ESP.
> >
> > I have the tunnel file filled out but still no traffic??? I thought this
> > was supposed to allow for prot 50 51 and udp 500.
> >
> > I am doing masq. Would that affect it?
>
> No -- send me the output of "shorewall status" and I'll try to figure out
> where you've gone wrong....

Nevermind -- take your hosts file and throw it as far as your arm can throw it. The first entry essentially makes the 'net' zone empty since 10.1.1.1 is the local IP address, right?

-Tom
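Two configuration mistakes surface in this thread: the hosts file entry Tom points at here, which defines the net zone as the firewall's own eth0 address so that the remote gateway can never be in that zone and its packets fall through to the catch-all policy, and the all->all ACCEPT policy from the opening post, which silently allows whatever falls through instead of rejecting and logging it. The checker below is an added example written for this page, not part of Shorewall or anything the participants posted. It parses the two file formats as they appear in Kevyn's post; the sample file contents are modelled on his FW A configuration, and the firewall's own interface addresses (FW_ADDRESSES) are an assumed input, since the hosts file alone cannot tell you which address is local.

```python
import ipaddress

# Assumption: the firewall's own addresses on each interface (FW A in the thread).
FW_ADDRESSES = {"eth0": "10.1.1.1", "eth1": "192.168.10.1"}

# Sample /etc/shorewall/hosts, modelled on the one posted for FW A.
HOSTS_FILE = """\
#ZONE   HOST(S)                 OPTIONS
net     eth0:10.1.1.1
loc     eth1:192.168.10.0/24
vpn     ipsec0:192.168.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
"""

# Sample /etc/shorewall/policy, modelled on the posted one but with the
# all->all ACCEPT of the opening post (no log level).
POLICY_FILE = """\
#CLIENT SERVER  POLICY  LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     ACCEPT
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""


def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check_hosts(hosts_text, fw_addresses):
    """Flag zones whose host list is nothing but the firewall's own address."""
    findings = []
    for fields in _entries(hosts_text):
        zone, spec = fields[0], fields[1]
        iface, _, hostlist = spec.partition(":")
        own = fw_addresses.get(iface)
        if own is None or not hostlist:
            continue
        own_ip = ipaddress.ip_address(own)
        nets = [ipaddress.ip_network(h, strict=False) for h in hostlist.split(",")]
        # Every entry is a single host equal to the local address: no peer can
        # ever match this zone, so its traffic hits the catch-all policy instead.
        if all(n.num_addresses == 1 and own_ip in n for n in nets):
            findings.append(
                f"zone '{zone}' on {iface} is defined only as the firewall's own "
                f"address {own}; no remote host can be in it"
            )
    return findings


def check_policy(policy_text):
    """Flag catch-all policies that discard the reject-and-log diagnostic."""
    findings = []
    for fields in _entries(policy_text):
        client, server, policy = fields[0], fields[1], fields[2].upper()
        level = fields[3] if len(fields) > 3 else None
        if client != "all" or server != "all":
            continue
        if policy == "ACCEPT":
            findings.append("all->all ACCEPT: anything not matched by an earlier "
                            "rule or policy is allowed, so the default REJECT "
                            "with logging no longer shows what is getting through")
        elif level is None:
            findings.append(f"all->all {policy} has no log level; connections it "
                            "rejects will not appear in 'shorewall show log'")
    return findings


if __name__ == "__main__":
    for f in check_hosts(HOSTS_FILE, FW_ADDRESSES) + check_policy(POLICY_FILE):
        print("WARNING:", f)
```

On the constructed input the hosts check reports the net zone and the policy check reports the all->all ACCEPT; a hosts file that lists the real peer or a network range, and a policy file with the default all->all REJECT info, both pass clean.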
ok

Shorewall-1.2.10 Status at VPN-test1 - Tue Aug 27 12:52:48 CEST 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   464 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  eth0   *       10.0.0.2             0.0.0.0/0
    1   241 loc2fw     all  --  eth1   *       192.168.2.0/24       0.0.0.0/0
    0     0 vpn2fw     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net2all    all  --  eth0   eth1    10.0.0.2             192.168.2.0/24
    0     0 net2all    all  --  eth0   ipsec0  10.0.0.2             0.0.0.0/0
    0     0 loc2net    all  --  eth1   eth0    192.168.2.0/24       10.0.0.2
    0     0 loc2vpn    all  --  eth1   ipsec0  192.168.2.0/24       0.0.0.0/0
    0     0 all2all    all  --  ipsec0 eth0    0.0.0.0/0            10.0.0.2
    0     0 vpn2loc    all  --  ipsec0 eth1    0.0.0.0/0            192.168.2.0/24
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 1 packets, 35 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   464 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            10.0.0.2
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            192.168.2.0/24
    0     0 all2all    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    2   408 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   408 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    2   408 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    1   241 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x04/0x04
    1   241 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.2.255

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            10.0.0.1           state NEW
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            10.0.0.1           state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.1           udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:123
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 12

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    1   241 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 10/hour burst 5 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       10.0.0.1             0.0.0.0/0          state NEW
    0     0 ACCEPT     ah   --  *      *       10.0.0.1             0.0.0.0/0          state NEW
    0     0 ACCEPT     udp  --  *      *       10.0.0.1             0.0.0.0/0          udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    2   408 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain vpn2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  ipsec0 *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 1 packets, 241 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2 packets, 270 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.2.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 509 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING (policy ACCEPT 3 packets, 705 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   705 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 3 packets, 705 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 907 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   872 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 2 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 12:44 PM
To: Kevyn@softwaremanagementinc.com; 'Users'
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
YIPPPPEEEEEEEEEEEEEEEEEEEEE

Thank you for all of your great help Tom, I thought I was going nuts.

The whole thing works great from what I can see.

Thanks again

Kevyn

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 27, 2002 12:50 PM
To: Kevyn@softwaremanagementinc.com; 'Users'
Subject: Re: [Shorewall-users] Gibraltar + Shorewall
On Tuesday 27 August 2002 10:03 am, Kevyn Snary wrote:
> YIPPPPEEEEEEEEEEEEEEEEEEEEE
>
>
> Thank you for all of your great help Tom, I thought I was going nuts.
>
> The whole thing works great from what I can see.
>
> Thanks again

You're welcome.

-Tom