A number of you are flailing around trying to get the subject combination to
work. You should all be aware that there are parts of this that don't
currently work and that won't work well until there are enhancements made to
Shorewall (and probably to Netfilter).
I. There is no clean way currently to support Road Warriors from a
Masquerading Netfilter firewall/gateway. As Dan Hollis pointed out in his
post last fall, there is a requirement to avoid masquerading traffic from the
local network(s) through the tunnel. This was no problem when all tunnel
traffic went through its own device because the output device could be
specified in the Netfilter SNAT/MASQUERADE rule. With Crypto API, all tunnel
traffic leaves via the system's external interface so exceptions to the
SNAT/MASQUERADE rule need to be inserted when a RoadWarrior connects and must
be deleted when the RoadWarrior disconnects.
The "updown" script can of course be used to do that. For those with this
problem, I would suggest starting with:
UP:
iptables -t nat -I POSTROUTING -d <roadwarrior IP> -j ACCEPT
DOWN:
iptables -t nat -D POSTROUTING -d <roadwarrior IP> -j ACCEPT
Disclaimer: I have no idea if that will work or not.
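A fuller "updown" script along those lines, added here as an example and not code from the original post or from Shorewall itself. It assumes the FreeS/WAN-style environment variables PLUTO_VERB and PLUTO_PEER_CLIENT (the address or subnet behind the connecting peer) and lets IPTABLES be overridden so it can be dry-run without root; it also refuses to splice anything but a dotted-quad address or CIDR into the command line.

```shell
#!/bin/sh
# Added example, not Tom's script: a minimal "updown" that exempts a connected
# road warrior from the MASQUERADE/SNAT rule and removes the exemption again.
# Assumptions: the IPsec daemon runs it with the FreeS/WAN-style variables
# PLUTO_VERB (up-client / down-client / ...) and PLUTO_PEER_CLIENT (the
# address or subnet behind the peer, e.g. 10.1.2.3/32); IPTABLES may be set
# to "echo" for a dry run without root.

IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad address or CIDR, so a malformed or hostile value
# can never be spliced into the command line as extra options.
valid_net() {
    case "$1" in
        "" | *[!0-9./]* | */*/*) return 1 ;;
    esac
    return 0
}

# The rule is built once, so insert and delete always refer to the same rule.
masq_exception_rule() {
    printf 'POSTROUTING -d %s -j ACCEPT' "$1"
}

# Print the iptables command for a verb; fail for verbs we do not handle or
# for an invalid network, so the caller runs nothing in those cases.
masq_exception_cmd() {
    verb="$1"; net="$2"
    valid_net "$net" || return 1
    case "$verb" in
        up-client)   action=-I ;;   # -I: exemption must precede the MASQUERADE rule
        down-client) action=-D ;;
        *) return 1 ;;
    esac
    printf '%s -t nat %s %s\n' "$IPTABLES" "$action" "$(masq_exception_rule "$net")"
}

# Entry point when run by the daemon. Caveat: "shorewall restart" rebuilds the
# nat table, so an exception inserted here is lost until the road warrior
# reconnects and the daemon runs this script again.
updown_main() {
    cmd="$(masq_exception_cmd "${PLUTO_VERB:-}" "${PLUTO_PEER_CLIENT:-}")" || return 0
    eval "$cmd"
}

if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```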
II. If 'norfc1918' is specified on your remote interface then you need to
modify /etc/shorewall/rfc1918 to pass traffic to/from remote RFC1918
networks.
III. The requirement to avoid masquerading traffic through tunnels means that
you can't cleanly define a VPN hub. You would want to be able to have an
entry in /etc/shorewall/masq as follows:
<ext if>:!<subnet1>,<subnet2>,... <local if>
Where <subnet<n>> are the remote networks that you are tying together.
Shorewall currently doesn't support such entries.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net