Northe, Juergen
2002-Oct-09 23:46 UTC
[Shorewall-users] masquerade the external vpn-clients
Hi.
OK, my last issue in this forum was too freeswan-specific. Sorry for that.

Now I am running freeswan on the shorewall firewall and have the problem that all incoming ipsec connections in my private LAN have the IP address given by the ISP DHCP server.
For example my road-warriors can't access an internal webmin server when the "ip access control" is set to my private network (172.20.0.0/16) because he comes with 212.18.3.7.9.

I want all traffic from the vpn-clients to have the internal IP address of the gateway (here 172.20.6.1).
On the machine only freeswan and shorewall are running.

eth0 = 172.20.6.1 (internal)
eth1 = 150.1.2.3 (external, leased line)
ipsec0 = eth1

So I tried:

/etc/shorewall/shorewall.conf
ADD_SNAT_ALIASES=Yes

In /etc/shorewall/masq:

#You want all outgoing traffic from 192.168.1.0/24 through
#eth0 to use source address 206.124.146.176.
#eth0 192.168.1.0/24 206.124.146.176

ipsec0:172.20.0.0/16 172.20.6.1
# or
ipsec0:0.0.0.0 172.20.6.1
# or
ipsec0 eth0

no luck. Any hints? Thanks in advance!
Jürgen
Northe, Juergen wrote:
> Hi.
> OK, my last issue in this forum was too freeswan-specific. Sorry for
> that.
>
> Now I am running freeswan on the shorewall firewall and have the
> problem that all incoming ipsec connections in my private LAN have the
> IP address given by the ISP DHCP server.
> For example my road-warriors can't access an internal webmin server when
> the "ip access control" is set to my private network (172.20.0.0/16)
> because he comes with 212.18.3.7.9.
>
> I want all traffic from the vpn-clients to have the internal IP
> address of the gateway (here 172.20.6.1).
> On the machine only freeswan and shorewall are running.
>
> eth0 = 172.20.6.1 (internal)
> eth1 = 150.1.2.3 (external, leased line)
> ipsec0 = eth1
>
> So I tried:
>
> /etc/shorewall/shorewall.conf
> ADD_SNAT_ALIASES=Yes
>
> In /etc/shorewall/masq:
> #You want all outgoing traffic from 192.168.1.0/24 through
> #eth0 to use source address 206.124.146.176.
> #eth0 192.168.1.0/24 206.124.146.176
>
> ipsec0:172.20.0.0/16 172.20.6.1
> # or
> ipsec0:0.0.0.0 172.20.6.1
> # or
> ipsec0 eth0
>
> no luck. Any hints? Thanks in advance!

You'll have to use a bit of a trick to do what you want.

In /etc/shorewall/tcrules, put:

1 ipsec0 172.20.0.0/16

That will mark packets from ipsec0 destined for your local network with a value 1. If you are already using mark value 1 for traffic control, simply pick an unused mark value.

In /etc/shorewall/start, put:

run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j SNAT --to-source 172.20.6.1

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
I want to masquerade INCOMING IP addresses so that they look like they originated from the gateway.

net -> ipsec0 -> eth0 -> loc

loc = 172.20.6.1 (internal)
ipsec = 150.1.2.3 (external, leased line)
ipsec0 = eth1

What to use: dnat, snat, masq?

I read http://www.shorewall.net/shorewall_setup_guide.htm 5.2.1 - 5.3 and played with the settings.. no chance.
jn
Northe, Juergen wrote:
> I want to masquerade INCOMING IP addresses so that they look like they
> originated from the gateway.
> net -> ipsec0 -> eth0 -> loc
>
> loc = 172.20.6.1 (internal)
> ipsec = 150.1.2.3 (external, leased line)
> ipsec0 = eth1
>
> What to use: dnat, snat, masq?
>
> I read http://www.shorewall.net/shorewall_setup_guide.htm 5.2.1 - 5.3
> and played with the settings.. no
> chance.

Please read my response to you from this morning about this topic.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
sorry,
my "postman" fetchmail had no hands free for collecting the small messages when I wrote the second issue.
---------------------

It's late but I'm inquisitorial!

No, it does not look good:

/etc/shorewall/tcrules: (tried also to set mark = 9)
1 ipsec0 172.20.0.0/16

/etc/shorewall/start (also mark 1 -> 9)
run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j SNAT --to-source 172.20.6.1

shorewall stop && shorewall clear && service ipsec restart && shorewall start

Result:
My notebook comes in the local net like before; with its own IP.
I set logging for every policy to info. Not a spot of bother.

Oct 11 01:52:18 dkmsrv2 kernel: Shorewall:vpn2loc:ACCEPT:IN=ipsec0 OUT=eth0 SRC=139.1.3.1 DST=172.20.5.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=7262 DF PROTO=TCP SPT=1331 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0

#shorewall show tc
RTNETLINK answers: Invalid argument
Dump terminated

#iptables -L | grep "172.20.6.1"
- no output.

hmm.. ?
Northe, Juergen wrote:
> sorry,
> my "postman" fetchmail had no hands free for collecting the small
> messages when I wrote the second issue.
> ---------------------
>
> It's late but I'm inquisitorial!
>
> No, it does not look good:
>
> /etc/shorewall/tcrules: (tried also to set mark = 9)
> 1 ipsec0 172.20.0.0/16
> /etc/shorewall/start (also mark 1 -> 9)
> run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j SNAT
> --to-source 172.20.6.1
>
> shorewall stop && shorewall clear &&
> service ipsec restart && shorewall start
>
> Result:
> My notebook comes in the local net like before; with its own IP.
> I set logging for every policy to info. Not a spot of bother.
>
> Oct 11 01:52:18 dkmsrv2 kernel: Shorewall:vpn2loc:ACCEPT:IN=ipsec0
> OUT=eth0 SRC=139.1.3.1 DST=172.20.5.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=7262 DF PROTO=TCP SPT=1331 DPT=10000 WINDOW=16384 RES=0x00 SYN URGP=0
>
> #shorewall show tc
> RTNETLINK answers: Invalid argument
> Dump terminated
>
> #iptables -L | grep "172.20.6.1"
> - no output.
>
> hmm.. ?

shorewall show nat | grep '172\.20\.6\.1'

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Northe, Juergen
2002-Oct-11 01:01 UTC
AW: AW: [Shorewall-users] masquerade INCOMING ip = :-|
>> /etc/shorewall/tcrules: (tried also to set mark = 9)
>> 1 ipsec0 172.20.0.0/16
>> /etc/shorewall/start (also mark 1 -> 9)
>> run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j
>> SNAT --to-source 172.20.6.1
>>
>> shorewall stop && shorewall clear &&
>> service ipsec restart && shorewall start
>>
>> Result:
>> My notebook comes in the local net like before; with its own IP. I set
>> logging for every policy to info. Not a spot of bother.
>>
>> Oct 11 01:52:18 dkmsrv2 kernel: Shorewall:vpn2loc:ACCEPT:IN=ipsec0
>> OUT=eth0 SRC=139.1.3.1 DST=172.20.5.1 LEN=48 TOS=0x00 PREC=0x00
>> TTL=127 ID=7262 DF PROTO=TCP SPT=1331 DPT=10000 WINDOW=16384 RES=0x00
>> SYN URGP=0
>>
>> #shorewall show tc
>> RTNETLINK answers: Invalid argument
>> Dump terminated
>>
>> #iptables -L | grep "172.20.6.1"
>> - no output.
>>
>> hmm.. ?
>
> shorewall show nat | grep '172\.20\.6\.1'

looks good:

0 0 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x9 to:172.20.6.1

(also made with ' shorewall show nat | grep "172.20.6.1" ',.. but correct is yours with the regexp!)
jn
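An added example, not part of the thread or of Shorewall: Tom's trick above (mark the packets in tcrules, then SNAT on the mark in the nat POSTROUTING chain) and the listing Juergen pasted back are two halves of the same check. A verbose nat listing, as printed by `iptables -t nat -L POSTROUTING -v -n` (which is what `shorewall show nat` wraps), carries a packet counter per rule; the `0 0` in front of Juergen's SNAT rule means the rule is installed but nothing has ever matched it since it was loaded, which points at the mark never being set rather than at the SNAT line itself. The script below parses such a listing, finds mark-matched SNAT rules to a given address and turns the counter into a three-way diagnosis. The sample listing is constructed to resemble Juergen's line (the surrounding chain header and the MASQUERADE rule are invented for illustration, not captured output); the K/M/G counter suffixes are assumed to be 1000-based, as iptables prints them, and `iptables -x` is the way to get exact counts if that matters.

```python
"""Added example (not from the thread): check whether a mark-matched SNAT rule
exists in a verbose `iptables -t nat -L POSTROUTING -v -n` listing and whether
it has actually matched packets."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the one rule line Juergen pasted back.
# The chain header and the MASQUERADE rule are invented for illustration.
SAMPLE_NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 1523 packets, 97K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            MARK match 0x9 to:172.20.6.1
  812   61K MASQUERADE all  --  *      eth1    172.20.0.0/16        0.0.0.0/0
"""

# Assumption: iptables abbreviates large counters with 1000-based K/M/G.
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_counter(tok: str) -> int:
    """'812' -> 812, '61K' -> 61000."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""  # free-form match text, e.g. 'MARK match 0x9 to:172.20.6.1'

    @property
    def mark(self) -> Optional[int]:
        """Mark value from a 'MARK match 0x9' clause, if the rule has one."""
        m = re.search(r"\bmark match (0x[0-9a-fA-F]+|\d+)", self.extra, re.IGNORECASE)
        return int(m.group(1), 0) if m else None

    @property
    def to_source(self) -> Optional[str]:
        """Address after 'to:' on SNAT/DNAT rules."""
        m = re.search(r"\bto:(\S+)", self.extra)
        return m.group(1) if m else None


def parse_chain(listing: str) -> List[Rule]:
    """Turn the text of one chain from `iptables -L <chain> -v -n` into Rule objects."""
    rules = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.lstrip().startswith("pkts "):
            continue  # chain header and column header carry no rules
        # Columns: pkts bytes target prot opt in out source destination [matches...]
        parts = line.split(None, 9)
        if len(parts) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        rules.append(Rule(
            pkts=parse_counter(parts[0]), bytes=parse_counter(parts[1]),
            target=parts[2], proto=parts[3], in_if=parts[5], out_if=parts[6],
            src=parts[7], dst=parts[8], extra=parts[9] if len(parts) > 9 else "",
        ))
    return rules


def find_snat(rules: List[Rule], to_source: str, out_if: Optional[str] = None) -> List[Rule]:
    """SNAT rules rewriting the source to `to_source`, optionally on one output interface."""
    return [r for r in rules
            if r.target == "SNAT" and r.to_source == to_source
            and (out_if is None or r.out_if == out_if)]


def diagnose(listing: str, to_source: str, out_if: Optional[str] = None) -> str:
    """'missing': no such SNAT rule (the start script did not run, or the table was cleared).
    'unused' : rule present but its packet counter is 0, so no packet carried the mark it
               matches on; the next place to look is the mangle table (iptables -t mangle -L -v -n).
    'active' : rule has matched packets; if clients still arrive with their own address the
               problem lies elsewhere (for instance, traffic not leaving via that interface)."""
    hits = find_snat(parse_chain(listing), to_source, out_if)
    if not hits:
        return "missing"
    if all(r.pkts == 0 for r in hits):
        return "unused"
    return "active"


if __name__ == "__main__":
    for r in parse_chain(SAMPLE_NAT_POSTROUTING):
        print(f"{r.target:10} out={r.out_if:5} pkts={r.pkts:<6} mark={r.mark} to={r.to_source}")
    print("diagnosis:", diagnose(SAMPLE_NAT_POSTROUTING, "172.20.6.1", "eth0"))
```

On a live box the same function would be fed the output of `iptables -t nat -L POSTROUTING -v -n` (or `shorewall show nat`) via `subprocess`; on the constructed sample it reports `unused`, which is the state Juergen's `0 0` line shows.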
On Thu Oct 10/10/02, 2002 at 05:26:04PM -0700, Tom Eastep wrote:
> Northe, Juergen wrote:
> > #iptables -L | grep "172.20.6.1"
> shorewall show nat | grep '172\.20\.6\.1'

shorewall show nat | fgrep "172.16.0.1"
iptables -L | fgrep "172.16.0.1"
sed -e 's/fgrep/grep -F/'

Lots easier than typing all those escape characters. ;)
--
Greg White
Greg White wrote:
> On Thu Oct 10/10/02, 2002 at 05:26:04PM -0700, Tom Eastep wrote:
>
>> Northe, Juergen wrote:
>>
>>> #iptables -L | grep "172.20.6.1"
>>
>> shorewall show nat | grep '172\.20\.6\.1'
>
> shorewall show nat | fgrep "172.16.0.1"
> iptables -L | fgrep "172.16.0.1"
> sed -e 's/fgrep/grep -F/'
>
> Lots easier than typing all those escape characters. ;)

Thanks!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net