Hi everybody,

I have been using Shorewall for quite a while now but I recently stumbled over a new setup that stopped me cold. I don't know how to proceed:

I have an ordinary GNU/Linux box (2.6.11) connected to a nonpublic network with one interface eth0 which gets an IP through DHCP like 172.17.x.y. Traffic is not routed to the Internet in this subnet. In order to connect to the Internet I have to build a VPN connection to a Cisco Concentrator box inside this network (172.17.0.1).

I also get the addresses of two DNS servers assigned by this DHCP server (10.0.251.1, 10.0.251.2) which are of course outside my reach as long as I don't have a connection to the VPN Gateway.

I can connect to the Cisco VPN Gateway using "vpnc", a free alternative to the Cisco client, which makes use of a "tun0" device. The "tun0" device also receives an IP address from a DHCP server, something like 10.26.80.x

How do I set up Shorewall, so that I can connect to the Cisco Concentrator while at the same time blocking all inbound traffic that I don't want?

I started out with the one-interface setup described in the quick guides, though I realise that I seem to have two devices (eth0, tun0). When I'm using this initial setup I can establish the VPN link but cannot use it. As soon as I shut down Shorewall, I can use the VPN tunnel, but everything is wide open.

thanks,
Tobias

*****************************************

"Email messages are supposed to be text, thank you. Text. Only text. If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>." Tom Liston

http://isc.sans.org/diary.php?date=2005-05-11
> How do I setup Shorewall, so that I can connect to the Cisco
> Concentrator while at the same time blocking all inbound traffic that I
> don't want?
>
> I started out with the one-interface setup described in the quick
> guides through I realise that I seem to have two devices (eth, tun0).
> When I'm using this initial setup I can establish the VPN link but
> cannot use it. As soon as I shut down Shorewall, I can use the VPN
> tunnel, but everything is wide open.

http://www.shorewall.net/Documentation_Index.html

Find the word VPN. Read carefully the related docs... still no luck?
On Sun, 12 Jun 2005, Tobias Weisserth wrote:

> Hi everybody,
>
> I have been using Shorewall for quite a while now but I recently stumbled
> over a new setup that stopped me cold. I don't know how to proceed:
>
> I have an ordinary GNU/Linux box (2.6.11) connected to a nonpublic network
> with one interface eth0 which gets an IP through DHCP like 172.17.x.y.
> Traffic is not routed to the Internet in this subnet. In order to connect to
> the Internet I have to build a VPN connection to a Cisco Concentrator box
> inside this network (172.17.0.1).
>
> I also get the addresses of two DNS servers assigned by this DHCP server
> (10.0.251.1, 10.0.251.2) which are of course outside my reach as long as I
> don't have a connection to the VPN Gateway.
>
> I can connect to the Cisco VPN Gateway using "vpnc", a free alternative to
> the Cisco client, which makes use of a "tun0" device. The "tun0" device also
> receives an IP address from a DHCP server, something like 10.26.80.x
>
> How do I setup Shorewall, so that I can connect to the Cisco Concentrator
> while at the same time blocking all inbound traffic that I don't want?

I use OpenVPN to connect remote sites via the tun device so... I assume you are running shorewall on the same box you want to connect with.

You can treat tun<#> as a local device. In /etc/shorewall/interfaces:

    vpn0    tun0    detect

In /etc/shorewall/policy:

    fw      all     ACCEPT
    vpn0    all     REJECT

This will allow all outgoing traffic from fw but block all incoming traffic.

In masq: (I've never actually done this part but it _should_ work)

    tun0    eth0

> I started out with the one-interface setup described in the quick guides
> through I realise that I seem to have two devices (eth, tun0). When I'm using
> this initial setup I can establish the VPN link but cannot use it. As soon as
> I shut down Shorewall, I can use the VPN tunnel, but everything is wide open.
>
> thanks,
> Tobias

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi,

On Jun 12, 2005, at 10:03 PM, Cristian Rodriguez wrote:

> http://www.shorewall.net/Documentation_Index.html
>
> FInd the word VPN.
>
> read carrefully the related docs..still no luck ?

If you don't want to help, why bother writing at all?

I checked out this http://www.shorewall.net/GenericTunnels.html before asking my stupid question, but it doesn't seem to help me. And as I understand (or don't, that's the problem) the Cisco concentrator does things differently, thus the need for a specific client. The problem is I don't understand how this client works, so I don't know how to handle this correctly in Shorewall. It's not like an ordinary OpenVPN connection as far as I understand.

The people running this network had simply one line of advice for my problem: disable your firewall.

I thought maybe someone else is having the same problem and could help me out a little.

regards,
Tobias
Hi there,

On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:

> You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
>
>     vpn0    tun0    detect
>
> In /etc/shorewall/policy:
>
>     fw      all     ACCEPT
>     vpn0    all     REJECT
>
> This will allow all outgoing traffic from fw but block all incoming
> traffic.
>
> In masq: (I've never actually done this part but it _should_ work)
>
>     tun0    eth0

Luckily I won't need masq. I'll try this out, though I think I had something similar which didn't work.

thanks,
Tobias
Hi again,

On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:

> You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
>
>     vpn0    tun0    detect
>
> In /etc/shorewall/policy:
>
>     fw      all     ACCEPT
>     vpn0    all     REJECT
>
> This will allow all outgoing traffic from fw but block all incoming
> traffic.

This didn't work.

I have some more info:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.17.0.1      172.17.4.254    255.255.255.255 UGH   0      0        0 eth0
    172.17.4.0      *               255.255.255.0   U     0      0        0 eth0
    loopback        *               255.0.0.0       U     0      0        0 lo
    default         *               0.0.0.0         U     0      0        0 tun0

and ifconfig output:

    eth0      Link encap:Ethernet  HWaddr 00:30:84:26:4E:6E
              inet addr:172.17.4.140  Bcast:172.17.4.255  Mask:255.255.255.0
              inet6 addr: fe80::230:84ff:fe26:4e6e/64 Scope:Link
              UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3672 errors:0 dropped:0 overruns:0 frame:0
              TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:476300 (465.1 Kb)  TX bytes:51464 (50.2 Kb)
              Interrupt:10 Base address:0xcc00

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:57 errors:0 dropped:0 overruns:0 frame:0
              TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:5724 (5.5 Kb)  TX bytes:5724 (5.5 Kb)

    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.26.80.1  P-t-P:10.26.80.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

This is when connected with vpnc.
regards,
Tobias
see below...

----- Original Message -----
From: "Tobias Weisserth" <tobias.weisserth@gmx.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Sunday, June 12, 2005 4:34 PM
Subject: Re: [Shorewall-users] vpnc versus Shorewall problem

> Hi again,
>
> On Jun 12, 2005, at 10:04 PM, Stephen Carville wrote:
>
> > You can treat tun<#> as a local device. In /etc/shorewall/interfaces:
> >
> >     vpn0    tun0    detect
> >
> > In /etc/shorewall/policy:
> >
> >     fw      all     ACCEPT
> >     vpn0    all     REJECT
> >
> > This will allow all outgoing traffic from fw but block all incoming
> > traffic.
>
> This didn't work.
>
> I have some more info:
>
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     172.17.0.1      172.17.4.254    255.255.255.255 UGH   0      0        0 eth0
>     172.17.4.0      *               255.255.255.0   U     0      0        0 eth0
>     loopback        *               255.0.0.0       U     0      0        0 lo
>     default         *               0.0.0.0         U     0      0        0 tun0
>
> and ifconfig output:
>
>     eth0      Link encap:Ethernet  HWaddr 00:30:84:26:4E:6E
>               inet addr:172.17.4.140  Bcast:172.17.4.255  Mask:255.255.255.0
>               inet6 addr: fe80::230:84ff:fe26:4e6e/64 Scope:Link
>               UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:3672 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:476300 (465.1 Kb)  TX bytes:51464 (50.2 Kb)
>               Interrupt:10 Base address:0xcc00
>
>     lo        Link encap:Local Loopback
>               inet addr:127.0.0.1  Mask:255.0.0.0
>               inet6 addr: ::1/128 Scope:Host
>               UP LOOPBACK RUNNING  MTU:16436  Metric:1
>               RX packets:57 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:0
>               RX bytes:5724 (5.5 Kb)  TX bytes:5724 (5.5 Kb)
>
>     sit0      Link encap:IPv6-in-IPv4
>               NOARP  MTU:1480  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:0
>               RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
>     tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>               inet addr:10.26.80.1  P-t-P:10.26.80.1  Mask:255.255.255.255
>               UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:500
>               RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> This is when connected with vpnc.

<snip>

From the look of this interface (above) you don't really have any traffic on it?

It also appears that you are only running a 'one-armed' firewall? Check for instructions on configuring the samples using a one interface design. I suspect that you will need to replace your tun0 interface with the eth0 interface in the shorewall samples... and maybe add another zone for the modem? (Search the mailing list for some email/some person who needed access to their cable modem???)

interfaces:

    net     tun0    detect    dhcp,routefilter,blacklist
    modem   eth0    detect    dhcp

You might try to run 'shorewall clear', generate some traffic, 'shorewall start', generate more traffic and then send us a trace (using instructions from support page below).

The tun0 device is your default gateway so you might only need to substitute tun0 for eth0 as the adsl (ppp0) users do.

Good luck.

Jeff

DISCLAIMER: This message was sent from The-Techy.com.
Hi everybody,

I guess I found a solution. I'm using the single interface setup and added this:

In /etc/shorewall/zones I added

    ZONE    DISPLAY    COMMENTS
    vpn     VPN        Remote Subnet

In /etc/shorewall/interfaces I added

    ZONE    INTERFACE    BROADCAST    OPTIONS
    vpn     tun0         detect

In /etc/shorewall/policy I added

    SOURCE    DEST    POLICY    LOG LEVEL
    fw        vpn     ACCEPT

Now the hard part. In /etc/shorewall/tunnels I added

    TYPE               ZONE    GATEWAY       GATEWAY ZONE
    generic:tcp:500    net     172.17.0.1

Any comments? Did I miss something?

regards,
Tobias
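An added example, not from any poster in this thread: a small shell script that reads the routing table Tobias posted and derives a zone layout from it. The default route leaves via tun0 (the vpnc tunnel), while the concentrator 172.17.0.1 has a host route via eth0, so the script treats tun0 as the untrusted Internet side and eth0 as a separate zone, and checks that the IKE exchange to the concentrator is not routed into the tunnel it is trying to build. The routing table is copied from the thread; zone names, options and the generated entries are assumptions for illustration.

```shell
# Added example (not from any poster in this thread). ROUTES is the
# "Kernel IP routing table" Tobias posted; all names below are assumed.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.0.1      172.17.4.254    255.255.255.255 UGH   0      0        0 eth0
172.17.4.0      *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 tun0'

# Interface carrying the default route: the Internet side once vpnc is up.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $NF; exit }'
}

# Interface used to reach one host: a /32 host route wins, else the default.
iface_for_host() {
    hit=$(printf '%s\n' "$2" | awk -v h="$1" \
          '$1 == h && $3 == "255.255.255.255" { print $NF; exit }')
    [ -n "$hit" ] && printf '%s\n' "$hit" || default_iface "$2"
}

# The IKE exchange with the concentrator must leave on the physical interface,
# not inside the tunnel it is building; return 1 if both share an interface.
check_layout() {
    [ "$(iface_for_host "$1" "$2")" != "$(default_iface "$2")" ]
}

# Emit the zones, interfaces, policy and tunnels entries, one per line,
# prefixed with the file they belong in. Arguments: gateway, routing table.
shorewall_entries() {
    gw=$1; routes=$2
    vpn=$(default_iface "$routes"); lan=$(iface_for_host "$gw" "$routes")
    printf 'zones: net Net Internet via vpnc tunnel\n'
    printf 'zones: loc Loc DHCP subnet carrying the concentrator\n'
    printf 'interfaces: net %s detect routefilter\n' "$vpn"
    printf 'interfaces: loc %s detect dhcp\n' "$lan"
    printf 'policy: fw all ACCEPT\n'
    printf 'policy: net all DROP info\n'
    printf 'policy: loc all DROP info\n'
    printf 'policy: all all REJECT info\n'
    # IKE negotiates on UDP 500 (add udp:4500 when NAT traversal is in use).
    printf 'tunnels: generic:udp:500 loc %s\n' "$gw"
}
```

The zone in the tunnels entry is the zone through which the concentrator is reached (here loc on eth0), so it changes whenever the zone names change.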