hi all,

I have a problem with a VPN server (poptop) behind a shorewall firewall.
according to http://www.shorewall.net/PPTP.htm#ServerBehind (and because the fw has multiple external IP addresses) I have:

/etc/shorewall/rules:

    ###############################################################
    #ACTION  SOURCE  DEST           PROTO  DEST     SOURCE   ORIGINAL
    #                                      PORT     PORT(S)  DEST
    #
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    DNAT     ext     dmz:$DMZ_VPN   tcp    1723     -        $EXT_VPN
    DNAT     ext     dmz:$DMZ_VPN   47     -        -        $EXT_VPN
    DNAT     ext     dmz:$DMZ_VPN   icmp   -        -        $EXT_VPN

$EXT_VPN=A.B.C.105 (defined in /etc/shorewall/params)

# shorewall version 3.2.3

now, if I do a (in the fw):

    # tcpdump tcp port 1723 or proto 47

I see this:

    15:34:42.599363 A.B.C.105.1723 > 200.51.45.27.3204: . ack 349 win 5840 (DF)
    15:34:45.229530 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:1 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876, PFC, ACFC (DF)
                    ^^^^^^^^^ -> this is wrong ! should be A.B.C.105
    15:34:48.239518 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:2 ppp: Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876, PFC, ACFC (DF)
    ... [snip; it tries 10 times] ...
    15:35:12.331008 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349 win 5840 (DF)
    15:35:13.489379 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349 win 5840 (DF)
    15:35:13.925613 200.51.45.27.3204 > A.B.C.5.1723: F 349:349(0) ack 190 win 64672 (DF)
    15:35:13.925658 A.B.C.5.1723 > 200.51.45.27.3204: . ack 350 win 5840 (DF)

as you can see, the TCP/port 1723 is correctly SNAT'ed with A.B.C.105, BUT the protocol 47 (GRE) is NOT !

I also tried with:

    # cat /etc/shorewall/masq
    ###############################################################################
    #INTERFACE  SUBNET  ADDRESS       PROTO  PORT(S)  IPSEC
    eth0        eth1    $EXT_SALIDA
    eth0        eth3    $EXT_SALIDA
    eth0        eth1    $EXT_VPN      47

but the problem remains, the protocol 47 is not being SNAT'ed with the correct external IP.

any idea ??

Best regards,
--
Lic. Sergio A. Kessler
Departamento de Informática
INCUCAI
TE 4788-8300 (118)

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Sergio A. Kessler wrote:
> I also tried with:
>
>     # cat /etc/shorewall/masq
>     ###############################################################################
>     #INTERFACE  SUBNET  ADDRESS       PROTO  PORT(S)  IPSEC
>     eth0        eth1    $EXT_SALIDA
>     eth0        eth3    $EXT_SALIDA
>     eth0        eth1    $EXT_VPN      47
>
> but the problem remains, the protocol 47 is not being SNAT'ed with the correct external IP.

Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is the one that is used.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
hi tom,

Tom Eastep wrote:
> Sergio A. Kessler wrote:
>> I also tried with:
>>
>>     # cat /etc/shorewall/masq
>>     ###############################################################################
>>     #INTERFACE  SUBNET  ADDRESS       PROTO  PORT(S)  IPSEC
>>     eth0        eth1    $EXT_SALIDA
>>     eth0        eth3    $EXT_SALIDA
>>     eth0        eth1    $EXT_VPN      47
>>
>> but the problem remains, the protocol 47 is not being SNAT'ed with the correct external IP.
>
> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is the one that is used.

yes !! it worked !
thanks tom !

anyway, I'm still wondering why the rule -- in /etc/shorewall/rules

    DNAT     ext     dmz:$DMZ_VPN   47     -        -        $EXT_VPN

is not working as I expected...

thanks,
/sergio
Sergio A. Kessler wrote:
> hi tom,
>
> Tom Eastep wrote:
>> Sergio A. Kessler wrote:
>>> I also tried with:
>>>
>>>     # cat /etc/shorewall/masq
>>>     ###############################################################################
>>>     #INTERFACE  SUBNET  ADDRESS       PROTO  PORT(S)  IPSEC
>>>     eth0        eth1    $EXT_SALIDA
>>>     eth0        eth3    $EXT_SALIDA
>>>     eth0        eth1    $EXT_VPN      47
>>>
>>> but the problem remains, the protocol 47 is not being SNAT'ed with the correct external IP.
>>
>> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is the one that is used.
>
> yes !! it worked !
> thanks tom !
>
> anyway, I'm still wondering why the rule -- in /etc/shorewall/rules
>
>     DNAT     ext     dmz:$DMZ_VPN   47     -        -        $EXT_VPN
>
> is not working as I expected...

It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client. Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP from other traffic -- so you must include the entry in /etc/shorewall/masq to make that work.

If you load the kernel pptp helper modules (ipt_conntract_pptp and ipt_nat_pptp), you won't need the masq entry (or that's my understanding -- I haven't tried it).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
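To make the first-match point concrete, here is an added Python model (not Shorewall's own code) of how /etc/shorewall/masq picks the SNAT address, run over the two orderings from this thread, plus a check over a capture excerpt for GRE packets that left with the wrong source. The value of $EXT_SALIDA is assumed (A.B.C.100), the capture excerpt is constructed from the thread's tcpdump output, and the DNAT reverse mapping that already fixes the TCP 1723 replies is outside the model.

```python
import re

EXT_SALIDA = "A.B.C.100"   # assumed value: the general outbound SNAT address
EXT_VPN = "A.B.C.105"      # from the thread: the PPTP server's public address

# /etc/shorewall/masq entries as (out_iface, src_iface, snat_address, proto);
# proto None means the entry matches any protocol, as in the thread's file.
MASQ_AS_POSTED = [
    ("eth0", "eth1", EXT_SALIDA, None),
    ("eth0", "eth3", EXT_SALIDA, None),
    ("eth0", "eth1", EXT_VPN, 47),
]
# Tom's fix: the GRE-specific entry moved to the top of the file.
MASQ_GRE_FIRST = [MASQ_AS_POSTED[2], MASQ_AS_POSTED[0], MASQ_AS_POSTED[1]]


def snat_address(masq, out_iface, src_iface, proto):
    """First matching masq entry wins; an entry with no PROTO matches all."""
    for entry_out, entry_src, address, entry_proto in masq:
        if (entry_out, entry_src) != (out_iface, src_iface):
            continue
        if entry_proto is None or entry_proto == proto:
            return address
    return None  # no entry: the packet leaves with its private source address


# Outbound GRE as tcpdump prints it: "<time> <src> > <dst>: gre ..."
GRE_LINE = re.compile(r"^\S+ (\S+) > \S+: gre\b")


def gre_with_wrong_source(capture, expected):
    """Source addresses of outbound GRE packets that did not get `expected`."""
    return [m.group(1) for m in map(GRE_LINE.match, capture.splitlines())
            if m and m.group(1) != expected]


# Constructed excerpt modelled on the thread's capture (server-initiated GRE).
CAPTURE = """\
15:34:42.599363 A.B.C.105.1723 > 200.51.45.27.3204: . ack 349 win 5840 (DF)
15:34:45.229530 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:1 ppp: Conf-Req(1)
15:34:48.239518 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:2 ppp: Conf-Req(1)
"""

if __name__ == "__main__":
    gre = 47
    print("as posted :", snat_address(MASQ_AS_POSTED, "eth0", "eth1", gre))
    print("GRE first :", snat_address(MASQ_GRE_FIRST, "eth0", "eth1", gre))
    print("bad GRE   :", gre_with_wrong_source(CAPTURE, EXT_VPN))
```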
Tom Eastep wrote:
> It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client. Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP from other traffic -- so you must include the entry in /etc/shorewall/masq to make that work.

I have updated the Shorewall PPTP documentation to include that entry.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Sep-26 21:22 UTC
Re: shorewall not doing SNAT for proto GRE ? (with correct module names)
Tom Eastep wrote:
> If you load the kernel pptp helper modules (ipt_conntract_pptp and ipt_nat_pptp), you won't need the masq entry (or that's my understanding -- I haven't tried it).

I got the module names wrong -- should be:

    ip_conntrack_pptp
    ip_nat_pptp

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Sergio A. Kessler wrote:
>> hi tom,
>>
>> Tom Eastep wrote:
>>> Sergio A. Kessler wrote:
>>>> I also tried with:
>>>>
>>>>     # cat /etc/shorewall/masq
>>>>     ###############################################################################
>>>>     #INTERFACE  SUBNET  ADDRESS       PROTO  PORT(S)  IPSEC
>>>>     eth0        eth1    $EXT_SALIDA
>>>>     eth0        eth3    $EXT_SALIDA
>>>>     eth0        eth1    $EXT_VPN      47
>>>>
>>>> but the problem remains, the protocol 47 is not being SNAT'ed with the correct external IP.
>>>
>>> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is the one that is used.
>>
>> yes !! it worked !
>> thanks tom !
>>
>> anyway, I'm still wondering why the rule -- in /etc/shorewall/rules
>>
>>     DNAT     ext     dmz:$DMZ_VPN   47     -        -        $EXT_VPN
>>
>> is not working as I expected...
>
> It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client.

aha, *before* being the key, I understand now...
thanks Tom !

> Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP from other traffic -- so you must include the entry in /etc/shorewall/masq to make that work.
>
> If you load the kernel pptp helper modules (ipt_conntract_pptp and ipt_nat_pptp), you won't need the masq entry (or that's my understanding -- I haven't tried it).