hi all,
I have a problem with a VPN server (poptop) behind a shorewall firewall.
according to http://www.shorewall.net/PPTP.htm#ServerBehind
(and because the fw has multiple external IP addresses) I have:
/etc/shorewall/rules:
###############################################################
#ACTION   SOURCE   DEST           PROTO   DEST    SOURCE    ORIGINAL
#                                         PORT    PORT(S)   DEST
#
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT      ext      dmz:$DMZ_VPN   tcp     1723    -         $EXT_VPN
DNAT      ext      dmz:$DMZ_VPN   47      -       -         $EXT_VPN
DNAT      ext      dmz:$DMZ_VPN   icmp    -       -         $EXT_VPN
$EXT_VPN=A.B.C.105 (defined in /etc/shorewall/params)
# shorewall version
3.2.3
now, if I do (on the fw):
# tcpdump tcp port 1723 or proto 47
I see this:
15:34:42.599363 A.B.C.105.1723 > 200.51.45.27.3204: . ack 349 win 5840 (DF)
15:34:45.229530 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:1 ppp:
^^^^^^^^^
\ -> this is wrong ! should be A.B.C.105
Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876,
PFC, ACFC (DF)
15:34:48.239518 A.B.C.100 > 200.51.45.27: gre [KSv1] ID:8000 S:2 ppp:
Conf-Req(1), ACCM=00000000, Auth-Prot CHAP/MSCHAPv2, Magic-Num=83484876,
PFC, ACFC (DF)
...
[snip; it tries 10 times]
...
15:35:12.331008 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349
win 5840 (DF)
15:35:13.489379 A.B.C.105.1723 > 200.51.45.27.3204: F 189:189(0) ack 349
win 5840 (DF)
15:35:13.925613 200.51.45.27.3204 > A.B.C.5.1723: F 349:349(0) ack 190
win 64672 (DF)
15:35:13.925658 A.B.C.5.1723 > 200.51.45.27.3204: . ack 350 win 5840 (DF)
as you can see, the TCP/port 1723 is correctly SNAT'ed with A.B.C.105,
BUT the protocol 47 (GRE) is NOT !
I also tried with:
# cat /etc/shorewall/masq
###############################################################################
#INTERFACE   SUBNET   ADDRESS        PROTO   PORT(S)   IPSEC
eth0         eth1     $EXT_SALIDA
eth0         eth3     $EXT_SALIDA
eth0         eth1     $EXT_VPN       47
but the problem remains,
the protocol 47 is not being SNAT'ed with the correct external IP.
any idea ??
Regards,
--
Lic. Sergio A. Kessler
Departamento de Informática
INCUCAI TE 4788-8300 (118)
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
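One way to spot the asymmetry Sergio describes without reading the capture by eye, as an added example that is not part of the original thread: a small Python check that parses tcpdump lines like the ones above and reports server-to-client packets whose source address differs from the one used on the TCP/1723 control channel. The sample capture is constructed, with documentation addresses standing in for A.B.C and the real client.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of the tcpdump output quoted above:
# 192.0.2.0/24 stands in for the "A.B.C" block, 203.0.113.27 for the client.
SAMPLE_CAPTURE = """\
15:34:42.599363 192.0.2.105.1723 > 203.0.113.27.3204: . ack 349 win 5840 (DF)
15:34:45.229530 192.0.2.100 > 203.0.113.27: gre [KSv1] ID:8000 S:1 ppp: Conf-Req(1)
15:34:48.239518 192.0.2.100 > 203.0.113.27: gre [KSv1] ID:8000 S:2 ppp: Conf-Req(1)
15:35:12.331008 192.0.2.105.1723 > 203.0.113.27.3204: F 189:189(0) ack 349 win 5840 (DF)
15:35:13.925613 203.0.113.27.3204 > 192.0.2.105.1723: F 349:349(0) ack 190 win 64672 (DF)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# "ts src.port > dst.port: ..." for TCP, "ts src > dst: gre ..." for GRE
TCP_RE = re.compile(rf"^(\S+) {IP}\.(\d+) > {IP}\.(\d+): ")
GRE_RE = re.compile(rf"^(\S+) {IP} > {IP}: gre\b")


def pptp_source_mismatches(capture: str, client: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, kind, src) for each server->client packet whose source
    address differs from the one the TCP/1723 control connection is NATed to.
    An empty list means control channel and GRE tunnel share one external IP."""
    control_src = None
    outbound: List[Tuple[str, str, str]] = []
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m and m.group(4) == client and m.group(3) == "1723":
            control_src = control_src or m.group(2)
            outbound.append((m.group(1), "tcp/1723", m.group(2)))
            continue
        m = GRE_RE.match(line)
        if m and m.group(3) == client:
            outbound.append((m.group(1), "gre", m.group(2)))
    if control_src is None:  # no control traffic seen: nothing to compare against
        return []
    return [pkt for pkt in outbound if pkt[2] != control_src]


if __name__ == "__main__":
    for ts, kind, src in pptp_source_mismatches(SAMPLE_CAPTURE, "203.0.113.27"):
        print(f"{ts} {kind} left with source {src}, not the control-channel address")
```

On the constructed capture the two GRE packets are reported, which is exactly the symptom in the thread; a capture taken after the masq fix yields an empty list.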
Sergio A. Kessler wrote:
> I also tried with:
> # cat /etc/shorewall/masq
> ###############################################################################
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth0 eth1 $EXT_SALIDA
> eth0 eth3 $EXT_SALIDA
> eth0 eth1 $EXT_VPN 47
>
> but the problem remains,
> the protocol 47 is not being SNAT'ed with the correct external IP.

Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is
the one that is used.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
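Tom's point that the first matching entry in /etc/shorewall/masq wins can be checked before reloading the firewall. The Python below is an added example, not Shorewall's own parser: it reads the two orderings from this thread (constructed copies, $-variables left unresolved), shows which ADDRESS a GRE packet from eth1 leaving eth0 would be SNATed to, and flags entries that an earlier, broader entry shadows. It handles only the four columns used here.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class MasqEntry(NamedTuple):
    iface: str    # INTERFACE: outgoing interface
    subnet: str   # SUBNET: source interface name or network in CIDR form
    address: str  # ADDRESS: source address to SNAT to (may be a $variable)
    proto: str    # PROTO: "" means any protocol

# Constructed copies of the two orderings discussed in the thread.
MASQ_AS_POSTED = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1 $EXT_SALIDA
eth0 eth3 $EXT_SALIDA
eth0 eth1 $EXT_VPN 47
"""
MASQ_GRE_FIRST = """\
eth0 eth1 $EXT_VPN 47
eth0 eth1 $EXT_SALIDA
eth0 eth3 $EXT_SALIDA
"""

def parse_masq(text: str) -> List[MasqEntry]:
    entries = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if cols:
            cols += [""] * (4 - len(cols))   # pad missing ADDRESS/PROTO columns
            entries.append(MasqEntry(*cols[:4]))
    return entries

def _subnet_matches(subnet: str, src_iface: str, src_ip: str) -> bool:
    if subnet[0].isdigit():  # CIDR form, e.g. 10.0.0.0/8; otherwise an interface name
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet, strict=False)
    return subnet == src_iface

def first_match(entries: List[MasqEntry], out_iface: str, src_iface: str,
                src_ip: str, proto: str) -> Optional[MasqEntry]:
    """Shorewall applies the first masq entry that matches, so order matters."""
    for e in entries:
        if (e.iface == out_iface and _subnet_matches(e.subnet, src_iface, src_ip)
                and e.proto in ("", proto)):
            return e
    return None

def shadowed_entries(entries: List[MasqEntry]) -> List[MasqEntry]:
    """Entries that can never match because an earlier, broader entry wins first."""
    return [e for i, e in enumerate(entries)
            if any(p.iface == e.iface and p.subnet == e.subnet and p.proto in ("", e.proto)
                   for p in entries[:i])]
```

With the order as posted, GRE from eth1 resolves to $EXT_SALIDA and the `47` entry is reported as shadowed; with the GRE entry first it resolves to $EXT_VPN and nothing is shadowed.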
hi tom,

Tom Eastep wrote:
> Sergio A. Kessler wrote:
>
>> I also tried with:
>> # cat /etc/shorewall/masq
>> ###############################################################################
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth0 eth1 $EXT_SALIDA
>> eth0 eth3 $EXT_SALIDA
>> eth0 eth1 $EXT_VPN 47
>>
>> but the problem remains,
>> the protocol 47 is not being SNAT'ed with the correct external IP.
>
> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is
> the one that is used.

yes !! it worked !
thanks tom !

anyway, I'm still wondering why the rule -- in /etc/shorewall/rules

DNAT ext dmz:$DMZ_VPN 47 - - $EXT_VPN

is not working as I expected...

thanks,
/sergio
Sergio A. Kessler wrote:
> hi tom,
>
> Tom Eastep wrote:
>> Sergio A. Kessler wrote:
>>
>>> I also tried with:
>>> # cat /etc/shorewall/masq
>>> ###############################################################################
>>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>>> eth0 eth1 $EXT_SALIDA
>>> eth0 eth3 $EXT_SALIDA
>>> eth0 eth1 $EXT_VPN 47
>>>
>>> but the problem remains,
>>> the protocol 47 is not being SNAT'ed with the correct external IP.
>> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is
>> the one that is used.
>
> yes !! it worked !
> thanks tom !
>
> anyway, I'm still wondering why the rule -- in /etc/shorewall/rules
>
> DNAT ext dmz:$DMZ_VPN 47 - - $EXT_VPN
>
> is not working as I expected...

It is working exactly as you *should* expect. The problem is that the
server is sending GRE packets before the client. Normally, that is not a
problem because all outbound traffic is SNATed through the same IP
address. In your case, you want it to get a different source IP from
other traffic -- so you must include the entry in /etc/shorewall/masq to
make that work.

If you load the kernel pptp helper modules (ipt_conntract_pptp and
ipt_nat_pptp), you won't need the masq entry (or that's my understanding
-- I haven't tried it).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> It is working exactly as you *should* expect. The problem is that the
> server is sending GRE packets before the client. Normally, that is not a
> problem because all outbound traffic is SNATed through the same IP
> address. In your case, you want it to get a different source IP from
> other traffic -- so you must include the entry in /etc/shorewall/masq to
> make that work.

I have updated the Shorewall PPTP documentation to include that entry.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-Sep-26 21:22 UTC
Re: shorewall not doing SNAT for proto GRE ? (with correct module names)
Tom Eastep wrote:
>
> If you load the kernel pptp helper modules (ipt_conntract_pptp and
> ipt_nat_pptp), you won't need the masq entry (or that's my understanding
> -- I haven't tried it).

I got the module names wrong -- should be:

ip_conntrack_pptp
ip_nat_pptp

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Sergio A. Kessler wrote:
>> hi tom,
>>
>> Tom Eastep wrote:
>>> Sergio A. Kessler wrote:
>>>
>>>> I also tried with:
>>>> # cat /etc/shorewall/masq
>>>> ###############################################################################
>>>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>>>> eth0 eth1 $EXT_SALIDA
>>>> eth0 eth3 $EXT_SALIDA
>>>> eth0 eth1 $EXT_VPN 47
>>>>
>>>> but the problem remains,
>>>> the protocol 47 is not being SNAT'ed with the correct external IP.
>>> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is
>>> the one that is used.
>> yes !! it worked !
>> thanks tom !
>>
>> anyway, I'm still wondering why the rule -- in /etc/shorewall/rules
>>
>> DNAT ext dmz:$DMZ_VPN 47 - - $EXT_VPN
>>
>> is not working as I expected...
>
> It is working exactly as you *should* expect. The problem is that the
> server is sending GRE packets before the client.

aha, *before* being the key, I understand now...
thanks Tom !

> Normally, that is not a
> problem because all outbound traffic is SNATed through the same IP
> address. In your case, you want it to get a different source IP from
> other traffic -- so you must include the entry in /etc/shorewall/masq to
> make that work.
>
> If you load the kernel pptp helper modules (ipt_conntract_pptp and
> ipt_nat_pptp), you won't need the masq entry (or that's my understanding
> -- I haven't tried it).