I have seen lots of posts regarding VPN tunnels, but I'm still not getting the Shorewall config right, so here is my first post asking for help!

I'm running Shorewall version 3.4.1 in a 2-interface DNAT masquerading configuration, and apart from keeping up to date, this has been happy for well over a year now.

The problem comes when I attach a laptop to my internal ("loc") network that runs an application which listens for an incoming connection. The connection is mediated over a "FirePass" (F5, ssh) VPN tunnel into my office network. The VPN endpoint machinery allocates an IP address and propagates that around the Office network in the usual DHCP dDNS style. I know which ports I'm listening on at the laptop.

So how do I tell Shorewall that this particular laptop can receive connections from the office network on these ports, given that I don't know what IP has been allocated at the VPN endpoint?

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
On 4/27/07, Mark J Hewitt <mjh@elsabio.demon.co.uk> wrote:
> I have seen lots of posts regarding VPN tunnels, but I'm still not
> getting the Shorewall config right, so here is my first post asking for
> help!

I think that you're going to have to make a nice network diagram and
host it somewhere. I can't understand what your network looks like.

Prasanna.
Not sure about nice, but let's try this very simplified picture:

Laptop (SSL VPN Endpoint)
   |
   +-----------+---------- (Home LAN)
               |
        Firewall (Shorewall, DNAT config)
               |
        Big Bad Internet
               |
        Office VPN Endpoint
               |
-----+---+---+---+---+----- (Office LAN)
               |
           My Server

So I have a listener on the Laptop.
There is a server process on My Server that wants to connect to that listener.
When the Laptop connects, it is given a DHCP allocated IP etc.

So my question is - How do I make the port(s) on which the laptop is listening accessible to the process on My Server?

Thanks!

Prasanna Krishnamoorthy wrote:
> On 4/27/07, Mark J Hewitt <mjh@elsabio.demon.co.uk> wrote:
>> I have seen lots of posts regarding VPN tunnels, but I'm still not
>> getting the Shorewall config right, so here is my first post asking for
>> help!
> I think that you're going to have to make a nice network diagram and
> host it somewhere. I can't understand what your network looks like.
>
> Prasanna.
Mark J Hewitt wrote:
> Not sure about nice, but let's try this very simplified picture:
>
> Laptop (SSL VPN Endpoint)
>    |
>    +-----------+---------- (Home LAN)
>                |
>         Firewall (Shorewall, DNAT config)
>                |
>         Big Bad Internet
>                |
>         Office VPN Endpoint
>                |
> -----+---+---+---+---+----- (Office LAN)
>                |
>            My Server
>
>
> So I have a listener on the Laptop.
> There is a server process on My Server that wants to connect to that
> listener.
> When the Laptop connects, it is given a DHCP allocated IP etc.
>
> So my question is - How do I make the port(s) on which the laptop is
> listening accessible to the process on My Server?

So your laptop builds a VPN tunnel to the office network, and gets an address from the office? This is how I believe it normally works.

If this is the case then you do nothing in Shorewall as it takes no part in managing traffic across the VPN (it only has to pass the encrypted packets). The server simply connects to the OFFICE IP address given to the client by the office VPN gateway and the VPN system will take care of passing them along to the laptop.
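The reply above says the firewall is not involved: the office server connects to the address the VPN gateway handed to the laptop, and the tunnel delivers the packets. What can still break the connection is the laptop itself, if the listening application is bound only to the home-LAN address rather than to the wildcard address or the tunnel address. The script below is an added diagnostic for that check and is not part of the original thread or of Shorewall. It assumes a Linux laptop where the FirePass client creates an interface called tun0 and the ss and ip tools are available; the port numbers (22, 5000, 6000), the addresses, and the sample command outputs are constructed for offline use.

```shell
#!/bin/sh
# Added diagnostic for the laptop side of the setup discussed above.
# Assumptions (not from the thread): the laptop runs Linux, the FirePass
# client creates a tun0 interface, and the "ss"/"ip" tools are present.
# The sample outputs below are constructed so the script runs offline.

SAMPLE_IP_ADDR='3: tun0    inet 10.8.0.12/24 scope global tun0\       valid_lft forever preferred_lft forever'

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      192.168.1.20:5000   0.0.0.0:*
LISTEN 0      5      10.8.0.12:6000      0.0.0.0:*'

# tunnel_addr IFACE [IP_ADDR_OUTPUT]
# Prints the IPv4 address the VPN gateway assigned to IFACE, parsed from
# "ip -4 -o addr show dev IFACE" (or from the text given as $2).
tunnel_addr() {
  iface=$1
  text=${2:-$(ip -4 -o addr show dev "$iface" 2>/dev/null)}
  printf '%s\n' "$text" | awk -v i="$iface" '
    $2 == i && $3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# listener_reachable TUNNEL_ADDR PORT [SS_OUTPUT]
# Succeeds if a TCP listener on PORT is bound to the wildcard address or to
# TUNNEL_ADDR, i.e. if a connection arriving through the tunnel can be
# accepted. A listener bound only to the home-LAN address is reported as
# unreachable: the office server's SYN would be refused by the laptop
# itself, not by Shorewall. IPv4 only; parsed from "ss -ltn" (or from the
# text given as $3).
listener_reachable() {
  addr=$1
  port=$2
  text=${3:-$(ss -ltn 2>/dev/null)}
  printf '%s\n' "$text" | awk -v a="$addr" -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, f, ":")        # last field is the port, first the address
      la = f[1]; lp = f[n]
      if (lp == p && (la == "0.0.0.0" || la == "*" || la == a)) found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# Stand-alone demonstration against the constructed samples.
vpn_ip=$(tunnel_addr tun0 "$SAMPLE_IP_ADDR")
for port in 22 5000 6000; do
  if listener_reachable "$vpn_ip" "$port" "$SAMPLE_LISTENERS"; then
    echo "port $port: reachable on tunnel address $vpn_ip"
  else
    echo "port $port: NOT bound on $vpn_ip (check the listener's bind address)"
  fi
done
```

On a real laptop, drop the third argument so the functions read the live ss and ip output; in the constructed sample, port 5000 is bound only to the home-LAN address 192.168.1.20 and is reported as unreachable, which is the case this check is meant to catch.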