I am trying to set up a single PC (no LAN) as a VPN client, using shorewall and racoon under Debian 4 (kernel 2.6.18). The PC is connected to a cable modem on eth0. I am finding that I cannot even ping any addresses on the remote LAN; the trace in /var/log/messages does not show any communication with the VPN gateway when I attempt it.

No errors are reported during the start-up of shorewall. Running "shorewall show messages" gives the error:

iptables: No chain/target/match by that name

However, running "shorewall check" does not find any problems with my kernel configuration. There is no entry in the routing tables for the VPN gateway or remote LAN.
My shorewall configuration is:

/etc/shorewall/tunnels:

ipsec:noah   net   80.168.19.2

/etc/shorewall/hosts:

#ZONE   HOST(S)              OPTIONS
vpn     eth0:192.0.2.0/24

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
vpn     ipsec0
net     eth0        detect      dhcp

/etc/shorewall/zones:

fw      firewall
vpn     ipv4        proto=esp,mode=tunnel
net     ipv4

/etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       vpn    ACCEPT   info
vpn       $FW    ACCEPT   info
vpn       net    ACCEPT   info
$FW       net    ACCEPT   info
net       all    DROP     info
all       all    REJECT   info

/etc/shorewall/rules:

#ACTION   SOURCE             DEST               PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT    $FW                vpn:80.168.19.2    udp     500
ACCEPT    vpn:80.168.19.2    $FW                udp     500
ACCEPT    $FW                vpn:80.168.19.2    50
ACCEPT    vpn:80.168.19.2    $FW                50
ACCEPT    $FW                vpn:80.168.19.2    51
ACCEPT    vpn:80.168.19.2    $FW                51
Is there anything wrong with this configuration? Could there be another problem? Any help would be appreciated.

Daniel
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Daniel Everett wrote:

> I am trying to set up a single PC (no LAN) as a VPN client, using shorewall and racoon under Debian 4 (kernel 2.6.18). The PC is connected to a cable modem on eth0. I am finding that I cannot even ping any addresses on the remote LAN; the trace in /var/log/messages does not show any communication with the VPN gateway when I attempt it.
>
> No errors are reported during the start-up of shorewall. Running "shorewall show messages" gives the error:
>
> iptables: No chain/target/match by that name

Shorewall has no 'show messages' command. Did you possibly want 'shorewall show log'?

> However, running "shorewall check" does not find any problems with my kernel configuration. There is no entry in the routing tables for the VPN gateway or remote LAN.

That is normal under Racoon.

> My shorewall configuration is:
>
> /etc/shorewall/tunnels:
>
> ipsec:noah   net   80.168.19.2
>
> /etc/shorewall/hosts:
>
> #ZONE   HOST(S)              OPTIONS
> vpn     eth0:192.0.2.0/24
>
> /etc/shorewall/interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> vpn     ipsec0

The above is not correct -- remove it.

> net     eth0        detect      dhcp
>
> /etc/shorewall/zones:
>
> fw      firewall
> vpn     ipv4        proto=esp,mode=tunnel

The zone type should be 'ipsec', not 'ipv4'; either that or you need to specify 'ipsec' in the OPTIONS in your /etc/shorewall/hosts entry.

> net     ipv4
>
> /etc/shorewall/policy:
> [...]
>
> /etc/shorewall/rules:
> [...]
>
> Is there anything wrong with this configuration?

Please see my comments above.

> Could there be another problem?

Sure. Start by removing Shorewall from the equation (temporarily 'shorewall clear'). Once the VPN is working, then correct your Shorewall configuration and 'shorewall start'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
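Tom's three corrections, collected into one configuration as an added example (this is not something posted in the thread, and it is not taken from the Shorewall documentation): the vpn zone gets type ipsec, which is where the mode=tunnel,proto=esp options belong; the ipsec0 line leaves the interfaces file, because the native kernel 2.6 IPsec stack that racoon drives creates no ipsec0 device; and the hosts entry stays as Daniel wrote it. The alternative Tom mentions, keeping the zone as ipv4 and putting ipsec in the OPTIONS column of the hosts entry, is shown at the end. The column headers follow the Shorewall 3.x file layout and are an assumption about that version; the addresses 192.0.2.0/24 and 80.168.19.2 are the ones from Daniel's post, and his policy and rules files are not repeated here.

```text
# /etc/shorewall/zones  (zone type 'ipsec' instead of 'ipv4')
#ZONE   TYPE       OPTIONS                 IN_OPTIONS   OUT_OPTIONS
fw      firewall
vpn     ipsec      mode=tunnel,proto=esp
net     ipv4

# /etc/shorewall/interfaces  (no 'vpn ipsec0' line: kernel 2.6 IPsec has no ipsec0 device)
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp

# /etc/shorewall/hosts  (the vpn zone is the remote LAN as seen through eth0)
#ZONE   HOST(S)              OPTIONS
vpn     eth0:192.0.2.0/24

# /etc/shorewall/tunnels  (unchanged; the ':noah' suffix means IPsec without AH,
# so this entry already opens IKE on udp 500 and ESP between $FW and the gateway)
#TYPE        ZONE   GATEWAY
ipsec:noah   net    80.168.19.2

# Alternative Tom mentions: keep the zone type ipv4 and mark the hosts entry 'ipsec' instead.
#ZONE   TYPE       OPTIONS
vpn     ipv4
#ZONE   HOST(S)              OPTIONS
vpn     eth0:192.0.2.0/24    ipsec
```

Either form makes Shorewall match vpn traffic by its IPsec policy (the iptables policy match) rather than by a device name, which is what the ipsec0 entry was wrongly trying to do. Tom's ordering still applies: get the tunnel up with 'shorewall clear' in effect, then 'shorewall start' with the corrected files and look at 'shorewall show log' if anything is dropped.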
On Thu, Jun 28, 2007 at 06:53:21AM -0700, Tom Eastep wrote:

>>> No errors are reported during the start-up of shorewall. Running "shorewall show messages" gives the error:
>>>
>>> iptables: No chain/target/match by that name
>
> Shorewall has no 'show messages' command. Did you possibly want 'shorewall show log'?

Perhaps this syntax wants rethinking - arguments of the form [foo|bar|baz|<anything else>] are usually trouble, as you can't give a particularly good error message when the user makes a mistake like this.
Andrew Suffield wrote:

> On Thu, Jun 28, 2007 at 06:53:21AM -0700, Tom Eastep wrote:
>>>> No errors are reported during the start-up of shorewall. Running "shorewall show messages" gives the error:
>>>>
>>>> iptables: No chain/target/match by that name
>> Shorewall has no 'show messages' command. Did you possibly want 'shorewall show log'?
>
> Perhaps this syntax wants rethinking - arguments of the form [foo|bar|baz|<anything else>] are usually trouble, as you can't give a particularly good error message when the user makes a mistake like this.

Making a syntax change at this point would mean that many pieces of advice recorded in the list archives would no longer work.

So I'm not in favor of such a change at this late date.

-Tom
Tom Eastep wrote:

> Andrew Suffield wrote:
>> Perhaps this syntax wants rethinking - arguments of the form [foo|bar|baz|<anything else>] are usually trouble, as you can't give a particularly good error message when the user makes a mistake like this.
>
> Making a syntax change at this point would mean that many pieces of advice recorded in the list archives would no longer work.
>
> So I'm not in favor of such a change at this late date.

Where there's a will, there's a way:

gateway:/etc/shorewall.keep # shorewall show chain foo
Shorewall 3.4.4 Chain foo at gateway - Thu Jun 28 10:58:51 PDT 2007

Counters reset Wed Jun 27 13:28:16 PDT 2007

iptables: No chain/target/match by that name
gateway:/etc/shorewall.keep # shorewall show foo
usage shorewall show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ chain...
gateway:/etc/shorewall.keep #

-Tom
Tom Eastep wrote:

> Where there's a will, there's a way:
>
> gateway:/etc/shorewall.keep # shorewall show chain foo
> Shorewall 3.4.4 Chain foo at gateway - Thu Jun 28 10:58:51 PDT 2007
>
> Counters reset Wed Jun 27 13:28:16 PDT 2007
>
> iptables: No chain/target/match by that name
> gateway:/etc/shorewall.keep # shorewall show foo
> usage shorewall show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ chain...
> gateway:/etc/shorewall.keep #

and:

gateway:/etc/shorewall.keep # shorewall show dynamic
Shorewall 3.4.4 Chain dynamic at gateway - Thu Jun 28 11:03:04 PDT 2007

Counters reset Wed Jun 27 13:28:16 PDT 2007

Chain dynamic (18 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       206.124.57.2         0.0.0.0/0
gateway:/etc/shorewall.keep #
I use squid and shorewall on my Suse10.2. I have set up squid as a transparent proxy and I use a shorewall redirect rule. But this does not work for the https requests. Is there a way to use the transparent proxy for http requests and just let https requests pass through the firewall?

Thanks,
Manooch

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, June 28, 2007 11:04 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem setting up VPN client - novice question

> [...]
Manooch,

Please don't hijack someone else's thread -- start a new thread.

mehrm wrote:

> I use squid and shorewall on my Suse10.2. I have set up squid as a transparent proxy and I use a shorewall redirect rule. But this does not work for the https requests. Is there a way to use the transparent proxy for http requests and just let https requests pass through the firewall?

From http://www.shorewall.net/Shorewall_Squid_Usage.htm:

    Important

    This section gives instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).

-Tom
Tom Eastep wrote:

> Manooch,
>
> Please don't hijack someone else's thread -- start a new thread.
>
> mehrm wrote:
>> I use squid and shorewall on my Suse10.2. I have set up squid as a transparent proxy and I use a shorewall redirect rule. But this does not work for the https requests. Is there a way to use the transparent proxy for http requests and just let https requests pass through the firewall?
>
> From http://www.shorewall.net/Shorewall_Squid_Usage.htm:
>
>     Important
>
>     This section gives instructions for transparent proxying of HTTP. HTTPS (normally TCP port 443) cannot be proxied transparently (stop and think about it for a minute; if HTTPS could be transparently proxied, then how secure would it be?).

And if you follow the instructions in the above article, it will work just the way that you want it to.

-Tom
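What "it will work just the way that you want it to" comes down to, written out as an added example that is not taken from the linked article or from Manooch's configuration: only port 80 is redirected into Squid, and port 443 is accepted straight through the firewall, so browsers negotiate TLS end-to-end with the origin server and Squid never has to impersonate it. The layout assumes Squid running on the firewall and listening on 3128, the LAN in a zone called loc, and 203.0.113.10 as a placeholder for the firewall's own external address; the squid.conf line uses the 'transparent' keyword of Squid 2.x, which later Squid releases spell differently.

```text
# /etc/shorewall/rules  (Squid on the firewall, LAN in zone 'loc')
#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
SECTION NEW

# Wrong (hypothetical, the kind of rule that breaks every https session): sending
# port 443 into Squid as well. Squid cannot present the origin server's certificate,
# so the browser sees a certificate mismatch, which is exactly the point Tom makes.
#REDIRECT  loc      3128   tcp     www,https

# Right: intercept plain http only. The exclusion keeps requests aimed at the
# firewall's own address (placeholder 203.0.113.10) out of the proxy.
REDIRECT   loc      3128   tcp     www            -                !203.0.113.10

# Squid itself must be allowed out to fetch pages on behalf of the LAN.
ACCEPT     $FW      net    tcp     www

# https passes through untouched; the firewall is just a router for it.
ACCEPT     loc      net    tcp     https

# /etc/squid/squid.conf  (listener that accepts intercepted port-80 connections)
http_port 3128 transparent
```

The ACCEPT for https is only needed if the loc to net policy does not already allow it; with an ACCEPT policy between those zones the single REDIRECT line is the whole change, and 'shorewall show nat' is the quickest way to confirm that nothing but destination port 80 is being rewritten.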