At our main office, I have a single machine that provides routing and firewalling. We will call that machine HUB. There are two branch offices that connect to HUB via IPsec tunnels to access the private network in which HUB is connected to. We will call those branch offices BRANCH A and BRANCH B.

    BRANCH A | <- Internet / ipsec -> | HUB | <- Internet / ipsec -> | BRANCH B

I want BRANCH A's subnet to be able to access network resources on BRANCH B's subnet and vice versa through the HUB router. I've added all the necessary entries to "zones", "hosts", "interfaces", and "policy". BRANCH A can access HUB's subnet no problem, and BRANCH B can access HUB's subnet no problem, but packets were being DROPPED from BRANCH A to BRANCH B, which were clearly visible from Shorewall and syslog (Shorewall:FORWARD:DROP). /etc/shorewall/policy had entries to ACCEPT traffic between BRANCH A and BRANCH B.

I solved the problem by manually adding an iptables rule (eth0 is the public/ipsec interface):

    iptables -I FORWARD -i eth0 -o eth0 -j ACCEPT -m policy --pol ipsec --mode tunnel --dir in

In order to get this to work with Shorewall, I added that 'iptables' line to /etc/shorewall/start. Is there a better way to add an iptables policy rule to Shorewall's config files to allow packets from two IPsec routable subnets to pass?

Mike Rosile
International I.T. Director
Interzone Entertainment
Tel: +1 (417) 887-8118 x 1006
Fax: +1 (417) 887-7577
URL: http://interzonegames.com
E-mail: mike.rosile@interzonegames.com

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Mike Rosile wrote:
> I solved the problem by manually adding an iptables rule (eth0 is the
> public/ipsec interface):
>
>     iptables -I FORWARD -i eth0 -o eth0 -j ACCEPT -m policy --pol ipsec --mode tunnel --dir in
>
> In order to get this to work with Shorewall, I added that 'iptables'
> line to /etc/shorewall/start. Is there a better way to add an iptables
> policy rule to Shorewall's config files to allow packets from two IPsec
> routable subnets to pass?

Yes. And if we knew what your Shorewall configuration looks like, we would be able to tell you what it is.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Mike Rosile wrote:
> I want BRANCH A's subnet to be able to access network resources on
> BRANCH B's subnet and vice versa through the HUB router. I've added all
> the necessary entries to "zones", "hosts", "interfaces", and "policy".
> BRANCH A can access HUB's subnet no problem, and BRANCH B can access
> HUB's subnet no problem, but packets were being DROPPED from BRANCH A to
> BRANCH B, which were clearly visible from Shorewall and syslog
> (Shorewall:FORWARD:DROP). /etc/shorewall/policy had entries to ACCEPT
> traffic between BRANCH A and BRANCH B.

I've taken another look at this report and suggest that you refer to Shorewall FAQ 17. It points out that when traffic is dropped or rejected in the FORWARD chain and the IN= and OUT= interfaces are the same, then the first thing to try is setting the 'routeback' option on that interface in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
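The configuration Tom is pointing at, written out as an added example for readers of the archive. It is not Mike's actual configuration (which never appeared in the thread) and not Shorewall project code; the zone names bra/brb/loc, the interfaces eth0/eth1 and the branch subnets 10.1.0.0/24 and 10.2.0.0/24 are constructed placeholders. Because both tunnels terminate on eth0, a packet going from BRANCH A to BRANCH B enters and leaves the FORWARD chain on the same interface (the IN=eth0 OUT=eth0 seen in the Shorewall:FORWARD:DROP log entries), and Shorewall only builds rules for that hairpin path when the interface carries the routeback option, whatever the policy file says.

```text
# /etc/shorewall/zones  (constructed example)
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
# bra and brb are reachable only inside the IPsec tunnels, so Shorewall
# matches them with the ipsec policy match rather than by interface alone
bra     ipsec
brb     ipsec

# /etc/shorewall/interfaces  (constructed example)
#ZONE   INTERFACE   BROADCAST   OPTIONS
# Weak: without routeback, bra->brb packets (IN=eth0 OUT=eth0) are dropped
#net    eth0        detect
# Corrected: allow packets to be forwarded back out the interface they arrived on
net     eth0        detect      routeback
loc     eth1        detect

# /etc/shorewall/hosts  (constructed example)
#ZONE   HOST(S)                 OPTIONS
bra     eth0:10.1.0.0/24
brb     eth0:10.2.0.0/24

# /etc/shorewall/policy  (constructed example)
#SOURCE DEST    POLICY   LOG LEVEL
bra     brb     ACCEPT
brb     bra     ACCEPT
bra     loc     ACCEPT
brb     loc     ACCEPT
loc     bra     ACCEPT
loc     brb     ACCEPT
net     all     DROP     info
all     all     REJECT   info
```

With this in place the hand-written iptables line in /etc/shorewall/start is no longer needed and can be removed, so the whole ruleset stays under Shorewall's control and survives a restart. Run `shorewall check` before `shorewall restart` to catch syntax errors, then confirm the Shorewall:FORWARD:DROP entries with matching IN= and OUT= interfaces have stopped appearing in syslog.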