Miguel A. Velasco
2010-Feb-16 13:12 UTC
How to connect a PPTP Client behind a MultiISP shorewall config
Tom Eastep
2010-Feb-16 15:49 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:
> I've an openvpn server running on the firewall and working on eth1 and
> I'd like to config my firewall to let a pptp client, running on my LAN
> (with IP 10.10.80.10), connect to a pptp remote vpn server of a
> different company. But I am not able to do this, and that's my problem :)

Can we have a few more details please besides "it doesn't work"?

> /etc/shorewall/policy:
> #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
> #                         LEVEL
> loc       net    DROP     info

Very unfriendly policy for loc->net; much nicer for your local users if you use REJECT.

> fw        loc    DROP     info
> fw        net    DROP     info
> fw        dmz    DROP     info
> loc       dmz    DROP     info
> ##OpenVPN ------ ##
> vpn       fw     ACCEPT   info
> fw        vpn    ACCEPT   info
> net       vpn    DROP     info
> loc       vpn    ACCEPT   info
> vpn       loc    ACCEPT   info
> vpn       net    DROP     info
> vpn       dmz    DROP     info
> ##DMZ ---------- ##
> dmz       net    DROP     info
> dmz       fw     DROP     info
> dmz       loc    DROP     info
> dmz       vpn    DROP     info
> dmz       all    DROP     info
> ## -------------
> net       all    DROP     info
> all       all    REJECT   info
>
> /etc/shorewall/params:
> LAN_IF=eth0
> ADSL_IF=eth1
> DSL_IF=eth2
> DMZ_IF=eth3
> IP_GALILEO=10.10.80.10   --> it's the pptp client.
>
> /etc/shorewall/masq:
> #INTERFACE   SOURCE           ADDRESS       PROTO   PORT(S)   IPSEC   MARK
> $ADSL_IF     10.10.100.3      10.10.90.3
> $DSL_IF      10.10.90.3       10.10.100.3
> $ADSL_IF     10.10.110.0/24
> $DSL_IF      10.10.110.0/24
> $ADSL_IF     10.10.80.0/24
> $DSL_IF      10.10.80.0/24

Given that your external IP addresses are in the RFC 1918 range, you are doing "double NAT" of all of your traffic. Do you know for certain that this works in a single-ISP configuration?

> /etc/shorewall/tcrules:
> #MARK   SOURCE          DEST   PROTO   DEST      SOURCE    USER   TEST   LENGTH   TOS
> #                                      PORT(S)   PORT(S)
> 0x6:P   10.10.80.0/24   -      tcp     80,443
> #All outgoing traffic of port 1723 and gre protocol is routed through isp_6M
> 0x6:P   10.10.80.10     -      tcp     1723
> 0x6:P   10.10.80.10     -      udp     1723
> 0x6:P   10.10.80.10     -      gre
> 0x6:P   10.10.80.10     -      47

Last rule is redundant -- gre == 47

> /etc/shorewall/route_rules:
> #SOURCE   DEST   PROVIDER   PRIORITY
> $DMZ_IF   -      Isp_1M     1000
>
> /etc/shorewall/rules: (just what is concerned to pptp client config):
> ACCEPT   loc:$IP_GALILEO   net

All of the following rules are redundant

> ACCEPT      loc:$IP_GALILEO   net               47
> ACCEPT      loc:$IP_GALILEO   net               gre
> ACCEPT      loc:$IP_GALILEO   net               tcp   1723
> ACCEPT      $FW               net               47
> ACCEPT      $FW               net               gre
> ACCEPT      $FW               net               tcp   1723
> DNAT:info   net:$DSL_IF       loc:$IP_GALILEO   47
> DNAT:info   net:$DSL_IF       loc:$IP_GALILEO   tcp   1723
> DNAT:info   net:$DSL_IF       loc:$IP_GALILEO   gre
>
> I also attach a shorewall dump file to analyze and troubleshoot my
> network config. I would be pleased if someone could help me with this
> problem.

I think you will need to use a packet sniffer to see what is happening on the external interface. Other than the fact that you have many unneeded rules, I don't see anything wrong with your Shorewall setup.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
Miguel A. Velasco
2010-Feb-17 14:26 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Tom Eastep
2010-Feb-17 15:33 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:
> Hello, thanks very much for your help. I answer each of your questions or
> comments below:
>
> > Given that your external IP addresses are in the RFC 1918 range, you are
> > doing "double NAT" of all of your traffic. Do you know for certain that
> > this works in a single-ISP configuration?
>
> At this point I may add that this /etc/shorewall/masq config is
> so confusing for me. When I set up MultiISP Config I followed the
> instructions from here:
> http://blog.nkadesign.com/2009/sysadmin-multiple-isp-firewall-servers-and-redundancy/
> and that article helped me so much,
> but in the case of masq file, I never understood why this
> config ....

If that configuration is confusing, then simply do this:

#INTERFACE   SOURCE      ADDRESS
$ADSL_IF     0.0.0.0/0   10.10.90.3
$DSL_IF      0.0.0.0/0   10.10.100.3

> About your question, I don't understand why you say I'm using
> double NAT ...

10.10.x.x are private addresses reserved by RFC 1918. Hosts on the internet cannot send packets to those addresses. It therefore follows that there is another router between your Shorewall system and the Internet that is rewriting the SOURCE IP address in outgoing packets to something that is routable over the Internet; so both your Shorewall system AND the other router are doing NAT.

> > I think you will need to use a packet sniffer to see what is happening
> > on the external interface. Other than the fact that you have many
> > unneeded rules, I don't see anything wrong with your Shorewall setup.
>
> I attach three files, that are outputs of
> #tcpdump -e -v -i eth1 -n dst host ip_pptpserver
> where pptpserver is 106.Red-214-4-50 and 10.10.80.10 is my
> pptpclient.
> The server's IP when it is connected to the vpn is
> 192.168.11.83.

Your tcpdump output:

a) Only shows outbound traffic because you specified 'dst host' rather than 'host'.
b) It uses DNS names! Please always use the '-n' option so that the dump contains IP addresses rather than DNS names.

> May I configure any specific rule for IP 192.168.11.83? ...
> Even I've also tried opening all zones with ACCEPT in the policy file
> but it hasn't worked....

This isn't a Shorewall security-related issue; it is a PPTP issue. Shorewall is not causing the problem here because the PPTP client and server ARE COMMUNICATING; the SCP negotiation seems to be failing for some reason. Seeing both sides of the conversation might tell you why.

-Tom
Miguel A. Velasco
2010-Feb-19 11:56 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Tom Eastep
2010-Feb-19 14:58 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:
> I have tried running shorewall with this config but I
> haven't internet access. Even I can't ping from the
> firewall to 10.10.90.3 or 10.10.100.3 ....
> Any idea?

Yes -- just forget my suggestion.

> At this point what do you suggest me? I mean: as you say the
> problem is not in shorewall config and isn't on the windows
> machine (pptp client) because I am able to connect this Server
> directly to pptp server, avoiding shorewall firewall

I keep trying to tell you that you are avoiding *double NAT* when you connect directly. I suspect that is the problem and it may not be solvable; I don't know. The trace log you sent (which STILL DIDN'T USE THE -n OPTION) shows both TCP and GRE traffic flowing in both directions. So there is nothing more that I know of that you can expect the firewall to do.

> (connecting through the adsl router ...).
> Then, when you say it's a PPTP issue, what exactly do you
> refer to?

See above. You need to get help from PPTP experts, not Firewall experts.

-Tom
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
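A small triage script, added here as an example (it is not part of the thread and not Shorewall's or Tom's code), that applies the capture advice given in the two replies above: dump with `host` rather than `dst host` and with `-n`, then check whether tcp/1723 and GRE are seen in each direction between the client as it appears on eth1 and the PPTP server, which is the distinction Tom draws between a firewall problem and a PPTP negotiation problem. The capture lines and both addresses (10.10.90.3 as the client's post-NAT address, 203.0.113.10 as the server) are constructed placeholders.

```python
import re

# Constructed sample in the shape of `tcpdump -n -i eth1 host <server>` output, not a real
# capture: 10.10.90.3 stands in for the client's post-NAT address on eth1 and 203.0.113.10
# (a documentation address) for the remote PPTP server; both are placeholders.
SAMPLE = """\
12:00:01.000001 IP 10.10.90.3.50000 > 203.0.113.10.1723: Flags [S], seq 1, win 8192, length 0
12:00:01.010000 IP 203.0.113.10.1723 > 10.10.90.3.50000: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:01.020000 IP 10.10.90.3.40000 > 10.10.90.1.53: 1+ A? example.invalid. (32)
12:00:02.000000 IP 10.10.90.3 > 203.0.113.10: GREv1, call 1, seq 1, length 76: LCP, Conf-Request
12:00:02.050000 IP 203.0.113.10 > 10.10.90.3: GREv1, call 5, seq 1, ack 1, length 80: LCP, Conf-Request
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
TCP_RE = re.compile(r"^\S+ IP " + IP + r"\.(\d+) > " + IP + r"\.(\d+): Flags")
GRE_RE = re.compile(r"^\S+ IP " + IP + r" > " + IP + r": GREv1, call (\d+)")

def classify(line):
    """Return (proto, src, dst) for a PPTP control (tcp/1723) or GRE line, else None."""
    m = TCP_RE.match(line)
    if m:
        src, sport, dst, dport = m.groups()
        return ("tcp/1723", src, dst) if "1723" in (sport, dport) else None
    m = GRE_RE.match(line)
    return ("gre", m.group(1), m.group(2)) if m else None

def summarize(text, client, server):
    """Count PPTP control and GRE packets in each direction between client and server."""
    seen = {"tcp/1723": {"out": 0, "in": 0}, "gre": {"out": 0, "in": 0}}
    for proto, src, dst in filter(None, map(classify, text.splitlines())):
        if (src, dst) == (client, server):
            seen[proto]["out"] += 1
        elif (src, dst) == (server, client):
            seen[proto]["in"] += 1
    return seen

def diagnose(seen):
    """Map the per-direction counts to the situations distinguished in the thread."""
    tcp, gre = seen["tcp/1723"], seen["gre"]
    if tcp["out"] and not tcp["in"]:
        return "no tcp/1723 reply: server unreachable, or the capture is one-sided (use 'host', not 'dst host')"
    if tcp["in"] and not gre["out"]:
        return "control channel up but no outbound GRE: check that proto 47 is marked/allowed toward the provider"
    if gre["out"] and not gre["in"]:
        return "outbound GRE without return GRE: the upstream NAT/router is not passing GRE back"
    if gre["out"] and gre["in"]:
        return "tcp/1723 and GRE flow both ways: the firewall is passing PPTP; look at the PPP negotiation"
    return "no PPTP traffic seen on this interface: check provider selection (tcrules marks)"
```

Feed it a real `tcpdump -n` text dump and the firewall-side addresses; the fourth outcome is the one Tom reached from the trace, and the first is what a `dst host` capture produces.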
Tom Eastep
2010-Feb-19 15:13 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Tom Eastep wrote:
> I keep trying to tell you that you are avoiding *double NAT* when you
> connect directly. I suspect that is the problem and it may not be
> solvable; I don't know. The trace log you sent (which STILL DIDN'T USE
> THE -n OPTION) shows both TCP and GRE traffic flowing in both
> directions. So there is nothing more that I know of that you can expect
> the firewall to do.

One thing that you can *try* -- remove the pptp conntrack and nat helper modules and try to connect.

-Tom
Miguel A. Velasco
2010-Feb-24 10:22 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Hello Tom, and thanks again for your advice. I answer each question below:

On 19/02/2010 15:58, Tom Eastep wrote:
> Miguel A. Velasco wrote:
>
>> I have tried running shorewall with this config but I
>> haven't internet access. Even I can't ping from the
>> firewall to 10.10.90.3 or 10.10.100.3 ....
>> Any idea?
>
> Yes -- just forget my suggestion.
>
>> At this point what do you suggest me? I mean: as you say the
>> problem is not in shorewall config and isn't on the windows
>> machine (pptp client) because I am able to connect this Server
>> directly to pptp server, avoiding shorewall firewall
>
> I keep trying to tell you that you are avoiding *double NAT* when you
> connect directly. I suspect that is the problem and it may not be
> solvable; I don't know. The trace log you sent (which STILL DIDN'T USE
> THE -n OPTION) shows both TCP and GRE traffic flowing in both
> directions. So there is nothing more that I know of that you can expect
> the firewall to do.

Following your instructions, I'm going to try to configure my adsl router as a bridge and avoid double NAT. Secondly, if it doesn't work I'll try to remove the pptp conntrack and nat helper modules as you comment.

>> (connecting through the adsl router ...).
>> Then, when you say it's a PPTP issue, what exactly do you
>> refer to?
>
> See above. You need to get help from PPTP experts, not Firewall experts.
>
> -Tom

I'll send to the list the consequences of my corrections. Thanks very much for your help and thanks to the Shorewall Team for their great work with this Firewall.

Miguel A. Velasco
Tom Eastep
2010-Feb-24 14:52 UTC
Re: How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:
> I'll send to the list the consequences of my corrections.

Thanks!

> Thanks very much for your help and thanks to the Shorewall Team for their
> great work with this Firewall.

You are welcome.

Regards,

-Tom