I'm trying to make connections from over an ipsec vpn to some local machines in a zone other than loc and they're getting dropped by vpn2net. In this example I'm trying an ssh connection from 10.88.2.1 (vpn zone) to 10.99.5.5 (iscsi zone) but it's getting dropped in vpn2net instead of vpn2iscsi:

Aug 25 17:39:08 it-router kernel: [406408.700612] Shorewall:vpn2net:REJECT:IN=eth3 OUT=eth3 SRC=10.88.2.1 DST=10.99.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20099 DF PROTO=TCP SPT=49662 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

When I try things in the loc zone it gets dropped by vpn2loc as expected:

Aug 25 17:49:52 it-router kernel: [407052.372877] Shorewall:vpn2loc:REJECT:IN=eth3 OUT=vlan4 SRC=10.88.2.1 DST=10.99.4.99 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52304 SEQ=3 MARK=0x1

My vpn zone was last in my zones file, right after the net zone. I tried moving it above the net zone but it didn't seem to make any difference.

Dump of the failed ssh connection attempt attached.

Any help would be appreciated.

Brad C

------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users
worldwide. Take advantage of special opportunities to increase revenue and
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
On 8/25/10 3:53 PM, Brad Clarke wrote:

> I'm trying to make connections from over an ipsec vpn to some local
> machines in a zone other than loc and they're getting dropped by
> vpn2net. In this example I'm trying an ssh connection from 10.88.2.1
> (vpn zone) to 10.99.5.5 (iscsi zone) but it's getting dropped in
> vpn2net instead of vpn2iscsi:
>
> Aug 25 17:39:08 it-router kernel: [406408.700612]
> Shorewall:vpn2net:REJECT:IN=eth3 OUT=eth3 SRC=10.88.2.1 DST=10.99.5.5
> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20099 DF PROTO=TCP SPT=49662
> DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Your firewall is doing exactly what you have configured it to do.

- eth3 is a provider interface for traveller_wireless
- vlan5 is apparently not listed in the COPY column for that interface
- If you route 10.88.2.1 from eth3, it uses this routing table:

207.111.162.62 dev eth3 scope link src 207.111.162.1
207.111.162.0/26 dev eth3 proto kernel scope link src 207.111.162.1
10.99.4.0/24 dev vlan4 proto kernel scope link src 10.99.4.1
10.99.3.0/24 dev vlan3 proto kernel scope link src 10.99.3.1
192.168.10.0/24 via 10.99.4.254 dev vlan4
10.88.0.0/16 via 207.111.162.62 dev eth3 src 10.99.4.1
-------------------------------------------------------
10.77.0.0/16 via 207.111.162.62 dev eth3 src 10.99.4.1
default via 207.111.162.62 dev eth3 src 207.111.162.1

Clearly, 10.88.2.1 is routed out of eth3, not vlan5

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, Aug 25, 2010 at 7:46 PM, Tom Eastep <teastep@shorewall.net> wrote:

> - eth3 is a provider interface for traveller_wireless
> - vlan5 is apparently not listed in the COPY column for that interface

Clearly I should get a better understanding of what my router does....routing makes my brain hurt :)

Adding vlan5 to the COPY column for traveller_wireless fixed it.

Thank you!

Brad C