Hi,

I am having trouble making NAT in Shorewall work for my ppp clients. My clients connect using an L2TP/IPsec VPN (ppp+ interfaces) and are supposed to use the server's internet connection. My goal is to drop everything except for clients connecting to a local DNS on the server and using the server's internet connection (NAT). The clients use IPs in the following subnet: 10.197.204.0/23. IP 10.197.204.1 is for the server (it is the gateway for the clients) and it is where the DNS server listens. My current configuration is as follows:

zones file:
###
fw firewall
net ipv4
l2tp ipv4
###

interfaces file:
###
net eth0 detect tcpflags
l2tp ppp+
###

policy file:
###
net all DROP
l2tp all DROP
fw all ACCEPT
all all DROP
###

rules file:
###
ACCEPT l2tp fw udp 53
ACCEPT l2tp fw tcp 53
ACCEPT l2tp net all
ACCEPT all fw tcp 22
ACCEPT all fw udp 500
ACCEPT all fw udp 1701
ACCEPT all fw udp 4500
###

masq file:
###
eth0 10.197.204.0/23
###

Thanks,
Milen

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
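As an added example (not part of the original thread, and not Shorewall's own code), a small Python model of how the posted policy, rules and masq files are evaluated for a given flow: rules are scanned in order and the first match wins, otherwise the first matching (source, dest) policy decides, and the masq entry only rewrites traffic that leaves eth0 from the client subnet. It deliberately ignores interface options, connection tracking and the IPsec side of the setup, so it is a sanity check on the zone logic, not a replacement for `shorewall check`.

```python
"""Simplified model of how Shorewall evaluates the posted policy, rules and masq files."""
from ipaddress import ip_address, ip_network

# The policy, rules and masq files from the post above, embedded as constructed input.
POLICY = """
net all DROP
l2tp all DROP
fw all ACCEPT
all all DROP
"""
RULES = """
ACCEPT l2tp fw udp 53
ACCEPT l2tp fw tcp 53
ACCEPT l2tp net all
ACCEPT all fw tcp 22
ACCEPT all fw udp 500
ACCEPT all fw udp 1701
ACCEPT all fw udp 4500
"""
MASQ = "eth0 10.197.204.0/23"

def _rows(text):
    """Split a Shorewall file body into whitespace-separated columns, skipping blanks."""
    return [line.split() for line in text.splitlines() if line.strip()]

def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone

def verdict(src_zone, dst_zone, proto, dport):
    """Rules are scanned in order and the first match wins; only if no rule
    matches does the first matching (source, dest) policy decide."""
    for action, src, dst, *rest in _rows(RULES):
        r_proto = rest[0] if rest else "all"
        r_port = int(rest[1]) if len(rest) > 1 else None
        if (_zone_match(src, src_zone) and _zone_match(dst, dst_zone)
                and r_proto in ("all", proto) and r_port in (None, dport)):
            return action
    for src, dst, action in _rows(POLICY):
        if _zone_match(src, src_zone) and _zone_match(dst, dst_zone):
            return action
    return "DROP"  # Shorewall insists on a covering policy; treat a gap as a drop

def is_masqueraded(out_iface, src_ip):
    """True if a packet from src_ip leaving out_iface matches a masq entry,
    i.e. a VPN client reaching the net through eth0 gets the server's address."""
    return any(iface == out_iface and ip_address(src_ip) in ip_network(net)
               for iface, net in _rows(MASQ))

if __name__ == "__main__":
    print(verdict("l2tp", "net", "tcp", 443), is_masqueraded("eth0", "10.197.204.50"))
```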
On 04/26/2011 02:31 AM, Milen Pankov wrote:
> Hi,
>
> I am having trouble making NAT in Shorewall work for my ppp clients. My clients connect using an L2TP/IPsec VPN (ppp+ interfaces) and are supposed to use the server's internet connection. My goal is to drop everything except for clients connecting to a local DNS on the server and using the server's internet connection (NAT). The clients use IPs in the following subnet: 10.197.204.0/23. IP 10.197.204.1 is for the server (it is the gateway for the clients) and it is where the DNS server listens. My current configuration is as follows:
>
> zones file:
> ###
> fw firewall
> net ipv4
> l2tp ipv4
> ###
>
> interfaces file:
> ###
> net eth0 detect tcpflags
> l2tp ppp+
> ###
>
> policy file:
> ###
> net all DROP
> l2tp all DROP
> fw all ACCEPT
> all all DROP
> ###
>
> rules file:
> ###
> ACCEPT l2tp fw udp 53
> ACCEPT l2tp fw tcp 53
> ACCEPT l2tp net all
> ACCEPT all fw tcp 22
> ACCEPT all fw udp 500
> ACCEPT all fw udp 1701
> ACCEPT all fw udp 4500
> ###
>
> masq file:
> ###
> eth0 10.197.204.0/23
> ###

Please see http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 26.04.2011 16:52, Tom Eastep wrote:
> On 04/26/2011 02:31 AM, Milen Pankov wrote:
>> Hi,
>>
>> I am having trouble making NAT in Shorewall work for my ppp clients. My clients connect using an L2TP/IPsec VPN (ppp+ interfaces) and are supposed to use the server's internet connection. My goal is to drop everything except for clients connecting to a local DNS on the server and using the server's internet connection (NAT). The clients use IPs in the following subnet: 10.197.204.0/23. IP 10.197.204.1 is for the server (it is the gateway for the clients) and it is where the DNS server listens. My current configuration is as follows:
>>
>
> Please see http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP
>
> -Tom

Thank you. I was pretty much there. It looks like I missed it while reading the documentation.

--
Milen

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users