Fabian Zaremba
2013-Jul-12 11:52 UTC
Shorewall rejects the connections without logs - no traffic on tun0 if shorewall is enabled
Hello everybody!

I am encountering a problem with my installation of shorewall as I am trying to configure an openvpn tunnel to my private network. My host is running Debian Squeeze 2.6.32-19-pve, Shorewall version 4.4.11.6.

I am trying to establish a connection from my dynamic ip (87.144.69.85 in this case) on tcp port 11944 to the firewalled host (openvpn, tun0). My final goal is to establish connection to a Proxmox OpenVZ container and reject any other traffic from the vpn.

The major problem however is that my connection gets completely rejected and nothing is logged - not in /var/log/messages or in any other log file. 'shorewall show log' also shows no messages related to my connection. If I issue 'shorewall clear' my connection is working. After a 'shorewall start' it is being rejected again.

I honestly do not know how I could further debug this issue - any help would be greatly appreciated! I am attaching a summary of my running shorewall config and the output of shorewall dump.

Thank you in advance!
Fabian

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics. Get end-to-end visibility with application monitoring from AppDynamics. Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
Ruth Ivimey-Cook
2013-Jul-12 11:56 UTC
Re: Shorewall rejects the connections without logs - no traffic on tun0 if shorewall is enabled
Fabian> If I issue 'shorewall clear' my connection is working.
> After a 'shorewall start' it is being rejected again.
> I honestly do not know how I could further debug this issue - any help
> would be greatly appreciated!

I'm no expert at shorewall but it would seem you have a "drop" where you would like, for these purposes, a "logdrop". Possibly the relevant "drop" is in the default setup rather than an explicit rule?

HTH
Ruth

--
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
Fabian Zaremba
2013-Jul-12 12:16 UTC
Re: Shorewall rejects the connections without logs - no traffic on tun0 if shorewall is enabled
Thank you for your answer Ruth, but as I am using shorewall I am not modifying iptables rules manually so there should be no 'default setup'. My default rule setup should be empty and I think this is the reason my connection is working after a 'shorewall clear'.

Shorewall should be set up to produce log messages for every packet it drops/rejects. Even more strange, I usually set up my rules for dropping - but my connection gets rejected (again without a log entry).

> I'm no expert at shorewall but it would seem you have a "drop" where
> you would like, for these purposes, a "logdrop". Possibly the relevant
> "drop" is in the default setup rather than an explicit rule?

TIA
Fabian
Fabian Zaremba
2013-Jul-12 15:18 UTC
Re: Shorewall rejects the connections without logs - no traffic on tun0 if shorewall is enabled
I found my problem being an old DNAT rule that I must have overlooked.

If a list admin reads this: I would be glad if you could remove my original attachment (I realized too late that it would appear on the webinterface of sourceforge).

Thanks for the help!
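The root cause in this thread was a forgotten DNAT rule in the nat table, which Shorewall's filter-chain logging never sees. As an added example (not part of the thread or of Shorewall itself), the following script audits an `iptables-save` dump for nat-table DNAT rules that match a given destination port; the dump below is a constructed sample that reuses the tcp/11944 port from the thread, not the poster's real configuration.

```python
import re
from typing import Dict, List

# Constructed sample in iptables-save format (not the poster's real dump):
# a stale DNAT rule for tcp/11944 left in the nat table next to the
# filter rules that would otherwise accept or log the OpenVPN traffic.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A net_dnat -p tcp -m tcp --dport 11944 -j DNAT --to-destination 10.0.0.5:11944
-A net_dnat -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.6:80
COMMIT
*filter
:net2fw - [0:0]
-A net2fw -p tcp -m tcp --dport 11944 -j ACCEPT
-A net2fw -j Drop
COMMIT
"""

# Matches an iptables-save append line whose target is DNAT.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+)(?P<body>.*) -j DNAT --to-destination (?P<to>\S+)$"
)
DPORT_RE = re.compile(r"--dport (\d+)")
PROTO_RE = re.compile(r"-p (\S+)")


def find_dnat_rules(dump: str, port: int) -> List[Dict[str, str]]:
    """Return every nat-table DNAT rule in an iptables-save dump whose
    --dport equals `port`, as dicts with chain, proto and target."""
    hits: List[Dict[str, str]] = []
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat":                # DNAT only lives in the nat table
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        dport = DPORT_RE.search(m.group("body"))
        if dport and int(dport.group(1)) == port:
            proto = PROTO_RE.search(m.group("body"))
            hits.append({"chain": m.group("chain"),
                         "proto": proto.group(1) if proto else "all",
                         "to": m.group("to")})
    return hits


if __name__ == "__main__":
    for h in find_dnat_rules(SAMPLE_IPTABLES_SAVE, 11944):
        print(f"nat/{h['chain']}: {h['proto']} dport 11944 -> DNAT to {h['to']}")
```

On a live host, feed it the output of `iptables-save` (or `shorewall dump`, which embeds the same listing) instead of the constructed sample.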