Mark D. Montgomery II
2013-Nov-05 06:04 UTC
Forwarding external traffic to another external server?
I'm trying to use my VPS server (single interface of course) as somewhat of a VPN gateway to my other location (which is not accessible directly from some places) where the openvpn server is running, and am kind of lost as to what to try next.

I tried a redirect rule, but apparently shorewall didn't like that (it just failed to start).
I tried adding the rules via command line directly from a bit of searching I did:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination <siteb ip>:1194
iptables -t nat -A POSTROUTING -j MASQUERADE

When I did that dmesg gave Forward:Reject messages.

Can someone point me to the correct way to do this?

Thanks!

--
Mark D. Montgomery II
http://www.techiem2.net

------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
Tom Eastep
2013-Nov-05 15:26 UTC
Re: Forwarding external traffic to another external server?
On 11/4/2013 10:04 PM, Mark D. Montgomery II wrote:
> I'm trying to use my VPS server (single interface of course) as somewhat
> of a VPN gateway to my other location (which is not accessible directly
> from some places) where the openvpn server is running, and am kind of
> lost as to what to try next.
>
> I tried a redirect rule, but apparently shorewall didn't like that (it
> just failed to start).
> I tried adding the rules via command line directly from a bit of
> searching I did:
>
> sysctl net.ipv4.ip_forward=1
> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT
> --to-destination <siteb ip>:1194
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> When I did that dmesg gave Forward:Reject messages.
>
> Can someone point me to the correct way to do this?

That is Shorewall FAQ 2 with the 'loc' zone replaced by the 'net' zone.
Also note FAQ 2c.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mark D. Montgomery II
2013-Nov-06 00:16 UTC
Re: Forwarding external traffic to another external server?
Ok. I made the changes as best as I could understand them from the FAQ and restarted shorewall (currently 3.4.8 if that makes a difference).

interfaces:
net eth0 detect dhcp,routefilter,tcpflags,nosmurfs,blacklist,routeback

masq:
eth0:vps_ip eth0 home_ip udp 1194

rules:
DNAT net net:home_ip udp 1194 - vps_ip

shorewall.conf:
IP_FORWARDING=ON

When I start openvpn it times out connecting.
When I run iptraf on the vps I see the connection come in, but it doesn't seem to be getting out to the home location where the vpn server is (no activity there showing the connection coming in).

Thanks!

Mark II

Quoting Tom Eastep <teastep@shorewall.net>:
> That is Shorewall FAQ 2 with the 'loc' zone replaced by the 'net' zone.
> Also note FAQ 2c.
Mark D. Montgomery II
2013-Nov-06 09:22 UTC
Re: Forwarding external traffic to another external server?
I just upgraded shorewall (4.5.18 now) and rebooted the vps and still no go.
iptables -L shows in the net2net chain:

ACCEPT udp -- anywhere home_hostname ctorigdst vps_hostname udp dpt:openvpn

Quoting "Mark D. Montgomery II" <techiem2@techiem2.net>:
> Ok. I made the changes as best as I could understand them from the
> FAQ and restarted shorewall (currently 3.4.8 if that makes a
> difference).
>
> interfaces:
> net eth0 detect dhcp,routefilter,tcpflags,nosmurfs,blacklist,routeback
>
> masq:
> eth0:vps_ip eth0 home_ip udp 1194
>
> rules:
> DNAT net net:home_ip udp 1194 - vps_ip
>
> shorewall.conf:
> IP_FORWARDING=ON
>
> When I start openvpn it times out connecting.
> When I run iptraf on the vps I see the connection come in, but it
> doesn't seem to be getting out to the home location where the vpn
> server is (no activity there showing the connection coming in).
>
> Thanks!
>
> Mark II
Tom Eastep
2013-Nov-06 14:38 UTC
Re: Forwarding external traffic to another external server?
On 11/6/2013 1:22 AM, Mark D. Montgomery II wrote:
> I just upgraded shorewall (4.5.18 now) and rebooted the vps and still no
> go.
> iptables -L shows in the net2net chain:
>
> ACCEPT udp -- anywhere home_hostname ctorigdst
> vps_hostname udp dpt:openvpn

Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
Mark D. Montgomery II
2013-Nov-07 00:08 UTC
Re: Forwarding external traffic to another external server?
Ok.
Connecting From (current remote location): 50.197.38.198
Connecting To (VPS): 173.255.225.115
Trying to Redirect to (Home/VPN Server): 98.239.173.35

Shorewall started manually and dump run after I started the vpn trying to connect.
Dump attached.

Thanks.

Mark II

Quoting Tom Eastep <teastep@shorewall.net>:
> Please forward the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
Tom Eastep
2013-Nov-07 14:59 UTC
Re: Forwarding external traffic to another external server?
On 11/6/2013 4:08 PM, Mark D. Montgomery II wrote:
> Ok.
> Connecting From (current remote location): 50.197.38.198
> Connecting To (VPS): 173.255.225.115
> Trying to Redirect to (Home/VPN Server): 98.239.173.35
>
> Shorewall started manually and dump run after I started the vpn trying
> to connect.
> Dump attached.
>

Your /etc/shorewall/masq rule is wrong.

You want udp 1194 connections *to* 98.219.143.35 to have their source address rewritten as 173.255.225.115.

eth0:98.239.173.35 0.0.0.0/0 173.255.225.115

-Tom
Tom Eastep
2013-Nov-07 15:06 UTC
Re: Forwarding external traffic to another external server?
On 11/7/2013 6:59 AM, Tom Eastep wrote:
> Your /etc/shorewall/masq rule is wrong.
>
> You want udp 1194 connections *to* 98.219.143.35 to have their source
> address rewritten as 173.255.225.115.
>
> eth0:98.239.173.35 0.0.0.0/0 173.255.225.115

Or more restrictively:

eth0:98.239.173.35 0.0.0.0/0 173.255.225.115 udp 1194

-Tom
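The masq line above (INTERFACE:DEST SOURCE ADDRESS PROTO PORT: on eth0, to 98.239.173.35, from anywhere, rewrite the source to 173.255.225.115, udp 1194 only) is what the relay was missing. As an added illustration that is not code from this thread or from Shorewall, the Python model below walks one client datagram through the VPS's NAT path with and without that SNAT, using the three addresses Mark posted. It assumes a conntrack reduced to one flow with no timeouts, a client that behaves like a connect()ed UDP socket and only accepts datagrams from the peer it sent to, and an optional provider-side egress anti-spoofing filter that is an assumption for illustration, not a statement about any particular hosting provider.

```python
"""Model of the VPS relay's NAT path (added illustration, not code from the
thread or from Shorewall). Addresses are the ones Mark posted; conntrack is
simplified to one flow without timeouts, but the Linux order is kept:
PREROUTING (DNAT) -> FORWARD (filter) -> POSTROUTING (SNAT), with conntrack
undoing both translations on the reply packet."""
from __future__ import annotations

from dataclasses import dataclass

CLIENT = "50.197.38.198"        # remote OpenVPN client
VPS = "173.255.225.115"         # single-interface relay running Shorewall
HOME = "98.239.173.35"          # real OpenVPN server
VPN_PORT = 1194


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def reverse(self) -> Pkt:
        """The 5-tuple a reply to this packet carries."""
        return Pkt(self.dst, self.dport, self.src, self.sport, self.proto)


class VpsRelay:
    def __init__(self, snat_to_vps: bool, egress_antispoof: bool = False):
        # True: 'masq eth0:HOME 0.0.0.0/0 VPS udp 1194' (Tom's rule) is present.
        # False: the thread's broken state, DNAT with no matching SNAT.
        self.snat_to_vps = snat_to_vps
        # Assumed provider-side anti-spoofing (BCP 38 style) egress filter:
        # packets leaving the VPS with a source other than VPS are dropped.
        # An assumption for illustration, not a claim about any provider.
        self.egress_antispoof = egress_antispoof
        self.conntrack: dict[Pkt, Pkt] = {}   # original tuple -> post-NAT tuple

    def handle(self, p: Pkt) -> Pkt | None:
        """Packet arriving on eth0. Returns it as it leaves eth0, or None if dropped."""
        # Reply of a flow we translated? conntrack reverses DNAT+SNAT before any rule.
        for orig, natted in self.conntrack.items():
            if p == natted.reverse():
                return orig.reverse()
        # PREROUTING: rules entry 'DNAT net net:HOME udp 1194 - VPS'
        if not (p.proto == "udp" and p.dst == VPS and p.dport == VPN_PORT):
            return None
        natted = Pkt(p.src, p.sport, HOME, VPN_PORT)
        # FORWARD, net2net: 'ACCEPT udp -- anywhere HOME ctorigdst VPS udp dpt:1194'
        # (the rule Mark saw in 'iptables -L'); anything else hits the REJECT policy.
        if not (natted.dst == HOME and natted.dport == VPN_PORT and p.dst == VPS):
            return None
        # POSTROUTING: 'masq eth0:HOME 0.0.0.0/0 VPS udp 1194'
        if self.snat_to_vps:
            natted = Pkt(VPS, p.sport, HOME, VPN_PORT)
        self.conntrack[p] = natted
        if self.egress_antispoof and natted.src != VPS:
            return None
        return natted


def run_exchange(snat_to_vps: bool, egress_antispoof: bool = False) -> dict:
    """One client datagram to VPS:1194 and the server's reply. The client is
    modelled as a connect()ed UDP socket: it only accepts datagrams from the
    peer it sent to, VPS:1194 (an assumption about the client)."""
    relay = VpsRelay(snat_to_vps, egress_antispoof)
    sent = Pkt(CLIENT, 40000, VPS, VPN_PORT)
    result = {"reached_home": False, "home_saw_src": None,
              "reply_src": None, "client_accepted": False}
    to_home = relay.handle(sent)
    if to_home is None:
        return result
    result["reached_home"] = True
    result["home_saw_src"] = to_home.src
    reply = to_home.reverse()                 # HOME:1194 -> whatever source it saw
    if reply.dst == VPS:                      # only then does it cross the relay again
        reply = relay.handle(reply)
        if reply is None:
            return result
    result["reply_src"] = reply.src
    result["client_accepted"] = reply == sent.reverse()
    return result


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat_to_vps={snat}: {run_exchange(snat)}")
    print("no SNAT + provider anti-spoofing:", run_exchange(False, egress_antispoof=True))
```

Without the masq entry the DNATed datagram leaves the VPS still carrying 50.197.38.198 as its source, so the home server answers the client directly from 98.239.173.35:1194, an address the client never sent to; and if the provider filters spoofed source addresses on egress, the forwarded packet never reaches home at all, which is one explanation consistent with the "no activity there" Mark reported. With the SNAT in place the server sees every relayed client as 173.255.225.115, so per-client source addresses are no longer visible on the OpenVPN side, and Tom's restricted form keeps the VPS from source-rewriting anything other than udp 1194 toward home.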
Mark D. Montgomery II
2013-Nov-10 00:28 UTC
Re: Forwarding external traffic to another external server?
Thanks Tom! That worked perfectly.

Mark II

Quoting Tom Eastep <teastep@shorewall.net>:
> Or more restrictively:
>
> eth0:98.239.173.35 0.0.0.0/0 173.255.225.115 udp 1194