Shorewall users - Nov 2013 - Forwarding external traffic to another external server?

I''m trying to use my VPS server (single interface of course) as  
somewhat of a VPN gateway to my other location (which is not  
accessible directly from some places) where the openvpn server is  
running, and am kind of lost as to what to try next.

I tried a redirect rule, but apparently shorewall didn''t like that (it
just failed to start).
I tried adding the rules via command line directly from a bit of  
searching I did:

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT  
--to-destination <siteb ip>:1194
iptables -t nat -A POSTROUTING -j MASQUERADE

When I did that dmesg gave Forward:Reject messages.

Can someone point me to the correct way to do this?

Thanks!

-- 
Mark D. Montgomery II
http://www.techiem2.net




------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/4/2013 10:04 PM, Mark D. Montgomery II wrote:
> I''m trying to use my VPS server (single interface of course) as
somewhat
> of a VPN gateway to my other location (which is not accessible directly
> from some places) where the openvpn server is running, and am kind of
> lost as to what to try next.
> 
> I tried a redirect rule, but apparently shorewall didn''t like that
(it
> just failed to start).
> I tried adding the rules via command line directly from a bit of
> searching I did:
> 
> sysctl net.ipv4.ip_forward=1
> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT
> --to-destination <siteb ip>:1194
> iptables -t nat -A POSTROUTING -j MASQUERADE
> 
> When I did that dmesg gave Forward:Reject messages.
> 
> Can someone point me to the correct way to do this?
That is Shorewall FAQ 2 with the ''loc'' zone replaced by the
''net'' zone.
Also note FAQ 2c.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Ok.  I made the changes as best as I could understand them from the  
FAQ and restarted shorewall (currently 3.4.8 if that makes a  
difference).


interfaces:
net eth0 detect dhcp,routefilter,tcpflags,nosmurfs,blacklist,routeback

masq:
eth0:vps_ip eth0 home_ip udp 1194

rules:
DNAT net net:home_ip udp 1194 - vps_ip

shorewall.conf:
IP_FORWARDING=ON

When I start openvpn it times out connecting.
When I run iptraf on the vps I see the connection come in, but it  
doesn''t seem to be getting out to the home location where the vpn  
server is (no activity there showing the connecting coming in).

Thanks!

Mark II



Quoting Tom Eastep <teastep@shorewall.net>:
> On 11/4/2013 10:04 PM, Mark D. Montgomery II wrote:
>> I''m trying to use my VPS server (single interface of course)
as somewhat
>> of a VPN gateway to my other location (which is not accessible directly
>> from some places) where the openvpn server is running, and am kind of
>> lost as to what to try next.
>>
>> I tried a redirect rule, but apparently shorewall didn''t like
that (it
>> just failed to start).
>> I tried adding the rules via command line directly from a bit of
>> searching I did:
>>
>> sysctl net.ipv4.ip_forward=1
>> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT
>> --to-destination <siteb ip>:1194
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>>
>> When I did that dmesg gave Forward:Reject messages.
>>
>> Can someone point me to the correct way to do this?
>
> That is Shorewall FAQ 2 with the ''loc'' zone replaced by
the ''net'' zone.
> Also note FAQ 2c.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net




------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

I just upgraded shorewall (4.5.18 now) and rebooted the vps and still no go.
iptables -L shows in the net2net chain:

  ACCEPT     udp  --  anywhere             home_hostname  ctorigdst  
vps_hostname udp dpt:openvpn


Quoting "Mark D. Montgomery II" <techiem2@techiem2.net>:
> Ok.  I made the changes as best as I could understand them from the  
> FAQ and restarted shorewall (currently 3.4.8 if that makes a  
> difference).
>
>
> interfaces:
> net eth0 detect dhcp,routefilter,tcpflags,nosmurfs,blacklist,routeback
>
> masq:
> eth0:vps_ip eth0 home_ip udp 1194
>
> rules:
> DNAT net net:home_ip udp 1194 - vps_ip
>
> shorewall.conf:
> IP_FORWARDING=ON
>
> When I start openvpn it times out connecting.
> When I run iptraf on the vps I see the connection come in, but it  
> doesn''t seem to be getting out to the home location where the vpn
> server is (no activity there showing the connecting coming in).
>
> Thanks!
>
> Mark II
>
>
>
> Quoting Tom Eastep <teastep@shorewall.net>:
>
>> On 11/4/2013 10:04 PM, Mark D. Montgomery II wrote:
>>> I''m trying to use my VPS server (single interface of
course) as somewhat
>>> of a VPN gateway to my other location (which is not accessible
directly
>>> from some places) where the openvpn server is running, and am kind
of
>>> lost as to what to try next.
>>>
>>> I tried a redirect rule, but apparently shorewall didn''t
like that (it
>>> just failed to start).
>>> I tried adding the rules via command line directly from a bit of
>>> searching I did:
>>>
>>> sysctl net.ipv4.ip_forward=1
>>> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT
>>> --to-destination <siteb ip>:1194
>>> iptables -t nat -A POSTROUTING -j MASQUERADE
>>>
>>> When I did that dmesg gave Forward:Reject messages.
>>>
>>> Can someone point me to the correct way to do this?
>>
>> That is Shorewall FAQ 2 with the ''loc'' zone replaced
by the ''net'' zone.
>> Also note FAQ 2c.
>>
>> -Tom
>> --
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>
>
> -- 
> Mark D. Montgomery II
> http://www.techiem2.net

-- 
Mark D. Montgomery II
http://www.techiem2.net




------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/6/2013 1:22 AM, Mark D. Montgomery II wrote:
> I just upgraded shorewall (4.5.18 now) and rebooted the vps and still no
> go.
> iptables -L shows in the net2net chain:
> 
>  ACCEPT     udp  --  anywhere             home_hostname  ctorigdst
> vps_hostname udp dpt:openvpn
Please forward the output of ''shorewall dump'' collected as
described at
http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Ok.
Connecting From (current remote location): 50.197.38.198
Connecting To (VPS): 173.255.225.115
Trying to Redirect to (Home/VPN Server): 98.239.173.35

Shorewall started manually and dump run after I started the vpn trying  
to connect.
Dump attached.

Thanks.

Mark II


Quoting Tom Eastep <teastep@shorewall.net>:
> On 11/6/2013 1:22 AM, Mark D. Montgomery II wrote:
>> I just upgraded shorewall (4.5.18 now) and rebooted the vps and still
no
>> go.
>> iptables -L shows in the net2net chain:
>>
>>  ACCEPT     udp  --  anywhere             home_hostname  ctorigdst
>> vps_hostname udp dpt:openvpn
>
> Please forward the output of ''shorewall dump'' collected
as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
> Thanks,
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net





------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/6/2013 4:08 PM, Mark D. Montgomery II wrote:
> Ok.
> Connecting From (current remote location): 50.197.38.198
> Connecting To (VPS): 173.255.225.115
> Trying to Redirect to (Home/VPN Server): 98.239.173.35
> 
> Shorewall started manually and dump run after I started the vpn trying
> to connect.
> Dump attached.
> 
Your /etc/shorewall/masq rule is wrong.

You want udp 1194 connection *to* 98.219.143.35 to have their source
address rewritten as 173.255.225.115.

eth0:98.239.173.35 	0.0.0.0/0	173.255.225.115

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

On 11/7/2013 6:59 AM, Tom Eastep wrote:
> On 11/6/2013 4:08 PM, Mark D. Montgomery II wrote:
>> Ok.
>> Connecting From (current remote location): 50.197.38.198
>> Connecting To (VPS): 173.255.225.115
>> Trying to Redirect to (Home/VPN Server): 98.239.173.35
>>
>> Shorewall started manually and dump run after I started the vpn trying
>> to connect.
>> Dump attached.
>>
> 
> Your /etc/shorewall/masq rule is wrong.
> 
> You want udp 1194 connection *to* 98.219.143.35 to have their source
> address rewritten as 173.255.225.115.
> 
> eth0:98.239.173.35 	0.0.0.0/0	173.255.225.115
Or more restrictively:

eth0:98.239.173.35	0.0.0.0/0	173.255.225.115	udp	1194

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk

Thanks Tom!

That worked perfectly.

Mark II

Quoting Tom Eastep <teastep@shorewall.net>:
> On 11/7/2013 6:59 AM, Tom Eastep wrote:
>> On 11/6/2013 4:08 PM, Mark D. Montgomery II wrote:
>>> Ok.
>>> Connecting From (current remote location): 50.197.38.198
>>> Connecting To (VPS): 173.255.225.115
>>> Trying to Redirect to (Home/VPN Server): 98.239.173.35
>>>
>>> Shorewall started manually and dump run after I started the vpn
trying
>>> to connect.
>>> Dump attached.
>>>
>>
>> Your /etc/shorewall/masq rule is wrong.
>>
>> You want udp 1194 connection *to* 98.219.143.35 to have their source
>> address rewritten as 173.255.225.115.
>>
>> eth0:98.239.173.35 	0.0.0.0/0	173.255.225.115
>
> Or more restrictively:
>
> eth0:98.239.173.35	0.0.0.0/0	173.255.225.115	udp	1194
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net




------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk