Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:

> I'll send to the list the consequences of my corrections. Thanks!
> Thanks very much for your help and thanks to the Shorewall Team for its
> great work with this Firewall.

You are welcome.

Regards,
-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Hello Tom, and thanks again for your advice. I answer each question below:

On 19/02/2010 15:58, Tom Eastep wrote:
> Miguel A. Velasco wrote:
>
>> I have tried running shorewall with this config but I
>> haven't internet access. Even I can't ping from the
>> firewall to 10.10.90.3 or 10.10.100.3
>> Any idea?
>
> Yes -- just forget my suggestion.
>
>> At this point what do you suggest? I mean: as you say the
>> problem is not in shorewall config and isn't on the windows
>> machine (pptp client) because I am able to connect this Server
>> directly to pptp server, avoiding shorewall firewall
>
> I keep trying to tell you that you are avoiding *double NAT* when you
> connect directly. I suspect that is the problem and it may not be
> solvable; I don't know. The trace log you sent (which STILL DIDN'T USE
> THE -n OPTION) shows both TCP and GRE traffic flowing in both
> directions. So there is nothing more that I know of that you can expect
> the firewall to do.

Following your instructions, I'm going to try to configure my ADSL router
as a bridge, avoiding double NAT. Secondly, if it doesn't work I'll try to
remove the pptp conntrack and nat helper modules as you commented.

>> (connecting through the adsl router ...).
>> Then, when you say it's a PPTP issue, what exactly do you
>> refer to?
>
> See above. You need to get help from PPTP experts, not Firewall experts.
>
> -Tom

I'll send to the list the consequences of my corrections. Thanks very much
for your help and thanks to the Shorewall Team for its great work with
this Firewall.

Miguel A. Velasco
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Tom Eastep wrote:

> I keep trying to tell you that you are avoiding *double NAT* when you
> connect directly. I suspect that is the problem and it may not be
> solvable; I don't know. The trace log you sent (which STILL DIDN'T USE
> THE -n OPTION) shows both TCP and GRE traffic flowing in both
> directions. So there is nothing more that I know of that you can expect
> the firewall to do.

One thing that you can *try* -- remove the pptp conntrack and nat helper
modules and try to connect.

-Tom
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:

> I have tried running shorewall with this config but I
> haven't internet access. Even I can't ping from the
> firewall to 10.10.90.3 or 10.10.100.3
> Any idea?

Yes -- just forget my suggestion.

> At this point what do you suggest? I mean: as you say the
> problem is not in shorewall config and isn't on the windows
> machine (pptp client) because I am able to connect this Server
> directly to pptp server, avoiding shorewall firewall

I keep trying to tell you that you are avoiding *double NAT* when you
connect directly. I suspect that is the problem and it may not be
solvable; I don't know. The trace log you sent (which STILL DIDN'T USE
THE -n OPTION) shows both TCP and GRE traffic flowing in both
directions. So there is nothing more that I know of that you can expect
the firewall to do.

> (connecting through the adsl router ...).
> Then, when you say it's a PPTP issue, what exactly do you
> refer to?

See above. You need to get help from PPTP experts, not Firewall experts.

-Tom
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Hello Tom, and thanks very much for your comments again. I answer some of
your questions below:

On 17/02/2010 16:33, Tom Eastep wrote:
> Miguel A. Velasco wrote:
>> Hello, thanks very much for your help. I answer each of your questions
>> or comments below:
>>
>>> Given that your external IP addresses are in the RFC 1918 range, you
>>> are doing "double NAT" of all of your traffic. Do you know for certain
>>> that this works in a single-ISP configuration?
>>
>> At this point I may add that this /etc/shorewall/masq config is
>> so confusing for me. When I set up the MultiISP config I followed the
>> instructions from here:
>> http://blog.nkadesign.com/2009/sysadmin-multiple-isp-firewall-servers-and-redundancy/
>> and that article helped me so much, but in the case of the masq file,
>> I never understood why this config
>
> If that configuration is confusing, then simply do this:
>
> #INTERFACE  SOURCE     ADDRESS
> $ADSL_IF    0.0.0.0/0  10.10.90.3
> $DSL_IF     0.0.0.0/0  10.10.100.3

I have tried running shorewall with this config but I haven't internet
access. Even I can't ping from the firewall to 10.10.90.3 or 10.10.100.3.
Any idea?

>> About your question, I don't understand why you say I'm using
>> double NAT ...
>
> 10.10.x.x are private addresses reserved by RFC 1918. Hosts on the
> internet cannot send packets to those addresses. It therefore follows
> that there is another router between your Shorewall system and the
> Internet that is rewriting the SOURCE IP address in outgoing packets to
> something that is routable over the Internet; so both your Shorewall
> system AND the other router are doing NAT.

Now I understand you perfectly! Thanks for your explanation :)

>>> I think you will need to use a packet sniffer to see what is happening
>>> on the external interface. Other than the fact that you have many
>>> unneeded rules, I don't see anything wrong with your Shorewall setup.
>>
>> I attach three files, that are outputs of
>> #tcpdump -e -v -i eth1 -n dst host ip_pptpserver
>> where pptpserver is 106.Red-214-4-50 and 10.10.80.10 is my
>> pptpclient.
>> The server's IP when it is connected to the vpn is 192.168.11.83.
>
> Your tcpdump output:
>
> a) Only shows outbound traffic because you specified 'dst host' rather
>    than 'host'.
> b) It uses DNS names! Please always use the '-n' option so that the dump
>    contains IP addresses rather than DNS names.

Again you are right in all the comments. Now I have tested with
#tcpdump -n -i eth1 -n host pptpserver_ip
and I attach the dump files in case you want to have a look.

>> May I configure any specific rule for IP 192.168.11.83? ...
>> Even I've also tried opening all zones with ACCEPT in the policy file
>> but it hasn't worked
>
> This isn't a Shorewall security-related issue; it is a PPTP issue.
> Shorewall is not causing the problem here because the PPTP client and
> server ARE COMMUNICATING; the SCP negotiation seems to be failing for
> some reason. Seeing both sides of the conversation might tell you why.

At this point what do you suggest? I mean: as you say the problem is not
in shorewall config and isn't on the windows machine (pptp client)
because I am able to connect this Server directly to pptp server,
avoiding shorewall firewall (connecting through the adsl router ...).
Then, when you say it's a PPTP issue, what exactly do you refer to?
I've been reading a lot of documentation about kernel modules to run pptp
but I'm running Kernel 2.6.x with all pptp and masquerade modules
loaded ... Do you have any idea where I could continue investigating?

Thanks very much for your help. Best Regards.

Miguel A. Velasco

> -Tom

12:40:34.159548 IP 10.10.90.12.chromagrafx > 106.Red-213-4-45.staticIP.rima-tde.net.pptp: S 2288996179:2288996179(0) win 65535
12:40:34.246244 IP 106.Red-213-4-45.staticIP.rima-tde.net.pptp > 10.10.90.12.chromagrafx: S 1699308169:1699308169(0) ack 2288996180 win 5840
12:40:34.246555 IP 10.10.90.12.chromagrafx > 106.Red-213-4-45.staticIP.rima-tde.net.pptp: . ack 1 win 65535
12:40:34.246617 IP 10.10.90.12.chromagrafx > 106.Red-213-4-45.staticIP.rima-tde.net.pptp: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(3790) [|pptp]
12:40:34.337130 IP 106.Red-213-4-45.staticIP.rima-tde.net.pptp > 10.10.90.12.chromagrafx: . ack 157 win 6432
12:40:34.346275 IP 106.Red-213-4-45.staticIP.rima-tde.net.pptp > 10.10.90.12.chromagrafx: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:
> Hello, thanks very much for your help. I answer each of your questions
> or comments below:
>
>> Given that your external IP addresses are in the RFC 1918 range, you
>> are doing "double NAT" of all of your traffic. Do you know for certain
>> that this works in a single-ISP configuration?
>
> At this point I may add that this /etc/shorewall/masq config is
> so confusing for me. When I set up the MultiISP config I followed the
> instructions from here:
> http://blog.nkadesign.com/2009/sysadmin-multiple-isp-firewall-servers-and-redundancy/
> and that article helped me so much, but in the case of the masq file,
> I never understood why this config

If that configuration is confusing, then simply do this:

#INTERFACE  SOURCE     ADDRESS
$ADSL_IF    0.0.0.0/0  10.10.90.3
$DSL_IF     0.0.0.0/0  10.10.100.3

> About your question, I don't understand why you say I'm using
> double NAT ...

10.10.x.x are private addresses reserved by RFC 1918. Hosts on the
internet cannot send packets to those addresses. It therefore follows
that there is another router between your Shorewall system and the
Internet that is rewriting the SOURCE IP address in outgoing packets to
something that is routable over the Internet; so both your Shorewall
system AND the other router are doing NAT.

>> I think you will need to use a packet sniffer to see what is happening
>> on the external interface. Other than the fact that you have many
>> unneeded rules, I don't see anything wrong with your Shorewall setup.
>
> I attach three files, that are outputs of
> #tcpdump -e -v -i eth1 -n dst host ip_pptpserver
> where pptpserver is 106.Red-214-4-50 and 10.10.80.10 is my
> pptpclient.
> The server's IP when it is connected to the vpn is 192.168.11.83.

Your tcpdump output:

a) Only shows outbound traffic because you specified 'dst host' rather
   than 'host'.
b) It uses DNS names! Please always use the '-n' option so that the dump
   contains IP addresses rather than DNS names.

> May I configure any specific rule for IP 192.168.11.83? ...
> Even I've also tried opening all zones with ACCEPT in the policy file
> but it hasn't worked

This isn't a Shorewall security-related issue; it is a PPTP issue.
Shorewall is not causing the problem here because the PPTP client and
server ARE COMMUNICATING; the SCP negotiation seems to be failing for
some reason. Seeing both sides of the conversation might tell you why.

-Tom
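The two capture mistakes called out above ('dst host' instead of 'host', no -n) and the later reading of the trace ("both TCP and GRE traffic flowing in both directions") are mechanical checks that can be run over a tcpdump text dump. The script below is an added example, not part of the thread and not Shorewall's code: it parses `tcpdump -n` lines, counts TCP/1723 control packets and GRE packets per direction relative to the PPTP client, lists the PPTP control message types seen, and reports the same findings Tom derived by eye. The sample capture is constructed (192.0.2.45 stands in for the remote PPTP server; the decoder fields imitate tcpdump's format), and the "control works but no GRE" verdict generalises beyond the thread to the usual case where protocol 47 is the thing being dropped.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth1 host <server>` output for a PPTP
# session. Addresses are placeholders (192.0.2.45 = remote PPTP server); the
# decoder fields imitate the format tcpdump prints for PPTP control and GRE.
SAMPLE_DUMP = """\
12:40:34.159548 IP 10.10.90.12.1042 > 192.0.2.45.1723: S 2288996179:2288996179(0) win 65535
12:40:34.246244 IP 192.0.2.45.1723 > 10.10.90.12.1042: S 1699308169:1699308169(0) ack 2288996180 win 5840
12:40:34.246617 IP 10.10.90.12.1042 > 192.0.2.45.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0)
12:40:34.346275 IP 192.0.2.45.1723 > 10.10.90.12.1042: P 1:157(156) ack 157 win 6432: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1)
12:40:34.400000 IP 10.10.90.12.1042 > 192.0.2.45.1723: P 157:325(168) ack 157 win 65535: pptp CTRL_MSGTYPE=OCRQ
12:40:34.500000 IP 192.0.2.45.1723 > 10.10.90.12.1042: P 157:189(32) ack 325 win 6432: pptp CTRL_MSGTYPE=OCRP RESULT_CODE(1)
12:40:34.600000 IP 10.10.90.12 > 192.0.2.45: GREv1, call 0, seq 1, length 40: LCP, Conf-Request (0x01)
12:40:34.700000 IP 192.0.2.45 > 10.10.90.12: GREv1, call 0, ack 1, length 40: LCP, Conf-Request (0x01)
"""

# timestamp, "IP", src[.port], ">", dst[.port] ":", rest of the decode
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' into (host, port). GRE lines carry no port, so
    port is None there; a DNS name (capture taken without -n) is returned whole."""
    host, dot, last = endpoint.rpartition(".")
    if dot and _is_ip(host):
        return host, last
    return endpoint, None


def analyse_dump(text, client_ip):
    """Summarise a capture of a PPTP session from client_ip: per-direction counts
    of TCP/1723 control and GRE packets, control message types, endpoints printed
    as DNS names (no -n), and whether only one direction was captured (a
    'dst host' filter instead of 'host')."""
    control, gre, messages, dns_names = Counter(), Counter(), [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        dns_names.update(h for h in (src, dst) if not _is_ip(h))
        if src == client_ip:
            direction = "out"
        elif dst == client_ip:
            direction = "in"
        else:
            continue  # not this client's traffic
        rest = m["rest"]
        if rest.startswith("GRE"):
            gre[direction] += 1
        elif "1723" in (sport, dport) or "pptp" in (sport, dport):
            control[direction] += 1
            ctrl = re.search(r"CTRL_MSGTYPE=(\w+)", rest)
            if ctrl:
                messages.append((direction, ctrl.group(1)))
    seen = {d for counter in (control, gre) for d in counter}
    return {
        "control": dict(control),
        "gre": dict(gre),
        "messages": messages,
        "dns_names": sorted(dns_names),
        "one_way_only": len(seen) == 1,
    }


def diagnose(summary):
    """Turn the summary into the checks the thread walks through."""
    findings = []
    if summary["dns_names"]:
        findings.append("capture contains DNS names: re-run tcpdump with -n")
    if summary["one_way_only"]:
        findings.append("only one direction captured: filter on 'host', not 'dst host'")
    both_control = {"in", "out"} <= set(summary["control"])
    both_gre = {"in", "out"} <= set(summary["gre"])
    if both_control and both_gre:
        findings.append("TCP/1723 and GRE flow both ways: the firewall is passing the "
                        "session, look at the PPP negotiation in the GRE payload")
    elif both_control and not summary["gre"]:
        findings.append("control channel works but no GRE seen: protocol 47 is being "
                        "dropped or not NATed")
    return findings


if __name__ == "__main__":
    s = analyse_dump(SAMPLE_DUMP, "10.10.90.12")
    print(s["control"], s["gre"], s["messages"])
    for finding in diagnose(s):
        print("-", finding)
```

Feed it the text of a real `tcpdump -n -i <external_if> host <server_ip>` run and the client's LAN (or post-NAT) address as seen on that interface; when a capture was taken with a 'dst host' filter the one-direction finding fires before anything else is judged, because an absent return path says nothing about the firewall.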
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Hello, thanks very much for your help. I answer each of your questions or
comments below:

>> I've an openvpn server running on the firewall and working on eth1 and
>> I'd like to config my firewall to let a pptp client, running on my LAN
>> (with IP 10.10.80.10), connect to a pptp remote vpn server of a
>> different company. But I am not able to do this, and that's my problem :)
>
> Can we have a few more details please besides "it doesn't work"?

Of course, the server named Galileo, whose IP is 10.10.80.10, connects to
the pptp remote vpn successfully but the connection goes down after
exactly 30 seconds ... Always 30 seconds!!

>> /etc/shorewall/policy:
>> #SOURCE  DEST  POLICY  LOG    LIMIT:BURST
>> #                      LEVEL
>> loc      net   DROP    info
>
> Very unfriendly policy for loc->net; much nicer for your local users if
> you use REJECT.

That's OK :). I'll change it.

>> fw       loc   DROP    info
>> fw       net   DROP    info
>> fw       dmz   DROP    info
>> loc      dmz   DROP    info
>> ##OpenVPN -- ##
>> vpn      fw    ACCEPT  info
>> fw       vpn   ACCEPT  info
>> net      vpn   DROP    info
>> loc      vpn   ACCEPT  info
>> vpn      loc   ACCEPT  info
>> vpn      net   DROP    info
>> vpn      dmz   DROP    info
>> ##DMZ -- ##
>> dmz      net   DROP    info
>> dmz      fw    DROP    info
>> dmz      loc   DROP    info
>> dmz      vpn   DROP    info
>> dmz      all   DROP    info
>> ## -
>> net      all   DROP    info
>> all      all   REJECT  info
>>
>> /etc/shorewall/params:
>> LAN_IF=eth0
>> ADSL_IF=eth1
>> DSL_IF=eth2
>> DMZ_IF=eth3
>> IP_GALILEO=10.10.80.10  --> it's the pptp client.
>>
>> /etc/shorewall/masq:
>> #INTERFACE  SOURCE          ADDRESS      PROTO  PORT(S)  IPSEC  MARK
>> $ADSL_IF    10.10.100.3     10.10.90.3
>> $DSL_IF     10.10.90.3      10.10.100.3
>> $ADSL_IF    10.10.110.0/24
>> $DSL_IF     10.10.110.0/24
>> $ADSL_IF    10.10.80.0/24
>> $DSL_IF     10.10.80.0/24
>
> Given that your external IP addresses are in the RFC 1918 range, you are
> doing "double NAT" of all of your traffic. Do you know for certain that
> this works in a single-ISP configuration?

At this point I may add that this /etc/shorewall/masq config is so
confusing for me. When I set up the MultiISP config I followed the
instructions from here:
http://blog.nkadesign.com/2009/sysadmin-multiple-isp-firewall-servers-and-redundancy/
and that article helped me so much, but in the case of the masq file, I
never understood why this config

About your question, I don't understand why you say I'm using double
NAT ...

>> /etc/shorewall/tcrules:
>> #MARK  SOURCE         DEST  PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
>> #                                  PORT(S)  PORT(S)
>> 0x6:P  10.10.80.0/24  -     tcp    80,443
>> #All outgoing traffic of port 1723 and gre protocol is routed through isp_6M
>> 0x6:P  10.10.80.10    -     tcp    1723
>> 0x6:P  10.10.80.10    -     udp    1723
>> 0x6:P  10.10.80.10    -     gre
>> 0x6:P  10.10.80.10    -     47
>
> Last rule is redundant -- gre == 47

Ok, thanks. I take note.

>> /etc/shorewall/route_rules:
>> #SOURCE  DEST  PROVIDER  PRIORITY
>> $DMZ_IF  -     Isp_1M    1000
>>
>> /etc/shorewall/rules: (just what concerns the pptp client config):
>> ACCEPT     loc:$IP_GALILEO  net
>
> All of the following rules are redundant

Again, I take note. I've all of these rules because I have tried many
rules to run the pptp client ...

>> ACCEPT     loc:$IP_GALILEO  net              47
>> ACCEPT     loc:$IP_GALILEO  net              gre
>> ACCEPT     loc:$IP_GALILEO  net              tcp  1723
>> ACCEPT     $FW              net              47
>> ACCEPT     $FW              net              gre
>> ACCEPT     $FW              net              tcp  1723
>> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  47
>> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  tcp  1723
>> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  gre
>>
>> I also attach a shorewall dump file to analyze and troubleshoot my
>> network config. I would be pleased if someone could help me with this
>> problem.
>
> I think you will need to use a packet sniffer to see what is happening
> on the external interface. Other than the fact that you have many
> unneeded rules, I don't see anything wrong with your Shore
Re: [Shorewall-users] How to connect a PPTP Client behind a MultiISP shorewall config
Miguel A. Velasco wrote:

> I've an openvpn server running on the firewall and working on eth1 and
> I'd like to config my firewall to let a pptp client, running on my LAN
> (with IP 10.10.80.10), connect to a pptp remote vpn server of a
> different company. But I am not able to do this, and that's my problem :)

Can we have a few more details please besides "it doesn't work"?

> /etc/shorewall/policy:
> #SOURCE  DEST  POLICY  LOG    LIMIT:BURST
> #                      LEVEL
> loc      net   DROP    info

Very unfriendly policy for loc->net; much nicer for your local users if
you use REJECT.

> fw       loc   DROP    info
> fw       net   DROP    info
> fw       dmz   DROP    info
> loc      dmz   DROP    info
> ##OpenVPN -- ##
> vpn      fw    ACCEPT  info
> fw       vpn   ACCEPT  info
> net      vpn   DROP    info
> loc      vpn   ACCEPT  info
> vpn      loc   ACCEPT  info
> vpn      net   DROP    info
> vpn      dmz   DROP    info
> ##DMZ -- ##
> dmz      net   DROP    info
> dmz      fw    DROP    info
> dmz      loc   DROP    info
> dmz      vpn   DROP    info
> dmz      all   DROP    info
> ## -
> net      all   DROP    info
> all      all   REJECT  info
>
> /etc/shorewall/params:
> LAN_IF=eth0
> ADSL_IF=eth1
> DSL_IF=eth2
> DMZ_IF=eth3
> IP_GALILEO=10.10.80.10  --> it's the pptp client.
>
> /etc/shorewall/masq:
> #INTERFACE  SOURCE          ADDRESS      PROTO  PORT(S)  IPSEC  MARK
> $ADSL_IF    10.10.100.3     10.10.90.3
> $DSL_IF     10.10.90.3      10.10.100.3
> $ADSL_IF    10.10.110.0/24
> $DSL_IF     10.10.110.0/24
> $ADSL_IF    10.10.80.0/24
> $DSL_IF     10.10.80.0/24

Given that your external IP addresses are in the RFC 1918 range, you are
doing "double NAT" of all of your traffic. Do you know for certain that
this works in a single-ISP configuration?

> /etc/shorewall/tcrules:
> #MARK  SOURCE         DEST  PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
> #                                  PORT(S)  PORT(S)
> 0x6:P  10.10.80.0/24  -     tcp    80,443
> #All outgoing traffic of port 1723 and gre protocol is routed through isp_6M
> 0x6:P  10.10.80.10    -     tcp    1723
> 0x6:P  10.10.80.10    -     udp    1723
> 0x6:P  10.10.80.10    -     gre
> 0x6:P  10.10.80.10    -     47

Last rule is redundant -- gre == 47

> /etc/shorewall/route_rules:
> #SOURCE  DEST  PROVIDER  PRIORITY
> $DMZ_IF  -     Isp_1M    1000
>
> /etc/shorewall/rules: (just what concerns the pptp client config):
> ACCEPT     loc:$IP_GALILEO  net

All of the following rules are redundant

> ACCEPT     loc:$IP_GALILEO  net              47
> ACCEPT     loc:$IP_GALILEO  net              gre
> ACCEPT     loc:$IP_GALILEO  net              tcp  1723
> ACCEPT     $FW              net              47
> ACCEPT     $FW              net              gre
> ACCEPT     $FW              net              tcp  1723
> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  47
> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  tcp  1723
> DNAT:info  net:$DSL_IF      loc:$IP_GALILEO  gre
>
> I also attach a shorewall dump file to analyze and troubleshoot my
> network config. I would be pleased if someone could help me with this
> problem.

I think you will need to use a packet sniffer to see what is happening
on the external interface. Other than the fact that you have many
unneeded rules, I don't see anything wrong with your Shorewall setup.

-Tom
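Tom's "double NAT" observation in this message and his later RFC 1918 explanation both follow from one fact: every masq entry above ends up sending packets out with a 10.10.x.x source, which nothing on the Internet can answer, so a second router upstream must be translating again. The script below is an added example (not from the thread and not Shorewall's own code) that makes that check mechanical: it parses the INTERFACE, SOURCE and ADDRESS columns of a masq file, resolves $VAR interface names through params, works out the source address each entry will leave with (the ADDRESS column for SNAT, otherwise the interface's own address for MASQUERADE) and flags the ones in RFC 1918 space. The masq text and params are copied from the thread; the interface addresses in IFACE_ADDRS are constructed from the masq entries, since the thread never shows `ip addr` output.

```python
import ipaddress

# RFC 1918 private ranges. A packet leaving with one of these as its source
# cannot be answered from the Internet, so an upstream device must NAT again.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed copies of the params and masq entries posted in the thread.
PARAMS = {"LAN_IF": "eth0", "ADSL_IF": "eth1", "DSL_IF": "eth2", "DMZ_IF": "eth3"}
MASQ = """\
#INTERFACE  SOURCE          ADDRESS
$ADSL_IF    10.10.100.3     10.10.90.3
$DSL_IF     10.10.90.3      10.10.100.3
$ADSL_IF    10.10.110.0/24
$DSL_IF     10.10.110.0/24
$ADSL_IF    10.10.80.0/24
$DSL_IF     10.10.80.0/24
"""
# Constructed (assumed) address of each external interface on the firewall;
# an entry with no ADDRESS column masquerades to this address.
IFACE_ADDRS = {"eth1": "10.10.90.3", "eth2": "10.10.100.3"}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_masq(text, params):
    """Parse the INTERFACE, SOURCE and ADDRESS columns of a Shorewall masq file.
    Comment and blank lines are skipped, $VAR interface names are expanded from
    params, and a missing or '-' ADDRESS means MASQUERADE (interface address)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        iface = cols[0]
        if iface.startswith("$"):
            iface = params.get(iface[1:], iface)
        source = cols[1] if len(cols) > 1 else "-"
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        entries.append({"interface": iface, "source": source, "address": address})
    return entries


def egress_report(entries, iface_addrs):
    """For each entry, the source address its packets leave with and whether that
    address is RFC 1918, i.e. the router upstream of the interface must NAT again."""
    report = []
    for e in entries:
        egress = e["address"] or iface_addrs.get(e["interface"])
        if egress is None:
            continue  # interface address unknown, nothing to judge
        report.append({**e, "egress": egress, "double_nat": is_rfc1918(egress)})
    return report


def interfaces_behind_nat(report):
    """Interfaces on which at least one entry leaves with a private address."""
    return sorted({r["interface"] for r in report if r["double_nat"]})


if __name__ == "__main__":
    rep = egress_report(parse_masq(MASQ, PARAMS), IFACE_ADDRS)
    for r in rep:
        print(f"{r['interface']:5} {r['source']:15} -> {r['egress']:12} "
              f"{'double NAT' if r['double_nat'] else 'public'}")
    print("interfaces behind an upstream NAT:", interfaces_behind_nat(rep))
```

Run against the thread's configuration every entry on both eth1 and eth2 reports double NAT, which is the situation Tom describes; an interface whose own address (or SNAT ADDRESS) is public reports none, which is the single-NAT case the PPTP helpers are normally tested against.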