Scorpy wrote:
> Dsl0 – internet interface
> Eth0 – local network
>
> I have linux box with shorewall 2.2.

Which hasn't been supported since Dec 1, 2005!

> And on the local network I also have a hardware router. I have connected
> WAN port with settings of my linux box

What does that mean? Does it mean that you assigned an RFC 1918 address to the
WAN port and set the router's default gateway to the IP address of the internal
interface on your linux box?

> and then created one more local network behind hardware router. It works
> fine.
>
> I then wanted to use VPN function of this hardware router

Hopefully the router's VPN supports NAT-T (NAT traversal) and you have
configured the VPN to use it; otherwise, this probably won't work at all.

> so I created ACCEPT and DNAT rules on shorewall so that all traffic is
> permitted from one external IP to this internal IP of hardware router.

Did you add an SNAT rule (/etc/shorewall/masq) so that traffic from this router
appears to come from that external IP address?

> Now I know that the connection works fine if I try to send packets from my
> hardware router to other side, but when the hardware router from the other
> side responds, I get REJECT error on the shorewall.

The traffic that is being logged is coming INTO your firewall on eth0 -- it
isn't a response from '...the other side'.

> I don't understand why is shorewall rejecting local traffic.

'detectnets', maybe?

> This is the message:
> Shorewall:all2all:REJECT:IN=eth0 OUT=
> MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.x.x.x DST=193.x.x.x
> LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500 LEN=84
>
> There are external IPs logged on the internal network. I don't get it.

I don't either -- but then you really haven't given us anything to go on (no
Shorewall configuration or dump -- oh, Shorewall 2.2 didn't even have a 'dump'
command. You really should upgrade....).

> I have accept rules for all ports and tcp, udp, ah and esp for NET:IP to FW
> and NET:IP to LOC.
>
> DNAT is created for NET:IP to LOC:IP for all ports and all protocols.

Again, what about SNAT?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
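Tom's reading of the log line (the packet came INTO the firewall on eth0 from an external source address, so it is not a reply from the far end) can be checked mechanically against a log feed. The Python script below is an added example, not code from the thread and not Shorewall's own: it decodes the Shorewall log prefix (chain and disposition) and the netfilter KEY=VALUE fields that follow it, labels the flow (UDP/500 is IKE), and reports packets that arrived on the LAN interface with a source address outside the LAN network. The LAN network 192.168.1.0/24 and the filled-in octets of the post's masked addresses are assumptions made for illustration.

```python
"""Decode Shorewall log lines and flag packets whose source address does not
belong on the interface they arrived on.

Added example, not from the thread and not Shorewall's own code.  The LAN
network below and the filled-in octets of the post's masked addresses are
assumptions made for illustration.
"""
import ipaddress
import re

# Constructed sample: the log line quoted in the post, with the masked
# 'x' octets replaced by made-up values and a syslog prefix added.
SAMPLE_LOG = (
    "Mar  1 12:00:00 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= "
    "MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.0.0.1 DST=193.0.0.1 "
    "LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500 LEN=84"
)

# Assumed: eth0 is the LAN interface and 192.168.1.0/24 is the only network
# whose hosts should ever appear as a source on it.
LAN_INTERFACE = "eth0"
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter KEY=VALUE fields; a syslog timestamp may precede it on the line.
_PREFIX = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")
_FIELD = re.compile(r"(\w+)=(\S*)")

# Well-known IPsec-related UDP ports, used only to label the flow.
_IKE_PORTS = {"500": "IKE (ISAKMP)", "4500": "IKE/ESP over UDP (NAT-T)"}


def parse_shorewall_log(line):
    """Return a dict of the chain, disposition and netfilter fields of a line."""
    m = _PREFIX.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    record = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in _FIELD.findall(m.group("fields")):
        # LEN= appears twice (IP total length, then UDP length); keep the first.
        record.setdefault(key, value)
    return record


def describe_flow(record):
    """Human-readable label for the logged packet's protocol and ports."""
    proto = record.get("PROTO", "?")
    if proto == "UDP" and record.get("DPT") in _IKE_PORTS:
        return "%s, UDP/%s" % (_IKE_PORTS[record["DPT"]], record["DPT"])
    if proto in ("ESP", "AH"):
        return "IPsec %s" % proto
    if "DPT" in record:
        return "%s/%s" % (proto, record["DPT"])
    return proto


def check_source_interface(record, lan_if=LAN_INTERFACE, lan_net=LAN_NETWORK):
    """Return a finding if the packet entered on the LAN interface with a
    source address outside the LAN network, otherwise None.

    Such a packet is not a reply coming back from the Internet: the firewall
    saw it arrive from the inside, which is what the thread's log line shows.
    """
    if record.get("IN") != lan_if:
        return None
    src = ipaddress.ip_address(record["SRC"])
    if src in lan_net:
        return None
    return "%s %s: %s arrived on %s from %s, which is outside %s" % (
        record["chain"], record["disposition"], describe_flow(record),
        lan_if, src, lan_net)


if __name__ == "__main__":
    rec = parse_shorewall_log(SAMPLE_LOG)
    print(rec)
    print(check_source_interface(rec))
```

Run it as-is to see the sample decoded, or feed `parse_shorewall_log` each line of the firewall's syslog and keep only those for which `check_source_interface` returns a finding; adjusting `LAN_INTERFACE` and `LAN_NETWORK` to the real values is the only change needed.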
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
