Robert,

This is a mailing list run by volunteers -- repeating your post in a
short timespan only annoys us -- it doesn't get you faster service.

Robert wrote:
> Hi
> I've just installed Shorewall 4.4.0 on my system. It looks like this:
> 
> Box with Linux 2.6 with:
> ath0 interface with public ip (x.x.x.x)
> eth0 interface with internal ip (192.168.111.1) used as gateway for my
> home network
> 
> and I am trying to set up OpenVPN tunnel with my work network from this
> box
> 
> tun0 interface with internal ip (10.8.5.254) end point (at work)
> 10.8.5.253 - OpenVPN connects with remote system ip y.y.y.y
> 
> I've some problems with this stuff. I set up shorewall and computers
> from network 192.168.111.0
> can use ath0 as default gateway for internet (masq).
> Also found doc (shorewall.net) and set up vpn connection but still got
> for example:
> 
> kernel: martian source 10.8.5.254 from 212.77.100.101, on dev tun0
> 
> while ping via tun interface ( ping -c 5 -I tun0 www.wp.pl).
> 
> First question what is wrong in my configuration?

The Shorewall support page (http://www.shorewall.net/support.htm)
specifically asks that you not send us your configuration unless
requested. The reason for that is that your configuration reflects your
solution to some problem. If all we have is your configuration, then we
are forced to guess what the problem is that you are trying to solve. If
you submit the output of 'shorewall dump', as requested on the page, we
can then see both the problem and your solution to it.

The presence of 'martian' messages indicates a problem with your
routing, not with your Shorewall configuration. You can get rid of the
'martian' messages by changing the configuration of 'tun0' in
/etc/shorewall/interfaces to read:

vpn     tun0    detect  tcpflags,routefilter=0,nosmurfs,blacklist
                                 -------------
Note: I must say that this is the first time that I ever saw 'blacklist'
specified on an internal interface like a VPN.

> Second question:
> I want to masquerade packets from host 192.168.111.21 (from my local
> network) via OpenVPN tunnel defined in /etc/shorewall/tunnels.
> Other host still should use eth0. 
> 
> So in /etc/shorewall/masq I add
> tun0    196.168.111.21
> ath0  eth0
> 
> But it's not working. Again am I missing something?

"it's not working" means what? That connections created after you
changed your configuration and restarted Shorewall don't get
masqueraded? Or that communication from 196.168.111.21 to VPN hosts
fails? If so how does it fail? Because the response packets are dropped
as martians? If so, the change suggested above will stop that.

If you continue to have problems, please send us 'shorewall dump' output
collected as described in the support article, and explain exactly what
you tried and what happened in response; we will try to help you.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
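
Added example, not part of Tom's message or of Shorewall: a Python model of the strict reverse-path check that the 'routefilter' interface option controls, run against the martian line quoted above. The routing table is constructed; in particular the default route via ath0 is an assumption, since the post does not show the routes.

```python
import ipaddress
import re

# Constructed routing table for the box in the post (assumption: the default
# route leaves via ath0; the post does not include the actual routes).
ROUTES = [
    ("0.0.0.0/0", "ath0"),         # Internet
    ("192.168.111.0/24", "eth0"),  # home LAN
    ("10.8.5.253/32", "tun0"),     # OpenVPN point-to-point peer
]

# Kernel format: "martian source <destination> from <source>, on dev <iface>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")

def parse_martian(line):
    """Return (destination, source, ingress device), or None if no match."""
    m = MARTIAN_RE.search(line)
    return (m.group("dst"), m.group("src"), m.group("dev")) if m else None

def reverse_path_dev(src, routes=ROUTES):
    """Longest-prefix match: the interface this box would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def passes_rp_filter(src, in_dev, mode, routes=ROUTES):
    """mode 0: no check (routefilter=0). mode 1: strict check, the packet
    must arrive on the interface that the route back to src uses."""
    if mode == 0:
        return True
    return reverse_path_dev(src, routes) == in_dev

def explain(line, mode, routes=ROUTES):
    parsed = parse_martian(line)
    if parsed is None:
        return "not a martian log line"
    dst, src, dev = parsed
    back = reverse_path_dev(src, routes)
    ok = passes_rp_filter(src, dev, mode, routes)
    verdict = "accepted" if ok else "dropped as martian"
    return f"{src} -> {dst} in on {dev}, route back via {back}: {verdict}"

if __name__ == "__main__":
    log = "kernel: martian source 10.8.5.254 from 212.77.100.101, on dev tun0"
    print(explain(log, mode=1))  # strict filter: reply arrives on the "wrong" interface
    print(explain(log, mode=0))  # routefilter=0: check skipped, routing still asymmetric
```

With mode 0 the packet is accepted, but the route back to the source still points at ath0, which is the routing problem the reply refers to.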
