Miguel A. Velasco wrote:
> Hello, thanks very much for your help. I answer each of your questions or
> comments below:

> 
> Given that your external IP addresses are in the RFC 1918 range, you are
> doing "double NAT" of all of your traffic. Do you know for certain that
> this works in a single-ISP configuration?
> 
>     At this point I may add that this /etc/shorewall/masq config is
>     so confusing for me. When I set up the Multi-ISP config I followed the
>     instructions from here:
>     http://blog.nkadesign.com/2009/sysadmin-multiple-isp-firewall-servers-and-redundancy/
>     and this article helped me so much, but in the case of the masq file,
>     I never understood why this config ....

        If that configuration is confusing, then simply do this:

        #INTERFACE        SOURCE          ADDRESS
        $ADSL_IF          0.0.0.0/0       10.10.90.3
        $DSL_IF           0.0.0.0/0       10.10.100.3

>     About your question, I don't understand why you say I'm using
>     double NAT ...

        10.10.x.x are private addresses reserved by RFC 1918. Hosts on
        the internet cannot send packets to those addresses. It
        therefore follows that there is another router between your
        Shorewall system and the Internet that is rewriting the SOURCE
        IP address in outgoing packets to something that is routable
        over the Internet; so both your Shorewall system AND the other
        router are doing NAT.

> I think you will need to use a packet sniffer to see what is happening
> on the external interface. Other than the fact that you have many
> unneeded rules, I don't see anything wrong with your Shorewall setup.
> 
>     I attach three files, that are outputs of
>     #tcpdump -e -v -i eth1 -n dst host ip_pptpserver
>     where pptpserver is 106.Red-214-4-50 and 10.10.80.10 is my
>     pptpclient.
>     The server's IP when it is connected to the VPN is
>     192.168.11.83.

Your tcpdump output:

        a) Only shows outbound traffic because you specified 'dst host'
           rather than 'host'.
        b) It uses DNS names! Please always use the '-n' option so that
           the dump contains IP addresses rather than DNS names.

> 
> May I configure any specific rule for IP 192.168.11.83? ...
> I've even also tried opening all zones with ACCEPT in the policy file
> but it hasn't worked....

This isn't a Shorewall security-related issue; it is a PPTP issue.
Shorewall is not causing the problem here because the PPTP client and
server ARE COMMUNICATING; the SCP negotiation seems to be failing for
some reason. Seeing both sides of the conversation might tell you why.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
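The point Tom makes about double NAT can be checked mechanically: if the ADDRESS column of /etc/shorewall/masq (the SNAT address Shorewall writes into outgoing packets) is itself an RFC 1918 address, some other device upstream must be translating again before the packet reaches the Internet. The script below is an added example, not part of this thread or of Shorewall itself; it parses the simple three-column masq layout Tom shows, expands the $ADSL_IF/$DSL_IF variables from a hypothetical, constructed parameter map (eth1/eth2 are assumptions), and reports every entry whose SNAT address is private. It does not handle the richer masq syntax (address ranges, comma lists, interface qualifiers), which Shorewall also accepts.

```python
import ipaddress

# Constructed sample in the three-column /etc/shorewall/masq layout quoted in the thread.
SAMPLE_MASQ = """\
#INTERFACE        SOURCE          ADDRESS
$ADSL_IF          0.0.0.0/0       10.10.90.3
$DSL_IF           0.0.0.0/0       10.10.100.3
"""

# Hypothetical interface names; Shorewall would normally take these from /etc/shorewall/params.
SAMPLE_PARAMS = {"ADSL_IF": "eth1", "DSL_IF": "eth2"}

# The three private ranges reserved by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expand_var(token, params):
    """Replace a $NAME token with its value from params; leave anything else untouched."""
    if token.startswith("$"):
        return params.get(token[1:], token)
    return token


def parse_masq(text, params):
    """Parse INTERFACE SOURCE [ADDRESS] lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed masq line: {raw!r}")
        entries.append({
            "interface": expand_var(fields[0], params),
            "source": fields[1],
            # ADDRESS is optional: without it Shorewall uses plain MASQUERADE.
            "address": fields[2] if len(fields) > 2 else None,
        })
    return entries


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_double_nat(entries):
    """Entries whose SNAT address is private: a second NAT device must sit upstream."""
    return [e for e in entries if e["address"] and is_rfc1918(e["address"])]


if __name__ == "__main__":
    for e in find_double_nat(parse_masq(SAMPLE_MASQ, SAMPLE_PARAMS)):
        print(f"{e['interface']}: SNAT to private address {e['address']} -> double NAT upstream")
```

Run against the constructed sample, both entries are flagged, which is exactly the situation Tom describes: the upstream routers on the ADSL and DSL links are doing a second translation, so a sniff on eth1 shows only the first hop of the rewrite.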


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
