On 9/14/10 8:05 AM, David López Zajara (Er_Maqui) wrote:
> Hi,
>
> It's my first time writing on the list, for one question:
>
> If this isn't the correct place, please tell me and ignore the message.
>
> I have multiple Shorewall installations configured across my networks, but I have one
> problem with one of them:
> First, I include a schema:
>
>   ------------        ------------
>   |          |        |          |
>   |   VPN1   |        |   VPN2   |
>   |          |        |          |
>   ------------        ------------
>         |                   |
>   ------------        ------------
>   |          |        |          |
>   |    FW    |--------|   eth0   |
>   |          |        |          |
>   ------------        ------------
>         |                   |
>   ------------        ------------
>   |          |        |          |
>   |   VPN3   |        |   VPN4   |
>   |          |        |          |
>   ------------        ------------
>
> The concept is simple. I have 4 VPN connections, and one LAN on eth0.
>
> All VPNs can connect to the LAN, and the LAN can connect to the VPNs.
>
> My problem is when I try to send one packet from one VPN to another. The
> machines have the routes configured correctly, but the FW rejects these
> packets.
>
> My configuration is:
>
> zones:
>     PPTP    ipv4
> interfaces:
>     PPTP    ppp+
> policy:
>     PPTP    all    ACCEPT
>
> But, when I try to send a ping from VPN1 to VPN2, I receive this log on the
> FW:
>
> Sep 14 16:57:35 fw kernel: [12250627.652278]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp2 SRC=192.168.101.202
> DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=2538 SEQ=1
>
> I don't know what the problem is, but I need to allow traffic forwarding between
> ppp interfaces. I've tried to declare each interface with this config:

192.168.101.202 is not in any of your defined zones.

>
> /etc/shorewall/zones:
>
> #ZONE   TYPE
> vpn1    ipv4
> vpn2    ipv4
> vpn3    ipv4
>
> /etc/shorewall/interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       ppp+
>
> /etc/shorewall/hosts:
>
> #ZONE   HOST(S)                 OPTIONS
> vpn1    ppp+:192.168.1.0/24
> vpn2    ppp+:192.168.2.0/24
> vpn3    ppp+:192.168.3.0/24
>
> (Obviously changing the IP configuration)

WHY? IP addresses are not secrets! Hiding your real addresses just slows down
the solution to your problem.

As I mentioned above, 192.168.101.202 isn't in any of your zones. That would
cause the message that you are seeing, but I suspect you just messed up
changing the addresses.

> And, adding:
>
> policy:
>     VPN1    all    ACCEPT
>     VPN2    all    ACCEPT
>     VPN3    all    ACCEPT
>
> But in this case, I can connect FW->VPN, but the reverse case doesn't work
> (VPN->FW). Obviously, the communication between VPNs doesn't work either.

You can try adding the 'routeback' option to each of your entries in
/etc/shorewall/hosts. But with the information you have given us, it's hard
to know exactly what the problem is.

If that doesn't correct the problem, please follow the instructions at
http://www.shorewall.net/support.htm#Guidelines when posting a follow-up
report.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
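A small check that reproduces Tom's diagnosis, added here as an example (it is not code from the thread or from Shorewall itself): it parses the quoted /etc/shorewall/hosts entries and the REJECT log line, and reports which zone the SRC and DST addresses fall into on the interfaces they were seen on, with None meaning "not in any zone". It assumes only Python 3's standard library; the sample inputs are constructed from the thread.

```python
import ipaddress
import re

# Constructed sample input, copied from the thread: the poster's hosts file
# (with the placeholder subnets he substituted) and the REJECT line he saw.
HOSTS_FILE = """\
#ZONE   HOST(S)                 OPTIONS
vpn1    ppp+:192.168.1.0/24
vpn2    ppp+:192.168.2.0/24
vpn3    ppp+:192.168.3.0/24
"""
LOG_LINE = ("Sep 14 16:57:35 fw kernel: [12250627.652278] Shorewall:FORWARD:REJECT:"
            "IN=ppp0 OUT=ppp2 SRC=192.168.101.202 DST=192.168.100.1 LEN=84 TOS=0x00 "
            "PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2538 SEQ=1")

def parse_hosts(text):
    """Return (zone, interface, network) tuples from a Shorewall hosts file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        zone, hostspec = line.split()[:2]          # OPTIONS column may be absent
        iface, _, net = hostspec.partition(":")
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries

def iface_matches(pattern, iface):
    """Shorewall wildcard: a trailing '+' matches any interface with that prefix."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def zone_for(addr, iface, entries):
    """Zone an address seen on a given interface belongs to, or None if unzoned."""
    ip = ipaddress.ip_address(addr)
    for zone, pattern, net in entries:
        if iface_matches(pattern, iface) and ip in net:
            return zone
    return None

def diagnose(log_line, hosts_text):
    """Map SRC/DST of a Shorewall LOG line to zones via the IN/OUT interfaces."""
    f = dict(re.findall(r"(\w+)=(\S+)", log_line))   # key=value fields of the log
    entries = parse_hosts(hosts_text)
    return {"src_zone": zone_for(f["SRC"], f["IN"], entries),
            "dst_zone": zone_for(f["DST"], f["OUT"], entries)}

# On the thread's own data both come back None: neither address is in a zone,
# which is exactly why the packet hits the default FORWARD REJECT.
print(diagnose(LOG_LINE, HOSTS_FILE))
```

Substituting hosts entries that actually cover 192.168.101.0/24 and 192.168.100.0/24 makes both lookups resolve, which is the point Tom makes about not disguising the real addresses.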
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users