I'm looking to have my Debian (ver 6.0.6) server act as a router between network1 (eth1, 10.0.0.0/8) and network2 (eth0, 192.168.0.0/24) while providing Internet access to network1 via OpenVPN. I would like to do this in a way that prevents network1 from accessing the Internet in any way except for OpenVPN. It should also have access to network2 (I have some Samba shares it should have access to).
So far I can get my Debian server to: 1) correctly connect to the
OpenVPN, 2) use the VPN for all traffic while the link is up, 3)
(while the VPN link is NOT up) provide basic routing for network1 as
well as access to network2 with no issue.
The problem comes with sharing my VPN connection with any host in
network1. Pings to my local network, local DNS, Google DNS (8.8.8.8)
and google.com work from the Debian server as well as from the host on
network1, as long as the VPN isn't up. But as soon as it (the VPN
connection) comes up, the hosts on network1 cannot access anything
except the Debian server and network2; pings to the Internet result
in "Request timed out" when pinging Google DNS for testing.
I've followed the "two interface example" found in the documentation,
which works normally without VPN, and have checked "OpenVPN",
"tunnels", "VPN basics" as well. I've configured my testing host on
network1 with a static IP address on that subnet (10.0.0.5).
(The files listed below should show some slight modifications, as I
attempted to import some possible solutions from others here on the
mailing list.)
**********************************************
INTERFACES
**********************************************
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
vpn     tun0        detect
vpn     tap0        detect
**********************************************
ZONES
**********************************************
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
**********************************************
POLICY
**********************************************
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
$FW       net    ACCEPT
#VPN
loc       vpn    ACCEPT
#vpn      all    DROP
$FW       vpn    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
**********************************************
TUNNELS
**********************************************
#TYPE           ZONE   GATEWAY     GATEWAY ZONE
openvpnclient   vpn    0.0.0.0/0
**********************************************
MASQ
**********************************************
#INTERFACE   SOURCE       ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         10.0.0.0/8
**********************************************
RULES (I haven't changed anything here from the example, but wanted to supply it for completeness)
**********************************************
#ACTION       SOURCE   DEST   PROTO   DEST PORT   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP   MARK
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)   $FW      net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)   loc      $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT)  loc      $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)    net      $FW
ACCEPT        $FW      loc    icmp
ACCEPT        $FW      net    icmp
#
**********************************************
RULES (Haven't changed anything here)
**********************************************
#INTERFACE   HOST(S)   OPTIONS
eth1         -
I've verified that my host should be able to route correctly through OpenVPN:
ip route get 8.8.8.8 from 10.0.0.5 iif eth1
8.8.8.8 from 10.0.0.5 via 93.182.184.129 dev tun0 src 10.0.0.1
cache <src-direct> mtu 1500 advmss 1460 hoplimit 64 iif eth1
(where 10.0.0.5 is my testing host on network1)
ip route ls
93.182.184.130 via 192.168.0.1 dev eth0
93.182.184.128/25 dev tun0 proto kernel scope link src 93.182.184.216
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
0.0.0.0/1 via 93.182.184.129 dev tun0
128.0.0.0/1 via 93.182.184.129 dev tun0
default via 192.168.0.1 dev eth0 proto static
I've also disabled the firewall on the host on network1 to avoid any
interference from that.
If it matters, my testing host on network1 is running Windows XP. I've
noticed it has some weird behavior when I change my firewall
configuration while it's running, so I reset the machine between tests
to avoid these issues.
The hosts mentioned above are virtual machines on (VMware) ESXi 5,
with network1 being a virtual network.
From the "Shorewall Support Guide":
"Try making the connection that is failing.
/sbin/shorewall dump > /tmp/shorewall_dump.txt
Post the /tmp/status.txt file as an attachment compressed with gzip or bzip2."
Attached is the "shorewall_dump" as above; not sure what the
"status.txt" file mentioned here is, I assume it's a typo and you were
looking for the dump file.
Thank you!
shorewall_dump.txt.gz
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
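An added example (not part of the original post, and not Shorewall's own code) that reproduces in Python the two lookups this question turns on: the kernel's longest-prefix route selection over the "ip route ls" output quoted in the message, and whether the posted masq file names the interface that selection picks. The route table and masq file are embedded as constructed strings copied from the message; the variant masq file naming tun0, the VPN-down route table (the posted table with its tun0 routes removed) and the network2 address 192.168.0.10 are assumptions made for the example, not content from the post.

```python
import ipaddress

# Constructed input: the routing table as posted ("ip route ls", VPN up).
ROUTES_VPN_UP = """\
93.182.184.130 via 192.168.0.1 dev eth0
93.182.184.128/25 dev tun0 proto kernel scope link src 93.182.184.216
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
0.0.0.0/1 via 93.182.184.129 dev tun0
128.0.0.0/1 via 93.182.184.129 dev tun0
default via 192.168.0.1 dev eth0 proto static
"""

# Assumption: with the VPN down the tun0 routes are simply absent.
ROUTES_VPN_DOWN = "".join(
    line + "\n" for line in ROUTES_VPN_UP.splitlines() if " dev tun0" not in line
)

# Constructed input: the posted masq file (one entry, eth0 for 10.0.0.0/8).
MASQ_AS_POSTED = """\
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 10.0.0.0/8
"""

# Hypothetical variant (not from the message): a second entry naming tun0.
MASQ_WITH_TUN0 = MASQ_AS_POSTED + "tun0 10.0.0.0/8\n"


def parse_routes(text):
    """Parse 'ip route ls' lines into (network, device, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does it: the most specific
    matching prefix wins, so 0.0.0.0/1 and 128.0.0.0/1 beat the /0 default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def parse_masq(text):
    """Parse a Shorewall masq file into (interface, [source networks]) pairs.
    Only the INTERFACE and SOURCE columns are read; comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        sources = [ipaddress.ip_network(s, strict=False) for s in fields[1].split(",")]
        entries.append((fields[0], sources))
    return entries


def masq_covers(entries, out_dev, src):
    """True if some masq entry names out_dev and a SOURCE network containing src."""
    addr = ipaddress.ip_address(src)
    return any(dev == out_dev and any(addr in n for n in nets) for dev, nets in entries)


def check_path(route_text, masq_text, src, dst):
    """Resolve the egress interface for src->dst and report whether the
    masq file would NAT that flow on that interface."""
    net, dev, via = lookup(parse_routes(route_text), dst)
    return {"prefix": str(net), "dev": dev, "via": via,
            "masq": masq_covers(parse_masq(masq_text), dev, src)}


if __name__ == "__main__":
    for label, routes in (("vpn up", ROUTES_VPN_UP), ("vpn down", ROUTES_VPN_DOWN)):
        for masq in (MASQ_AS_POSTED, MASQ_WITH_TUN0):
            for dst in ("8.8.8.8", "192.168.0.10"):
                print(label, dst, check_path(routes, masq, "10.0.0.5", dst))
```

Run stand-alone it prints one line per combination. With the VPN up, 8.8.8.8 matches 0.0.0.0/1 rather than the default route, so the egress device is tun0; the posted masq entry names eth0 only, so the check reports masq False for that path. Traffic to network2, and Internet traffic once the tun0 routes are absent, both leave via eth0 and are covered by the posted entry, which matches the symptom pattern described in the message.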
