Hi
I've been having a heck of a time getting this straight, and could use a hand.
Any help would be appreciated!
I have a hosted VPS that's connected to my home/ofc over a VPN.
The VPN endpoint boxes are the VPS and my home/ofc firewall.
Both boxes are running Shorewall.
And, I have a mail server on another machine on my home/ofc's lan.
I've got all simple pinging/communication between machines/lan across the VPN like I need.
I need to get the firewall rules working, especially DNAT & masq, for the mailserver.
Here's a diagram of what I've got in place:
---------------------
(1) VPS + Shorewall firewall
    eth0: A.A.A.1/32
          B.B.B.1/32
          C.C.C.1/32
    tun0: 172.20.0.1/24
    loc:  192.168.0.1/24
---------------------
          |
          |
---------------------
(2) HOME/OFC FIREWALL + Shorewall firewall
    eth0: D.D.D.2/29
    eth1: 192.168.1.2/24
    tun0: 172.20.0.2/24
    loc:  127.0.0.1/8
---------------------
          |
          |
---------------------
(3) HOME/OFC LAN MAILSERVER
    eth0: 192.168.1.50/24
    loc:  127.0.0.1/8
---------------------
I need to
(1) open the VPS's port 25 to the net
(2) translate the inbound traffic from the net to the mail server
(3) translate the mailserver's outbound mail traffic to appear to only/always originate from A.A.A.1
To do that, following the Shorewall docs as best as I could, I set up this config:
Shorewall @ VPS
/zones
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn1    ipv4

/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,routefilter=1
loc     lo
-       tun+        -

/hosts
#ZONE   HOST(S)              OPTIONS
vpn1    tun+:172.20.0.0/24

/rules
?SECTION NEW
...
DNAT    net    loc:192.168.0.1/24    tcp    25,587    -    A.A.A.1
...
Shorewall @ HOME/OFC FIREWALL
/zones
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
int     ipv4
loc     ipv4
vpn1    ipv4

/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
int     eth1        logmartians=1,routefilter=1
loc     lo
-       tun+        -

/hosts
#ZONE   HOST(S)              OPTIONS
vpn1    tun+:172.20.0.0/24

/masq
#INTERFACE:DEST   SOURCE         ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
eth0              192.168.1.50   A.A.A.1   tcp     25,587
When I compile the firewalls I get no errors.
But after reloading the firewalls, if I try to telnet in from an external site (IP = X.X.X.15), I get
telnet -4 A.A.A.1 25
Trying A.A.A.1...
and no farther. Just sits there :-/
A tcpdump on the VPS's external interface is seeing the traffic inbound:
tcpdump -i eth0 -vvv -n | egrep "A.A.A.1"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x576f (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x5763 (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0
I must have missed something in the setup. :-/
Any help here? How do I get this traffic INBOUND, over the VPN, and to/from the mailserver?
Cheers,
Jerry
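A small model of the netfilter NAT path on one Shorewall box (PREROUTING DNAT, then the routing decision, then POSTROUTING masquerade, with conntrack reversing both on the reply), added here as an example; it is not from Jerry's post or from Shorewall itself. It uses the addresses from the diagram above, with 198.51.100.1 standing in for A.A.A.1, 203.0.113.15 for X.X.X.15 and a constructed remote mail exchanger 192.0.2.25, and it assumes a VPS routing table in which 192.168.1.0/24 is reachable over tun0 (the post does not show the routes). It shows that the destination chosen by the DNAT rule, not the original one, decides the egress interface, and that conntrack undoes both translations on the reply path only if the reply comes back through the same box.

```python
"""Model of the netfilter NAT path on one Shorewall host:
PREROUTING DNAT -> routing decision -> POSTROUTING masquerade,
plus a minimal conntrack that un-translates replies.
Added example; the addresses below are stand-ins, not real hosts."""
import ipaddress
from dataclasses import dataclass

A_A_A_1 = "198.51.100.1"    # stand-in for the VPS public address A.A.A.1
X_X_X_15 = "203.0.113.15"   # stand-in for the external telnet client X.X.X.15
REMOTE_MX = "192.0.2.25"    # constructed: some remote mail exchanger


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    def __init__(self, name, routes, dnat=(), masq=()):
        self.name = name
        # longest-prefix match: most specific route first
        self.routes = sorted(((ipaddress.ip_network(n), i) for n, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.dnat = list(dnat)   # (in_iface, dst_ip, dport, new_dst_ip)
        self.masq = list(masq)   # (out_iface, src_net, new_src_ip)
        self.conntrack = {}      # expected reply 4-tuple -> 4-tuple to restore

    def route(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                return iface
        raise LookupError(f"{self.name}: no route to {ip}")

    def forward(self, pkt, in_iface):
        """Return (packet as it leaves the box, egress interface)."""
        # 1. conntrack: a reply to a translated flow is un-NATed, no rules consulted
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            restored = Packet(*self.conntrack[key])
            return restored, self.route(restored.dst)
        original = pkt
        # 2. PREROUTING: DNAT rewrites the destination before routing
        for iface, dst, dport, new_dst in self.dnat:
            if iface == in_iface and pkt.dst == dst and pkt.dport == dport:
                pkt = Packet(pkt.src, pkt.sport, new_dst, pkt.dport)
                break
        # 3. the routing decision is made on the (possibly rewritten) destination
        out_iface = self.route(pkt.dst)
        # 4. POSTROUTING: masquerade rewrites the source after routing
        for iface, net, new_src in self.masq:
            if iface == out_iface and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
                pkt = Packet(new_src, pkt.sport, pkt.dst, pkt.dport)
                break
        # 5. remember how to reverse both translations when the reply arrives
        if pkt != original:
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.conntrack[reply_key] = (original.dst, original.dport,
                                         original.src, original.sport)
        return pkt, out_iface


def build_vps():
    """The VPS from the diagram; the routing table is an assumption."""
    return NatBox(
        "VPS",
        routes=[("0.0.0.0/0", "eth0"), ("172.20.0.0/24", "tun0"),
                ("192.168.1.0/24", "tun0"),   # assumed: home LAN reachable via the VPN
                ("192.168.0.0/24", "loc")],   # VPS-local zone from the diagram
        dnat=[("eth0", A_A_A_1, 25, "192.168.1.50")],
        masq=[("eth0", "192.168.1.0/24", A_A_A_1)],
    )


def inbound_demo(vps):
    """External SYN to A.A.A.1:25 and the mail server's SYN/ACK coming back."""
    syn = Packet(X_X_X_15, 58202, A_A_A_1, 25)
    fwd, out_if = vps.forward(syn, "eth0")
    synack = Packet(fwd.dst, 25, fwd.src, 58202)
    back, back_if = vps.forward(synack, out_if)
    return fwd, out_if, back, back_if


def outbound_demo(vps):
    """Mail server connecting out over the VPN; source must become A.A.A.1."""
    out = Packet("192.168.1.50", 40000, REMOTE_MX, 25)
    fwd, out_if = vps.forward(out, "tun0")
    reply = Packet(REMOTE_MX, 25, fwd.src, 40000)
    back, back_if = vps.forward(reply, out_if)
    return fwd, out_if, back, back_if


def egress_for_dnat_target(new_dst):
    """Which interface an inbound port-25 packet leaves on for a given DNAT target."""
    box = build_vps()
    box.dnat = [("eth0", A_A_A_1, 25, new_dst)]
    _, iface = box.forward(Packet(X_X_X_15, 40001, A_A_A_1, 25), "eth0")
    return iface


if __name__ == "__main__":
    box = build_vps()
    for label, demo in (("inbound", inbound_demo), ("outbound", outbound_demo)):
        fwd, out_if, back, back_if = demo(box)
        print(f"{label}: {fwd} via {out_if}; reply {back} via {back_if}")
    for target in ("192.168.0.1", "192.168.1.50"):
        print(f"DNAT to {target} leaves the VPS via {egress_for_dnat_target(target)}")
```

On a real box the equivalent checks are `conntrack -L` (from conntrack-tools) to see whether the DNAT entry was created for the SYN, and `tcpdump -i tun0` on both VPN endpoints to see whether the translated packet actually leaves over the tunnel and whether the SYN/ACK returns the same way; a SYN that is seen on eth0 but never appears on tun0 points at the DNAT or routing step, while a SYN/ACK seen on the home side but not on tun0 points at the return path.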
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users