>> /rules
>> DNAT net vpn1:192.168.1.2 tcp 25 - S.S.S.S
>> ACCEPT net vpn1:192.168.1.2 tcp 25
You have both DNAT and ACCEPT for the same zone/port - DROP the DNAT. I'm not
an expert by any stretch of the imagination, but I would think the following
would work:
ACCEPT vpn1 loc:192.168.1.2 tcp 25
Or if you trust the client vpn side - use the policy file:
vpn1 loc ACCEPT
loc vpn1 ACCEPT
However, to stress Tom's point of reading, your existing configuration is
combining a DNAT on a source address that's part of a VPN, i.e. mixing
encapsulation/encryption with NAT [address translation]. Again, I'm no expert,
but I doubt that will work, especially since it's on the same host. I have
never used openvpn (only openswan and strongswan), but the zone, tunnel, host and
masq files take care of the network connections - the policy and rules take
care of the access.
Vernon
-----------------------
Vernon (Andy) Fort
Provident Solutions, LLC
Office - (615) 406-5540
http://www.provident-solutions.com
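An added check for the duplicate-rule point raised above; this is example code written for this note, not from the thread or from the Shorewall project. It is a small Python lint that parses Shorewall rules-file lines and reports any flow (source, dest, proto, dport) that carries both a DNAT and an ACCEPT entry. The sample rules are constructed to mirror the two quoted lines plus one unrelated rule; the parser assumes the standard ACTION SOURCE DEST PROTO DPORT column order, strips a log level such as `ACCEPT:info`, and ignores SPORT/ORIGDEST when grouping.

```python
"""Lint a Shorewall rules file for DNAT/ACCEPT pairs on the same flow.

Added example (not Shorewall project code). The sample rules below are
constructed; they mirror the two lines quoted in the message.
Columns assumed: ACTION SOURCE DEST PROTO DPORT [SPORT ORIGDEST].
"""
from collections import defaultdict

# Constructed sample input: the quoted DNAT/ACCEPT pair and one unrelated rule.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     vpn1:192.168.1.2    tcp    25     -      S.S.S.S
ACCEPT   net     vpn1:192.168.1.2    tcp    25
ACCEPT   loc     net                 tcp    80,443
"""


def parse_rules(text):
    """Return one dict per non-comment rule line (line number, action, flow columns)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            continue                          # e.g. SECTION markers; not flows
        rules.append({
            "line": lineno,
            # "ACCEPT:info" -> "ACCEPT"; "DNAT-" is kept distinct from "DNAT"
            "action": cols[0].split(":", 1)[0].upper(),
            "source": cols[1],
            "dest": cols[2],
            "proto": cols[3].lower() if len(cols) > 3 else "-",
            "dport": cols[4] if len(cols) > 4 else "-",
        })
    return rules


def find_dnat_accept_overlap(rules):
    """Group rules by (source, dest, proto, dport); return flows with both DNAT and ACCEPT."""
    by_flow = defaultdict(list)
    for r in rules:
        by_flow[(r["source"], r["dest"], r["proto"], r["dport"])].append(r)
    findings = []
    for flow, group in by_flow.items():
        actions = {r["action"] for r in group}
        if "DNAT" in actions and "ACCEPT" in actions:
            findings.append({"flow": flow,
                             "lines": sorted(r["line"] for r in group)})
    return findings


def lint(text):
    """Convenience wrapper: parse and check in one call."""
    return find_dnat_accept_overlap(parse_rules(text))


if __name__ == "__main__":
    for f in lint(SAMPLE_RULES):
        src, dst, proto, dport = f["flow"]
        print(f"lines {f['lines']}: both DNAT and ACCEPT for "
              f"{src} -> {dst} {proto}/{dport}")
```

Run it against a real rules file with `lint(open("/etc/shorewall/rules").read())`; each finding names the line numbers of the overlapping pair so the redundant entry can be removed deliberately rather than guessed at.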
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users