replacing

        /interfaces
        -       vpn1      tun+          optional
        +       vpn1      tun1          optional
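Review bot: the providers entry below names tun1 explicitly, so the interfaces row should name the same interface rather than the tun+ wildcard; note that the narrowed entry now covers only tun1, so any other tun device on this host would need its own interfaces line.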

seems to fix the 'tun1 is disabled' problem

that, plus additionally changing

        /shorewall.conf
        -       USE_DEFAULT_RT=Yes
        +       USE_DEFAULT_RT=No
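Review bot: this setting cannot be changed in isolation from the providers edit that follows it: with USE_DEFAULT_RT=Yes the main table is consulted before the provider tables and the DUPLICATE column is expected to be empty, whereas with USE_DEFAULT_RT=No a provider table only contains what DUPLICATE and COPY pull in from main, which is what the 'main'/INT_IF entries do and why 192.168.1.0/24 dev eth1 shows up in both tables in the 'shorewall show routing' output. Open item (3) is worth settling before relying on this, since the change alters which table is consulted first, not just where the default route lives.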

        /providers (line 11)
        -       isp        1        -        -           EXT_IF      detect     
           balance                -
        -       vpn        2        -        -           tun1        10.0.0.1   
           fallback               -
        +       isp        1        -        main        EXT_IF      detect     
           balance                INT_IF
        +       vpn        2        -        main        tun1        10.0.0.1   
           fallback               INT_IF
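Review bot: neither provider carries the track option, so a reply to a connection that arrived on EXT_IF is routed like any other locally originated packet instead of being sent back out the interface it came in on; with the vpn provider holding a fallback default route, adding track to both rows (balance,track and fallback,track) is worth testing before treating the external-connect problem as closed.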

apparently fixes the can't-connect-from-external-host problem

after recompile/push

then at CLIENT

        shorewall-lite restart
                Restarting Shorewall Lite....
                Initializing...
                Processing init user exit ...
                Processing tcclear user exit ...
                Setting up Route Filtering...
                Setting up Martian Logging...
                Setting up Accept Source Routing...
                Setting up Proxy ARP...
                Adding Providers...
                Preparing iptables-restore input...
                Running /usr/sbin/iptables-restore...
                IPv4 Forwarding Enabled
                Processing start user exit ...
                Processing started user exit ...
                done.

        shorewall-lite status -i
                Shorewall Lite-4.6.2.2 Status at core - Sun Jul 27 19:06:45 PDT 2014

                Shorewall Lite is running
                State:Started (Sun Jul 27 19:06:10 PDT 2014) from /usr/local/etc/shorewall/client/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.2.2)

                   Interface eth0 is Enabled
                   Interface tun1 is Enabled

        shorewall show routing
                ...
                Table isp:

                S.S.S.1 dev eth0 scope link src S.S.S.S
                S.S.S.0/24 dev eth0 proto kernel scope link src S.S.S.S
                192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.100
                169.254.0.0/16 dev eth0 scope link
                default via S.S.S.1 dev eth0 src S.S.S.S

                Table vpn:

                10.0.0.1 dev tun1 scope link src 10.0.0.2
                10.0.0.0/24 dev tun1 proto kernel scope link src 10.0.0.2
                192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.100
                192.168.0.0/24 via 10.0.0.1 dev tun1
                default via 10.0.0.1 dev tun1 src 10.0.0.2


AND, from external host, telnet now connects

        telnet S.S.S.S 25
                Trying S.S.S.S...
                Connected to mx.mydomain.com.
                Escape character is '^]'.
                220 mx.mydomain.com ESMTP

and at SMTP

        Jul 27 19:18:13 mx postfix/smtpd[24537]: connect from unknown[X.X.X.X]


(1) that's inbound, haven't tested outbound yet -- or actual mailing for that matter
(2) WHY the problems occur without these ^^ changes is still open
(3) I don't yet understand what the effects of USE_DEFAULT_RT=Yes->No will be

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
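An added example, not code from the post above or from the Shorewall project: a small POSIX shell check for a provider routing table (the text of 'ip route show table <name>', which is also what 'shorewall show routing' prints per table). It verifies the two things the providers change in the thread is meant to produce, a default route via the provider's own gateway and interface, and the internal LAN route that the COPY column duplicates into the table. The table contents, interface names and addresses are constructed to mirror the post; the second, broken table is an assumed state used only to show the check failing.

```shell
#!/bin/sh
# Added example, not part of the original post or of Shorewall itself.
# Checks a provider routing table dump for (1) a default route via the
# provider's gateway/interface and (2) the LAN route that COPY=INT_IF is
# meant to duplicate into the table. Values below are constructed.

# has_default_via TABLE GATEWAY DEV -> 0 if "default via GATEWAY dev DEV" exists
has_default_via() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        $1 == "default" && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
        END { exit !found }'
}

# has_route TABLE PREFIX -> 0 if a route whose destination is exactly PREFIX exists
# (exact field comparison, so dots in the prefix are not regex wildcards)
has_route() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { found = 1 } END { exit !found }'
}

# check_provider_table NAME TABLE GATEWAY DEV LAN_PREFIX
# Prints one line per check; returns 0 only if both checks pass.
check_provider_table() {
    name="$1" table="$2" gw="$3" dev="$4" lan="$5"
    rc=0
    if has_default_via "$table" "$gw" "$dev"; then
        echo "$name: ok, default via $gw dev $dev"
    else
        echo "$name: MISSING default via $gw dev $dev"
        rc=1
    fi
    if has_route "$table" "$lan"; then
        echo "$name: ok, LAN route $lan present"
    else
        echo "$name: MISSING LAN route $lan (check the COPY column in providers)"
        rc=1
    fi
    return $rc
}

# Constructed 'vpn' table, matching the post-change output quoted in the thread.
VPN_OK='10.0.0.1 dev tun1 scope link src 10.0.0.2
10.0.0.0/24 dev tun1 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.100
192.168.0.0/24 via 10.0.0.1 dev tun1
default via 10.0.0.1 dev tun1 src 10.0.0.2'

# Constructed broken table (assumed state): the LAN route was never copied in.
VPN_BAD='10.0.0.1 dev tun1 scope link src 10.0.0.2
10.0.0.0/24 dev tun1 proto kernel scope link src 10.0.0.2
default via 10.0.0.1 dev tun1 src 10.0.0.2'

if check_provider_table vpn "$VPN_OK" 10.0.0.1 tun1 192.168.1.0/24; then
    echo "vpn table looks right"
fi
check_provider_table vpn-bad "$VPN_BAD" 10.0.0.1 tun1 192.168.1.0/24 || echo "vpn-bad table needs fixing"
```

On a live box the table text comes from `ip route show table vpn` (or `table isp`), with the gateway, interface and LAN prefix taken from the providers row under test; running it for every provider after a `shorewall-lite restart` catches a missing COPY entry before an external test does.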