On 03/29/2018 11:59 AM, colony.three--- via Shorewall-users wrote:
> I don't understand why my ping through IPSec VPN is being rejected? 
> When I 'shorewall clear', it pings.
> 
> [138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
> DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10 SEQ=48
> [138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16
> DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
> [138451.840340] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
> DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10 SEQ=49
> [138451.840413] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16
> DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33142 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49 ]
> [138453.080442] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
> DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10 SEQ=50
> [138453.080539] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16
> DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33370 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=50 ]
> [138453.821013] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
> DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10 SEQ=51
> [138453.821035] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16
> DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33962 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=51 ]
> [138454.832916] Shorewall:INPUT:REJECT:IN=eth0 OUT=
> MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114
> DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=10 SEQ=52
> [138454.832981] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16
> DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=34910 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00
> PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=52 ]
> 
> Current Shorewall.
> 
> Ping(ACCEPT)    $FW             net             icmp    3,echo-request
> Ping(ACCEPT)    $FW             vpn             icmp    3,echo-request
> Ping(ACCEPT)   net:192.168.1.0/24 $FW        icmp    3,echo-request
> Ping(ACCEPT)    vpn             $FW             icmp    3,echo-request
> 

As always, when packets are rejected in the INPUT or OUTPUT chains, it
indicates that the SOURCE or DEST addresses respectively are not in any
defined zone. See Shorewall FAQ 17.

The above rules are overkill. You simply need:

Ping(ACCEPT)    $FW     net
Ping(ACCEPT)    $FW     vpn
Ping(ACCEPT)    net:192.168.1.0/24      $FW
Ping(ACCEPT)    vpn     $FW

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
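As an added example (not part of the thread or of Shorewall itself), a small Python parser that applies the FAQ 17 reading to log lines like the ones quoted above: for every REJECT in the INPUT chain it records the SRC address, for every REJECT in OUTPUT the DST address, and then reports which of those addresses fall outside a given list of zone networks. The zone network list is a constructed placeholder, because the poster's interfaces/hosts definitions are not in the thread; the sample log is re-joined from the wrapped lines in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first two ping attempts from the post, one line per log entry.
SAMPLE_LOG = """\
[138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48
[138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
[138451.840340] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49
[138451.840413] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33142 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49 ]
"""

HEADER = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)")
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one Shorewall kernel log line, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    outer, _, inner = m.group("rest").partition("[")
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV.findall(outer))  # IN, OUT, SRC, DST, PROTO, TYPE, ...
    # An ICMP error (TYPE=3) carries the offending packet's header in [ ... ];
    # keep it apart so its SRC/DST do not overwrite the outer packet's.
    rec["inner"] = dict(KV.findall(inner)) if inner else {}
    return rec


def unzoned_addresses(log_text):
    """FAQ 17 reading: a REJECT in INPUT means SRC is in no zone; in OUTPUT, DST is.
    Returns {chain: {(interface, address): count}} for the addresses that need a zone."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["disp"] != "REJECT":
            continue
        if rec["chain"] == "INPUT":
            hits["INPUT"][(rec["IN"], rec["SRC"])] += 1
        elif rec["chain"] == "OUTPUT":
            hits["OUTPUT"][(rec["OUT"], rec["DST"])] += 1
    return {chain: dict(counts) for chain, counts in hits.items()}


def outside_all_zones(addresses, zone_nets):
    """Addresses that fall inside none of the given zone networks (sorted)."""
    nets = [ipaddress.ip_network(n) for n in zone_nets]
    return sorted(a for a in addresses
                  if not any(ipaddress.ip_address(a) in n for n in nets))


if __name__ == "__main__":
    # Placeholder zone coverage (constructed); real values come from interfaces/hosts.
    EXAMPLE_ZONE_NETS = ["10.8.0.0/24"]
    hits = unzoned_addresses(SAMPLE_LOG)
    for chain, counts in hits.items():
        for (ifname, addr), n in counts.items():
            print(f"{chain}: {addr} via {ifname} rejected {n}x")
    print("not in any zone:", outside_all_zones(
        {addr for counts in hits.values() for _, addr in counts}, EXAMPLE_ZONE_NETS))
```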

