On 03/29/2018 04:15 PM, colony.three--- via Shorewall-users wrote:
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> 
> On March 29, 2018 4:08 PM, Tom Eastep <teas...@shorewall.net> wrote:
> 
>>
>> On 03/29/2018 04:06 PM, colony.three--- via Shorewall-users wrote:
>>
>>> On March 29, 2018 1:17 PM, Tom Eastep teas...@shorewall.net wrote:
>>>
>>>> On 03/29/2018 11:59 AM, colony.three--- via Shorewall-users wrote:
>>>>
>>>>> I don't understand why my ping through IPSec VPN is being rejected?
>>>>>
>>>>> When I 'shorewall clear', it pings.
>>>>>
>>>>> [138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48
>>>>> [138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
>>>>> [138451.840340] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49
>>>>> [138451.840413] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33142 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44409 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=49 ]
>>>>> [138453.080442] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=50
>>>>> [138453.080539] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33370 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44493 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=50 ]
>>>>> [138453.821013] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=51
>>>>> [138453.821035] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=33962 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44587 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=51 ]
>>>>> [138454.832916] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=52
>>>>> [138454.832981] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=34910 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44703 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=52 ]
>>>>>
>>>>> Current Shorewall.
>>>>>
>>>>> Ping(ACCEPT)    $FW                 net     icmp    3,echo-request
>>>>> Ping(ACCEPT)    $FW                 vpn     icmp    3,echo-request
>>>>> Ping(ACCEPT)    net:192.168.1.0/24  $FW     icmp    3,echo-request
>>>>> Ping(ACCEPT)    vpn                 $FW     icmp    3,echo-request
>>>>
>>>> As always, when packets are rejected in the INPUT or OUTPUT chains, it
>>>> indicates that the SOURCE or DEST addresses respectively are not in any
>>>> defined zone. See Shorewall FAQ 17.
>>>>
>>>> The above rules are overkill. You simply need:
>>>>
>>>> Ping(ACCEPT)    $FW                 net
>>>> Ping(ACCEPT)    $FW                 vpn
>>>> Ping(ACCEPT)    net:192.168.1.0/24  $FW
>>>> Ping(ACCEPT)    vpn                 $FW
>>>>
>>>> -Tom
>>>
>>> I should have thought. But here's my zones file:
>>>
>>> fw      firewall
>>> net     ipv4
>>> vpn     ipsec
>>>
>>> And interfaces:
>>>
>>> -       lo      ignore
>>> net     eth0    routefilter,dhcp,tcpflags
>>>
>>> And policy:
>>>
>>> $FW     all     REJECT  info(uid)
>>> net     all     DROP    info(uid)
>>> vpn     all     DROP    info(uid)
>>> #local  all     REJECT  info(uid)
>>> all     all     REJECT  info(uid)
>>>
>>> Thanks, I'll make the corrections to my Ping macros.
>>
>> What is in your hosts file?
>>
>> -Tom
> 
> hosts has:
> vpn               eth0:0.0.0.0/0
> ... I believe this is right when unknown IPs can come in through VPN?

You should be assigning the remote IP address via the xxxxsourceip
(xxxx=right or left) setting in ipsec.conf.
> 
> But nm I seem to have fixed it. In zones I did have mode=transport when
> I'm now using tunnel. I can ping now.
> 

That would explain the failure you were seeing.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
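Tom's FAQ 17 rule quoted above (an INPUT reject means the SOURCE address is in no defined zone, an OUTPUT reject means the DEST address is in none) can be applied mechanically to the kernel log. The triage script below is an added example, not code from this thread or from Shorewall: the PLAIN_ZONES table and the third log record are constructed, and the hint logic encodes the tunnel-versus-transport mismatch the thread ends on (a plain zone already covering the address points at the ipsec zone's options rather than at a missing hosts entry).

```python
import ipaddress
import re

# Constructed sample: records 1-2 are the ones quoted in the thread, record 3
# is an invented zone-to-zone drop added for contrast.
SAMPLE_LOG = """\
[138450.833070] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=52:54:00:c0:93:30:52:54:00:d7:db:bb:08:00 SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48
[138450.833140] Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.16 DST=192.168.1.114 LEN=112 TOS=0x00 PREC=0xC0 TTL=64 ID=32617 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.114 DST=192.168.1.16 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=44281 DF PROTO=ICMP TYPE=8 CODE=0 ID=10 SEQ=48 ]
[138460.000000] Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.16 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22
"""

# Hypothetical plain (non-ipsec) zone membership. An ipsec zone cannot be
# checked from the log: the kernel does not log which IPsec policy matched.
PLAIN_ZONES = {"net": [("eth0", ipaddress.ip_network("192.168.1.0/24"))]}

RECORD_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
def parse_record(line):
    """Split one record into chain, disposition and the outer packet's fields."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    # An ICMP error record repeats the offending packet's SRC/DST inside [...];
    # cut that off so only the outer header is parsed (first value wins).
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("rest").split("[")[0]):
        rec.setdefault(key, val)
    return rec

def triage(line):
    """FAQ 17 rule: an INPUT reject means SRC is in no zone, OUTPUT means DST."""
    rec = parse_record(line)
    if rec is None:
        return None
    if rec["chain"] == "INPUT":
        addr, iface = rec["SRC"], rec["IN"]
    elif rec["chain"] == "OUTPUT":
        addr, iface = rec["DST"], rec["OUT"]
    else:  # zone-to-zone chain such as net-fw: an ordinary rule/policy result
        return {"kind": "policy", "chain": rec["chain"], "disp": rec["disp"]}
    plain = [z for z, members in PLAIN_ZONES.items() for i, net in members
             if i == iface and ipaddress.ip_address(addr) in net]
    # A plain zone already covering the address suggests the packet arrived
    # IPsec-protected and the ipsec zone's mode=/proto= options did not match.
    hint = (f"check ipsec zone options (mode=, proto=) on {iface}" if plain
            else f"add {addr} on {iface} to a zone (zones/hosts/interfaces)")
    return {"kind": "no-zone", "chain": rec["chain"], "address": addr,
            "interface": iface, "plain_zones": plain, "hint": hint}

def triage_log(text):
    return [r for r in map(triage, text.splitlines()) if r is not None]
```

Run `triage_log(open("/var/log/messages").read())` (or the output of dmesg) to get one finding per Shorewall record; only INPUT/OUTPUT records get the no-zone diagnosis.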
