On 12/22/18 4:17 PM, C. Cook wrote:
> I've set up WireGuard on a VM in my LAN. In the LAN's router I am
> port-forwarding my chosen (UDP) WireGuard port to the WireGuard server
> in the LAN. (All CentOS 7.6) I've forwarded the shorewall.dmp from the
> WG server to Tom.
>
> For the life of me I can not get the WG phone app communicating with the
> server. I am getting occasional Shorewall blockages, but because times
> are not in the line I don't know when they relate. For example this is
> on the router:
>
> [1123910.652480] FORWARD REJECT IN=eth0 OUT=eth0
> MAC=00:1f:5b:69:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50
> DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP
> SPT=37262 DPT=7962 LEN=156
> [1123915.644317] FORWARD REJECT IN=eth0 OUT=eth0
> MAC=00:1f:5b:6:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50
> DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP
> SPT=37262 DPT=7962 LEN=156
>
> Here's the DNAT in rules:
>
> DNAT net local:10.1.50.16 udp wgvpn -
>
> So FFS it's supposed to receive it in eth0, but then it's supposed to
> send it back out eth1 not eth0.
>
> Interfaces:
>
> net eth0 tcpflags,dhcp,nosmurfs,routefilter,sourceroute=0
> local eth1 tcpflags,nosmurfs,routefilter
>
> Any idea what's going on?
>
Clearly, your routing table indicates that the packet should be sent out of eth0 rather than eth1, and since eth0 doesn't have the 'routeback' option, the packet is being dropped in the FORWARD chain (see Shorewall FAQ 17).

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
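The condition Tom describes (a FORWARD reject whose IN= and OUT= name the same interface, on an interface without 'routeback') can be checked mechanically from the router's own log lines and its Shorewall interfaces entries. The following is an added example written for this page; it is not code from the thread or from the Shorewall project. It parses the two router log lines and the two interfaces entries from the post (embedded here as constructed sample input, the second MAC copied as printed) and reports whether each rejected packet is such a hairpin and whether the outbound interface carries routeback. The log-line format it expects is the dmesg-style "[seconds] CHAIN DISPOSITION key=value ..." form shown in the post; the field names LEN2, CHAIN and DISPOSITION in the result dict are this example's own naming.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample input: the two router log lines from the post and the
# router's interfaces entries, verbatim (the second MAC is as printed there).
SAMPLE_LOG = (
    "[1123910.652480] FORWARD REJECT IN=eth0 OUT=eth0 "
    "MAC=00:1f:5b:69:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50 "
    "DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP "
    "SPT=37262 DPT=7962 LEN=156\n"
    "[1123915.644317] FORWARD REJECT IN=eth0 OUT=eth0 "
    "MAC=00:1f:5b:6:23:8c:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.40.50 "
    "DST=10.1.50.16 LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=0 PROTO=UDP "
    "SPT=37262 DPT=7962 LEN=156\n"
)

SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,dhcp,nosmurfs,routefilter,sourceroute=0
local   eth1        tcpflags,nosmurfs,routefilter
"""

# Same entries with routeback added to eth0, the change FAQ 17 refers to.
ROUTEBACK_INTERFACES = SAMPLE_INTERFACES.replace("sourceroute=0", "sourceroute=0,routeback")


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Split one dmesg-style netfilter log line into a dict of its fields.

    Words before the first key=value token are the log prefix (here the
    chain and disposition, "FORWARD REJECT"); key=value tokens are kept
    as strings. LEN= appears twice (IP header, then UDP header); the
    second occurrence is stored under LEN2 so neither value is lost.
    """
    line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # drop "[seconds]"
    prefix = []
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" not in tok:
            if not fields:          # only words before the first field
                prefix.append(tok)
            continue
        key, _, value = tok.partition("=")
        if key in fields:
            key += "2"
        fields[key] = value
    fields["CHAIN"] = prefix[0] if prefix else ""
    fields["DISPOSITION"] = prefix[1] if len(prefix) > 1 else ""
    return fields


def parse_interfaces(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Parse Shorewall's ZONE INTERFACE OPTIONS columns into
    {interface: (zone, option names)}. Comments, blank lines and
    ?directives are skipped, option values (sourceroute=0) reduced to
    the option name, '-' in OPTIONS means none, and an old-format
    'eth0:subnet' INTERFACE column is keyed by 'eth0'."""
    result: Dict[str, Tuple[str, Set[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        cols = line.split()
        zone, iface = cols[0], cols[1].split(":", 1)[0]
        opts: Set[str] = set()
        if len(cols) > 2 and cols[2] != "-":
            opts = {o.split("=", 1)[0] for o in cols[2].split(",")}
        result[iface] = (zone, opts)
    return result


def diagnose(log_line: str, interfaces: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, object]:
    """Classify one FORWARD reject/drop: hairpin (IN == OUT) or not, and
    whether the OUT interface has routeback. Returns a report dict."""
    f = parse_netfilter_log(log_line)
    in_if, out_if = f.get("IN", ""), f.get("OUT", "")
    hairpin = f["CHAIN"] == "FORWARD" and in_if != "" and in_if == out_if
    _zone, opts = interfaces.get(out_if, ("", set()))
    routeback = "routeback" in opts
    if hairpin and not routeback:
        advice = (f"packet for {f.get('DST')} is routed back out {out_if}, the "
                  f"interface it arrived on, and {out_if} lacks 'routeback': fix "
                  "the route so the DNAT target is reached via the intended "
                  "interface, or add routeback (Shorewall FAQ 17)")
    elif hairpin:
        advice = f"hairpin on {out_if} with routeback set; check policy/rules instead"
    else:
        advice = "not a hairpin: IN and OUT differ"
    return {"chain": f["CHAIN"], "disposition": f["DISPOSITION"], "in": in_if,
            "out": out_if, "dst": f.get("DST"), "dport": f.get("DPT"),
            "hairpin": hairpin, "routeback": routeback, "advice": advice}


def diagnose_all(log_text: str, interfaces_text: str):
    """Run diagnose() over every non-empty log line."""
    ifs = parse_interfaces(interfaces_text)
    return [diagnose(l, ifs) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for r in diagnose_all(SAMPLE_LOG, SAMPLE_INTERFACES):
        print(f"{r['chain']} {r['disposition']} {r['in']}->{r['out']} "
              f"dst={r['dst']}:{r['dport']} hairpin={r['hairpin']} "
              f"routeback={r['routeback']}\n  {r['advice']}")
```

On the router in the post, `ip route get 10.1.50.16` would show which interface the kernel actually selects for the DNAT target; if that is eth0 while the server is meant to sit behind eth1, the route is the thing to correct. Adding routeback to eth0 only lifts Shorewall's same-interface check; the resulting net-to-net traffic is still subject to the net-to-net policy.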
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users