On 12/23/18 11:12 AM, Justin Pryzby wrote:
> On Sun, Dec 23, 2018 at 10:49:30AM -0800, C. Cook wrote:
>> On 12/23/18 9:04 AM, Tom Eastep wrote:
>>> Clearly, your routing table indicates that the packet should be sent out
>>> of eth0 rather than eth1, and since eth0 doesn't have the 'routeback'
>>> option, the packet is being dropped in the FORWARD chain (see Shorewall
>>> FAQ 17).
>> Ok on the router in interfaces I've set routeback and routefilter on
>> eth0 (outside), and routefilter on eth1 (local) and eth2 (dmz).
> The DNAT line still isn't matching due to only matching packets to
> eth1 (local).

I don't understand this.

> What's the routing table? (Or are there policy routes?)

Router:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         50-47-96-1.evrt 0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
50.47.96.0      0.0.0.0         255.255.248.0   U     0      0        0 eth0
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eth1
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

... so no mention of 10.1.5.0, which may be Ok since it's in the VPN tunnel.

In Shorewall rules:

DNAT    net    local:10.1.5.16    udp    wgvpn    -

In the router I am trying to DNAT an IP that should be _encapsulated in the
tunnel_. It must be that I should DNAT the LAN address of the WG server.
*DOH!!*

Now it is fscking pinging the WG server 10.1.5.16 from the phone! But I can't
ping that server's LAN address, nor any other address on the LAN. So the phone
app is communicating with the WG server but not the rest of the system.

And no Shorewall errors in dmesg on that server. Hmm.

> You can maybe run date |logger to make a timestamped log.
> Or configure r/syslog to include timestamps to /var/log/syslog (messages?)

I find that what I want is in /etc/profile:

alias dmesg='dmesg -T --ctime'
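The check Tom Eastep describes above (which interface the kernel would actually route the DNAT target out of, and whether that is the interface of the zone named in the DNAT rule) can be done from a copy of `route -n` output before touching the firewall. The script below is an added example for this thread, not code from the list or from the Shorewall project. It embeds a constructed routing table that mirrors the router's table in the post in numeric form (the default gateway is written as 50.47.96.1, an assumption taken from the hostname 50-47-96-1.evrt; link-local is written as 169.254.0.0), and it assumes the zone-to-interface mapping stated in the post: net=eth0, local=eth1, dmz=eth2.

```python
import ipaddress

# Constructed sample in `route -n` layout, mirroring the router in the thread.
# The gateway address 50.47.96.1 is assumed from the hostname 50-47-96-1.evrt.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         50.47.96.1      0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
50.47.96.0      0.0.0.0         255.255.248.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""

# Zone -> interface mapping as described in the post (assumed, not read from
# the Shorewall interfaces file).
ZONE_IFACES = {"net": "eth0", "local": "eth1", "dmz": "eth2"}


def parse_route_table(text):
    """Parse `route`/`route -n` output into a list of route dicts.

    Handles both numeric output and the symbolic 'default' / 'link-local'
    destinations that plain `route` prints.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gateway, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        elif dest == "link-local":
            dest = "169.254.0.0"
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "metric": int(metric), "iface": iface})
    return routes


def egress_interface(routes, dst):
    """Return the interface the kernel would forward `dst` out of.

    Longest prefix wins; among equal prefixes the lower metric wins. Returns
    None when no route (not even a default) covers the address.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"]


def check_dnat(routes, zone_ifaces, dest_zone, target):
    """Compare the DNAT target's egress interface with the rule's zone interface.

    A mismatch is the situation in Shorewall FAQ 17: the packet leaves on an
    interface other than the one the DNAT rule's destination zone lives on,
    so it hits FORWARD on the 'wrong' interface and is dropped unless that
    interface has 'routeback'.
    """
    egress = egress_interface(routes, target)
    expected = zone_ifaces[dest_zone]
    return {"target": target, "egress": egress,
            "zone_iface": expected, "consistent": egress == expected}


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_N)
    # The rule from the post: DNAT net local:10.1.5.16 udp wgvpn
    print(check_dnat(table, ZONE_IFACES, "local", "10.1.5.16"))
    # A target on the LAN subnet, as the post concludes it should be
    print(check_dnat(table, ZONE_IFACES, "local", "192.168.1.16"))
```

For the tunnel address 10.1.5.16 the only matching route is the default via eth0, so the result is `consistent: False`; a LAN address such as 192.168.1.x matches the eth1 route and is consistent with `local`, which is the same conclusion the post reaches.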
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users