> > telnet: connect to address 1.2.3.4: Connection refused
>
> You are not providing sufficient information to be able to conclusively
> identify the problem. However, it seems like you either do not have IP
> forwarding enabled on the Shorewall machine (seems unlikely) or there is
> a missing route somewhere along the path (more likely).
Reading lots of posts, I made *some* progress. But not yet complete :-(
For the same configuration:
PublicIP1: 1.2.3.4, Interface: eth1
|
[Server1 with Shorewall]
|
InternalIP1: 10.0.0.1, Interface: dummy1
|
VPN Endpoint1: 10.200.200.1, Interface: wg1
|
|
|
|
VPN Endpoint2: 10.200.200.2, Interface: wg2
|
InternalIP2: 10.0.0.2, Interface: eth2
|
[Server2 with Shorewall]
|
[ Service, listening on 10.0.0.2:1234]
In shorewall on Server 1 I created a rule
DNAT net wg:10.0.0.2 tcp 1234,41993 - 1.2.3.4
I set up my vpn so on server 1, I can telnet to the back end server
telnet -4 10.0.0.2 1234
and @ Server2 I see the traffic across the VPN
tcpdump -n -i wg2 port 1234
06:14:58.331255 IP 10.0.0.1.54842 > 10.0.0.2.1234: Flags [S], seq 1793377570, win 64860, options [mss 1380,sackOK,TS val 3237749356 ecr 0,nop,wscale 7], length 0
06:14:58.331564 IP 10.0.0.2.1234 > 10.0.0.1.54842: Flags [S.], seq 3658100262, ack 1793377571, win 65160, options [mss 1380,sackOK,TS val 3890768294 ecr 3237749356,nop,wscale 7], length 0
06:14:58.358453 IP 10.0.0.1.54842 > 10.0.0.2.1234: Flags [.], ack 1, win 507, options [nop,nop,TS val 3237749397 ecr 3890768294], length 0
and I get connected to the back end
Trying 10.0.0.2...
Connected to 10.0.0.2.
Escape character is '^]'.
Next, from an EXTERNAL system I execute
telnet -4 1.2.3.4 1234
then I watch
@ Server1, the connection from the outside
tcpdump -n -i eth0 port 1234
06:11:43.718717 IP 104.xxx.xxx.xxx.11854 > 1.2.3.4.1234: Flags [SEW], seq 1508565471, win 42340, options [mss 1460,sackOK,TS val 82993745 ecr 0,nop,wscale 9], length 0
06:11:44.763856 IP 104.xxx.xxx.xxx.11854 > 1.2.3.4.1234: Flags [S], seq 1508565471, win 42340, options [mss 1460,sackOK,TS val 82994790 ecr 0,nop,wscale 9], length 0
06:11:46.811891 IP 104.xxx.xxx.xxx.11854 > 1.2.3.4.1234: Flags [S], seq 1508565471, win 42340, options [mss 1460,sackOK,TS val 82996838 ecr 0,nop,wscale 9], length 0
and the destination rewritten by the DNAT to the back end and sent into the VPN
tunnel at the Server1 endpoint
tcpdump -n -i wg1 port 1234
06:11:43.718942 IP 104.xxx.xxx.xxx.11854 > 10.0.0.2.1234: Flags [SEW], seq 1508565471, win 42340, options [mss 1380,sackOK,TS val 82993745 ecr 0,nop,wscale 9], length 0
06:11:44.763935 IP 104.xxx.xxx.xxx.11854 > 10.0.0.2.1234: Flags [S], seq 1508565471, win 42340, options [mss 1380,sackOK,TS val 82994790 ecr 0,nop,wscale 9], length 0
06:11:46.811986 IP 104.xxx.xxx.xxx.11854 > 10.0.0.2.1234: Flags [S], seq 1508565471, win 42340, options [mss 1380,sackOK,TS val 82996838 ecr 0,nop,wscale 9], length 0
but this traffic, the one that originates from EXTERNAL, never gets routed
across the VPN.
@ Server2
tcpdump -n -i wg2 port 1234
I don't see *any* traffic.
Since I can connect to the backend from ON the Server1, it looks like the
routes are ok?
But since I can not connect from EXTERNAL, I think something is missing in the
Server1 Shorewall rules?
I did not see in any of the examples or docs yet how to add more or different
routes or rules for this example.
Jan
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
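The captures in the post already contain the answer to "where does the flow disappear?", but reading three tcpdump windows by eye is error-prone. The script below is an added example, not code from the post or from the Shorewall project: it parses one-line `tcpdump -n` output collected at several capture points, groups packets into TCP flows by the client's initial sequence number (which survives DNAT while the destination address does not), and reports for each flow where on the path it was last seen, whether the handshake completed there, and whether a DNAT rewrite was observed. The `server1/eth0`-style capture tags, the `PATH` order and the sample lines are constructed for this example; `198.51.100.7` stands in for the redacted external client address.

```python
"""Correlate tcpdump captures taken at several points on a DNAT + VPN path.

Added example (not from the Shorewall post or project). tcpdump does not
print the capture interface, so every sample line is prefixed with a
constructed "host/iface" tag; the tag names and PATH order are assumptions.
"""
import re

PACKET_RE = re.compile(
    r"^(?P<where>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"   # SYN carries "seq N", data "seq A:B"
    r"(?:, ack (?P<ack>\d+))?"
)

# Constructed sample built from the captures in the post, one packet per line.
# 198.51.100.7 is a placeholder for the redacted 104.xxx.xxx.xxx client.
SAMPLE = """\
server2/wg2 06:14:58.331255 IP 10.0.0.1.54842 > 10.0.0.2.1234: Flags [S], seq 1793377570, win 64860, length 0
server2/wg2 06:14:58.331564 IP 10.0.0.2.1234 > 10.0.0.1.54842: Flags [S.], seq 3658100262, ack 1793377571, win 65160, length 0
server2/wg2 06:14:58.358453 IP 10.0.0.1.54842 > 10.0.0.2.1234: Flags [.], ack 1, win 507, length 0
server1/eth0 06:11:43.718717 IP 198.51.100.7.11854 > 1.2.3.4.1234: Flags [SEW], seq 1508565471, win 42340, length 0
server1/eth0 06:11:44.763856 IP 198.51.100.7.11854 > 1.2.3.4.1234: Flags [S], seq 1508565471, win 42340, length 0
server1/eth0 06:11:46.811891 IP 198.51.100.7.11854 > 1.2.3.4.1234: Flags [S], seq 1508565471, win 42340, length 0
server1/wg1 06:11:43.718942 IP 198.51.100.7.11854 > 10.0.0.2.1234: Flags [SEW], seq 1508565471, win 42340, length 0
server1/wg1 06:11:44.763935 IP 198.51.100.7.11854 > 10.0.0.2.1234: Flags [S], seq 1508565471, win 42340, length 0
server1/wg1 06:11:46.811986 IP 198.51.100.7.11854 > 10.0.0.2.1234: Flags [S], seq 1508565471, win 42340, length 0
"""

# Capture points in the order an inbound packet from the internet crosses them.
PATH = ["server1/eth0", "server1/wg1", "server2/wg2"]


def parse_line(line):
    """Return one packet as a dict, or None if the line is not a TCP packet."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["seq"] = int(pkt["seq"]) if pkt["seq"] else None
    pkt["ack"] = int(pkt["ack"]) if pkt["ack"] else None
    pkt["flags"] = set(pkt["flags"])
    return pkt


def build_flows(lines):
    """Group packets into flows keyed by (client ip, client port, client ISN).

    The key comes from the client's SYN; the SYN-ACK and the client's ACK are
    matched to it via the client endpoint seen at the same capture point.
    """
    flows = {}
    endpoint_to_key = {}  # (where, client ip, client port) -> flow key
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        where, flags = pkt["where"], pkt["flags"]
        if "S" in flags and "." not in flags:  # client SYN (also SEW = SYN+ECN)
            key = (pkt["src"], pkt["sport"], pkt["seq"])
            endpoint_to_key[(where, pkt["src"], pkt["sport"])] = key
            point = flows.setdefault(key, {}).setdefault(
                where, {"dst": pkt["dst"], "syn": 0, "synack": False, "ack": False})
            point["syn"] += 1  # retransmitted SYNs reuse the same ISN
            continue
        if "S" in flags:  # server SYN-ACK: the client is the destination
            key, field = endpoint_to_key.get((where, pkt["dst"], pkt["dport"])), "synack"
        else:             # anything else from the client side counts as its ACK
            key, field = endpoint_to_key.get((where, pkt["src"], pkt["sport"])), "ack"
        if key is not None:
            flows[key][where][field] = True
    return flows


def classify(point):
    """Describe how far the handshake got at one capture point."""
    if point["synack"] and point["ack"]:
        return "handshake complete"
    if point["synack"]:
        return "SYN-ACK seen, final ACK missing"
    n = point["syn"]
    return "SYN only (%d attempt%s), no SYN-ACK" % (n, "" if n == 1 else "s")


def trace(flows, path=PATH):
    """Per flow: where it was seen along `path`, and where it vanished."""
    report = {}
    for key, points in flows.items():
        seen = [p for p in path if p in points]
        last = seen[-1] if seen else None
        missing = path[path.index(last) + 1:] if last else list(path)
        report[key] = {
            "seen": seen,
            "dnat_rewrite": len({points[p]["dst"] for p in seen}) > 1,
            "status": {p: classify(points[p]) for p in seen},
            "last_seen": last,
            "missing": missing,
        }
    return report


if __name__ == "__main__":
    for (client, sport, isn), r in trace(build_flows(SAMPLE.splitlines())).items():
        print(f"{client}:{sport} isn={isn} dnat_rewrite={r['dnat_rewrite']}")
        for p in r["seen"]:
            print(f"  {p:13s} dst={r['status'][p]}")
        if r["missing"]:
            print(f"  last seen on {r['last_seen']}; never seen on {', '.join(r['missing'])}")
```

To use it on live captures, run one `tcpdump -l -n -i <iface> port 1234` per capture point and prefix each line with the point's tag (for example `| sed 's|^|server1/wg1 |'`) before feeding everything to `build_flows`. On the post's data the script reports the external flow as DNAT-rewritten, stuck at "SYN only (3 attempts), no SYN-ACK" on both `server1/eth0` and `server1/wg1`, and never seen on `server2/wg2`, while the locally originated flow completes its handshake. That pattern, an inner packet entering the tunnel on one side and never appearing on the other, locates the loss between the two WireGuard endpoints rather than in Shorewall's DNAT or in the backend, which narrows what to inspect next: the inner packet still carries the external client's source address, and WireGuard drops a received packet whose source is outside the sending peer's AllowedIPs, so the peer definition on Server2 and the return route for that address on Server2 are the usual things to verify.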