On 9/30/2020 7:12 PM, JadoNena via Shorewall-users wrote:
> 
> Instead of debugging broken, I am just looking for documentation & examples.
> So I can read & follow the examples and build it the right way to start.
> 
> 
> My situation is still pretty simple.
> 2 sites, connected over a VPN.  One facing the internet, the other on my LAN, 
> providing a service.
> I want to expose that service to the internet.
> 
> All of the examples I can find so far do not include the extra leg of the vpn.
> 
> So for this
> 
>       (1)
>       off-site
>       ip: 111.111.111.111
> 
>       (2)
>       my public server + Shorewall
> 
>               intfc: eth1
>               ip: 1.2.3.4
> 
>               dummy intfc: dummy1
>               ip: 10.0.1.1/24
> 
>               vpn intfc: wg1
>               endpoint: 10.200.200.1
> 
>       (4)
>       my internal server + Shorewall
> 
>               vpn intfc: wg2
>               endpoint: 10.200.200.2
> 
>               intfc: eth2
>               lan ip: 10.0.2.2/24
>               |
>               |-- service: listening on port 1234
> 
> 
> I've added ONE rule to shorewall configuration @ (2)
> 
>       DNAT    net:111.111.111.111    wg:10.0.2.2    tcp    1234    -    1.2.3.4
> 
> From internal, @ (2)
> 
>       telnet 10.0.2.2 1234
> 
> works.
> 
> From external, @ (1),
> 
>       telnet 1.2.3.4 1234
> 
> gets traffic TO
> 
>       vpn intfc: wg1
>       endpoint: 10.200.200.1
> 
> but does not get to the other side
> 
>       vpn intfc: wg2
>       endpoint: 10.200.200.2
> 
> Something needs to tell the system to allow that traffic when it comes from 
> external, not just internal.
> 
> Where do I add the rule or route in Shorewall to do that ?
> What are the right documents & examples for managing & redirecting INCOMING 
> traffic from the internet like this, not outgoing TO the internet ?
> 

All that we have is at shorewall.org (for DNAT, the rules file is what
you need to look into).

Please see (1) if you need more help.


In other words, we need a 'dump' of the issue, if you want our help.

1)  https://shorewall.org/support.htm#Guidelines

-- 
Matt Darfeuille <[email protected]>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org

