shorewall & ipsec

'chris' — Tue, 14 Mar 2006 05:05:59 GMT

hi

short information:
[1] local
[2] remote

local network:
192.168.115.0/24

remote firewall
201.X.X.2

remote network:
192.168.0.0/24
192.168.2.0/24
192.168.1.0/24

shorewall firewall is running on debian sarge ipsec gateway [1]
gateway has 3 ipsec tunnels with the remote firewall [2]

shorewall is active
ipsec tunnels are working !

from the local network over ipsec gateway [1]
I can reach all ports (ping,smb etc.) from the remote site.
but from the remote site everything is blocked !
I cannot ping, smb etc.

my shorewall configuration:

zones:
net Net Internet
loc Local Private net
vpn1 A VPN 192.168.0.0/24
vpn2 B VPN 192.168.2.0/24
vpn3 C VPN 192.168.1.0/24

hosts:
vpn1 eth0:192.168.0.0/24
vpn2 eth0:192.168.2.0/24
vpn3 eth0:192.168.1.0/24

interfaces:
net eth0 detect norfc1918,routefilter,blacklist,tcpflags,nosmurfs,logmartians
loc eth1 detect routeback

masq:
eth0 eth1
eth0:!192.168.0.0/24 192.168.115.0/24
eth0:!192.168.2.0/24 192.168.115.0/24
eth0:!192.168.1.0/24 192.168.115.0/24

policy:
loc all ACCEPT
fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
loc vpn1 ACCEPT
vpn1 loc ACCEPT
loc vpn2 ACCEPT
vpn2 loc ACCEPT
loc vpn3 ACCEPT
vpn3 loc ACCEPT

roules:
ACCEPT net $FW tcp ssh,www,https,ftp
ACCEPT net fw udp https,domain
ACCEPT fw net udp domain
ACCEPT net:201.X.X.2 $FW tcp
ACCEPT net:201.X.X.2 $FW udp

knows someone howto allow all ports from the remote site [2]
to the local network behind the vpn gateway [1] ?

greetings
chris

Re: shorewall & ipsec

Steven E. Protter — Tue, 14 Mar 2006 08:15:09 GMT

Shalom,

Shorewall is merely a code generator that creates iptables code.

You need an iptables statement that accepts all traffic on a particular port.
-A ACCEPT -s -p

SEP

Re: shorewall & ipsec

'chris' — Tue, 14 Mar 2006 12:41:35 GMT

I've tried already to change roules on different ways.
If I try ping from the remote site,
then I get the following message in the log:

Mar 14 18:34:10 ext kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 src=192.168.0.6 DST=192.168.115.2 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=50162 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5125

Re: shorewall & ipsec

'chris' — Sat, 18 Mar 2006 08:59:56 GMT

--------------------------------------------------------------------------------------------------------
# shorewall show capabilities

Shorewall-2.2.3 Chain capabilities at mydomain.net - Sam MÃ¤r 18 14:45:08 CET 2006

Counters reset Sat Mar 18 14:45:04 CET 2006

iptables: Table does not exist (do you need to insmod?)
--------------------------------------------------------------------------------------------------------

perhaps this is the problem ?

# depmod -a

seems not to help

# iptables --version
iptables v1.2.11

knows someone what's missing ?

Re: shorewall & ipsec

Vitaly Karasik_1 — Sat, 18 Mar 2006 15:33:19 GMT

can you send us "iptables -L" output?

thanks,
Vitaly

Re: shorewall & ipsec

'chris' — Sat, 18 Mar 2006 16:17:57 GMT

shorewall is stopped:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

shorewall is started:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
all2all all -- anywhere 192.168.0.0/24
all2all all -- anywhere 192.168.2.0/24
all2all all -- anywhere 192.168.1.0/24
all2all all -- anywhere 201.X.X.2
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded

Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:loc-srv
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:loc-srv
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900

Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:loc-srv
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:loc-srv
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain all2all (9 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere
net2all all -- anywhere 192.168.0.0/24
net2all all -- anywhere 192.168.1.0/24
net2all all -- anywhere 192.168.2.0/24
net2all all -- anywhere 201.X.X.2
vpn_frwd all -- 192.168.0.0/24 anywhere
vpn_frwd all -- 192.168.1.0/24 anywhere
vpn_frwd all -- 192.168.2.0/24 anywhere
vpn_frwd all -- 201.X.X.2 anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere
all2all all -- 192.168.0.0/24 anywhere
all2all all -- 192.168.1.0/24 anywhere
all2all all -- 192.168.2.0/24 anywhere
all2all all -- 201.X.X.2 anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2all all -- anywhere anywhere
loc2vpn all -- anywhere 192.168.0.0/24
loc2vpn all -- anywhere 192.168.1.0/24
loc2vpn all -- anywhere 192.168.2.0/24
loc2vpn all -- anywhere 201.X.X.2

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2all all -- anywhere anywhere

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT esp -- anywhere 201.X.X.2
ACCEPT ah -- anywhere 201.X.X.2
ACCEPT udp -- anywhere 201.X.X.2 udp dpt:isakmp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT all -- anywhere anywhere

Chain icmpdef (0 references)
target prot opt source destination

Chain loc2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2vpn (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain net2all (6 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT esp -- 201.X.X.2 anywhere
ACCEPT ah -- 201.X.X.2 anywhere
ACCEPT udp -- 201.X.X.2 anywhere udp dpt:isakmp state NEW
ACCEPT tcp -- anywhere anywhere multiport dports ssh,www,https,ftp,re-mail-ck
ACCEPT udp -- anywhere anywhere multiport dports https,domain,isakmp,4500
ACCEPT tcp -- 201.X.X.2 anywhere
ACCEPT udp -- 201.X.X.2 anywhere
ACCEPT icmp -- 201.X.X.2 anywhere
net2all all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain vpn2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain vpn_frwd (4 references)
target prot opt source destination
all2all all -- anywhere anywhere
vpn2loc all -- anywhere anywhere

Re: shorewall & ipsec

'chris' — Sun, 19 Mar 2006 08:45:44 GMT

# iptables -Ln

iptables: Table does not exist (do you need to insmod?)

topic Re: shorewall & ipsec in Operating System - Linux

shorewall & ipsec

Re: shorewall & ipsec

Re: shorewall & ipsec

Re: shorewall & ipsec

Re: shorewall & ipsec

Re: shorewall & ipsec

Re: shorewall & ipsec