
shorewall & ipsec

'chris'
Super Advisor

shorewall & ipsec

Hi,

Short information:
[1] local
[2] remote

local network:
192.168.115.0/24

remote firewall
201.X.X.2

remote network:
192.168.0.0/24
192.168.2.0/24
192.168.1.0/24

The Shorewall firewall is running on the Debian Sarge IPsec gateway [1].
The gateway has 3 IPsec tunnels to the remote firewall [2].

Shorewall is active.
The IPsec tunnels are working!

From the local network over the IPsec gateway [1]
I can reach all ports (ping, SMB etc.) at the remote site,
but from the remote site everything is blocked!
I cannot ping, use SMB etc.

my shorewall configuration:

zones:
net Net Internet
loc Local Private net
vpn1 A VPN 192.168.0.0/24
vpn2 B VPN 192.168.2.0/24
vpn3 C VPN 192.168.1.0/24

hosts:
vpn1 eth0:192.168.0.0/24
vpn2 eth0:192.168.2.0/24
vpn3 eth0:192.168.1.0/24

interfaces:
net eth0 detect norfc1918,routefilter,blacklist,tcpflags,nosmurfs,logmartians
loc eth1 detect routeback

masq:
eth0 eth1
eth0:!192.168.0.0/24 192.168.115.0/24
eth0:!192.168.2.0/24 192.168.115.0/24
eth0:!192.168.1.0/24 192.168.115.0/24

policy:
loc all ACCEPT
fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
loc vpn1 ACCEPT
vpn1 loc ACCEPT
loc vpn2 ACCEPT
vpn2 loc ACCEPT
loc vpn3 ACCEPT
vpn3 loc ACCEPT

rules:
ACCEPT net $FW tcp ssh,www,https,ftp
ACCEPT net fw udp https,domain
ACCEPT fw net udp domain
ACCEPT net:201.X.X.2 $FW tcp
ACCEPT net:201.X.X.2 $FW udp


Does someone know how to allow all ports from the remote site [2]
to the local network behind the VPN gateway [1]?

greetings
chris

Steven E. Protter
Exalted Contributor
Solution

Re: shorewall & ipsec

Shalom,

Shorewall is merely a code generator that creates iptables code.

You need an iptables statement that accepts all traffic on a particular port.
-A ACCEPT -s -p

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
'chris'
Super Advisor

Re: shorewall & ipsec

I've already tried changing the rules in different ways.
If I try a ping from the remote site,
then I get the following message in the log:

Mar 14 18:34:10 ext kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 src=192.168.0.6 DST=192.168.115.2 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=50162 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5125
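The log line above carries the prefix of the rfc1918 chain, and its source address lies inside one of the vpn host ranges declared on eth0. As an added example, not from the thread, here is a small Python check that parses Shorewall kernel log lines in that format and explains such a drop against the zone and interface configuration; the INTERFACE_OPTIONS and HOSTS dictionaries are assumptions that mirror the interfaces and hosts files from the question, and the sample line is constructed.

```python
import ipaddress
import re

# Constructed sample, modelled on the log line quoted in the thread.
SAMPLE_LOG = (
    "Mar 14 18:34:10 ext kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
    "SRC=192.168.0.6 DST=192.168.115.2 LEN=60 TOS=0x00 PREC=0x00 TTL=126 "
    "ID=50162 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=5125"
)

# Hypothetical mirror of the question's interfaces and hosts files:
# interface -> options, zone -> (interface, subnet).
INTERFACE_OPTIONS = {"eth0": {"norfc1918", "routefilter", "tcpflags", "nosmurfs"},
                     "eth1": {"routeback"}}
HOSTS = {"vpn1": ("eth0", "192.168.0.0/24"),
         "vpn2": ("eth0", "192.168.2.0/24"),
         "vpn3": ("eth0", "192.168.1.0/24")}

_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")
_FIELD = re.compile(r"([A-Za-z]+)=(\S+)")  # keys are upper-cased below


def parse_log(line):
    """Return chain, disposition and the key=value fields of a Shorewall log line.
    A repeated key (ICMP echo carries two ID= fields) keeps its first value."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in _FIELD.findall(m.group("rest")):
        rec.setdefault(key.upper(), val)
    return rec


def diagnose(rec):
    """Explain a drop by the rfc1918 chain in terms of the zone/interface config.
    Returns None for lines from other chains."""
    if rec is None or rec["chain"] != "rfc1918":
        return None
    src = ipaddress.ip_address(rec["SRC"])
    in_if = rec.get("IN")
    for zone, (iface, subnet) in HOSTS.items():
        if iface == in_if and src in ipaddress.ip_network(subnet) \
                and "norfc1918" in INTERFACE_OPTIONS.get(iface, ()):
            return (f"{src} belongs to zone {zone} ({subnet}) on {iface}, but {iface} "
                    f"has the norfc1918 option, so the rfc1918 chain dropped it before "
                    f"the {zone}-to-loc policy was reached")
    return f"{src} from {in_if} hit the rfc1918 chain and matches no declared host zone"
```

Run it over the gateway's kernel log (for example with `grep Shorewall:rfc1918`) and call `diagnose(parse_log(line))` on each line to separate VPN traffic caught by the interface option from genuinely spoofed private addresses arriving from the Internet.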
'chris'
Super Advisor

Re: shorewall & ipsec

--------------------------------------------------------------------------------------------------------
# shorewall show capabilities

Shorewall-2.2.3 Chain capabilities at mydomain.net - Sam Mär 18 14:45:08 CET 2006

Counters reset Sat Mar 18 14:45:04 CET 2006

iptables: Table does not exist (do you need to insmod?)
--------------------------------------------------------------------------------------------------------

Perhaps this is the problem?

# depmod -a

This doesn't seem to help.

# iptables --version
iptables v1.2.11

Does someone know what's missing?


Vitaly Karasik_1
Honored Contributor

Re: shorewall & ipsec

Can you send us the "iptables -L" output?

thanks,
Vitaly
'chris'
Super Advisor

Re: shorewall & ipsec

shorewall is stopped:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


shorewall is started:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
all2all all -- anywhere 192.168.0.0/24
all2all all -- anywhere 192.168.2.0/24
all2all all -- anywhere 192.168.1.0/24
all2all all -- anywhere 201.X.X.2
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded

Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:loc-srv
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:loc-srv
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900

Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:loc-srv
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:loc-srv
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain all2all (9 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere
net2all all -- anywhere 192.168.0.0/24
net2all all -- anywhere 192.168.1.0/24
net2all all -- anywhere 192.168.2.0/24
net2all all -- anywhere 201.X.X.2
vpn_frwd all -- 192.168.0.0/24 anywhere
vpn_frwd all -- 192.168.1.0/24 anywhere
vpn_frwd all -- 192.168.2.0/24 anywhere
vpn_frwd all -- 201.X.X.2 anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere
all2all all -- 192.168.0.0/24 anywhere
all2all all -- 192.168.1.0/24 anywhere
all2all all -- 192.168.2.0/24 anywhere
all2all all -- 201.X.X.2 anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2all all -- anywhere anywhere
loc2vpn all -- anywhere 192.168.0.0/24
loc2vpn all -- anywhere 192.168.1.0/24
loc2vpn all -- anywhere 192.168.2.0/24
loc2vpn all -- anywhere 201.X.X.2

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2all all -- anywhere anywhere

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT esp -- anywhere 201.X.X.2
ACCEPT ah -- anywhere 201.X.X.2
ACCEPT udp -- anywhere 201.X.X.2 udp dpt:isakmp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT all -- anywhere anywhere

Chain icmpdef (0 references)
target prot opt source destination

Chain loc2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2vpn (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain net2all (6 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT esp -- 201.X.X.2 anywhere
ACCEPT ah -- 201.X.X.2 anywhere
ACCEPT udp -- 201.X.X.2 anywhere udp dpt:isakmp state NEW
ACCEPT tcp -- anywhere anywhere multiport dports ssh,www,https,ftp,re-mail-ck
ACCEPT udp -- anywhere anywhere multiport dports https,domain,isakmp,4500
ACCEPT tcp -- 201.X.X.2 anywhere
ACCEPT udp -- 201.X.X.2 anywhere
ACCEPT icmp -- 201.X.X.2 anywhere
net2all all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain vpn2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain vpn_frwd (4 references)
target prot opt source destination
all2all all -- anywhere anywhere
vpn2loc all -- anywhere anywhere



'chris'
Super Advisor

Re: shorewall & ipsec

# iptables -Ln

iptables: Table does not exist (do you need to insmod?)