From: Raimonds C. <ra...@ap...> - 2015-02-14 00:15:21
On 14.02.2015 00:10, Tom Eastep wrote:
> On 2/13/2015 12:03 PM, Raimonds Cicans wrote:
>> I have the following Shorewall (4.5.21.10) configuration (simplified)
>>
>> --- Zone file ---
>> zlan ipv4
>> zdmz ipv4
>> zinet ipv4
>> zvpn ipv4
>>
>> --- Interfaces file ---
>> zlan lan
>> zdmz dmz
>> zinet inet
>>
>> --- Hosts file ---
>> zvpn inet:remote_internal_lan,remote_external_ip ipsec
>>
>> --- Masq file ---
>> inet dmz
>> inet lan
>>
>> --- Policy file ---
>> $FW all ACCEPT
>> zlan zinet ACCEPT
>> zlan zdmz ACCEPT
>> zlan zvpn ACCEPT
>>
>> zinet all DROP info
>> all all REJECT info
>>
>> --- Tunnels file ---
>> ipsec zinet remote_external_ip
>>
>> ---------------------
>>
>> Everything is working fine, but I need to add access from the zdmz zone to zvpn.
>> In the FreeSwan configuration only zlan has access to zvpn, so it looks like I
>> need some kind of masquerading.
>> Is this theoretically possible?
>>
>> I tried the following:
>> 1. step
>> add to the beginning of the Policy file:
>> zdmz zvpn ACCEPT
>>
>> 2. step
>> add to the beginning of the Masq file:
>> inet:remote_internal_lan dmz ip_of_lan_interface
>>
>> But when I try to ping zvpn hosts from zdmz I get:
>> Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet ... SRC=some_zdmz_ip
>> DST=some_zvpn_ip
>>
>> Honestly speaking, in the second step I tried almost all possible
>> combinations of IP/net addresses,
>> and when I ping I always get the same error.
>>
>> What am I doing wrong?
>>
>
> As far as Netfilter is concerned, the traffic is not zdmz->zvpn but
> zvpn->zinet. So, in addition to the masq entry, you need a rule:
>
> ACCEPT net:remote_internal_lan zdmz
>

Little fix - it should be the other way around:

ACCEPT zdmz zinet:remote_internal_lan

Thank you anyway!

Raimonds Cicans
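For reference, the two entries the thread converges on, consolidated into the files they belong in. This is an added example assembled from the entries quoted above, not a file from the original posts; `lan`, `dmz`, `inet`, `remote_internal_lan` and `ip_of_lan_interface` are the placeholders the thread uses, and the column comments follow the Shorewall 4.x rules and masq file layout. The reason the ACCEPT has to be written as zdmz->zinet rather than zdmz->zvpn (my reading of the REJECT log line above, not something the thread spells out): Shorewall places a packet in the ipsec-only zvpn zone by matching it against the kernel's IPsec policy, but the FORWARD filter decision is taken before POSTROUTING SNAT rewrites the source address, so at that point the packet still carries its DMZ source, matches no lan<->remote policy, and is therefore plain zdmz->zinet traffic bound for remote_internal_lan. Only after the masq entry rewrites the source to the LAN interface address does it match the existing tunnel policy.

```text
# --- rules file ---
# Accept DMZ -> Internet traffic only when the destination is the remote LAN
# behind the IPsec tunnel. This goes in the rules file, not the policy file.
#ACTION   SOURCE   DEST
ACCEPT    zdmz     zinet:remote_internal_lan

# --- masq file ---
# Most specific entry first: DMZ traffic leaving inet towards the remote LAN is
# SNATed to the LAN interface address so that it matches the lan<->remote IPsec
# policy that FreeSwan already has. The two remaining entries are the original
# ones from the quoted configuration.
#INTERFACE                 SOURCE   ADDRESS
inet:remote_internal_lan   dmz      ip_of_lan_interface
inet                       dmz
inet                       lan
```

The zone, interfaces, hosts, policy and tunnels files stay as quoted in the thread. Validate and apply with `shorewall check` followed by `shorewall restart`; `shorewall show nat` then lists the POSTROUTING SNAT entry for `remote_internal_lan`, and a ping from a DMZ host to a zvpn host should no longer produce the `zdmz2zinet:REJECT` log line.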