[Shorewall-users] pb with iptables snat script

Tristan DEFERT tristan.d at alphamosa.fr
Thu May 26 01:58:02 PDT 2005


On Tuesday, May 24, 2005 at 06:26 -0500, Jerry Vonau wrote:
> ----- Original Message -----
> From: "Tristan DEFERT" <tristan.d at alphamosa.fr>
> To: "Mailing List for Shorewall Users"
> <shorewall-users at lists.shorewall.net>
> Sent: Tuesday, May 24, 2005 05:18
> Subject: Re: [Shorewall-users] pb with iptables snat script
> 
> 
> > On Monday, May 23, 2005 at 11:35 -0500, Jerry Vonau wrote:
> > > Your question is not obscure, I think I understand it.
> > > You just didn't give enough detail to make an informed answer.
> > >
> > > 10.8.0.0/16 is the vpn network, right?
> > > SOURCEIP is the external ip of the firewall?
> > > Are you using the tap or tun device with openvpn?
> > > Are you using openvpn with the bridge?
> > > What are you trying to accomplish?
> > > Allow the vpn clients access to the internet across the vpn only?
> > >
> > > Most of the above would have been answered if you had posted your
> > > shorewall config files, the output of ip route show and ip addr show as
> > > stated in: http://shorewall.net/support.htm
> > >
> > > Why I'm asking is the rule that you posted has no -o stated, meaning
> > > that all traffic from 10.8.0.0/16 would be masq'd.
> > > Shorewall requires this -o info to do masq/snat, which is handled by
> > > the masq file.
> > >
> > > Without the benefit of knowing how you configured shorewall, the layout
> > > of your network, and the openvpn config, this is just a guess, in
> > > masq:
> > >
> > > INTF    10.8.0.0/16     SOURCEIP
> > >
> > > INTF would be the interface that is connected to the target network.
> > > Hope it helps...
> > >
> > > Jerry Vonau
> > >
> > >
> > Oh sure, I can detail information about my setup.
> > Here is a schema:
> >
> > DMZ zone (hosts with pub IPs) <==> Bridge/Firewall <==> Router <==> NET
> >
> > Let's say AM.0 is our corporate subnet (a whole class C of pub IPs:
> > AM.0/24)
> > The bridge/firewall has IP AM.2
> > The machines in DMZ also have IPs like AM.xxx
> >
> > Now the firewall hosts an OpenVPN server in tun mode.
> > The tun network class is 10.8.0.0/24.
> > The goal of this VPN is to allow managing DMZ computers remotely and
> > securely.
> >
> > The problem encountered was the following:
> >
> > Tunnel works fine, but the DMZ zone wasn't reachable from VPN users
> > because the computers in DMZ zone didn't know how they could reach the
> > 10.8.0.0 class, and used the router address (AM.1) as gateway, instead
> > of the firewall. Even if I "push" to the openvpn client the good route!
> > The packets arrive correctly at the target (DMZ computers), but cannot
> > be routed back.
> > After adding the route to one computer of the DMZ, I succeeded in
> > reaching this computer from VPN.
> > (route add -net 10.8.0.0 netmask 255.255.255.0 gw $AM.2)
> >
> > But I don't want to maintain routes on each computer in DMZ, so I tried
> > an iptables workaround.
> > That's where the custom iptables script comes in:
> > iptables  -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source AM.2
> >
> > --to-source points to the firewall/bridge/gateway IP
> > -s points to the OpenVPN subnet
> >
> > It works for every computer in DMZ.
> >
> > Because of shorewall's great design, I think I can achieve the same thing
> > only with standard shorewall config files. I read all the shorewall doc, but
> > didn't find such an example, nor in the openvpn doc.
> >
> > So I'm asking if someone has ever been stuck with this problem, and
> > already has a clean solution (no custom script / only standard shorewall
> > config files)
> >
> > Now you have all the elements to answer me.
> >
> > Thank you guys for helping me without raising polemics and trolling
> > around about reading docs or not... I've read them more than twice.
> 
> I did answer you before,
> > in masq:
> > INTF    10.8.0.0/16     SOURCEIP
> > INTF would be the interface that is connected to the target network.
> 
> This is like setting up a 3 interface bridge box with the dmz having
> public ip addresses, except that the "local lan" interface is virtual
> (tun0).
> Your target network's interface is the bridge, so if your bridge is br0,
> in the MASQ file:
> 
> br0        10.8.0.0/16    AM.2
> 
> Jerry
> 
> 
Great, it works!
In fact, it was so simple! I was searching for something that was obvious...
Thanks Jerry for your help!
byeee
-- 
__________________________________________________________________
Tristan DEFERT
Société Alpha Mosa
__________________________________________________________________
Tél. (33) 03 26 48 17 56        Internet : http://www.alphamosa.fr
Fax. (33) 03 26 48 10 87               eMail : tristan.d at alphamosa.fr
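Jerry's point that an SNAT rule with no -o applies on every outbound interface is easy to check for after the fact. The following is an added example, not code from the thread or from Shorewall: it scans iptables-save text for nat POSTROUTING SNAT/MASQUERADE rules that carry no -o match. The input is constructed, and 192.0.2.2 stands in for the firewall address AM.2 from the thread.

```shell
# Added example (not from the thread or the Shorewall project): flag nat
# POSTROUTING SNAT/MASQUERADE rules with no "-o <iface>", i.e. source NAT
# that is applied on every outbound interface instead of just the one
# facing the target network.

# Constructed iptables-save excerpt. The first rule mirrors the
# interface-less rule from the thread; the second is the scoped form
# that a Shorewall masq entry "br0 10.8.0.0/24 <fw-ip>" is meant to
# express; the third is an ordinary scoped MASQUERADE for comparison.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/16 -j SNAT --to-source 192.0.2.2
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to-source 192.0.2.2
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Print every POSTROUTING rule that jumps to SNAT or MASQUERADE and has
# no "-o <iface>" match (the long form --out-interface is also accepted).
# Usage: find_unscoped_snat "$(iptables-save -t nat)"
find_unscoped_snat() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ \
            && !/ (-o|--out-interface) [^ ]+/ { print }
    '
}

# Return 0 when every NAT rule is interface-scoped, 1 otherwise.
nat_is_scoped() {
    [ -z "$(find_unscoped_snat "$1")" ]
}

find_unscoped_snat "$SAMPLE"
```

Run it against the live ruleset with `find_unscoped_snat "$(iptables-save -t nat)"`; every line it prints is NAT that Shorewall would only have generated from a masq entry naming an interface.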