Gentoo Forums
Forum Index: Networking & Security
Shorewall blocking VPN host traffic
jasonpf
Tux's lil' helper

Joined: 23 Nov 2002
Posts: 86
Location: Tempe, AZ

Posted: Mon Feb 18, 2019 10:09 pm    Post subject: Shorewall blocking VPN host traffic

So I have a mildly unusual shorewall configuration I need help with.

First some config info:

The host system has 4 ethernet interfaces: 1 is WAN, 3 are LAN.
The LAN ports are bridged as lan0.
Docker runs on this host, and its network interfaces bridge to lan0 as well, with static IPs.
dnsmasq does DNS and DHCP; it reads a file, /etc/dnsmasq.hosts, that contains the static IPs of the systems (Docker and physical LAN).
I run shorewall with SNAT masquerade against WAN.

policy:
wan all DROP
fw all ACCEPT
lan all ACCEPT
lan lan ACCEPT
all all ACCEPT

rules:
#ACTION Source Dest Proto Inbound_Port
DNAT wan lan:10.11.12.3:32400 tcp 6600

zones:
fw firewall
wan ipv4
lan ipv4

interfaces:
wan enp4s0 detect dhcp,routefilter,tcpflags
lan lan0 detect dhcp,routeback,bridge


I have a docker running VPN and privoxy on lan0 with IP 10.11.12.7 and wish to only allow it to send traffic through the WAN (masqueraded, of course) to the VPN IP, and DNS to DNS servers. I tried the following:
shorewall hosts file:
vpn lan0:10.11.12.9
vpndns enp4s0:8.8.8.8,4.2.2.2
vpnhost enp4s0:136.0.0.194

rules file:
DNAT wan lan:10.11.12.3:32400 tcp 6600
ACCEPT vpn vpndns tcp domain
ACCEPT vpn vpndns udp domain
ACCEPT vpn vpnhost udp 2049
REJECT vpn wan

zones:
vpn ipv4
vpnhost ipv4
vpndns ipv4


But this didn't work as expected (blocking all but traffic from 10.11.12.9 to the VPN host and DNS queries). Any thoughts on how I should proceed? I'm completely baffled about what I did wrong. I'm probably completely wrong in my approach, but I need some pointers. Thanks!
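As an added illustration, not code from the post or from Shorewall itself, the following Python model applies first-match evaluation to the policy, rules, hosts and zones snippets posted above. It assumes that rules are tried in file order before any policy is consulted, that policies are tried in file order, and that an address listed in the hosts file belongs to that zone and also to the zone of the interface it sits on (a hosts-file zone nesting inside the interface zone), while an unlisted address belongs only to the interface zone. Shorewall's real nested-zone mechanics (zones-file order, IMPLICIT_CONTINUE) are not reproduced, so the verdicts are a way to reason about the intended rule set rather than a statement of what the running firewall does. Both addresses the post mentions for the container (10.11.12.7 in the description, 10.11.12.9 in the hosts file) are evaluated; 203.0.113.5 is a constructed stand-in for an arbitrary Internet host.

```python
"""Toy first-match evaluator for the Shorewall snippets posted above.

Added example, not Shorewall's own code. Modelled assumptions:
  * rules are tried in file order before any policy is consulted;
  * policies are tried in file order, first match wins;
  * an address listed in the hosts file is in that zone AND in the zone of
    the interface it sits on (the hosts-file zone nests inside the
    interface zone); an unlisted address is only in the interface zone.
Shorewall's real nested-zone handling (zones-file order, IMPLICIT_CONTINUE)
is not modelled.
"""
import ipaddress

# interfaces file from the post: interface -> zone
INTERFACES = {"enp4s0": "wan", "lan0": "lan"}

# hosts file from the post: (zone, interface, addresses)
HOSTS = [
    ("vpn", "lan0", ["10.11.12.9"]),
    ("vpndns", "enp4s0", ["8.8.8.8", "4.2.2.2"]),
    ("vpnhost", "enp4s0", ["136.0.0.194"]),
]

# rules file from the post: (action, source, dest, proto, dport).
# "domain" is written as its port number 53; the DNAT line is address
# translation rather than a filter rule and is left out of this model.
RULES = [
    ("ACCEPT", "vpn", "vpndns", "tcp", "53"),
    ("ACCEPT", "vpn", "vpndns", "udp", "53"),
    ("ACCEPT", "vpn", "vpnhost", "udp", "2049"),
    ("REJECT", "vpn", "wan", None, None),
]

# policy file from the post: (source, dest, action)
POLICIES = [
    ("wan", "all", "DROP"),
    ("fw", "all", "ACCEPT"),
    ("lan", "all", "ACCEPT"),
    ("lan", "lan", "ACCEPT"),
    ("all", "all", "ACCEPT"),
]


def zones_for(ip, iface):
    """Zones an address seen on `iface` belongs to, most specific first."""
    addr = ipaddress.ip_address(ip)
    zones = [zone for zone, i, addrs in HOSTS
             if i == iface and addr in map(ipaddress.ip_address, addrs)]
    zones.append(INTERFACES[iface])  # the interface zone always applies
    return zones


def _zone_match(pattern, zones):
    return pattern == "all" or pattern in zones


def evaluate(src_ip, src_iface, dst_ip, dst_iface, proto, dport):
    """Return (verdict, reason) for one flow under the modelled ordering."""
    src_zones = zones_for(src_ip, src_iface)
    dst_zones = zones_for(dst_ip, dst_iface)
    for action, src, dst, rproto, rport in RULES:
        if (_zone_match(src, src_zones) and _zone_match(dst, dst_zones)
                and rproto in (None, proto) and rport in (None, str(dport))):
            matched = " ".join(x for x in (action, src, dst, rproto, rport) if x)
            return action, "rule " + matched
    for src, dst, action in POLICIES:
        if _zone_match(src, src_zones) and _zone_match(dst, dst_zones):
            return action, f"policy {src} {dst} {action}"
    return "DROP", "no policy matched"  # unreachable with the all/all policy above


if __name__ == "__main__":
    # Constructed flows: (src_ip, src_iface, dst_ip, dst_iface, proto, dport)
    FLOWS = [
        ("10.11.12.9", "lan0", "8.8.8.8", "enp4s0", "udp", 53),
        ("10.11.12.9", "lan0", "136.0.0.194", "enp4s0", "udp", 2049),
        ("10.11.12.9", "lan0", "136.0.0.194", "enp4s0", "tcp", 443),
        ("10.11.12.9", "lan0", "203.0.113.5", "enp4s0", "tcp", 443),
        ("10.11.12.7", "lan0", "203.0.113.5", "enp4s0", "tcp", 443),
    ]
    for flow in FLOWS:
        verdict, why = evaluate(*flow)
        print(f"{flow[0]:>12} -> {flow[2]:>12}:{flow[5]}/{flow[4]}  {verdict:7} ({why})")
```

Under these assumptions the model shows which address a flow is classified by and whether a rule or a fallback policy decided it, which is the first thing to check when a source that is meant to be confined still reaches the WAN: a source that is not in any hosts-file zone never reaches the vpn rules and falls through to the interface zone's policy.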