Trying to configure shorewall to allow bridged vpn traffic to the local subnet

perlchun · 06-20-2008, 03:22 PM

Hello,

I'm having a really hard time trying to configure shorewall to allow bridged vpn traffic in the local subnet. I'm using openvpn v2.0.9 , Shorewall v4.0.10 with the Shorewall-Perl compiler on a dedicated Debian 2.6.18 system.

The firewall is a three interface setup with:
eth0 = loc
eth1 = dmz
eth2 = net

My Openvpn client (XP) seems to connect ok, the tap interface gets assigned an ip, but I am unable to ping anything in the subnet.
If you can shed some light on this for me I would be very grateful. Please let me know if you need to see anything else.

The output of "brctl show" is:
bridge name bridge id STP enabled interfaces
br0 8000.00010287046a no eth0
tap0
--------------------------------------------------------------------------------------

Here's a look at my shorewall setup:
shorewall/zones:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
road ipv4
net ipv4
loc ipv4
dmz ipv4
-----------------------------------
shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS

net eth2 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
loc br0 detect dhcp,bridge,routeback,routefilter
dmz eth1 detect routeback
----------------------------------
shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth2 br0
eth2 eth1
---------------------------------

Thank You,

San-Raal · 06-23-2008, 04:49 AM

I think, you don't have shorewall configured properly, because you have a zone assigned to "road" (from your /etc/shorewall/zones), but no interface assigned to that zone (/etc/shorewall/interfaces).

Please post your /etc/shorewall/policy file.

perlchun · 06-24-2008, 10:51 AM

Hi,

I've since updated my shorewall configuration as follows:

fyi, the .200 ip address below is for our loc interface on the firewall. I'm not sure if I should be putting that or if I should use .100 as per my openvpn server-bridge configuration below.

-----------------------
rules:
-----------------------
ACCEPT loc net
DNAT road loc:10.100.100.200 udp 1194

# Accept SSH/FTP connection to systems in the DMZ
SSH/ACCEPT net dmz:10.100.222.81 - - - 206.165.217.81
SSH/ACCEPT net dmz:10.100.222.82 - - - 206.165.217.82
HTTP/ACCEPT net dmz:10.100.222.82 - - - 206.165.217.82
HTTPS/ACCEPT net dmz:10.100.222.82 - - - 206.165.217.82
FTP/ACCEPT net dmz:10.100.222.91 - - - 206.165.217.91

# Accept http and email connection to system in the LOC
HTTP/ACCEPT net road:10.100.100.10 - - - 206.165.217.69
ACCEPT net road:10.100.100.4 tcp 25 - 206.165.217.68
HTTP/ACCEPT net road:10.100.100.4 - - - 206.165.217.68
HTTPS/ACCEPT net road:10.100.100.4 - - - 206.165.217.68
IMAP/ACCEPT net road:10.100.100.4 - - - 206.165.217.68
POP3/ACCEPT net road:10.100.100.4 - - - 206.165.217.68
ACCEPT net road:10.100.100.4 tcp 25 - 206.165.217.66

# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
ACCEPT dmz net

# Reject Ping from the "bad" net zone.

Ping/REJECT net $FW

#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#

Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz road
Ping/ACCEPT dmz net

ACCEPT $FW net icmp
ACCEPT $FW road icmp
ACCEPT $FW dmz icmp
ACCEPT loc net
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc

#Ping/ACCEPT net dmz
#Ping/ACCEPT net loc
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-----------------------
policy:
-----------------------
loc dmz ACCEPT info
loc $FW ACCEPT info
loc all ACCEPT info

#Allow VPN traffic
road loc ACCEPT info
loc road ACCEPT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
$FW net ACCEPT info
$FW dmz ACCEPT info
$FW road ACCEPT info
$FW all REJECT info

#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
# If you want open access from DMZ to the Internet change the following
# policy to ACCEPT. This may be useful if you run a proxy server in
# your DMZ.
dmz net ACCEPT info
dmz $FW ACCEPT info
dmz road ACCEPT info
dmz all ACCEPT info

#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net road DROP info
net all DROP info

# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

---------------------
zones:
---------------------
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
road ipv4
net ipv4
loc:road bport
dmz ipv4
vpn:road bport #tap interface

--------------------
interfaces:
-------------------
#ZONE INTERFACE BROADCAST OPTIONS
#pub br0 detect routefilter,bridge
road br0 detect routefilter,bridge
net eth2 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
loc br0:eth0 # detect routeback,routefilter,dhcp,bridge
dmz eth1 detect routeback
vpn br0:tap0

--------------------
tunnels:
--------------------
#TYPE ZONE GATEWAY GATEWAY
# ZONE

openvpnserver:1194 net 0.0.0.0/0

-------------------
masq:
------------------
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth2 br0
eth2 eth1

----------------------
I even created an action
----------------------
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT tap0 br0
ACCEPT br0 tap0

---------------------------------
My OpenVPN server.conf files is as follows:
---------------------------------
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.100.100.100 255.255.255.0 10.100.100.117 10.100.100.125
push "route 10.100.100.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6

-------------------------------------

When I connect from the xp sp2 client it says:
TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up...
TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up...TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up...TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up...TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=down
Route: Waiting for TUN/TAP interface to come up...
TEST ROUTES: 0/0 succeeded len-1 ret=0 a=0 u/d=up
route ADD 10.100.100.0 MASK 255.255.255.0 10.100.100.100

Route addition via IPAPI succeeded
Initialization Sequence Completed

But I can't ping anything on the 10.100.100.0 network

Thank You

San-Raal · 06-25-2008, 04:44 AM

Thanks for all the configs, but you got it messed up a little (luckily not too much).

First of all, I want to mention, that I got a Debian 3 interface router+OpenVPN+shorewall configuration for multiple clients connecting to the VPN, with access to the loc zone. I don't use bridged interfaces (and don't know why are you...), because without them the configuration is in my opinion simplier and does its job 100% :-).

From the configs I assume that you are trying to connect two networks using OpenVPN bridge mode. The problem is that you have probably misconfigured the interfaces/zones part.

You have kinda too much in logs (the "info" part after rules) from your firewall, so I would recommend removing this logging. Then you could see, what rule is blocking the traffic. The traffic from the VPN probably ends on the rule "ALL ALL REJECT info". The reason is, that you are setting rules for the "road" zone, but you probably should be using the "vpn" zone.

Your interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
road br0 detect routefilter,bridge << "road" is the whole bridge
net eth2 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
loc br0:eth0 # detect routeback,routefilter,dhcp,bridge
dmz eth1 detect routeback
vpn br0:tap0 << "vpn" is the tap0 part of the bridge

I would suggest, that you first try to remove some logs generation from the shorewall policy config file (if you have that many, you probably don't inspect them 100%). Log only the VPN parts you are trying to get working. Then try looking into your logs and find the traffic that is blocked, and where it is blocked. Afterwards I recommend a revision of your zones/interfaces files, to check if you are using the correct zones in your rules/policy. But I think, you will probably find it in the logs, why your pings are blocked.

My last recomendation is not regarding your problem, but will probably "clean" your config a little :-) You can remove the rules:
ACCEPT loc net << this is already in your policy file "loc all ACCEPT info", remov it from rules, it's ok in the policy file
DNAT road loc:10.100.100.200 udp 1194 <<don't know why are your DNATing it, but you already have a ACCEPT rule created from the tunnels file, and everything required can be configured there.

The last thing is regarding your "dmz all ACCEPT info" policy. With that you are rewriting all your custom rules like "DNS/ACCEPT dmz loc", and make them not needed. I would recommend setting it to "dmz all REJECT info", because this rule makes the DMZ a DMZ. If you can connect from the DMZ to the local zone, you don't need the DMZ zone, because the point of DMZ is layered approach to network defense. If someone compromises a system in a DMZ, he is in a restricted zone, and can't access any systems in the local zone. In your configuration, he has got open doors :-)

Sorry for the wall of text, but hope it will be helpfull.

perlchun · 06-25-2008, 09:13 PM

I now have my policy setup with
vpn road ACCEPT info

and now everytime I try to ping from the vpn client I see this in my syslog:
Jun 26 16:40:52 localhost kernel: Shorewall:vpn2road:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=10.100.100.117 DST=255.255.255.255 LEN=45 TOS=0x00 PREC=0x00 TTL=128 ID=65117 PROTO=UDP SPT=62516 DPT=62516 LEN=25

Jun 26 16:40:52 localhost kernel: Shorewall:vpn2road:ACCEPT:IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.1.65 DST=255.255.255.255 LEN=45 TOS=0x00 PREC=0x00 TTL=128 ID=65119 PROTO=UDP SPT=62516 DPT=62516 LEN=25
------------------

the 10.100.100.117 address is assigned to the tap interface on the xp client,

the 192.... address is assigned by my internet provider to the client.

------------------

I can see these packets coming in but I still can't ping anything from the client to the 10.100.100.0 network.

please help.

thanks.