Ubuntu 12.04 Shorewall + OpenVpn - limited communication
Hi,
I have some issues with one of my servers (let's call it ServerA). It runs Ubuntu 12.04 with:
- Shorewall (4.4.26.1)
- OpenVPN (2.2.1 x86_64-linux-gnu)
- Squid (3.1.19)

ServerA connects to the internet router by eth0. It connects via eth1 to the internal network. OpenVPN is offered via tap0. The interface br0 bridges the interfaces eth1 and tap0.

I can connect from outside (with ClientA) via OpenVPN to the server. I get an IP address from OpenVPN, can ping ServerA (and vice versa) and connect through the proxy to the internet.

BUT: I cannot reach any client or server connected to ServerA via eth1.

I spent a lot of time investigating the issue. I found that my ping from ClientA to ClientB reaches ClientB, but the response packet seems to be dropped by ServerA. A ping from ClientB to ClientA is also dropped by ServerA.

How can I figure out why ServerA drops the packets from the internal LAN (ClientB) to ClientA?

Here are some of my config files. Please let me know what kind of information you need to help me:

---------------------------------------------------------------
/etc/openvpn/server.conf

ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/srv.crt
key ./easy-rsa2/keys/srv.key
dh ./easy-rsa2/keys/dh1024.pem
local 192.168.0.45
port 1194
proto udp
dev tap0
persist-key
persist-tun
mode server
server-bridge 10.0.10.2 255.255.255.0 10.0.10.60 10.0.10.70
client-to-client
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
keepalive 10 120
comp-lzo
verb 9
status openvpn-status.log
log openvpn.log
mute 5
script-security 3
ifconfig-pool-persist ipp.txt
push "route 10.0.10.0 255.255.255.0"
duplicate-cn
user openvpn
group openvpn

---------------------------------------------------------------
/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
ext     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
lan     br0         detect      bridge,routeback,logmartians,routefilter=0

---------------------------------------------------------------
/etc/shorewall/masq

eth0    10.0.10.0/24

---------------------------------------------------------------
/etc/shorewall/policy

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
lan     fw      ACCEPT
lan     ext     ACCEPT
fw      lan     ACCEPT
fw      ext     ACCEPT
#Block all incoming connections
ext     fw      REJECT  info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

---------------------------------------------------------------
/etc/shorewall/rules

#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH
#                                       PORT    PORT(S) DEST      LIMIT  GROUP
SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#
#       Don't allow connection pickup from the net
#
#Invalid(DROP)  ext     all
#
#       Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)     $FW     ext
#
#
#       Allow Ping from the local network
#
Ping(ACCEPT)    lan     $FW
Ping(ACCEPT)    $FW     lan
#
#
#       Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
#Ping(DROP)     ext     $FW

REDIRECT        lan     3128    tcp     www     -
#
# old rules
#
ACCEPT          ext     $FW     udp     openvpn
ACCEPT          lan     ext     tcp     3000
REJECT          lan     ext     tcp     www
REJECT          lan     ext     tcp     https

---------------------------------------------------------------
/etc/shorewall/tunnels

openvpnserver:1194      lan     10.0.10.2

---------------------------------------------------------------
/etc/shorewall/zones

fw      firewall
ext     ipv4
lan     ipv4
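One way to answer "why does ServerA drop the packets" from the logs, as an added example that is not part of the original post: both REJECT policies above log at level info, so every packet Shorewall rejects lands in the kernel log with its default LOGFORMAT prefix `Shorewall:<chain>:<disposition>:`, and on a bridged interface the kernel's LOG target also records PHYSIN/PHYSOUT, the bridge ports (eth1, tap0) the packet came in on and was headed for. The script below parses such lines and counts rejected flows per chain and port pair, so intra-bridge drops stand out from unrelated noise. The sample log lines are constructed (addresses follow the post's 10.0.10.0/24 layout and VPN pool, MACs and IDs are invented), and the chain name `all2all` is assumed from the post's `all all REJECT info` policy; the log path in the usage note is Ubuntu's default and is an assumption about this server.

```python
import re
from collections import Counter

# Constructed sample of kernel log lines in the shape Shorewall's default
# LOGFORMAT ("Shorewall:%s:%s:") plus the netfilter LOG target produce.
# 10.0.10.20 stands for ClientB on eth1, 10.0.10.61 for ClientA on tap0.
# Everything here is made up for the example; nothing is from the post's logs.
SAMPLE_LOG = """\
May  4 03:10:01 ServerA kernel: [12345.678] Shorewall:all2all:REJECT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.10.20 DST=10.0.10.61 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
May  4 03:10:02 ServerA kernel: [12346.678] Shorewall:all2all:REJECT:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=tap0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.10.20 DST=10.0.10.61 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
May  4 03:10:05 ServerA kernel: [12349.000] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=203.0.113.9 DST=192.168.0.45 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 03:10:06 ServerA kernel: [12350.000] CRON[1234]: (root) CMD (test -x /usr/sbin/anacron)
"""

# chain and disposition come from Shorewall's prefix; the rest are KEY=VALUE fields
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, value)  # keep the first ID= (IP header), not ICMP's
    return rec


def summarize(log_text):
    """Count logged packets per (chain, disposition, in, physin, out, physout,
    proto, src, dst) so repeated drops of one flow collapse into one line."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"],
               rec.get("IN", ""), rec.get("PHYSIN", ""),
               rec.get("OUT", ""), rec.get("PHYSOUT", ""),
               rec.get("PROTO", ""), rec.get("SRC", ""), rec.get("DST", ""))
        counts[key] += 1
    return counts


def bridged_drops(counts):
    """Only the entries that entered and left on ports of the same bridge,
    i.e. the eth1 <-> tap0 traffic the post says goes missing on br0."""
    return {k: n for k, n in counts.items()
            if k[2] and k[2] == k[4] and k[3] and k[5]}


def report(log_text):
    """Human-readable summary, one line per distinct rejected flow."""
    lines = []
    for (chain, disp, in_, physin, out, physout, proto, src, dst), n in sorted(summarize(log_text).items()):
        path = f"{in_}({physin})->{out}({physout})" if physin else f"{in_}->{out or 'local'}"
        lines.append(f"{n:4d}  {chain}:{disp}  {path}  {proto} {src} -> {dst}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("intra-bridge drops:", len(bridged_drops(summarize(SAMPLE_LOG))))
```

To run it against the real machine, feed it `grep Shorewall /var/log/kern.log` instead of `SAMPLE_LOG`. A flow that shows up with `PHYSIN=eth1 PHYSOUT=tap0` (or the reverse) names the chain whose policy or rule rejected it; if the pings never appear in the log at all, Shorewall is not the one rejecting them, which narrows the search to what happens before netfilter sees bridged frames (for example the `bridge-nf-call-iptables` sysctl under `/proc/sys/net/bridge/`) or to OpenVPN itself.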