LinuxQuestions.org


linux_adm 06-17-2013 08:25 AM

Ubuntu 12.04 Shorewall + OpenVpn - limited communication
 
Hi,

I have some issues with one of my servers (let's call it ServerA). It runs Ubuntu 12.04 with:
- Shorewall (4.4.26.1)
- OpenVPN (2.2.1 x86_64-linux-gnu)
- Squid (3.1.19)

ServerA connects to the internet router by eth0. It connects via eth1 to the internal network. OpenVPN is offered via tap0. The interface br0 bridges the interfaces eth1 and tap0.

I can connect from outside (with ClientA) via OpenVPN to the server. I get an IP address from OpenVPN, can ping ServerA (and vice versa) and connect through the proxy to the internet.

BUT: I cannot reach any client or server connected to ServerA via eth1.
I spent a lot of time investigating the issue. I found that my ping from ClientA to ClientB reaches ClientB, but the response packet seems to be dropped by ServerA.
A ping from ClientB to ClientA is also dropped by ServerA.

How can I figure out why ServerA drops the packets from the internal LAN (ClientB) to ClientA?

Here are some of my config files. Please let me know what kind of information you need to help me:
---------------------------------------------------------------

/etc/openvpn/server.conf
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/srv.crt
key ./easy-rsa2/keys/srv.key
dh ./easy-rsa2/keys/dh1024.pem
local 192.168.0.45
port 1194
proto udp
dev tap0
persist-key
persist-tun
mode server
server-bridge 10.0.10.2 255.255.255.0 10.0.10.60 10.0.10.70
client-to-client
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
keepalive 10 120
comp-lzo
verb 9
status openvpn-status.log
log openvpn.log
mute 5
script-security 3
ifconfig-pool-persist ipp.txt
push route 10.0.10.0 255.255.255.0
duplicate-cn
user openvpn
group openvpn

/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
ext eth0 detect tcpflags,nosmurfs,routefilter,logmartians
lan br0 detect bridge,routeback,logmartians,routefilter=0

/etc/shorewall/masq
eth0 10.0.10.0/24

/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
lan fw ACCEPT
lan ext ACCEPT
fw lan ACCEPT
fw ext ACCEPT
#Block all incoming connections
ext fw REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# Don't allow connection pickup from the net
#
#Invalid(DROP) ext all
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW ext
#
#
# Allow Ping from the local network
#
Ping(ACCEPT) lan $FW
Ping(ACCEPT) $FW lan
#
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

#Ping(DROP) ext $FW

REDIRECT lan 3128 tcp www -
#
# old rules
#
ACCEPT ext $FW udp openvpn
ACCEPT lan ext tcp 3000
REJECT lan ext tcp www
REJECT lan ext tcp https

/etc/shorewall/tunnels
openvpnserver:1194 lan 10.0.10.2

/etc/shorewall/zones
fw firewall
ext ipv4
lan ipv4

