LinuxQuestions.org
#1  06-17-2013, 08:25 AM
linux_adm (LQ Newbie, registered Jun 2013, posts: 1)

Ubuntu 12.04 Shorewall + OpenVPN - limited communication


Hi,

I have some issues with one of my servers (let's call it ServerA). It runs Ubuntu 12.04 with:
- Shorewall (4.4.26.1)
- OpenVPN (2.2.1 x86_64-linux-gnu)
- Squid (3.1.19)

ServerA connects to the internet router via eth0. It connects via eth1 to the internal network. OpenVPN is offered on tap0. The interface br0 bridges the interfaces eth1 and tap0.

I can connect from outside (with ClientA) via OpenVPN to the server. I get an IP address from OpenVPN, can ping ServerA (and vice versa) and connect through the proxy to the internet.

BUT: I cannot reach any client or server connected to ServerA via eth1.
I spent a lot of time investigating the issue. I found that my ping from ClientA to ClientB reaches ClientB, but the response packet seems to be dropped by ServerA.
A ping from ClientB to ClientA is also dropped by ServerA.

How can I figure out why ServerA drops the packets from the internal LAN (ClientB) to ClientA?

Here are some of my config files. Please let me know what kind of information you need to help me:
---------------------------------------------------------------

/etc/openvpn/server.conf
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/srv.crt
key ./easy-rsa2/keys/srv.key
dh ./easy-rsa2/keys/dh1024.pem
local 192.168.0.45
port 1194
proto udp
dev tap0
persist-key
persist-tun
mode server
server-bridge 10.0.10.2 255.255.255.0 10.0.10.60 10.0.10.70
client-to-client
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn
keepalive 10 120
comp-lzo
verb 9
status openvpn-status.log
log openvpn.log
mute 5
script-security 3
ifconfig-pool-persist ipp.txt
push route 10.0.10.0 255.255.255.0
duplicate-cn
user openvpn
group openvpn

/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
ext eth0 detect tcpflags,nosmurfs,routefilter,logmartians
lan br0 detect bridge,routeback,logmartians,routefilter=0

/etc/shorewall/masq
eth0 10.0.10.0/24

/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
lan fw ACCEPT
lan ext ACCEPT
fw lan ACCEPT
fw ext ACCEPT
#Block all incoming connections
ext fw REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

/etc/shorewall/rules
#ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH
#                             PORT  PORT(S)  DEST      LIMIT  GROUP
SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# Don't allow connection pickup from the net
#
#Invalid(DROP) ext all
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW ext
#
#
# Allow Ping from the local network
#
Ping(ACCEPT) lan $FW
Ping(ACCEPT) $FW lan
#
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

#Ping(DROP) ext $FW

REDIRECT lan 3128 tcp www -
#
# old rules
#
ACCEPT ext $FW udp openvpn
ACCEPT lan ext tcp 3000
REJECT lan ext tcp www
REJECT lan ext tcp https

/etc/shorewall/tunnels
openvpnserver:1194 lan 10.0.10.2

/etc/shorewall/zones
fw firewall
ext ipv4
lan ipv4
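The question above is "how do I see which rule drops the packet". With the posted policy file every REJECT is logged at level info, so the kernel log (/var/log/kern.log, or `shorewall show log`) records, for each rejected packet, the Shorewall chain that rejected it and, for frames crossing a bridge, the physical bridge ports (PHYSIN/PHYSOUT) alongside IN/OUT. The script below is an added example, not part of the original post or of Shorewall: it parses such lines and counts drops per chain and physical path, which is the quickest way to tell an eth1-to-tap0 bridged frame from an eth0 one and to see which zone-pair chain (e.g. ext2fw, all2all) handled it. It assumes Shorewall's default LOGFORMAT ("Shorewall:<chain>:<disposition>:"); the hostname servera, the addresses and the log lines themselves are constructed sample data, not output from the poster's system.

```python
"""Count netfilter/Shorewall REJECT/DROP log lines by chain and physical path.

Added example (not from the original post). Assumes Shorewall's default
LOGFORMAT="Shorewall:%s:%s:" and the PHYSIN/PHYSOUT fields that the kernel
adds for frames traversing a bridge. The sample log lines are constructed.
"""
import re
from collections import Counter

# "Shorewall:CHAIN:DISPOSITION:" as produced by the default LOGFORMAT
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
# netfilter KEY=value fields; bare flags such as DF or SYN have no '=' and are skipped
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample kernel log lines matching the topology in the post
# (br0 bridges eth1 and tap0, eth0 faces the router). Not real captures.
SAMPLE_LOG = [
    "Jun 17 08:20:01 servera kernel: Shorewall:all2all:REJECT:IN=br0 OUT=br0 "
    "PHYSIN=eth1 PHYSOUT=tap0 SRC=10.0.10.20 DST=10.0.10.60 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=23123 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1",
    "Jun 17 08:20:02 servera kernel: Shorewall:all2all:REJECT:IN=br0 OUT=br0 "
    "PHYSIN=eth1 PHYSOUT=tap0 SRC=10.0.10.20 DST=10.0.10.60 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=23124 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=2",
    "Jun 17 08:20:05 servera kernel: Shorewall:ext2fw:REJECT:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 "
    "DST=192.168.0.45 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun 17 08:20:06 servera sshd[1234]: Accepted password for admin from 10.0.10.20",
]


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, value in FIELD_RE.findall(line[m.end():]):
        # first occurrence wins: for ICMP the IP header ID precedes the ICMP ID
        rec.setdefault(key, value)
    return rec


def path_of(rec):
    """Physical path of the packet: bridge ports when present, else interfaces.

    An empty OUT (packet addressed to the firewall itself) is shown as '-'."""
    pin = rec.get("PHYSIN") or rec.get("IN") or "-"
    pout = rec.get("PHYSOUT") or rec.get("OUT") or "-"
    return (pin, pout)


def summarize(lines):
    """Counter keyed by (chain, disposition, in-port, out-port, proto)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"]) + path_of(rec) + (rec.get("PROTO", "-"),)
        counts[key] += 1
    return counts


def report(lines):
    """Human-readable summary lines, most frequent first."""
    out = []
    for (chain, disp, pin, pout, proto), n in summarize(lines).most_common():
        out.append(f"{n:4d}  {chain:<12} {disp:<7} {pin:>6} -> {pout:<6} {proto}")
    return out


if __name__ == "__main__":
    # Real use: python3 this_script.py < /var/log/kern.log (or pipe in
    # `shorewall show log`); here the constructed sample is used.
    print("\n".join(report(SAMPLE_LOG)))
```

Reading the output: a line showing IN=br0/OUT=br0 with PHYSIN and PHYSOUT set means the frame was bridged between two br0 ports and was filtered in the FORWARD chain, so the policy or rule to look at is the one behind the named zone-pair chain (here all2all is the chain Shorewall generates for the final "all all REJECT" policy). If the reply packets never show up in the log at all, they are not being rejected by a logged Shorewall policy and the search has to move elsewhere (for instance the bridge netfilter sysctls, ebtables, or tcpdump on eth1, tap0 and br0 individually to see where the frame disappears).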
 
  

