LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 01-11-2013, 08:04 AM   #31
kenneth_phough
Member
 
Registered: Dec 2005
Location: Birmingham, AL
Distribution: CentOS, REHL, Vine Linux
Posts: 67

Rep: Reputation: 3

I'm having a hard time understanding the shorewall config at the moment so I'm going to go back to the iptables config you posted which I assume shorewall generated and will edit this post on any findings.

EDIT

Okay, I think I understand the shorewall situation a bit more. It's hard to say perfectly without looking at a few shorewall config files. From what I can tell you need to explicitly tell shorewall to trust your virtual interface (ham0). So, reading up a bit on their documentation, the first thing you should do is create a zone for your hamachi connection, let's call it ham, in your
Code:
# /etc/shorewall/zones

ham             ipv4
Then add your interface to
Code:
# /etc/shorewall/interfaces

ham             ham0             -
and lastly allow traffic on the newly created zone
Code:
# /etc/shorewall/policy OR /etc/shorewall/rules

ham             <ZONE FOR YOUR LOCAL ETH>             ACCEPT
<ZONE FOR YOUR LOCAL ETH>             ham             ACCEPT
Then restart shorewall.

The above example will allow all traffic in and out on the VPN network, so you may want to adjust the policy accordingly. I've never used shorewall but reading the docs this should work???

Remember to back up all config files before modifying them so you have something to fall back to.

P.S. Like I've said, I've never used shorewall before and I'm basing my suggestion on what I've read online, so correct me if I am completely wrong regarding shorewall configs!

Last edited by kenneth_phough; 01-11-2013 at 08:44 AM.
 
Old 01-11-2013, 02:14 PM   #32
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 280

Original Poster
Rep: Reputation: 30
Thank you Ken for the time you are spending on my behalf, it's much appreciated.

Before making changes, I thought it may be useful to show the "before" content of the relevant files:

zones
net ipv4
loc ipv4
fw firewall

interfaces
net eth0 detect
loc ham0 detect
loc ham1 detect

policy
loc net ACCEPT
loc fw ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP
all all REJECT info

rules
INCLUDE rules.drakx

rules.drakx
ACCEPT net fw udp 53,5353,427,60:2000,8080 -
ACCEPT net fw tcp 80,443,53,22,20,21,1900,59631 -

I'm not sure what is meant by "<ZONE FOR YOUR LOCAL ETH>"
 
Old 01-12-2013, 09:52 PM   #33
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 280

Original Poster
Rep: Reputation: 30
Well, I've had a degree of success.

I have found that if I start hamachi, login, and set mode to ipv4, AND then restart shorewall, vncviewer connects to the remote desktop. In other words shorewall needs to 'refresh' after ham0 has been created by hamachi. This will explain why I had momentary unexplained connections described earlier (after I had meddled with the firewall). Vncviewer uses port 5900.

I tried # /etc/shorewall/interfaces
ham ham0 -

but this came up invalid, when I ran shorewall check.

When I restart shorewall, I get 14 x "iptables: Input/output error" corresponding with the number of ports in rules.

I'm not sure how to avoid the need to restart shorewall after ham0 has been created.
 
Old 01-15-2013, 12:48 PM   #34
kenneth_phough
Member
 
Registered: Dec 2005
Location: Birmingham, AL
Distribution: CentOS, REHL, Vine Linux
Posts: 67

Rep: Reputation: 3
Update: Ok, in the shorewall documentation (http://www.shorewall.net/manpages/sh...nterfaces.html) it mentioned that detecting broadcast is deprecated and should only be used if your iptables is supported. With that said, I found a few articles explaining how to configure shorewall and hamachi and it seems like they leave the broadcast detect empty.

/etc/shorewall/zones
Code:
# I'm going to use ham as a zone name just because loc kinda confused me ;)
ham ipv4
/etc/shorewall/interfaces
Code:
# in the previous post you mentioned that the following showed up as invalid...so maybe leave out the hyphen???
#zone interface broadcast
ham   ham0      -
ham   ham1      -
/etc/shorewall/policy
Code:
# this is what confuses me a bit but here is how I interpreted it....
# prevent traffic from ham0, ham1, etc going to other zones????
# I would feel like forwarding is required for that but oh well...
ham all REJECT:info
# same confusion....I understand ham0 -> fw and vice versa but "all"? why all, idk...
# allow traffic to ham0, ham1, etc
all ham ACCEPT
Here is the link I'm basing the above config from http://permalink.gmane.org/gmane.com...horewall/11570

Let me know if it helps.

Also, it seems like the hamachi daemon needs to talk with the hamachi server on a UDP port 12975. http://permalink.gmane.org/gmane.com...horewall/11568

From the same link above (the first link)
/etc/shorewall/rules
Code:
ACCEPT fw net tcp 12975
# the link has a comment saying you may not need the udp rule but I think the person mixed it up...it's the udp that is used (according to the second link above) so it may be safe to leave out the tcp 12975...
ACCEPT net fw udp 12975
I am still not sure about the 14 iptables i/o errors but will give it more thought.

Last edited by kenneth_phough; 01-15-2013 at 01:17 PM.
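An added consistency check, written for this thread and not part of shorewall or of any post above: it parses constructed copies of the zones, interfaces and policy files modelled on the ones posted (Johng's originals plus the ham lines from this post, with ham deliberately left out of zones) and reports zones referenced but never declared, and interfaces claimed by two zones. A zone used in interfaces or policy without a matching entry in zones is enough for shorewall check to reject the configuration, which is the likely cause of the "invalid" result reported for ham ham0 - before a ham zone existed.

```python
from collections import defaultdict

# Constructed sample: Johng's posted files with Ken's "ham" line added to
# interfaces and policy but NOT to zones (the state that fails the check).
ZONES = "net ipv4\nloc ipv4\nfw firewall\n"
INTERFACES = """\
#zone interface broadcast
net eth0 detect
loc ham0 detect
loc ham1 detect
ham ham0 -
"""
POLICY = """\
loc net ACCEPT
ham all REJECT:info
all ham ACCEPT
net all DROP
all all REJECT info
"""

def parse_table(text):
    """Rows of whitespace-separated columns; '#' comments and blank lines skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_config(zones_text, interfaces_text, policy_text):
    """Return problem strings: zones referenced but never declared, and
    interfaces assigned to more than one zone (conflicting ownership)."""
    problems = []
    zones = {row[0] for row in parse_table(zones_text)}
    owners = defaultdict(list)  # interface -> zones that claim it
    for row in parse_table(interfaces_text):
        if len(row) < 2:
            continue
        zone, iface = row[0], row[1]
        if zone not in zones:
            problems.append(f"interfaces: zone '{zone}' ({iface}) not declared in zones")
        owners[iface].append(zone)
    for iface, zs in owners.items():
        if len(zs) > 1:
            problems.append(f"interfaces: {iface} assigned to several zones: {', '.join(zs)}")
    for row in parse_table(policy_text):
        for z in row[:2]:  # SOURCE and DEST columns; 'all' is a keyword
            if z != "all" and z not in zones:
                problems.append(f"policy: zone '{z}' not declared in zones")
    return problems
```

Running check_config(ZONES, INTERFACES, POLICY) on the sample reports four problems; adding a ham ipv4 line to zones and removing the loc ham0/loc ham1 lines clears them.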
 
Old 01-16-2013, 12:11 AM   #35
Johng
Member
 
Registered: Feb 2002
Location: NZ
Distribution: Mageia
Posts: 280

Original Poster
Rep: Reputation: 30
Thank you Ken. I will be away from my computer for four weeks, so I will leave trying your suggestions until I get back. Thank you for your continuing interest in my problem.
 
Old 01-17-2013, 10:52 AM   #36
kenneth_phough
Member
 
Registered: Dec 2005
Location: Birmingham, AL
Distribution: CentOS, REHL, Vine Linux
Posts: 67

Rep: Reputation: 3
No problem. Sorry I haven't been able to give you a definite solution yet, and appreciate your patience as we solve this together.
 