I'm having a hard time understanding the shorewall config at the moment, so I'm going to go back to the iptables config you posted, which I assume shorewall generated, and will edit this post with any findings.
EDIT: Okay, I think I understand the shorewall situation a bit more. It's hard to say perfectly without looking at a few shorewall config files. From what I can tell you need to explicitly tell shorewall to trust your virtual interface (ham0). So reading up a bit on their documentation, the first thing you should do is create a zone for your hamachi connection, let's call it ham, in your Code:
# /etc/shorewall/zones Code:
# /etc/shorewall/interfaces Code:
# /etc/shorewall/policy OR /etc/shorewall/rules The above example will allow all traffic in and out on the VPN network, so you may want to adjust the policy accordingly. I've never used shorewall but reading the docs this should work??? Remember to back up all config files before modifying them so you have something to fall back to ;) PS. Like I've said, I've never used shorewall before and I'm basing my suggestion on what I've read online, so correct me if I am completely wrong regarding shorewall configs! |
Thank you Ken for the time you are spending on my behalf, it's much appreciated.
Before making changes, I thought it may be useful to show the "before" content of the relevant files:

zones Code:
net ipv4
loc ipv4
fw firewall

interfaces Code:
net eth0 detect
loc ham0 detect
loc ham1 detect

policy Code:
loc net ACCEPT
loc fw ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP
all all REJECT info

rules Code:
INCLUDE rules.drakx

rules.drakx Code:
ACCEPT net fw udp 53,5353,427,60:2000,8080 -
ACCEPT net fw tcp 80,443,53,22,20,21,1900,59631 -

I'm not sure what is meant by "<ZONE FOR YOUR LOCAL ETH>" |
Well, I've had a degree of success.
I have found that if I start hamachi, login, and set mode to ipv4, AND then restart shorewall, vncviewer connects to the remote desktop. In other words shorewall needs to 'refresh' after ham0 has been created by hamachi. This will explain why I had momentary unexplained connections described earlier (after I had meddled with the firewall). Vncviewer uses port 5900. I tried

# /etc/shorewall/interfaces
ham ham0 -

but this came up invalid when I ran shorewall check. When I restart shorewall, I get 14 x "iptables: Input/output error", corresponding with the number of ports in rules. I'm not sure how to avoid the need to restart shorewall after ham0 has been created. |
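A small check for the startup-order problem described in the post above (an added example, not from the thread): it reads a shorewall-style interfaces file (ZONE INTERFACE BROADCAST OPTIONS) and reports every interface that does not yet exist on the host, so you can see before a restart whether ham0 is actually there. The sysfs directory is a parameter so the check runs against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the thread. Lists interfaces named in a shorewall
# "interfaces" file that are not present on the host. The failure mode in the
# thread is shorewall starting before hamachi has created ham0.
# Assumption: column 2 of each non-comment line is the interface name.

# missing_ifaces FILE [SYSFS_NET_DIR]  -> prints one missing interface per line
missing_ifaces() {
    file=$1
    netdir=${2:-/sys/class/net}
    # strip comments, skip blank lines, take the INTERFACE column
    sed -e 's/#.*//' "$file" | awk 'NF >= 2 { print $2 }' | while read -r iface; do
        # "+" wildcards (e.g. ppp+) cannot be checked against one directory entry
        case $iface in *+) continue ;; esac
        [ -e "$netdir/$iface" ] || printf '%s\n' "$iface"
    done
}

# Constructed demonstration: an interfaces file modelled on the one in the
# thread, and a fake sysfs tree where only eth0 exists (hamachi not yet started).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/net/eth0"
    cat > "$tmp/interfaces" <<'EOF'
# ZONE  INTERFACE  BROADCAST  OPTIONS
net     eth0       detect
loc     ham0       detect
loc     ham1       detect
EOF
    missing_ifaces "$tmp/interfaces" "$tmp/net"
    rm -rf "$tmp"
}
```

Running `demo` prints `ham0` and `ham1`; against a live system call `missing_ifaces /etc/shorewall/interfaces` and restart shorewall only once the output is empty.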
Update: Ok, in the shorewall documentation (http://www.shorewall.net/manpages/sh...nterfaces.html) it mentioned that detecting broadcast is deprecated and should only be used if your iptables is supported. With that said, I found a few articles explaining how to configure shorewall and hamachi, and it seems like they leave the broadcast detect empty.
/etc/shorewall/zones Code:
# I'm going to use ham as a zone name just because loc kinda confused me ;) Code:
# in the previous post you mentioned that the following showed up as invalid...so maybe leave out the hyphen??? Code:
# this is what confuses me a bit but here is how I interpreted it.... Let me know if it helps. Also, it seems like the hamachi daemon needs to talk with the hamachi server on a UDP port 12975. http://permalink.gmane.org/gmane.com...horewall/11568 From the same link above (the first link) /etc/shorewall/rules Code:
ACCEPT fw net tcp 12975 |
Thank you Ken. I will be away from my computer for four weeks, so I will leave trying your suggestions until I get back. Thank you for your continuing interest in my problem.
|
No problem. Sorry I haven't been able to give you a definite solution yet, and appreciate your patience as we solve this together.
|