Shorewall bloqueia tráfego openvpn?

1

Eu tenho uma instalação do Debian com shorewall, openvpn e google authenticator. Eu posso obter uma conexão vpn - mas eu não posso obter qualquer tráfego através de LAN local ou à internet - o que estou faltando aqui:

Minha configuração do tipo shorewall

shorewall.conf

IP_FORWARDING   On

/ etc / shorewall / interfaces

net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth1            tcpflags,dhcp,nosmurfs,routefilter,logmartians
dmz     eth2            tcpflags,dhcp,nosmurfs,routefilter,logmartians
road    tun             tcpflags,logmartians,nosmurfs

/ etc / shorewall / zones

fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
road    ipv4

/ etc / shorewall / rules

?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
VNC/ACCEPT      loc         all
Invalid(DROP)   net             all             tcp
DNS(ACCEPT)     $FW             net
DNS(ACCEPT)     loc             net
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     loc             dmz
Webmin/ACCEPT   loc         fw
DNS(ACCEPT)     dmz             net
Ping(DROP)      net             $FW
Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    dmz             $FW
Ping(ACCEPT)    loc             dmz
Ping(ACCEPT)    dmz             loc
Ping(ACCEPT)    dmz             net
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
ACCEPT          $FW             dmz             icmp
ACCEPT      net         road        all
ACCEPT      road        net         all

/ etc / shorewall / policy

    loc             net             ACCEPT
net             all             DROP            info
$FW             net             ACCEPT
dmz             net             ACCEPT
road        net         ACCEPT
all             all             REJECT          info

/ etc / shorewall / masq

eth0    192.168.0.0/16

Configuração do Openvpn

client.ovpn

client
dev tun
proto udp
remote xxx.yyy.zzz.2 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert huawiphone.crt
key huaweiphone.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass

server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 192.168.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 80.71.82.82"
push "dhcp-option DNS 80.71.82.83"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 9
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Interfaces

eth0      Link encap:Ethernet  HWaddr 00:ec:ac:ce:e0:34
          inet addr:xxx.yyy.zzz.2  Bcast:xxx.yyy.zzz.127  Mask:255.255.255.128
          inet6 addr: fe80::2ec:acff:fece:e034/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20128722 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9698662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29269888673 (27.2 GiB)  TX bytes:879126006 (838.3 MiB)
          Interrupt:16 Memory:d0900000-d0920000

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.3.1  P-t-P:192.168.3.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:261836 (255.6 KiB)  TX bytes:0 (0.0 B)

Registre mensagens do shorewall ao tentar acessar a Internet através da vpn

Apr 23 17:44:05 firewall kernel: [430997.653171] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45 
Apr 23 17:44:05 firewall kernel: [430997.653228] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=93 TOS=0x00 PREC=0xC0 TTL=64 ID=19793 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=205 DF PROTO=UDP SPT=10225 DPT=53 LEN=45 ] 
Apr 23 17:44:07 firewall kernel: [430999.075572] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57 
Apr 23 17:44:07 firewall kernel: [430999.075610] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=105 TOS=0x00 PREC=0xC0 TTL=64 ID=20021 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=220 DF PROTO=UDP SPT=18202 DPT=53 LEN=57 ] 
Apr 23 17:44:07 firewall kernel: [430999.178094] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40 
Apr 23 17:44:07 firewall kernel: [430999.178132] Shorewall:OUTPUT:REJECT:IN= OUT=tun0 SRC=192.168.3.1 DST=192.168.3.6 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=20044 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.3.6 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=231 DF PROTO=UDP SPT=12211 DPT=53 LEN=40 ] 
Apr 23 17:44:07 firewall kernel: [430999.186969] Shorewall:FORWARD:REJECT:IN=tun0 OUT=eth0 MAC= SRC=192.168.3.6 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=232 DF PROTO=UDP SPT=31313 DPT=53 LEN=50 
    
por user1621015 07.05.2017 / 02:41

1 resposta

0

De acordo com os registros do firewall, você se esqueceu de permitir as consultas do DNS.

Permitir a porta 53 udp e sua configuração funcionará melhor!

    
por 30.06.2017 / 10:15