Shorewall and static routing?

Kenneth Burgener kenneth at
Sat Aug 11 23:39:47 MDT 2007

Sorry for the delay in my response.

Gabriel Gunderson wrote:
> On Fri, 2007-08-10 at 10:56 -0600, Kenneth Burgener wrote:
>> I have in my rules:
>>   DNAT            net             lan:  udp     1194 - 65.X.X.X
> This looks like a shorewallism.  What does the 65.X.X.X stand for?  Is
> that your public IP obfuscated?  If so, I assume the whole thing is
> spelled out in your config?

Yes, that is my public Qwest IP address obfuscated.

>> Here is how I am adding a static route:
>>   route add -net netmask gw dev eth1
> This shouldn't need the "dev eth1".  What do you get without it?  Still, I
> doubt it makes any difference.

Yeah, adding the "dev eth1" does not appear to make any difference.

>> My policy has:
>>   $FW             net             ACCEPT
>>   $FW             lan             ACCEPT
>>   lan             $FW             ACCEPT
>>   lan             net             ACCEPT
>> I watch the message log, and it does not appear that shorewall is
>> dropping any connections
> Are you dropping packets anywhere?  If so, are they *ALL* being
> logged?  When I say *ALL* I mean *ALL*.  Otherwise, it's like a
> blackhole and troubleshooting is a nightmare.

They are not being logged anywhere I can tell.  To me it seems that they
are just disappearing into a black hole.

>> so it appears that I am just doing the routing wrong.
> Keep it simple.  Try pinging the VPN gw ( from the 10.10.10.X
> subnet without using any OpenVPN stuff.  First establish the route and
> then try for a VPN connection.  Run tcpdump with the right filters on
> both the router and the VPN gw (don't tell me OpenVPN is running on
> Windows and doesn't have tcpdump!).

I ran tcpdump on the gateway, and as far as I can tell I can see the
traffic coming in, and being routed back out.  I am just not sure where
it is being routed to.

> Let us know what you find out.
> Gabe

Thanks for your response.
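
The question raised in the thread, whether every dropped packet is actually being logged, can be checked mechanically against the Shorewall policy file. The following is an added example, not part of the original post: a shell function that reads a policy file on stdin and reports DROP or REJECT policies that carry no log level. The sample policy is constructed; its four ACCEPT lines are the ones quoted in the thread and the last two lines are assumed for illustration.

```shell
#!/bin/sh
# Added example: find Shorewall policies that discard traffic silently.
# Policy file columns: SOURCE  DEST  POLICY  [LOGLEVEL] ...

# audit_policy: reads a policy file on stdin, prints one line per
# DROP/REJECT policy without a log level, returns 1 if any were found.
audit_policy() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and comment lines
        {
            pol = $3; lvl = $4
            sub(/:.*/, "", pol)              # ignore a :default-action suffix
            if (lvl ~ /^#/) lvl = ""         # trailing comment, not a level
            if ((pol == "DROP" || pol == "REJECT") && (lvl == "" || lvl == "-")) {
                printf "UNLOGGED %s %s->%s (policy line %d)\n", pol, $1, $2, NR
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample input (not the poster's real file).
sample_policy() {
    cat <<'EOF'
# Constructed sample: four ACCEPT lines from the thread, last two assumed
$FW             net             ACCEPT
$FW             lan             ACCEPT
lan             $FW             ACCEPT
lan             net             ACCEPT
net             all             DROP
all             all             REJECT          info
EOF
}

sample_policy | audit_policy || echo "policies above drop traffic without logging"
```

On a real system the input would be the policy file itself, for example `audit_policy < /etc/shorewall/policy`.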

