Shorewall blocking vpn connections

NethServer release 7.2.1511 (beta2):
Firewall Rules:

I have been testing Nethserver in my home office for a while, and so far I love the product. Not so long ago I did a fresh install of version 7 (couldn’t figure out a way to upgrade from 6.8) when it was released and recently after a possible software update I have an issue. I log into some clients VPN’s for remote support, and recently this stopped working. I have never configured firewall rules, I did create some port forwarding for my own VPN which also has stopped working recently.

I did a tail on the firewall log and noticed the following when I try to establish a vpn connection to a client’s MS Server.

Oct 14 19:02:56 mail kernel: Shorewall:net2fw:DROP:IN=ens3 OUT= MAC=52:54:00:c9:4e:d6:e0:91:f5:f9:6d:5e:08:00 SRC=1.1.1.1 (ip changed for security) DST=10.0.0.100 LEN=56 TOS=0x18 PREC=0x00 TTL=115 ID=9816 PROTO=47

I then tried to create a firewall rule accepting any source, any destination, any service, always, and GRE 47 still gets dropped.

Any suggestion as to where to start troubleshooting will be greatly appreciated.

net2fw means a connection from the internet to the firewall. I understand that you have initiated a connection from your client to a remote system through the firewall.
It seems that nethserver can’t correlate incoming and outgoing traffic (established connections).

Find kernel connections with:
grep 1.1.1.1 /proc/net/nf_conntrack
(substitute 1.1.1.1 with the real ip).

I guess you are using PPTP.
Maybe we need to load the helper, like we do for FTP.
Add the following line to /etc/shorewall/rules:
HELPER {source:loc, proto:tcp, dport:1723, helper:pptp}
Then:
shorewall check
look for errors and:
shorewall restart


Thanks for the reply filippo_carletti, the output of that command is:

> [root@mail ~]# grep 1.1.1.1 /proc/net/nf_conntrack
> ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=192.168.16.23 dst=1.1.1.1 srckey=0x0 dstkey=0xf89d [UNREPLIED] src=1.1.1.1 dst=10.0.0.100 srckey=0xf89d dstkey=0x0 mark=0 zone=0 use=2
> ipv4     2 tcp      6 431994 ESTABLISHED src=192.168.16.23 dst=1.1.1.1 sport=57673 dport=1723 src=1.1.1.1 dst=10.0.0.100 sport=1723 dport=57673 [ASSURED] mark=0 zone=0 use=2


Yes, it is a PPTP connection I am trying to establish.

Adding the line resolved the issue.

> filippo_carletti (post 3): HELPER {source:loc, proto:tcp, dport:1723, helper:pptp}

Thank you so much for the help, I am now able to connect to clients' servers. Do I need to add that to the e-smith template? If the firewall restarts from the web interface, will that change be lost?

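An added diagnostic, not part of this thread or of NethServer, that turns the manual `grep` of /proc/net/nf_conntrack suggested above into a check: it parses conntrack lines like the ones quoted in the reply and flags PPTP sessions whose TCP/1723 control connection has been answered while the GRE flow to the same server is still UNREPLIED, which is exactly the "kernel can't correlate GRE with the control channel" state that the pptp helper fixes. The two sample tables are constructed from the quoted output; the function names and the file-path argument are my own choices.

```python
import re, sys

# Constructed sample modelled on the conntrack lines quoted in this thread:
# the TCP/1723 control channel is up, but the GRE flow never gets a reply.
SAMPLE_NO_HELPER = """\
ipv4     2 gre      47 29 timeout=30, stream_timeout=180 src=192.168.16.23 dst=1.1.1.1 srckey=0x0 dstkey=0xf89d [UNREPLIED] src=1.1.1.1 dst=10.0.0.100 srckey=0xf89d dstkey=0x0 mark=0 zone=0 use=2
ipv4     2 tcp      6 431994 ESTABLISHED src=192.168.16.23 dst=1.1.1.1 sport=57673 dport=1723 src=1.1.1.1 dst=10.0.0.100 sport=1723 dport=57673 [ASSURED] mark=0 zone=0 use=2
"""

# Constructed sample of a healthy session: the GRE flow has been answered.
SAMPLE_OK = """\
ipv4     2 gre      47 179 timeout=30, stream_timeout=180 src=192.168.16.23 dst=1.1.1.1 srckey=0x0 dstkey=0xf89d src=1.1.1.1 dst=10.0.0.100 srckey=0xf89d dstkey=0x0 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431994 ESTABLISHED src=192.168.16.23 dst=1.1.1.1 sport=57673 dport=1723 src=1.1.1.1 dst=10.0.0.100 sport=1723 dport=57673 [ASSURED] mark=0 zone=0 use=2
"""

def parse_conntrack(text):
    """Parse nf_conntrack lines. The first src=/dst= pair on a line is the
    original direction, the second the expected reply, so split by order."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        srcs = re.findall(r"\bsrc=(\S+)", line)    # 'srckey=' does not match
        dsts = re.findall(r"\bdst=(\S+)", line)
        dports = re.findall(r"\bdport=(\S+)", line)
        flows.append({
            "proto": fields[2],
            "orig_src": srcs[0], "orig_dst": dsts[0],
            "orig_dport": int(dports[0]) if dports else None,
            "unreplied": "[UNREPLIED]" in line,
        })
    return flows

def pptp_without_helper(flows):
    """Return (lan_host, pptp_server) pairs whose TCP/1723 control connection
    has been answered while the GRE flow to the same server is still
    UNREPLIED: the kernel is not tying the GRE tunnel to its control channel."""
    control = {(f["orig_src"], f["orig_dst"]) for f in flows
               if f["proto"] == "tcp" and f["orig_dport"] == 1723
               and not f["unreplied"]}
    return sorted((f["orig_src"], f["orig_dst"]) for f in flows
                  if f["proto"] == "gre" and f["unreplied"]
                  and (f["orig_src"], f["orig_dst"]) in control)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/net/nf_conntrack"
    with open(path) as fh:
        for lan, srv in pptp_without_helper(parse_conntrack(fh.read())):
            print(f"PPTP {lan} -> {srv}: control up, GRE unreplied (helper not loaded?)")
```

Run it on the firewall itself to read the live table, or pass a saved copy of the file as the first argument; an empty result after adding the HELPER rule and restarting Shorewall confirms the fix took.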

I still can’t create a connection to my PPTP VPN, GRE 47 still gets dropped on incoming connections.

Oct 15 10:14:30 mail kernel: Shorewall:net2fw:DROP:IN=ens3 OUT= MAC=52:54:00:c9:4e:d6:e0:91:f5:f9:6d:5e:08:00 SRC=41.13.0.244 DST=10.0.0.100 LEN=52 TOS=0x18 PREC=0x00 TTL=114 ID=5745 PROTO=47

I tried adding “HELPER {source:net, proto:tcp, dport:1723, helper:pptp}” but that did not work. After some reading last night, my understanding of GRE was incorrect: I always thought of it as open port 47, which I did on the firewall, but of course it’s a protocol, not a port, if I understand it correctly now.

Hi Richard,
I just pushed a couple of fixes in the firewall module.

The pptp2 should now work without any change to your configuration.
Can you please try the fix?

Just type this command:

yum --enablerepo=nethserver-testing update nethserver-firewall-base*

Reference (even if the title seems unrelated :wink: ):

Hi Giacomo,

Thanks for the fixes, after applying your update I am able to connect to clients’ servers with no issue, and the fix stayed permanent after a reboot, unlike the previous entries I added to the /etc/shorewall/rules.

Incoming connections to my PPTP are still failing, I need to do a bit more testing and see if Nethserver is dropping it or if it’s something else on my side.

Will keep you updated.


Hi @rmasprey
Can you update us on your tests? I’m curious :smile:


Hi @enzoturri

I have not done much testing on the incoming VPN connections to my network, I have not really needed it. I have had no problems connecting to my clients’ servers since doing the update.

PPTP is quite old and insecure from what I have been reading; I would rather configure the VPN on Nethserver for my own network.
