vpnc versus Shorewall problem
Tobias Weisserth <tobias.weisserth <at> gmx.net>
2005-06-12 19:37:19 GMT
I have been using Shorewall for quite a while now but I recently
stumbled over a new setup that stopped me cold. I don't know how to
I have an ordinary GNU/Linux box (2.6.11) connected to a nonpublic
network with one interface eth0 which gets an IP through DHCP like
172.17.x.y. Traffic is not routed to the Internet in this subnet. In
order to connect to the Internet I have to build a VPN connection to a
Cisco Concentrator box inside this network (172.17.0.1).
I also get the addresses of two DNS servers assigned by this DHCP
server (10.0.251.1, 10.0.251.2) which are ofcourse outside my reach as
long as I don't have a connection to the VPN Gateway.
I can connect to the Cisco VPN Gateway using "vpnc", a free alternative
to the Cisco client, which makes use of a "tun0" device. The "tun0"
device also receives an IP address from a DHCP server, something like
How do I setup Shorewall, so that I can connect to the Cisco
Concentrator while at the same time blocking all inbound traffic that I
I started out with the one-interface setup described in the quick
guides through I realise that I seem to have two devices (eth, tun0).
When I'm using this initial setup I can establish the VPN link but
cannot use it. As soon as I shut down Shorewall, I can use the VPN
tunnel, but everything is wide open.