[Shorewall-newbies] Routing and MASQ

Bill.Light at kp.org Bill.Light at kp.org
Thu Dec 4 21:51:29 PST 2003


I'll try here... I'm desperate, resorting to ASCII art...

Semi-Working configuration - can't get the routing piece I want though...


   Internet
      *
      * eth0
      *
**************                  *****************
* Shorewall1 ** eth1 **** eth0 ** DMZ http/mail *
**************                  *****************
      *
      * eth2
      *
      *
      * eth0
      *
**************            ************************
* Shorewall2 ** eth1 ******      Hub/Switch      *
**************            ************************
      *                      *   *   *   *   * 
      * eth2                 *   *   *   *   *
      *                      *   *   *   *   printers (cups)
**************               *   *   *   *
*    ISDN    *               *   *   *   Samba PDC
*     to     *               *   *   *
*   Office   *               *   *   W2K boxes
**************               *   *
                             *   Other Linux boxes
                             *
                             Cisco AP350 (that I haven't touched yet)

What I have:

* "Shorewall2"  CAN use Citrix to get to a Windows Terminal Server in the 
Office
* "Shorewall2"  CAN ping anything in the Office subnet
* "Shorewall2"  CAN traceroute anything in the Office subnet
* "Shorewall1"  SuSE Professional 7.3 running Shorewall 1.4.8
* "Shorewall2"  SuSE Professional 9.0 running Shorewall 1.4.8

What I want:

* To sign on to anything connected to the Hub/Switch and get into the 
office subnet (i.e. ping, traceroute, citrix)
* Ergo - I want routing THROUGH "Shorewall2" and I need it masqueraded...

What I've done:

* Most recent suggestion from Tom on the "expert" list was a "simple" MASQ 
entry -     eth1   eth2
     === I tried that last month, and it doesn't work any better now than 
it did then
* Just for giggles     eth2     eth1
* Then again the "proper"    eth1       eth2    172.x.x.x  # My Office IP
* Or also     eth1      172.x.x.0/24    172.x.x.x

Things I know:

* My office will swallow REJECT anything that is not coming from its own 
subnet
* All the rest of the boxes plugged into the Hub/Switch can access the 
Internet and each other and the printers just fine
* I had this working with a SuSE 7.3 and an "old" Shorewall 1.3.x exactly 
the way I wanted - something between "new" SuSE and "new" Shorewall is 
different enough to have screwed me up for over a month.
* I am just as frustrated with this as Tom is with me
* I am absolutely paranoid about posting my "real" IP addresses (even if 
they are private) in case I ever do get compromised - I don't want a "road 
map" posted on the Internet.
* I will be the first to admit that this is probably a routing problem, 
but without masq of shorewall, a "clear" will cause my private subnet to 
bounce anyway ... even if routing is 100%

Can someone see the forest? All I see are trees!

- Bill
The Sufficiently Talented Fool
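Added example, not from Bill's post or from the Shorewall project: a small POSIX shell helper that renders a Shorewall 1.4 masq entry (INTERFACE SUBNET [ADDRESS]) as the iptables rule it stands for, so the entries tried above can be compared side by side without touching the kernel. It assumes a constructed interface-to-subnet map (eth1 = hub/switch LAN, eth2 = link towards the ISDN router) and a placeholder OFFICE_IP; in the masq file column 1 is the interface the packets leave through, so LAN-to-office traffic on Shorewall2 needs eth2 there.

```shell
#!/bin/sh
# Render what a Shorewall 1.4 /etc/shorewall/masq line (INTERFACE SUBNET [ADDRESS])
# amounts to in iptables terms. Nothing is executed; the rule is only returned.

# Constructed stand-in for `ip addr` on Shorewall2 (placeholders, not real
# addresses): eth1 = hub/switch LAN, eth2 = link towards the ISDN router.
subnet_of() {
    case "$1" in
        eth1) echo 10.1.0.0/24 ;;
        eth2) echo 10.2.0.0/30 ;;
        *)    echo "$1" ;;        # already a subnet or host address
    esac
}

# masq_rule OUT_IF SOURCE [ADDRESS]
# Column 1 is the interface packets LEAVE through (-o), column 2 the source
# they must come from (-s); a third column turns MASQUERADE into SNAT.
masq_rule() {
    out_if=$1
    src=$(subnet_of "$2")
    if [ -n "${3:-}" ]; then
        target="SNAT --to-source $3"
    else
        target="MASQUERADE"
    fi
    echo "iptables -t nat -A POSTROUTING -o $out_if -s $src -j $target"
}

# masq_direction OUT_IF SOURCE: whose traffic the entry rewrites, in terms of
# the diagram above, so a wrong-way entry is easy to spot.
masq_direction() {
    case "$1:$2" in
        eth2:eth1) echo "LAN -> office: hub/switch hosts are hidden behind eth2" ;;
        eth1:eth2) echo "office -> LAN: only traffic leaving towards the hub is rewritten" ;;
        *)         echo "other" ;;
    esac
}

# Walk the candidate entries from the post (OFFICE_IP is a placeholder).
for entry in "eth1 eth2" "eth2 eth1" "eth1 eth2 OFFICE_IP" "eth1 10.1.0.0/24 OFFICE_IP"; do
    set -- $entry
    echo "masq: $entry"
    echo "  -> $(masq_rule "$@")"
    echo "  -> $(masq_direction "$1" "$2")"
done
```

Besides the masq entry, forwarding has to be on (IP_FORWARDING=On in shorewall.conf) and Shorewall2 needs a route to the office subnet via eth2; the helper only checks the NAT half.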