[Shorewall-newbies] Routing and MASQ

Francesca C Smith fsmith at ladylinux.com
Fri Dec 5 01:19:12 PST 2003


Hello,

Please attach your configs as an attachment .. and Shorewall status ..

You can send them in a zip file .. and I will not publish your public IPs ..

This is kinda the mess I have at my Corp office ..

Francesca
At 12:51 AM 12/5/2003, Bill.Light at kp.org wrote:

>I'll try here...I'm desperate resorting to ASCII art...
>
>Semi-Working configuration - can't get the routing piece I want though...
>
>
>    Internet
>       *
>       * eth0
>       *
>**************                  *****************
>* Shorewall1 ** eth1 **** eth0 ** DMZ http/mail *
>**************                  *****************
>       *
>       * eth2
>       *
>       *
>       * eth0
>       *
>**************            ************************
>* Shorewall2 ** eth1 ******      Hub/Switch      *
>**************            ************************
>       *                      *   *   *   *   *
>       * eth2                 *   *   *   *   *
>       *                      *   *   *   *   printers (cups)
>**************               *   *   *   *
>*    ISDN    *               *   *   *   Samba PDC
>*     to     *               *   *   *
>*   Office   *               *   *   W2K boxes
>**************               *   *
>                              *   Other Linux boxes
>                              *
>                              Cisco AP350 (that I haven't touched yet)
>
>What I have:
>
>* "Shorewall2"  CAN use Citrix to get to a Windows Terminal Server in the 
>Office
>* "Shorewall2"  CAN ping anything in the Office subnet
>* "Shorewall2"  CAN traceroute anything in the Office subnet
>* "Shorewall1"  SuSE Professional 7.3 running Shorewall 1.4.8
>* "Shorewall2"  SuSE Professional 9.0 running Shorewall 1.4.8
>
>What I want:
>
>* To sign on to anything connected to the Hub/Switch and get into the 
>office subnet (i.e. ping, traceroute, citrix)
>* Ergo - I want routing THROUGH "Shorewall2" and I need it masqueraded...
>
>What I've done:
>
>* Most recent suggestion from Tom on the "expert" list was a "simple" MASQ 
>entry -     eth1   eth2
>      === I tried that last month, and it doesn't work any better now than 
> it did then
>* Just for giggles     eth2        eth1
>* Then again the "proper"    eth1        eth2        172.x.x.x  # My 
>Office IP
>* Or also     eth1        172.x.x.0/24        172.x.x.x
>
>Things I know:
>
>* My office will swallow REJECT anything that is not coming from its own 
>subnet
>* All the rest of the boxes plugged into the Hub/Switch can access the 
>Internet and each other and the printers just fine
>* I had this working with a SuSE 7.3 and an "old" Shorewall 1.3.x exactly 
>the way I wanted - something between "new" SuSE and "new" Shorewall is 
>different enough to have screwed me up for over a month.
>* I am just as frustrated with this as Tom is with me
>* I am absolutely paranoid about posting my "real" IP addresses (even if 
>they are private) in case I ever do get compromised - I don't want a "road 
>map" posted on the Internet.
>* I will be the first to admit that this is probably a routing problem, 
>but without masq of shorewall, a "clear" will cause my private subnet to 
>bounce anyway ... even if routing is 100%
>
>Can someone see the forest ?    All I see are trees !
>
>- Bill
>The Sufficiently Talented Fool
>_______________________________________________
>Shorewall-newbies mailing list
>Post: Shorewall-newbies at lists.shorewall.net
>Subscribe/Unsubscribe: 
>https://lists.shorewall.net/mailman/listinfo/shorewall-newbies
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm

"No Problems Only Solutions"
Francesca C. Smith
Lady Linux Internet Services
fsmith at ladylinux.com
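The masq entries Bill lists above differ only in which interface sits in which column, and that is exactly what decides the direction of the NAT. In Shorewall's /etc/shorewall/masq file the first column is the interface the traffic leaves through, the second is the source subnet (or the interface it arrives on, from which Shorewall takes the subnet), and the optional third column is an SNAT address; without it the rule is a plain MASQUERADE. The following is an added illustration, not Shorewall's own code: it expands masq-style lines into the equivalent iptables POSTROUTING rules so the direction of each entry can be read off. The interface roles (eth1 toward the hub/switch, eth2 toward the ISDN link) follow Bill's diagram; the subnets and the sample masq file are constructed here and are not the poster's real addresses.

```python
"""Expand Shorewall 1.4-style masq entries into the iptables POSTROUTING
rules they stand for, so that the direction of each entry is explicit.

Added example, not Shorewall's own code.  Columns of the masq file:
  INTERFACE  - interface the traffic leaves through
  SUBNET     - source subnet, or an interface name whose subnet is used
  ADDRESS    - optional SNAT address; absent or "-" means MASQUERADE
"""
import ipaddress

# Constructed interface-to-subnet table standing in for what Shorewall reads
# from the live interfaces.  Roles follow the poster's diagram (eth1 = hub
# side, eth2 = ISDN side of Shorewall2); the addresses are placeholders.
IFACE_SUBNETS = {
    "eth1": "192.168.10.0/24",   # hub/switch side of Shorewall2 (assumed)
    "eth2": "192.168.20.0/30",   # ISDN link toward the office (assumed)
}

# Constructed sample masq file: the first entry masquerades hub-side hosts
# as they leave toward the office; the second is the reverse direction; the
# third uses an explicit SNAT address instead of MASQUERADE.
SAMPLE_MASQ = """\
# INTERFACE  SUBNET              ADDRESS
eth2         eth1
eth1         eth2
eth2         192.168.10.0/24     192.168.20.1   # explicit SNAT address
"""


def parse_masq_line(line):
    """Return (iface, source, address) for one masq line, or None for
    blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("masq entry needs INTERFACE and SUBNET: %r" % line)
    iface, source = fields[0], fields[1]
    address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
    return iface, source, address


def resolve_source(source, iface_subnets=IFACE_SUBNETS):
    """The SUBNET column may hold a CIDR or an interface name; return the
    CIDR string it denotes (interface names are looked up in the table)."""
    try:
        return str(ipaddress.ip_network(source, strict=False))
    except ValueError:
        pass
    if source in iface_subnets:
        return iface_subnets[source]
    raise ValueError("unknown interface or bad subnet in SUBNET column: %r"
                     % source)


def masq_to_iptables(text, iface_subnets=IFACE_SUBNETS):
    """Expand masq text into a list of iptables argument strings, one
    POSTROUTING rule per entry, in file order."""
    rules = []
    for line in text.splitlines():
        entry = parse_masq_line(line)
        if entry is None:
            continue
        iface, source, address = entry
        subnet = resolve_source(source, iface_subnets)
        target = ("-j SNAT --to-source %s" % address) if address \
            else "-j MASQUERADE"
        rules.append("-t nat -A POSTROUTING -o %s -s %s %s"
                     % (iface, subnet, target))
    return rules


def demo():
    """Expand the constructed sample file (used by the stand-alone run)."""
    return masq_to_iptables(SAMPLE_MASQ)


if __name__ == "__main__":
    for rule in demo():
        print("iptables " + rule)
```

Reading the expanded rules makes the point of the thread concrete: an entry only rewrites packets that leave through the interface in its first column, so the entry whose first column is the office-facing interface is the one that affects hub-side hosts trying to reach the office. Whether such packets ever get that far is the separate routing question Bill raises, which no masq entry can fix.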
