[Shorewall-newbies] Trying to get shorewall to work inbound.
Perhaps arp/routing issues.
zot at zotconsulting.com
Wed Feb 11 16:46:56 PST 2004
I have a dsl line with 13 addresses.
They are all in a row, but not in a subnettable block.
On my floppyfw firewall, I have one IP for the outside (REAL_OUT_IP) and
one for the inside (REAL_INSIDE_IP). Then it arps the IPs, then routes
each IP to /32 on the inside nic for each IP to the inside addresses.
I then use ipchains to do the filtering.
I also have a fake IP range that is on the same LAN that I NAT
outbound. I have the .1 as an alias to the inside nic.
All of this is pretty much done by hand in the firewall.ini.
So the current router looks like this:

    REAL_OUT_IP                    MASQ/NAT to REAL_OUT_IP
    LAN Machines (REAL_IPs)        LAN Machines (FAKE_IP)
This works, but I want to add QOS, ssh, and ipsec.
So I am migrating to Bering-uClibc/shorewall......
I tried to follow the various docs. I see where to add arp addresses, but
they always assume that the inside IPs are not the same as the outside.
I can get outbound traffic working for the FAKE_IP and REAL_IP LAN.
I cannot get inbound traffic working.
I can see from the rejects, that all2all is getting called in the OUTPUT
chain and killing the connection.
I am assuming this is because REAL_OUT_IP and REAL_INSIDE_IP(s) are in
the same class C, thus it is trying to filter the OUTSIDE rules and the
INSIDE rules are coming after:
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP !icmp -- 0.0.0.0/0 0.0.0.0/0 state INVALID
fw2net all -- 0.0.0.0/0 0.0.0.0/0
all2all all -- 0.0.0.0/0 REAL_IP_BASE.0/24
all2all all -- 0.0.0.0/0 REAL_IP_BASE.1
all2all all -- 0.0.0.0/0 REAL_IP_BASE.2
all2all all -- 0.0.0.0/0 REAL_IP_BASE.3
all2all all -- 0.0.0.0/0 REAL_IP_BASE.4
all2all all -- 0.0.0.0/0 REAL_IP_BASE.5
In my rules I open things like mail:
ACCEPT net real1 tcp ssh,smtp,www,dns,ssmtp,https,auth
ACCEPT net real1 udp dns,auth
Having set real1 in the zones and hosts.
So before I start posting a lot more about this, are there any examples
that cover this scenario? It is not that uncommon. In the past I have
used transparent bridging, which I suppose I should use, but that might
affect the routing.
Zot O'Connor <zot at zotconsulting.com>
White Knight Hackers, Inc.
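A way to check rule-order reasoning like the one in the post above: walk the chain the way netfilter does, first match wins, with the out-interface column visible. The listing in the post comes from `iptables -L` without `-v`, which hides the `-o` qualifiers, so the following is an added example (not the poster's code and not Shorewall's) built on a constructed copy of that OUTPUT chain with assumed qualifiers: `-o lo` on the first ACCEPT, `-o eth0` on the fw2net jump, a fw2net chain that ACCEPTs (outbound works for the poster) and an all2all chain that LOGs then REJECTs. 192.0.2.0/24 stands in for REAL_IP_BASE, 192.0.2.10 for REAL_INSIDE_IP, and every packet is constructed.

```python
"""Walk Shorewall-generated iptables chains with first-match semantics.

Added example (not from the original post or Shorewall): a constructed copy
of the OUTPUT chain quoted above, in `iptables -nv -L` column order so the
out-interface column is visible. 192.0.2.0/24 stands in for REAL_IP_BASE;
the `-o lo` / `-o eth0` qualifiers and the fw2net/all2all bodies are
assumptions; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    proto: str                     # "all", "tcp", "udp", "icmp", ...
    proto_negated: bool            # True for "!icmp"
    in_if: str                     # "*" matches any interface
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    states: Optional[set] = None   # None when the rule has no "state" match


@dataclass
class Packet:
    proto: str
    out_if: str
    src: str
    dst: str
    state: str = "NEW"
    in_if: str = "*"               # locally generated traffic has no input interface


def parse_listing(text):
    """Parse `iptables -nv -L <chain>` lines: pkts bytes target prot opt in out src dst [extra]."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue                                   # header or blank line
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = cols[:9]
        extra = cols[9:]
        states = None
        if "state" in extra:                           # "state INVALID", "state NEW,ESTABLISHED", ...
            states = set(extra[extra.index("state") + 1].split(","))
        rules.append(Rule(target, proto.lstrip("!"), proto.startswith("!"),
                          in_if, out_if, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), states))
    return rules


def matches(rule, pkt):
    proto_ok = rule.proto == "all" or (rule.proto == pkt.proto) != rule.proto_negated
    iface_ok = rule.in_if in ("*", pkt.in_if) and rule.out_if in ("*", pkt.out_if)
    addr_ok = (ipaddress.ip_address(pkt.src) in rule.src
               and ipaddress.ip_address(pkt.dst) in rule.dst)
    state_ok = rule.states is None or pkt.state in rule.states
    return proto_ok and iface_ok and addr_ok and state_ok


def walk(chains, policies, name, pkt, trail=None):
    """Return (verdict, trail); trail lists every matched rule as chain:index."""
    trail = [] if trail is None else trail
    for i, rule in enumerate(chains[name]):
        if not matches(rule, pkt):
            continue
        trail.append(f"{name}:{i}")
        if rule.target in TERMINAL:
            return rule.target, trail
        if rule.target == "RETURN":
            break
        if rule.target in chains:                      # jump into a user-defined chain
            verdict, trail = walk(chains, policies, rule.target, pkt, trail)
            if verdict is not None:
                return verdict, trail
        # LOG and other non-terminal targets: evaluation continues with the next rule
    # built-in chains fall through to their policy; user chains return None to the caller
    return policies.get(name), trail


# Constructed listings: the post's OUTPUT chain plus assumed `-o` columns and assumed
# bodies for the user-defined chains it jumps to.
CHAINS = {
    "OUTPUT": parse_listing("""
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0        0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0        0.0.0.0/0        state INVALID
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0        0.0.0.0/0
    0     0 all2all    all  --  *      *       0.0.0.0/0        192.0.2.0/24
    0     0 all2all    all  --  *      *       0.0.0.0/0        192.0.2.1
    0     0 all2all    all  --  *      *       0.0.0.0/0        192.0.2.2
    """),
    "fw2net": parse_listing("""
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0        0.0.0.0/0
    """),
    "all2all": parse_listing("""
    0     0 LOG        all  --  *      *       0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 6
    0     0 REJECT     all  --  *      *       0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
    """),
}
POLICIES = {"OUTPUT": "DROP"}      # from "Chain OUTPUT (policy DROP)"
FW_INSIDE = "192.0.2.10"           # constructed stand-in for REAL_INSIDE_IP


def verdict_for(proto, out_if, dst, state="NEW"):
    """Verdict and matched-rule trail for a packet the firewall itself sends."""
    return walk(CHAINS, POLICIES, "OUTPUT", Packet(proto, out_if, FW_INSIDE, dst, state))


if __name__ == "__main__":
    for case in [("tcp", "eth1", "192.0.2.3"), ("tcp", "eth0", "203.0.113.5"),
                 ("tcp", "lo", "127.0.0.1"), ("tcp", "eth1", "192.0.2.3", "INVALID")]:
        print(case, "->", verdict_for(*case))
```

In this model a reply the firewall sends toward a REAL_IP host leaves via eth1, so it never matches the eth0-qualified fw2net jump and lands in all2all, which ends in REJECT; the same packet toward the internet leaves via eth0 and is accepted by fw2net. The trail makes the deciding column explicit, which is why `iptables -nv -L OUTPUT` (or `shorewall show OUTPUT`) is the listing to read when a chain looks like it should have accepted something.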