[Shorewall-newbies] Trying to get shorewall to work inbound. Perhaps arp/routing issues.

Zot O'Connor zot at zotconsulting.com
Wed Feb 11 16:46:56 PST 2004


I have a dsl line with 13 addresses.

They are all in a row, but not in a subnettable block.

On my floppyfw firewall, I have one IP for the outside (REAL_OUT_IP) and
one for the inside (REAL_INSIDE_IP).  Then it arps the IPs, then routes
each IP to /32 on the inside nic for each IP to the inside addresses.

I then use ipchains to do the filtering.

I also have a fake IP range that is on the same LAN that I nat out
bound.  I have the .1 as an alias to the inside nic.

All of this is pretty much done by hand in the firewall.ini.

So the current router looks like this:

DSL_ISP
  |
  |
__|_____________________________________________
REAL_OUT_IP                    MASQ/NAT to REAL_OUT_IP
________________________________________________
REAL_INSIDE_IP                 FAKE_INSIDE_IP
____________________________________________________________
  |                                   |
  |                                   |
LAN Machines (REAL_IPs)   LAN Machines (FAKE_IP)



This works, but I want to add QOS, ssh, and ipsec.

So I am migrating to bering-uclib/shorewall......

I tried to follow the various docs.  I see where to add arp address, but
they always assume that the inside IPs are not the same as the outside
IPs...

I can get outbound traffic working for the FAKE_IP and REAL_IP LAN
machines.

I cannot get inbound traffic working.

I can see from the rejects, that all2all is getting called in the OUTPUT
chain and killing the connection.

I am assuming this is because REAL_OUT_IP and REAL_INSIDE_IP(s) are in
the same class C, thus it is trying to filter the OUTSIDE rules and the
INSIDE rules are coming after:

Chain OUTPUT (policy DROP)
target     prot opt source               destination   
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP      !icmp --  0.0.0.0/0            0.0.0.0/0           state INVALID 
fw2net     all  --  0.0.0.0/0            0.0.0.0/0           
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.0/24     
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.1 
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.2
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.3
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.4
all2all    all  --  0.0.0.0/0            REAL_IP_BASE.5

In my rules I open things like mail:
ACCEPT  net     real1   tcp ssh,smtp,www,dns,ssmtp,https,auth
ACCEPT  net     real1   udp dns,auth

Having set real1 in the zones and hosts.
So before I start posting a lot more about this, are there any examples
that cover this scenario?  It is not that uncommon.  In the past I have
used transparent bridging, which I supposed I should use, but that might
affect the routing.

Thanks.

-- 
Zot O'Connor <zot at zotconsulting.com>
White Knight Hackers, Inc.
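The OUTPUT listing in the post is a rule-ordering problem: a jump to all2all for the whole REAL_IP_BASE.0/24 block sits in front of the per-host jumps, so the per-host rules are only reached if all2all returns. The script below is an added example, not part of the post and not Shorewall's code: it parses an `iptables -L -n` listing (verbose `-v` form or the plain form shown in the post) and reports every rule whose match set is entirely covered by an earlier rule in the same chain. The sample listing is constructed; 192.0.2.0/24 (the RFC 5737 documentation range) stands in for REAL_IP_BASE. One caveat the script is built around: plain `-L -n` omits the in/out interface columns, so two rules that look identical in that output may differ on interface; capture with `iptables -L -n -v` (or `iptables-save`) before reasoning about order.

```python
"""Flag shadowed rules in an `iptables -L -n [-v]` chain listing (added example)."""
import ipaddress

# Targets that end packet traversal; any other target is a jump to a user chain
# and may RETURN, so a covered rule after it is only "possibly" shadowed.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample, modelled on the OUTPUT chain in the post, captured with -v
# so the interface columns are visible. 192.0.2.0/24 stands in for REAL_IP_BASE.
SAMPLE_LISTING = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 all2all    all  --  *      *       0.0.0.0/0            192.0.2.1
    0     0 all2all    all  --  *      *       0.0.0.0/0            192.0.2.2
"""


def parse_listing(text):
    """Return {chain_name: [rule, ...]}; each rule is a dict of its match fields.

    Handles both the plain `-L -n` layout (target prot opt source destination)
    and the `-L -n -v` layout (pkts bytes target prot opt in out source dest).
    Without -v the interfaces are unknown and recorded as '*'.
    """
    chains, current, verbose = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        f = line.split()
        if f[0] in ("target", "pkts"):  # column header tells us which layout follows
            verbose = f[0] == "pkts"
            continue
        if verbose:
            f = f[2:]  # drop the pkts and bytes counters
        target, prot = f[0], f[1]  # f[2] is the 'opt' column (fragment flags)
        if verbose:
            iface_in, iface_out, rest = f[3], f[4], f[5:]
        else:
            iface_in, iface_out, rest = "*", "*", f[3:]
        chains[current].append({
            "num": len(chains[current]) + 1,  # 1-based, like --line-numbers
            "target": target,
            "prot": prot,
            "in": iface_in,
            "out": iface_out,
            "src": ipaddress.ip_network(rest[0]),
            "dst": ipaddress.ip_network(rest[1]),
            "extra": " ".join(rest[2:]),  # e.g. 'state INVALID', port matches
        })
    return chains


def covers(earlier, later):
    """True if every packet the later rule matches is already matched by the earlier one."""
    if earlier["extra"]:
        # Extra match modules (state, ports, ...) narrow the earlier rule in ways
        # this checker does not model, so it is never treated as covering.
        return False
    if earlier["prot"] != "all" and earlier["prot"] != later["prot"]:
        return False
    if earlier["in"] not in ("*", later["in"]) or earlier["out"] not in ("*", later["out"]):
        return False
    return later["src"].subnet_of(earlier["src"]) and later["dst"].subnet_of(earlier["dst"])


def find_shadowed(chains):
    """List (chain, rule_num, covering_rule_num, kind) for every covered rule.

    kind is 'shadowed' when the covering rule is terminal (never reached) and
    'jump' when it jumps to a user chain (reached only if that chain RETURNs).
    """
    findings = []
    for name, rules in chains.items():
        for j, later in enumerate(rules):
            for earlier in rules[:j]:
                if covers(earlier, later):
                    kind = "shadowed" if earlier["target"] in TERMINAL else "jump"
                    findings.append((name, later["num"], earlier["num"], kind))
                    break  # report only the first rule that covers it
    return findings


if __name__ == "__main__":
    for chain, num, by, kind in find_shadowed(parse_listing(SAMPLE_LISTING)):
        if kind == "shadowed":
            print(f"{chain} rule {num}: never reached, fully covered by rule {by}")
        else:
            print(f"{chain} rule {num}: only reached if rule {by}'s target chain returns")
```

On the sample this reports rules 5 and 6 (the per-host all2all jumps) as reachable only if the all2all jump in rule 4 returns, which is the situation the post describes. Run it against a real capture by replacing SAMPLE_LISTING with the output of `iptables -L -n -v`.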