[Shorewall-newbies] Trying to get shorewall to work inbound. Perhaps arp/routing issues.

Zot O'Connor zot at zotconsulting.com
Wed Feb 11 16:46:56 PST 2004

I have a dsl line with 13 addresses.

They are all in a row, but not in a subnettable block.

On my floppyfw firewall, I have one IP for the outside (REAL_OUT_IP) and
one for the inside (REAL_INSIDE_IP).  Then it arps the IPs, then routes
each IP to /32 on the inside nic for each IP to the inside addresses.

I then use ipchains to do the filtering.

I also have a fake IP range that is on the same LAN that I NAT
outbound.  I have the .1 as an alias to the inside nic.

All of this is pretty much done by hand in the firewall.ini.

So the current router looks like this:

REAL_OUT_IP                    MASQ/NAT to REAL_OUT_IP
  |                                   |
  |                                   |
LAN Machines (REAL_IPs)   LAN Machines (FAKE_IP)

This works, but I want to add QOS, ssh, and ipsec.

So I am migrating to bering-uclib/shorewall......

I tried to follow the various docs.  I see where to add ARP addresses, but
they always assume that the inside IPs are not the same as the outside.

I can get outbound traffic working for the FAKE_IP and REAL_IP LAN.

I cannot get inbound traffic working.

I can see from the rejects, that all2all is getting called in the OUTPUT
chain and killing the connection.

I am assuming this is because REAL_OUT_IP and REAL_INSIDE_IP(s) are in
the same class C, thus it is trying to filter the OUTSIDE rules and the
INSIDE rules are coming after:

Chain OUTPUT (policy DROP)
target     prot opt source               destination   
ACCEPT     all  --             
DROP      !icmp --             state INVALID 
fw2net     all  --             
all2all    all  --            REAL_IP_BASE.0/24     
all2all    all  --            REAL_IP_BASE.1 
all2all    all  --            REAL_IP_BASE.2
all2all    all  --            REAL_IP_BASE.3
all2all    all  --            REAL_IP_BASE.4
all2all    all  --            REAL_IP_BASE.5

In my rules I open things like mail:
ACCEPT  net     real1   tcp ssh,smtp,www,dns,ssmtp,https,auth
ACCEPT  net     real1   udp dns,auth

Having set real1 in the zones and hosts.
So before I start posting a lot more about this, are there any examples
that cover this scenario?  It is not that uncommon.  In the past I have
used transparent bridging, which I suppose I should use, but that might
affect the routing.


Zot O'Connor <zot at zotconsulting.com>
White Knight Hackers, Inc.
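As an added example (not the poster's configuration, and not from the Shorewall project), here is one way to express the layout described above in Shorewall's own files of the 1.4 era, the version current when this was posted: a public address range that cannot be subnetted, proxy-ARPed on the outside interface and routed as /32 host routes through the inside interface; a separate real1 zone for those hosts defined in the hosts file rather than in interfaces; and an RFC 1918 range on the same LAN masqueraded behind the outside address. Interface names eth0/eth1, the 203.0.113.0/24 documentation addresses, the 192.168.1.0/24 private range and the zone names are all assumptions. One caveat worth checking against the listing above: the filter-table OUTPUT chain carries only packets the firewall itself originates, so an all2all hit there is governed by the fw-to-real1 policy, not by the net-to-real1 rules; the policy file below therefore gives that pair an explicit entry.

```text
# /etc/shorewall/zones  (ZONE DISPLAY COMMENTS)  -- assumed zone names
net     Net      Internet (DSL)
loc     Local    RFC 1918 hosts on the LAN (the "FAKE_IP" range)
real1   Real1    Public-addressed hosts on the same LAN

# /etc/shorewall/interfaces  (ZONE INTERFACE BROADCAST OPTIONS)
# eth1 serves two zones, so its zone is "-" and the hosts file decides.
# eth1 carries REAL_INSIDE_IP plus a 192.168.1.1 alias (assumed).
net     eth0     detect   norfc1918
-       eth1     detect

# /etc/shorewall/hosts  (ZONE HOST(S) OPTIONS)
loc     eth1:192.168.1.0/24
real1   eth1:203.0.113.34
real1   eth1:203.0.113.35
real1   eth1:203.0.113.36

# /etc/shorewall/proxyarp  (ADDRESS INTERFACE EXTERNAL HAVEROUTE)
# The firewall answers ARP for each public address on eth0; with
# HAVEROUTE=No, Shorewall also adds the /32 route through eth1 itself.
203.0.113.34    eth1    eth0    No
203.0.113.35    eth1    eth0    No
203.0.113.36    eth1    eth0    No

# /etc/shorewall/masq  (INTERFACE SUBNET ADDRESS)
# Only the private range is NATed (203.0.113.33 stands in for
# REAL_OUT_IP); real1 hosts leave with their own addresses.
eth0    192.168.1.0/24    203.0.113.33

# /etc/shorewall/policy  (SOURCE DEST POLICY LOG LEVEL)
loc     net     ACCEPT
real1   net     ACCEPT
fw      net     ACCEPT
fw      real1   ACCEPT
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/rules  (ACTION SOURCE DEST PROTO DEST PORT(S))
# Inbound services for the public hosts; ports given by number so
# /etc/services naming differences (dns vs domain) do not matter.
ACCEPT  net     real1   tcp     22,25,80,443,113
ACCEPT  net     real1   udp     53
```

After `shorewall start`, the host routes the proxyarp file created should appear in the kernel routing table as single-address entries via eth1, and the firewall's outside interface should answer ARP for each listed public address; if either is missing, inbound packets for the real1 hosts never reach the net-to-real1 rules at all.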
