[Shorewall-newbies] eth1 to eth1 cross network problem

Tom Eastep teastep at shorewall.net
Tue Jan 20 09:35:54 PST 2004


On Tuesday 20 January 2004 09:20 am, Garrett Johnson wrote:
> Sorry my Linux based web email defaults to html.   I believe I understand
> the setting however I don't believe this is accessible in the Webmin
> interface for shorewall.
>
> Here is the original "post".
>
> Thanks
> Garrett
>
> We have a Three Interface firewall/proxy setup with Shorewall.
>
> eth0-Gigabit/Power Users  10.1.10.0
> eth1-regular users - 100VG anylan 10.1.1.0
> eth2 - Internet Connection 192.168.7.0 -> Internet Router
>
> The firewall is working to the outside and between the interfaces as
> expected.  However we also have a separate internal network 192.168.1.0
> that is routed on eth1 through 10.1.1.145 then to 10.1.5.45 on arcnet then
> back to 192.168.1.201 on an ethernet network (it's 2000 feet of underground
> arcnet cable).  From eth0 I can ping and view everything on the 192.168.1.0
> network however shorewall is rejecting the connection in the FORWARD chain
> and the all2all chain.
>
> Jan 20 10:17:16 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=10.1.1.128
> DST=10.1.5.145 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=563 PROTO=ICMP TYPE=8
> CODE=0 ID=512 SEQ=1792
>
> and
>
> Jan 20 10:17:59 all2all:REJECT:IN= OUT=eth1 SRC=10.1.1.55 DST=10.1.1.128
> LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=4392 PROTO=ICMP TYPE=11 CODE=0
> [SRC=10.1.1.128 DST=10.1.5.145 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=591
> PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3840 ]
>
> I have a rule that says any local(eth0,eth1) to any local ACCEPT.
>
> I don't know where I tell the local zone that 192.168.1.0 and 10.1.5.0 are
> local networks.
>
> I am using the webmin interface to configure shorewall.

Then you are going to have to use something other than webmin (e.g., a text 
editor) to configure the 'routeback' option on eth1 in 
/etc/shorewall/interfaces.

The reference documentation for your situation may be found in one of:

http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html 
http://www.shorewall.net/Multiple_Zones.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
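As an added illustration (not part of the thread), here is a small POSIX sh script that reads the two REJECT lines Garrett posted, flags the FORWARD reject whose IN and OUT interface are the same (the symptom that the routeback option addresses), and checks an /etc/shorewall/interfaces table for that option. The zone name loc, the detect broadcast column and the before/after tables are assumptions; the post does not show the file.

```shell
#!/bin/sh
# Sample input: the two REJECT lines quoted in the post.
SAMPLE_LOG='Jan 20 10:17:16 FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=10.1.1.128 DST=10.1.5.145 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=563 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1792
Jan 20 10:17:59 all2all:REJECT:IN= OUT=eth1 SRC=10.1.1.55 DST=10.1.1.128 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=4392 PROTO=ICMP TYPE=11 CODE=0'

# /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS) before and
# after adding routeback to eth1. Zone name and broadcast column are assumed.
INTERFACES_BEFORE='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth2        detect
loc     eth0        detect
loc     eth1        detect'

INTERFACES_AFTER='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth2        detect
loc     eth0        detect
loc     eth1        detect      routeback'

# Read a Shorewall log on stdin; print each interface that appears as both
# IN and OUT of a FORWARD:REJECT, i.e. traffic the kernel would have sent
# back out the interface it arrived on (the case routeback permits).
same_iface_rejects() {
    grep 'FORWARD:REJECT' | while IFS= read -r line; do
        in=$(printf '%s\n' "$line" | sed -n 's/.*IN=\([^ ]*\) .*/\1/p')
        out=$(printf '%s\n' "$line" | sed -n 's/.*OUT=\([^ ]*\) .*/\1/p')
        [ -n "$in" ] && [ "$in" = "$out" ] && printf '%s\n' "$in"
    done | sort -u
}

# Exit 0 if the interfaces table on stdin lists routeback in the OPTIONS
# column (comma-separated) of the interface named in $1.
has_routeback() {
    grep -v '^#' | awk -v i="$1" '
        $2 == i { n = split($4, o, ","); for (k = 1; k <= n; k++) if (o[k] == "routeback") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the interfaces from SAMPLE_LOG that need routeback but lack it in
# the interfaces table passed as $1.
missing_routeback() {
    printf '%s\n' "$SAMPLE_LOG" | same_iface_rejects | while read -r i; do
        printf '%s\n' "$1" | has_routeback "$i" || printf '%s\n' "$i"
    done
}

missing_routeback "$INTERFACES_BEFORE"   # prints: eth1
missing_routeback "$INTERFACES_AFTER"    # prints nothing
```

The all2all line is the firewall itself (10.1.1.55) answering with an ICMP time-exceeded message; it carries no IN interface and so is not a routeback case, which is why the script ignores it.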
