I made these changes to shorewall and rebooted. The result was all hosts
lost Internet access.

/etc/shorewall/hosts

#ZONE           HOST(S)                         OPTIONS
loc             eth1:192.168.1.0/24
loc             eth1:192.168.2.0/24
loc             eth1:192.168.140.0/24
loc             eth1:192.168.142.0/24
loc             eth1:192.168.143.0/24
loc             eth1:192.168.145.0/24
loc             eth1:192.168.146.0/24
loc             eth1:192.168.147.0/24
loc             eth1:192.168.148.0/24

And then this:

/etc/shorewall/interfaces

#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth0           142.165.207.162 routefilter,norfc1918,tcpflags
loc      eth1           192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255
vpn      ipsec0

I watched shorewall load and it did show all of these networks as defining
the "loc" zone as I would expect. I am just not sure why we lost Internet
access after that point. Do I need to define these subnets as, for example,
"192.168.1.0/24,192.168.2.0/24..."?

I think I may not have given all the information in my previous post. Here
are the relevant configs. (Some IPs have been altered to protect the
innocent)

IP ROUTE: 

192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4 
192.168.146.0/24 via 192.168.147.2 dev eth1 
192.168.145.0/24 via 192.168.147.2 dev eth1 
192.168.2.0/24 via 192.168.147.5 dev eth1 
192.168.1.0/24 via 192.168.147.5 dev eth1 
192.168.148.0/24 via 192.168.147.2 dev eth1 
10.10.26.0/24 via 142.165.207.254 dev ipsec0 
192.168.143.0/24 via 192.168.147.1 dev eth1 
192.168.142.0/24 via 192.168.147.1 dev eth1 
142.165.207.0/24 dev eth0  proto kernel  scope link  src 142.165.207.*
142.165.207.0/24 dev ipsec0  proto kernel  scope link  src 142.165.207.* 
192.168.140.0/24 via 192.168.147.3 dev eth1 
default via 142.165.207.254 dev eth0 


IP ADDR:

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
    inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0

/ETC/INTERFACES

auto eth0
iface eth0 inet static  
        address 142.165.207.*
        netmask 255.255.255.0
        broadcast 142.165.207.255
        gateway 142.165.207.254
        
# Step 2: configure  internal interface
# Default: eth1 / fixed IP = 192.168.1.254
auto eth1
iface eth1 inet static
        address 192.168.147.4
        netmask 255.255.255.0
        broadcast 192.168.147.255

up ip route add 192.168.140.0/24 via 192.168.147.3 || true
up ip route add 192.168.142.0/24 via 192.168.147.1 || true
up ip route add 192.168.143.0/24 via 192.168.147.1 || true
up ip route add 192.168.1.0/24 via 192.168.147.5 || true
up ip route add 192.168.2.0/24 via 192.168.147.5 || true
up ip route add 192.168.145.0/24 via 192.168.147.2 || true
up ip route add 192.168.146.0/24 via 192.168.147.2 || true
up ip route add 192.168.148.0/24 via 192.168.147.2 || true


/etc/shorewall/masq

#INTERFACE              SUBNET          ADDRESS
eth0                    192.168.1.0/24                  
eth0                    192.168.2.0/24                  
eth0                    192.168.140.0/24                  
eth0                    192.168.142.0/24                  
eth0                    192.168.143.0/24                  
eth0                    192.168.145.0/24                  
eth0                    192.168.146.0/24                  
eth0                    192.168.147.0/24                  
eth0                    192.168.148.0/24               


Thanks in advance!

Troy 
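One way to cross-check the three pieces of configuration shown above before rebooting (an added example, not code from the thread or from Shorewall): parse the shorewall hosts and masq files together with the `ip route` output and flag any "loc" subnet that has no route out of its own interface or no masq entry on the external interface. The sample inputs are constructed and abridged from the configs in this post, with 192.168.148.0/24 deliberately left out of the routes and masq entries so the check has something to report.

```python
import ipaddress

# Constructed inputs abridged from the thread's configs (not the poster's actual files).
HOSTS = """#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24
loc     eth1:192.168.140.0/24
loc     eth1:192.168.148.0/24
"""
MASQ = """#INTERFACE  SUBNET            ADDRESS
eth0        192.168.1.0/24
eth0        192.168.140.0/24
eth0        192.168.147.0/24
"""
IP_ROUTE = """192.168.147.0/24 dev eth1  proto kernel  scope link  src 192.168.147.4
192.168.140.0/24 via 192.168.147.3 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
default via 142.165.207.254 dev eth0
"""

def _fields(text):
    # Whitespace-split fields of every non-blank, non-comment line.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_hosts(text):
    # shorewall hosts -> [(zone, iface, network)]; the HOST(S) column is iface:subnet.
    return [(zone, host.split(":")[0], ipaddress.ip_network(host.split(":")[1]))
            for zone, host, *_ in _fields(text)]

def parse_masq(text):
    # shorewall masq -> {(external iface, subnet)}.
    return {(f[0], ipaddress.ip_network(f[1])) for f in _fields(text)}

def parse_routes(text):
    # 'ip route' output -> [(destination, dev)]; 'default' becomes 0.0.0.0/0.
    return [(ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0]),
             f[f.index("dev") + 1]) for f in _fields(text)]

def audit(hosts_text, masq_text, route_text, ext_iface="eth0"):
    # Flag each hosts-file subnet that has no non-default route out of its own
    # interface, or no masq entry on the external interface.
    masq, routes = parse_masq(masq_text), parse_routes(route_text)
    problems = []
    for zone, iface, net in parse_hosts(hosts_text):
        routed = any(dev == iface and rn.prefixlen and net.subnet_of(rn)
                     for rn, dev in routes)
        if not routed:
            problems.append(f"{net}: no route on {iface}")
        if (ext_iface, net) not in masq:
            problems.append(f"{net}: no masq entry on {ext_iface}")
    return problems
```

Run `audit(HOSTS, MASQ, IP_ROUTE)` on the real files and route table to get a list of subnets that Shorewall will treat as "loc" but that the kernel cannot reach or that will leave eth0 un-NATed.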





-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 11:58 AM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] Shorewall questions

On Mon, 2003-12-08 at 09:36, Troy Aden wrote:
> I have a quick newbie shorewall question.
> In setup I have several static routes from several internal routers going to
> the shorewall box.
>
> The external interface (eth0) has the external IP. But the internal
> interface has to be able to recognize 8 separate subnets as internal IPs and
> treat them as the local zone.
> I suspect that I would have to make changes to the shorewall/interfaces file
> and add all of these subnets to the eth1 interface. Can anyone confirm this
> for me? Also I have reviewed the docs and I can't seem to find an example of
> the appropriate syntax to make entries like this in the shorewall/interfaces
> file.
>

You might take a look at:

        http://www.shorewall.net/Multiple_Zones.html

Be sure to pay attention to the links in the first numbered list.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html