On Mon, 2003-12-08 at 12:36, Troy Aden wrote:
> I made these changes to shorewall and rebooted.

WHY REBOOT?

> The result was all hosts
> lost Internet access.

That's not a problem description that can be done much with.

>
> /ETC/shorewall/hosts
>
> #ZONE HOST(S) OPTIONS
> loc eth1:192.168.1.0/24
> loc eth1:192.168.2.0/24
> loc eth1:192.168.140.0/24
> loc eth1:192.168.142.0/24
> loc eth1:192.168.143.0/24
> loc eth1:192.168.145.0/24
> loc eth1:192.168.146.0/24
> loc eth1:192.168.147.0/24
> loc eth1:192.168.148.0/24

And you are defining each subnet individually because?

>
> And then this:
>
> /ETC/shorewall/Interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 142.165.207.162 routefilter,norfc1918,tcpflags
> loc eth1 192.168.1.255,192.168.2.255,192.168.140.255,192.168.142.255,192.168.143.255,192.168.145.255,192.168.146.255,192.168.147.255,192.168.148.255

With the above mess in the hosts file, you don't want "loc" in the zone column there -- you want "-" since you are defining the zone entirely through use of the hosts file.

> vpn ipsec0
>
> I watched shorewall load and it did show all of these networks as defining
> the "loc" zone as I would expect. I am just not sure why we lost Internet
> access after that point. Do I need to define these subnets as for example
> "192.168.1.0/24,192.168.2.0/24...)
>
> I think I may not have given all the information in my previous post. Here
> are the relevant configs. (Some IPs have been altered to protect the
> innocent)
>
> IP ROUTE:
>
> 192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
> 192.168.146.0/24 via 192.168.147.2 dev eth1
> 192.168.145.0/24 via 192.168.147.2 dev eth1
> 192.168.2.0/24 via 192.168.147.5 dev eth1
> 192.168.1.0/24 via 192.168.147.5 dev eth1
> 192.168.148.0/24 via 192.168.147.2 dev eth1
> 10.10.26.0/24 via 142.165.207.254 dev ipsec0
> 192.168.143.0/24 via 192.168.147.1 dev eth1
> 192.168.142.0/24 via 192.168.147.1 dev eth1
> 142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
> 142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
> 192.168.140.0/24 via 192.168.147.3 dev eth1
> default via 142.165.207.254 dev eth0
>
>
> IP ADDR:
>
> 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>     inet 142.165.207.162/24 brd 142.165.207.255 scope global eth0
> 4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:75:90:02:b2 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.147.4/24 brd 192.168.147.255 scope global eth1
> 9: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
>     link/ether 00:01:02:78:13:4d brd ff:ff:ff:ff:ff:ff
>     inet 142.165.207.162/24 brd 142.165.207.255 scope global ipsec0
>
> /ETC/INTERFACES
>
> auto eth0
> iface eth0 inet static
>     address 142.165.207.*
>     netmask 255.255.255.0
>     broadcast 142.165.207.255
>     gateway 142.165.207.254
>
> # Step 2: configure internal interface
> # Default: eth1 / fixed IP = 192.168.1.254
> auto eth1
> iface eth1 inet static
>     address 192.168.147.4
>     netmask 255.255.255.0
>     broadcast 192.168.147.255
>
>     up ip route add 192.168.140.0/24 via 192.168.147.3 || true
>     up ip route add 192.168.142.0/24 via 192.168.147.1 || true
>     up ip route add 192.168.143.0/24 via 192.168.147.1 || true
>     up ip route add 192.168.1.0/24 via 192.168.147.5 || true
>     up ip route add 192.168.2.0/24 via 192.168.147.5 || true
>     up ip route add 192.168.145.0/24 via 192.168.147.2 || true
>     up ip route add 192.168.146.0/24 via 192.168.147.2 || true
>     up ip route add 192.168.148.0/24 via 192.168.147.2 || true
>
>
> /etc/shorewall/masq
>
> #INTERFACE SUBNET ADDRESS
> eth0 192.168.1.0/24
> eth0 192.168.2.0/24
> eth0 192.168.140.0/24
> eth0 192.168.142.0/24
> eth0 192.168.143.0/24
> eth0 192.168.145.0/24
> eth0 192.168.146.0/24
> eth0 192.168.147.0/24
> eth0 192.168.148.0/24

Assuming that eth1 is up when shorewall [re]starts, all you needed was:

eth0 eth1

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
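Tom's advice only works if /etc/shorewall/hosts and the kernel routing table agree about which networks sit behind eth1, and with nine hand-typed entries that is easy to get wrong. As an added example (not from the thread or the Shorewall project), this Python script parses the `ip route` output and hosts file quoted above and reports mismatches in both directions; it assumes one network per hosts line with no comma lists, and it also accepts a single aggregate entry such as 192.168.0.0/16 as covering the routed /24s.

```python
import ipaddress
import re
# Constructed sample input, copied from the `ip route` output and hosts file quoted above.
ROUTES = """\
192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0
"""
HOSTS = """\
#ZONE HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.2.0/24
loc eth1:192.168.140.0/24
loc eth1:192.168.142.0/24
loc eth1:192.168.143.0/24
loc eth1:192.168.145.0/24
loc eth1:192.168.146.0/24
loc eth1:192.168.147.0/24
loc eth1:192.168.148.0/24
"""

def routed_via(text, iface):
    """Destination networks that `ip route` sends out of iface (default route skipped)."""
    nets = set()
    for line in text.splitlines():
        m = re.match(r"(\S+)\s.*\bdev\s+(\S+)", line)
        if m and m.group(1) != "default" and m.group(2) == iface:
            nets.add(ipaddress.ip_network(m.group(1)))
    return nets

def listed_in_hosts(text, iface):
    """Networks that /etc/shorewall/hosts assigns to iface (comments and blank lines skipped)."""
    rows = [l.split() for l in text.splitlines() if l.split() and not l.lstrip().startswith("#")]
    return {ipaddress.ip_network(net) for dev, net in (r[1].split(":", 1) for r in rows) if dev == iface}

def audit(routes_text, hosts_text, iface="eth1"):
    """Return (unrouted, unlisted): hosts nets with no route via iface, and routed nets no hosts entry covers."""
    routed, listed = routed_via(routes_text, iface), listed_in_hosts(hosts_text, iface)
    unrouted = sorted(str(n) for n in listed if not any(n.overlaps(r) for r in routed))
    unlisted = sorted(str(r) for r in routed if not any(r.subnet_of(n) for n in listed))
    return unrouted, unlisted
```

Run `audit(ROUTES, HOSTS)` against the quoted configuration and both lists come back empty; drop or mistype one hosts entry and the missing or stray network is named.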
