lounds wrote:

> Hello everyone! I am a relative newbie to Shorewall, but have been
> fruitlessly trying to get two "local zones" that cannot access
> each other. My Shorewall box is maxed out with 4 NICs, so I cannot
> just add another NIC.
>
> http://www.shorewall.net/Multiple_Zones.html#Parallel
>
> I have a wireless router that is connected via its WAN port to the
> switch that is connected to eth5 on my Shorewall box.
>
> I have followed the steps precisely, and yet I can ping, access port
> 80 on certain machines in the local zone, access a samba share, etc --
> it is like I am not even behind another router at all!
>
> # shorewall version
> 4.0.6

-shell or -perl?

> # ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:50:8b:30:3b:10 brd ff:ff:ff:ff:ff:ff
>     inet 69.130.0.110/29 brd 69.130.0.111 scope global eth0
>     inet6 fe80::250:8bff:fe30:3b10/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:02:b3:45:fe:db brd ff:ff:ff:ff:ff:ff
>     inet 192.168.99.1/24 brd 192.168.99.255 scope global eth3
>     inet6 fe80::202:b3ff:fe45:fedb/64 scope link
>        valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:08:c7:3b:1a:cc brd ff:ff:ff:ff:ff:ff
>     inet 69.41.11.39/27 brd 69.41.11.63 scope global eth2
>     inet 69.41.11.42/27 brd 69.41.11.63 scope global secondary eth2:1
>     inet 69.41.11.45/27 brd 69.41.11.63 scope global secondary eth2:2
>     inet 69.41.11.46/27 brd 69.41.11.63 scope global secondary eth2:3
>     inet 69.41.11.47/27 brd 69.41.11.63 scope global secondary eth2:4
>     inet 69.41.11.48/27 brd 69.41.11.63 scope global secondary eth2:5
>     inet 69.41.11.43/27 brd 69.41.11.63 scope global secondary eth2:6
>     inet 69.41.11.49/27 brd 69.41.11.63 scope global secondary eth2:7
>     inet6 fe80::208:c7ff:fe3b:1acc/64 scope link
>        valid_lft forever preferred_lft forever
> 5: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:50:8b:5c:f5:a1 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.168.1/24 brd 192.168.168.255 scope global eth5
>     inet6 fe80::250:8bff:fe5c:f5a1/64 scope link
>        valid_lft forever preferred_lft forever
>
> eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local
> network, into which the wireless router (via the WAN port) is plugged.
> I gave it a static IP (192.168.168.13) and it is handing out IPs
> via DHCP 192.168.2.0/24

Okay -- I assume then that this wireless router is doing SNAT/Masquerade; so your Shorewall box *will never* pass packets with addresses in the 192.168.2.0/24 range.

> # ip route show
> 69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
> 69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
> 192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
> 192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
> 169.254.0.0/16 dev eth3 scope link metric 1000
> default
>     nexthop via 69.130.0.105 dev eth0 weight 1
>     nexthop via 69.41.11.33 dev eth2 weight 1

See? You don't even have a route to 192.168.2.0/24!

> # cat /etc/shorewall/hosts (comments removed)
> loc eth5:192.168.168.0/24
> loc2 eth5:192.168.2.0/24

So the definition of loc2 is completely silly. It should be eth5:192.168.168.13. Now, loc2 will be a sub-zone of loc and you will need to follow the Nested example rather than the Parallel one.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
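The diagnosis above comes down to two checks a firewall administrator can make mechanically: does every zone's address range actually have a route on the interface the hosts file names it on, and does one zone's range sit inside another zone's range on the same interface (the nested case). The following Python script is an added illustration, not code from this thread or from the Shorewall project. It parses the two-column part of a Shorewall hosts file and the connected routes from `ip route show`, using the routing table and both hosts-file variants quoted above as constructed sample input; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the routing table from the thread, as printed by
# `ip route show`. The multipath default route spans three lines.
IP_ROUTE_SHOW = """\
69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
169.254.0.0/16 dev eth3 scope link metric 1000
default
    nexthop via 69.130.0.105 dev eth0 weight 1
    nexthop via 69.41.11.33 dev eth2 weight 1
"""

# Constructed sample input: the hosts file as posted (broken) and as corrected.
HOSTS_ORIGINAL = """\
# ZONE  HOST(S)
loc  eth5:192.168.168.0/24
loc2 eth5:192.168.2.0/24
"""

HOSTS_FIXED = """\
loc  eth5:192.168.168.0/24
loc2 eth5:192.168.168.13
"""


def parse_routes(text):
    """Map interface -> list of networks reachable directly on it.

    'default' and 'nexthop' lines are skipped: a default route says nothing
    about which interface a private subnet is expected to arrive on."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("default", "nexthop") or parts[1] != "dev":
            continue
        net = ipaddress.ip_network(parts[0], strict=False)
        routes.setdefault(parts[2], []).append(net)
    return routes


def parse_hosts(text):
    """Return (zone, interface, network) tuples from a Shorewall hosts file.

    Comments and blank lines are ignored; only the ZONE and HOST(S) columns
    are read, and a bare address is treated as a /32."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, hosts = line.split()[:2]
        iface, addr = hosts.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(addr, strict=False)))
    return entries


def unroutable_zones(routes, entries):
    """Zones whose range is not inside any route on the interface they name.

    Traffic from such a range cannot be matched into the zone: behind a
    NAT router the firewall only ever sees the router's own address."""
    bad = []
    for zone, iface, net in entries:
        if not any(net.subnet_of(r) for r in routes.get(iface, [])):
            bad.append(zone)
    return bad


def nested_zones(entries):
    """(inner, outer) pairs where inner's range lies strictly inside outer's
    on the same interface. That is the situation Shorewall's Nested-zone
    example covers rather than the Parallel one."""
    pairs = []
    for zi, ii, ni in entries:
        for zo, io, no in entries:
            if zi != zo and ii == io and ni != no and ni.subnet_of(no):
                pairs.append((zi, zo))
    return pairs


if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE_SHOW)
    for label, hosts in (("original", HOSTS_ORIGINAL), ("fixed", HOSTS_FIXED)):
        entries = parse_hosts(hosts)
        print(label, "unroutable:", unroutable_zones(routes, entries),
              "nested:", nested_zones(entries))
```

Run against the posted hosts file the script reports loc2 as unroutable and no nesting; against the corrected file it reports nothing unroutable and the pair (loc2, loc), which is the cue to switch from the Parallel layout to the Nested one.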
