Tom Eastep wrote:
> lounds wrote:
>> Hello everyone! I am a relative newbie to Shorewall, but have been
>> fruitlessly trying to get two "local zones" that cannot access
>> each other. My Shorewall box is maxed out with 4 NICs, so I cannot
>> just add another NIC.
>>
>> http://www.shorewall.net/Multiple_Zones.html#Parallel
>>
>> I have a wireless router that is connected via its WAN port to the
>> switch that is connected to eth5 on my Shorewall box.
>>
>> I have followed the steps precisely, and yet I can ping, access port
>> 80 on certain machines in the local zone, access a samba share, etc --
>> it is like I am not even behind another router at all!
>>
>> # shorewall version
>> 4.0.6
>
> -shell or -perl?
>
>> # ip addr show
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>     link/ether 00:50:8b:30:3b:10 brd ff:ff:ff:ff:ff:ff
>>     inet 69.130.0.110/29 brd 69.130.0.111 scope global eth0
>>     inet6 fe80::250:8bff:fe30:3b10/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>     link/ether 00:02:b3:45:fe:db brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.99.1/24 brd 192.168.99.255 scope global eth3
>>     inet6 fe80::202:b3ff:fe45:fedb/64 scope link
>>        valid_lft forever preferred_lft forever
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>     link/ether 00:08:c7:3b:1a:cc brd ff:ff:ff:ff:ff:ff
>>     inet 69.41.11.39/27 brd 69.41.11.63 scope global eth2
>>     inet 69.41.11.42/27 brd 69.41.11.63 scope global secondary eth2:1
>>     inet 69.41.11.45/27 brd 69.41.11.63 scope global secondary eth2:2
>>     inet 69.41.11.46/27 brd 69.41.11.63 scope global secondary eth2:3
>>     inet 69.41.11.47/27 brd 69.41.11.63 scope global secondary eth2:4
>>     inet 69.41.11.48/27 brd 69.41.11.63 scope global secondary eth2:5
>>     inet 69.41.11.43/27 brd 69.41.11.63 scope global secondary eth2:6
>>     inet 69.41.11.49/27 brd 69.41.11.63 scope global secondary eth2:7
>>     inet6 fe80::208:c7ff:fe3b:1acc/64 scope link
>>        valid_lft forever preferred_lft forever
>> 5: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>>     link/ether 00:50:8b:5c:f5:a1 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.168.1/24 brd 192.168.168.255 scope global eth5
>>     inet6 fe80::250:8bff:fe5c:f5a1/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>> eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local
>> network, into which the wireless router (via the WAN port) is plugged.
>> I gave it a static IP (192.168.168.13) and it is handing out IPs
>> via DHCP 192.168.2.0/24
>>
>
> Okay -- I assume then that this wireless router is doing
> SNAT/Masquerade; so your Shorewall box *will never* pass packets with
> addresses in the 192.168.2.0/24 range.
>
>> # ip route show
>> 69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
>> 69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
>> 192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
>> 192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
>> 169.254.0.0/16 dev eth3 scope link metric 1000
>> default
>>     nexthop via 69.130.0.105 dev eth0 weight 1
>>     nexthop via 69.41.11.33 dev eth2 weight 1
>>
>
> See? You don't even have a route to 192.168.2.0/24!
>
>> # cat /etc/shorewall/hosts (comments removed)
>> loc eth5:192.168.168.0/24
>> loc2 eth5:192.168.2.0/24
>
> So the definition of loc2 is completely silly. It should be
> eth5:192.168.168.13.
>
> Now, loc2 will be a sub-zone of loc and you will need to follow the
> Nested example rather than the Parallel one.

Or, you can turn off NAT in your wireless router. But if you do, you need to update your routing on the firewall.

-Tom

--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
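The nested layout Tom points to, written out as an added illustration (it is not from the thread or from the Shorewall documentation); it assumes Shorewall 4.0 file syntax, the addresses from the post, a zone named `dmz` for eth3, and that the wireless router keeps masquerading behind 192.168.168.13:

```text
# /etc/shorewall/zones  -- loc2 is declared as a sub-zone of loc
#ZONE       TYPE       OPTIONS
fw          firewall
net         ipv4
dmz         ipv4
loc         ipv4
loc2:loc    ipv4

# /etc/shorewall/interfaces  -- loc goes back to being the whole of eth5
# (the Parallel setup had "- eth5" here and defined both zones in hosts)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
net     eth2        detect
dmz     eth3        detect
loc     eth5        detect

# /etc/shorewall/hosts  -- the only address the firewall ever sees from
# the wireless side is the router's WAN address, so that is what loc2 is
#ZONE   HOST(S)                 OPTIONS
loc2    eth5:192.168.168.13

# /etc/shorewall/policy  -- Shorewall evaluates a sub-zone's policies
# before the parent's, so these loc2 lines win for 192.168.168.13
#SOURCE   DEST    POLICY    LOG LEVEL
loc2      loc     DROP      info
loc       loc2    DROP      info
loc2      net     ACCEPT
loc       net     ACCEPT
net       all     DROP      info
all       all     REJECT    info
```

This only governs traffic that actually traverses the Shorewall box; 192.168.168.13 and the other hosts on the eth5 switch are one broadcast domain and reach each other directly, so the two loc2/loc DROP lines take effect only for flows the firewall routes (for example, out to net).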
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
