Stephen Brown wrote:
>> I didn't even add a static route. I've a similar setup (Netgear
>> DM111P) and the only thing I've had to do is add a rule to allow the
>> traffic to that IP address (otherwise it gets blocked by all the
>> RFC1918 rules). The modem knows that to reach my public IP it has to
>> send the traffic to my interface rather than out the WAN I/F - no
>> exceptions to NAT or anything.
>
> How would I go about setting this up? Can you provide some sample syntax?

I'm having different results on my DSL modem in bridged mode. Its IP
address is 192.168.1.1 and here is what I did:

    ip addr add 192.168.1.254/24 dev eth2
    ip route add 192.168.1.1/32 dev eth2 src 192.168.1.254

(If I wanted this to be permanent, I would add those to my distro's
network configuration).

eth2 is, of course, the firewall interface connected to the modem.

I'm running Shorewall 4.4+ so the RFC1918 rules that Simon mentions don't
apply. I have NULL_ROUTE_RFC1918=Yes but the above route overrides that
setting for 192.168.1.1.

I also found that I had to insert this into /etc/shorewall/masq, just to
be able to ping the modem from the firewall:

    eth2:192.168.1.1        0.0.0.0/0               192.168.1.254

That was necessary because of another masq rule which was altering the
source IP address:

    eth2                    !206.124.146.0/24       206.124.146.179

You may need to add additional rules to handle the specific traffic that
you mention in your post.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
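
The masq ordering described in the message above, as an added example that is not part of the original post and not Shorewall's own code: a simplified Python model of first-match SNAT over the two quoted masq entries, showing which source address a ping from 192.168.1.254 to the modem leaves eth2 with. It assumes rules are evaluated top to bottom with the first match winning, and it parses only the three columns used in the message.

```python
import ipaddress

# The two /etc/shorewall/masq entries quoted in the message, with the
# modem-specific entry placed first.
MASQ = """\
eth2:192.168.1.1   0.0.0.0/0            192.168.1.254
eth2               !206.124.146.0/24    206.124.146.179
"""

def parse_masq(text):
    """Parse 'INTERFACE[:DEST]  SOURCE  ADDRESS' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface_dest, source, address = line.split()[:3]
        iface, _, dest = iface_dest.partition(":")
        rules.append({
            "iface": iface,
            "dest": ipaddress.ip_network(dest) if dest else None,
            "negate": source.startswith("!"),   # '!' inverts the source match
            "source": ipaddress.ip_network(source.lstrip("!")),
            "snat": ipaddress.ip_address(address),
        })
    return rules

def snat_source(rules, out_iface, src, dst):
    """Source address on the wire after the first matching rule (else unchanged)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != out_iface:
            continue
        if r["dest"] is not None and dst not in r["dest"]:
            continue
        if (src in r["source"]) == r["negate"]:
            continue                            # source column did not match
        return r["snat"]
    return src

if __name__ == "__main__":
    both = parse_masq(MASQ)
    general_only = both[1:]                     # masq file before the insert
    for label, rules in (("general rule only", general_only), ("with modem rule", both)):
        seen = snat_source(rules, "eth2", "192.168.1.254", "192.168.1.1")
        print(f"{label}: modem sees ping from {seen}")
```

With only the general entry, the ping leaves eth2 rewritten to 206.124.146.179; with the modem entry ahead of it, the source stays 192.168.1.254.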