I'm running Shorewall 4.4.0 on a two NIC system. eth0 is facing the internet on a DSL circuit, and eth1 is facing my local LAN.

I set up a virtual interface on eth0:0 as 192.168.2.2 to be able to access the modem configuration; the modem's address is 192.168.2.1. I'm able to get to it ok, but I am having some trouble enabling a few services, specifically NTP and SNMP (the modem supports both).

I've read over http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html but I'm just not real clear on how to accomplish what I am wanting to do. Basically:

- I have ntpd running on the same box as shorewall, I want the aliased interface to be able to reach ntpd on UDP port 123
- I want the aliased interface to be able to reach another box on my LAN for SNMP services
- I would also like to enable syslog at some point

I have been pecking around but can't seem to find anything that works, so I must not be doing something right.

Don't think it matters, but I should also note that the modem is in bridge mode.

Thanks,
Stephen

------------------------------------------------------------------------------
Return on Information: Google Enterprise Search pays you back. Get the facts.
http://p.sf.net/sfu/google-dev2dev
Stephen Brown wrote:
> I'm running Shorewall 4.4.0 on a two NIC system. eth0 is facing the
> internet on a DSL circuit, and eth1 is facing my local LAN.
>
> I set up a virtual interface on eth0:0 as 192.168.2.2 to be able to
> access the modem configuration; the modem's address is 192.168.2.1. I'm
> able to get to it ok, but I am having some trouble enabling a few
> services, specifically NTP and SNMP (the modem supports both)

Why on earth would you need to use an aliased interface for that? It sounds like you are just complicating things unnecessarily.

What happens if you try accessing the modem without the aliased interface?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
I can't, hence the reason I set up an aliased interface. My LAN is set up for 192.168.1.x and the modem is 192.168.2.1. I can't think of any other way to do it unless I create a static route maybe?

Open to suggestions :)

Thanks,
Stephen

On 12/13/09 8:01 PM, Roberto C. Sanchez wrote:
> Why on earth would you need to use an aliased interface for that? It
> sounds like you are just complicating things unnecessarily.
>
> What happens if you try accessing the modem without the aliased interface?
>
> Regards,
>
> -Roberto
Stephen Brown wrote:
> I can't, hence the reason I set up an aliased interface. My LAN is set up
> for 192.168.1.x and the modem is 192.168.2.1. I can't think of any other
> way to do it unless I create a static route maybe?
>
> Open to suggestions :)

That's what I've done when I had a DSL modem that I needed to access like you are describing. A single route is far less complex than using aliased interfaces.

Regards,

-Roberto
Roberto C. Sanchez wrote:
>> I can't, hence the reason I set up an aliased interface. My LAN is set up
>> for 192.168.1.x and the modem is 192.168.2.1. I can't think of any other
>> way to do it unless I create a static route maybe?
>>
>> Open to suggestions :)
>
> That's what I've done when I had a DSL modem that I needed to access
> like you are describing. A single route is far less complex than using
> aliased interfaces.

I didn't even add a static route. I've a similar setup (Netgear DM111P) and the only thing I've had to do is add a rule to allow the traffic to that IP address (otherwise it gets blocked by all the RFC1918 rules). The modem knows that to reach my public IP it has to send the traffic to my interface rather than out the WAN I/F - no exceptions to NAT or anything.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
> I didn't even add a static route. I've a similar setup (Netgear
> DM111P) and the only thing I've had to do is add a rule to allow the
> traffic to that IP address (otherwise it gets blocked by all the
> RFC1918 rules). The modem knows that to reach my public IP it has to
> send the traffic to my interface rather than out the WAN I/F - no
> exceptions to NAT or anything.

How would I go about setting this up? Can you provide some sample syntax?

Thanks,
Stephen
Stephen Brown wrote:
>> I didn't even add a static route. I've a similar setup (Netgear
>> DM111P) and the only thing I've had to do is add a rule to allow the
>> traffic to that IP address (otherwise it gets blocked by all the
>> RFC1918 rules). The modem knows that to reach my public IP it has to
>> send the traffic to my interface rather than out the WAN I/F - no
>> exceptions to NAT or anything.
>
> How would I go about setting this up? Can you provide some sample syntax?

Little really to set up!

In shorewall.conf I have "RFC1918_STRICT=No"

In rules I have

# RFC1918
ACCEPT  net:192.168.x.0/24  $FW
ACCEPT  net:192.168.x.0/24  loc
ACCEPT  loc                 net:192.168.x.0/24
DROP    net:10.0.0.0/8      $FW
DROP    net:172.16.0.0/12   $FW
DROP    net:192.168.0.0/16  $FW
DROP    net:10.0.0.0/8      loc
DROP    net:172.16.0.0/12   loc
DROP    net:192.168.0.0/16  loc
DROP    all                 net:10.0.0.0/8
DROP    all                 net:172.16.0.0/12
DROP    all                 net:192.168.0.0/16

These rules are simply the rules for dropping RFC1918 traffic that should never either come from or go out to the internet. The only additions are rules to allow traffic to/from the router - they could do with being a bit more specific since I only really need HTTP, Telnet, and Ping access to the router's address (192.168.x.1). They could probably be narrowed down to:

# RFC1918
ACCEPT          net:192.168.x.1     $FW                 udp  67-68
HTTP(ACCEPT)    loc                 net:192.168.x.1
Telnet(ACCEPT)  loc                 net:192.168.x.1
Ping(ACCEPT)    loc                 net:192.168.x.1
DROP            net:10.0.0.0/8      all
DROP            net:172.16.0.0/12   all
DROP            net:192.168.0.0/16  all
DROP            all                 net:10.0.0.0/8
DROP            all                 net:172.16.0.0/12
DROP            all                 net:192.168.0.0/16

--
Simon Hobson
I wrote:
> They could probably be narrowed down to:
> # RFC1918
> ACCEPT          net:192.168.x.1     $FW                 udp  67-68
> HTTP(ACCEPT)    loc                 net:192.168.x.1
> Telnet(ACCEPT)  loc                 net:192.168.x.1
> Ping(ACCEPT)    loc                 net:192.168.x.1
> DROP            net:10.0.0.0/8      all
> DROP            net:172.16.0.0/12   all
> DROP            net:192.168.0.0/16  all
> DROP            all                 net:10.0.0.0/8
> DROP            all                 net:172.16.0.0/12
> DROP            all                 net:192.168.0.0/16

Oops, there's a line missing there:

ACCEPT  net:192.168.x.1  $FW              udp  67-68
ACCEPT  $FW              net:192.168.x.1  udp  67-68

That's for DHCP between firewall and modem.

--
Simon Hobson
Stephen Brown wrote:
>> I didn't even add a static route. I've a similar setup (Netgear
>> DM111P) and the only thing I've had to do is add a rule to allow the
>> traffic to that IP address (otherwise it gets blocked by all the
>> RFC1918 rules). The modem knows that to reach my public IP it has to
>> send the traffic to my interface rather than out the WAN I/F - no
>> exceptions to NAT or anything.
>
> How would I go about setting this up? Can you provide some sample syntax?

I'm having different results on my DSL modem in bridged mode. Its IP address is 192.168.1.1 and here is what I did:

ip addr add 192.168.1.254/24 dev eth2
ip route add 192.168.1.1/32 dev eth2 src 192.168.1.254

(If I wanted this to be permanent, I would add those to my distro's network configuration.) eth2 is, of course, the firewall interface connected to the modem.

I'm running Shorewall 4.4+ so the RFC1918 rules that Simon mentions don't apply. I have NULL_ROUTE_RFC1918=Yes but the above route overrides that setting for 192.168.1.1.

I also found that I had to insert this into /etc/shorewall/masq, just to be able to ping the modem from the firewall:

eth2:192.168.1.1  0.0.0.0/0  192.168.1.254

That was necessary because of another masq rule which was altering the source IP address:

eth2  !206.124.146.0/24  206.124.146.179

You may need to add additional rules to handle the specific traffic that you mention in your post.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
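Both fixes in this thread depend on ordering: Shorewall evaluates /etc/shorewall/rules top to bottom and the first match wins, so Simon's ACCEPT lines for the modem only work because they sit above the DROP of 192.168.0.0/16, and /etc/shorewall/masq is evaluated the same way, which is why Tom had to insert the modem-specific entry ahead of the general SNAT entry. That ordering can be checked offline before a restart of the firewall cuts off access to the modem. The following is an added example written for this page, not code from any of the posters or from the Shorewall project: a small Python simulator that parses rule and masq fragments in Shorewall's column layout and reports which entry a given packet hits first, plus a check for ACCEPT rules that an earlier DROP shadows completely. It expands only the handful of standard macros listed in MACROS, treats zones purely by name, and uses a constructed configuration for Stephen's layout (modem 192.168.2.1 reached through the 192.168.2.2 alias on eth0, with the assumed documentation block 203.0.113.0/27 standing in for the masked public address); none of it is taken from a live system.

```python
"""First-match simulation for Shorewall rules and masq fragments (added example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# A few of Shorewall's standard macros, expanded by hand for this example
# (assumption: only these are needed; the real macro files carry more detail).
MACROS = {
    "Ping":   ("icmp", (0, 65535)),
    "HTTP":   ("tcp", (80, 80)),
    "Telnet": ("tcp", (23, 23)),
    "NTP":    ("udp", (123, 123)),
    "SNMP":   ("udp", (161, 161)),
}


def _endpoint(spec):
    """'net', 'net:192.168.2.1', 'all' or '$FW' -> (zone, network)."""
    zone, _, addr = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False) if addr else ANY
    return zone, net


def _ports(spec):
    """'123' or '67-68' -> inclusive (low, high); '-' or missing -> all ports."""
    if spec in ("", "-"):
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def _zone_ok(rule_zone, pkt_zone):
    return rule_zone in ("all", pkt_zone)


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO] [DPORT]' lines, expanding MACROS."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        action = f[0]
        if action.endswith(")"):                       # e.g. Ping(ACCEPT)
            macro, action = action[:-1].split("(")
            proto, ports = MACROS[macro]
        else:
            proto = f[3].lower() if len(f) > 3 and f[3] != "-" else None
            ports = _ports(f[4]) if len(f) > 4 else (0, 65535)
        rules.append((action, _endpoint(f[1]), _endpoint(f[2]), proto, ports))
    return rules


def first_rule_match(rules, src_zone, src_ip, dst_zone, dst_ip, proto, port=0):
    """(index, action) of the first rule the packet hits, or None (policy applies)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, (sz, sn), (dz, dn), rproto, rports) in enumerate(rules):
        if not (_zone_ok(sz, src_zone) and _zone_ok(dz, dst_zone)):
            continue
        if src not in sn or dst not in dn:
            continue
        if rproto and (rproto != proto or not rports[0] <= port <= rports[1]):
            continue
        return i, action
    return None


def shadowed_accepts(rules):
    """Indices of ACCEPT rules that an earlier DROP/REJECT covers completely."""
    out = []
    for i, (action, (sz, sn), (dz, dn), proto, ports) in enumerate(rules):
        if action != "ACCEPT":
            continue
        for act2, (sz2, sn2), (dz2, dn2), proto2, ports2 in rules[:i]:
            if act2 not in ("DROP", "REJECT"):
                continue
            if not (_zone_ok(sz2, sz) and _zone_ok(dz2, dz)):
                continue
            if not (sn.subnet_of(sn2) and dn.subnet_of(dn2)):
                continue
            if proto2 and (proto2 != proto or not ports2[0] <= ports[0] <= ports[1] <= ports2[1]):
                continue
            out.append(i)
            break
    return out


def parse_masq(text):
    """Parse 'INTERFACE[:DEST] SOURCE ADDRESS' lines from the masq file."""
    entries = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        iface, _, dest = f[0].partition(":")
        dest_net = ipaddress.ip_network(dest, strict=False) if dest else ANY
        negate = f[1].startswith("!")                  # '!net' = every source except net
        src_net = ipaddress.ip_network(f[1].lstrip("!"), strict=False)
        entries.append((iface, dest_net, negate, src_net, f[2]))
    return entries


def masq_source(entries, iface, src_ip, dst_ip):
    """Source address a packet leaves with after the first matching masq entry."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e_iface, dest_net, negate, src_net, address in entries:
        if e_iface == iface and dst in dest_net and (src in src_net) != negate:
            return address
    return str(src)


# Constructed sample for Stephen's layout; 203.0.113.0/27 is an assumed public block.
RULES = """\
NTP(ACCEPT)   net:192.168.2.1     $FW
SNMP(ACCEPT)  net:192.168.2.1     loc:192.168.1.10
Ping(ACCEPT)  loc                 net:192.168.2.1
HTTP(ACCEPT)  loc                 net:192.168.2.1
DROP          net:192.168.0.0/16  all
DROP          all                 net:192.168.0.0/16
"""
MASQ = """\
eth0:192.168.2.1  0.0.0.0/0        192.168.2.2
eth0              !203.0.113.0/27  203.0.113.10
"""

if __name__ == "__main__":
    rules, masq = parse_rules(RULES), parse_masq(MASQ)
    print(first_rule_match(rules, "net", "192.168.2.1", "$FW", "192.168.2.2", "udp", 123))
    print(shadowed_accepts(rules), shadowed_accepts(rules[::-1]))
    print(masq_source(masq, "eth0", "192.168.2.2", "192.168.2.1"))
```

Run as-is it reports the modem's NTP query hitting rule 0 (ACCEPT), no shadowed rules in the correct order but four in the reversed order, and the firewall's own ping to the modem leaving with 192.168.2.2 as source; swap the two masq lines and masq_source returns the public address instead, which is the symptom Tom describes.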
I'm using 4.4.0, so that would make RFC1918_STRICT deprecated?

I'm just a little confused now on the network settings for the port that is attached to the DSL modem; it's on eth0.

I currently have this setup in /etc/network/interfaces (I'm running Debian 5.0 "Lenny"):

# eth0 interface facing internet
auto eth0
iface eth0 inet static
    address 76.5.159.xxx (last octet masked)
    netmask 255.255.255.224
    gateway 76.5.159.161

The DSL modem is in bridged mode, and I can't get to it unless I add an alias; this is how it is configured presently:

# virtual interface to DSL modem
auto eth0:0
iface eth0:0 inet static
    address 192.168.2.2
    netmask 255.255.255.0

For this to work correctly like you mention below, would I need to replace the static settings for eth0? I think if I do that the modem may not be aware of its static IP configuration, but I could be wrong.... Or am I completely off base altogether? :)

Thanks,
Stephen

On Tue, Dec 15, 2009 at 10:05, Tom Eastep <teastep@shorewall.net> wrote:
> I'm having different results on my DSL modem in bridged mode. Its IP
> address is 192.168.1.1 and here is what I did:
>
> ip addr add 192.168.1.254/24 dev eth2
> ip route add 192.168.1.1/32 dev eth2 src 192.168.1.254
>
> (If I wanted this to be permanent, I would add those to my distro's
> network configuration.) eth2 is, of course, the firewall interface
> connected to the modem.
>
> I'm running Shorewall 4.4+ so the RFC1918 rules that Simon mentions
> don't apply. I have NULL_ROUTE_RFC1918=Yes but the above route overrides
> that setting for 192.168.1.1.
>
> I also found that I had to insert this into /etc/shorewall/masq, just to
> be able to ping the modem from the firewall:
>
> eth2:192.168.1.1  0.0.0.0/0  192.168.1.254
>
> That was necessary because of another masq rule which was altering the
> source IP address:
>
> eth2  !206.124.146.0/24  206.124.146.179
>
> You may need to add additional rules to handle the specific traffic that
> you mention in your post.
>
> -Tom
Stephen Brown wrote:
> I'm using 4.4.0, so that would make RFC1918_STRICT deprecated?
>
> I'm just a little confused now on the network settings for the port that
> is attached to the DSL modem; it's on eth0.
>
> I currently have this setup in /etc/network/interfaces (I'm running
> Debian 5.0 "Lenny"):
>
> # eth0 interface facing internet
> auto eth0
> iface eth0 inet static
>     address 76.5.159.xxx (last octet masked)
>     netmask 255.255.255.224
>     gateway 76.5.159.161
>
> The DSL modem is in bridged mode, and I can't get to it unless I add an
> alias; this is how it is configured presently:
>
> # virtual interface to DSL modem
> auto eth0:0
> iface eth0:0 inet static
>     address 192.168.2.2
>     netmask 255.255.255.0
>
> For this to work correctly like you mention below, would I need to
> replace the static settings for eth0? I think if I do that the modem may
> not be aware of its static IP configuration, but I could be wrong....
> Or am I completely off base altogether? :)

Your modem has a different address from mine so you will have to adjust my suggestions to match your setup. The eth0:0 stanza above does the same thing as my 'ip addr add' command (except that the addresses are different). Now you need to add:

post-up ip route add 192.168.2.1 dev eth0

Where I have 192.168.1.1, you want 192.168.2.1; where I have 192.168.1.254, you want 192.168.2.2.

-Tom
Tom Eastep wrote:
> Stephen Brown wrote:
>> The DSL modem is in bridged mode, and I can't get to it unless I add an
>> alias; this is how it is configured presently:
>>
>> # virtual interface to DSL modem
>> auto eth0:0
>> iface eth0:0 inet static
>>     address 192.168.2.2
>>     netmask 255.255.255.0
>>
>> For this to work correctly like you mention below, would I need to
>> replace the static settings for eth0? I think if I do that the modem may
>> not be aware of its static IP configuration, but I could be wrong....
>> Or am I completely off base altogether? :)
>
> Your modem has a different address from mine so you will have to adjust
> my suggestions to match your setup. The eth0:0 stanza above does the
> same thing as my 'ip addr add' command (except that the addresses are
> different). Now you need to add:
>
> post-up ip route add 192.168.2.1 dev eth0

Actually, you don't need that; your eth0:0 stanza will add a net route for 192.168.2.0/24.

-Tom