Hello all,

We are looking to retire our ancient PIX box at the colo and replace it with Shorewall, which we've been successfully using (along with OpenVPN) at the headquarters for quite a while.

However, I'm missing something basic in the config. I have the base configuration set up, but cannot seem to get our routed IPs to be picked up.

Here is the basic config:

We have a block of addresses, 66.x.x.128/28, which are routed through 64.x.x.150/29.

I set up eth0 to be the 64.x.x.150 address, with the gateway of 64.x.x.145
I set up eth1 to be 192.168.x.1

In /etc/shorewall/zones, I set up three zones:
loc
net
net1

in /etc/shorewall/interfaces, I defined:
loc eth1
net eth0

in /etc/shorewall/hosts, I defined:
net1 eth0:66.x.x.128/28

in /etc/shorewall/masq, I defined:
eth1 eth0

With this setup, I can get out to the internet from the 192.168.x.x network. However, I'm missing something with the routed IPs. I can't seem to figure out how to define them on the server so that Shorewall can use them and then later set up DNAT definitions from the 66.x.x.128 network to the 192.168.x.x network.

I apologize if I left anything out, or if this doesn't make much sense. I've been working on this for a while, and just got done poring over the documentation. Any tips or info is much appreciated. Thanks!

Greg Gowins

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Greg Gowins wrote:

> However, I'm missing something basic in the config. I have the base
> configuration set up, but cannot seem to get our routed IPs to be
> picked up.
>
> Here is the basic config:
>
> We have a block of addresses, 66.x.x.128/28, which are routed
> through 64.x.x.150/29.
>
> I set up eth0 to be the 64.x.x.150 address, with the gateway of 64.x.x.145
> I set up eth1 to be 192.168.x.1

The usual way would be to set eth1 to be an IP in the 66.x.x.128/28 block (eg 66.x.x.129). You then give your servers IPs in the public block and don't use NAT at all.

I know some will disagree, but personally if I have the opportunity to use real addresses and avoid NAT then I'll do so - it saves a lot of problems that NAT causes.

-- 
Simon Hobson

WANTED: "Software CD ROM Kit" for Canon CLBP 360-PS printer (Canon part no RH6-3612, or possibly RH6-3810, or RH6-3610 might do). I've a dead HD and need this CD so I can replace the disk and re-install the printer OS on it. This is NOT the same thing as the printer drivers to load on the computer - there's no problem there. If anyone knows where I might get hold of one I'd be grateful - requests to Canon drew a blank, it's been out of support for years. Alternatively, if anyone has one of these and would let me image their hard disk ...

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Thu, Mar 11, 2010 at 6:30 AM, Greg Gowins <eric.t.cartman@gmail.com> wrote:

> in /etc/shorewall/interfaces, I defined:
> loc eth1
> net eth0

Shouldn't you set something like this:

- eth0

http://shorewall.net/4.0/manpages/shorewall-interfaces.html

If the interface serves multiple zones that will be defined in the shorewall-hosts(5) file, you should place "-" in this column.

Regards,
Vlado
Yep, I didn't make much sense. Shouldn't have tried to do this at the end of a long day.

Found the answers I was looking for in the Aliased Interfaces section.

Greg

On Wed, Mar 10, 2010 at 11:30 PM, Greg Gowins <eric.t.cartman@gmail.com> wrote:

> Hello all,
>
> We are looking to retire our ancient PIX box at the colo and replace it
> with Shorewall, which we've been successfully using (along with OpenVPN) at
> the headquarters for quite a while.
>
> However, I'm missing something basic in the config. I have the base
> configuration set up, but cannot seem to get our routed IPs to be picked up.
>
> Here is the basic config:
>
> We have a block of addresses, 66.x.x.128/28, which are routed through
> 64.x.x.150/29.
>
> I set up eth0 to be the 64.x.x.150 address, with the gateway of 64.x.x.145
> I set up eth1 to be 192.168.x.1
>
> In /etc/shorewall/zones, I set up three zones:
> loc
> net
> net1
>
> in /etc/shorewall/interfaces, I defined:
> loc eth1
> net eth0
>
> in /etc/shorewall/hosts, I defined:
> net1 eth0:66.x.x.128/28
>
> in /etc/shorewall/masq, I defined:
> eth1 eth0
>
> With this setup, I can get out to the internet from the 192.168.x.x
> network. However, I'm missing something with the routed IPs. I can't seem
> to figure out how to define them on the server so that Shorewall can use
> them and then later set up DNAT definitions from the 66.x.x.128 network to
> the 192.168.x.x network.
>
> I apologize if I left anything out, or if this doesn't make much sense.
> I've been working on this for a while, and just got done poring over the
> documentation. Any tips or info is much appreciated. Thanks!
>
> Greg Gowins
Greg Gowins wrote:

> Hello all,
>
> We are looking to retire our ancient PIX box at the colo and replace it
> with Shorewall, which we've been successfully using (along with OpenVPN)
> at the headquarters for quite a while.
>
> However, I'm missing something basic in the config. I have the base
> configuration set up, but cannot seem to get our routed IPs to be picked up.
>
> Here is the basic config:
>
> We have a block of addresses, 66.x.x.128/28, which are routed through
> 64.x.x.150/29.
>
> I set up eth0 to be the 64.x.x.150 address, with the gateway of 64.x.x.145
> I set up eth1 to be 192.168.x.1
>
> In /etc/shorewall/zones, I set up three zones:
> loc
> net
> net1
>
> in /etc/shorewall/interfaces, I defined:
> loc eth1
> net eth0
>
> in /etc/shorewall/hosts, I defined:
> net1 eth0:66.x.x.128/28
>
> in /etc/shorewall/masq, I defined:
> eth1 eth0
>
> With this setup, I can get out to the internet from the 192.168.x.x
> network. However, I'm missing something with the routed IPs. I can't
> seem to figure out how to define them on the server so that Shorewall
> can use them and then later set up DNAT definitions from the 66.x.x.128
> network to the 192.168.x.x network.

a) Get rid of the net1 zone.

b) Replace your masq entry with:

eth1 192.168.x.0/y #whatever your internal net is.

You're done. There is no need to define the /28 addresses on the firewall at all given that the /28 is routed via the 66.x.x.150 address.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
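The two replies above make two separate points about the posted configuration: Vlado's, that an interface carrying more than one zone via shorewall-hosts(5) should have "-" in the ZONE column of shorewall-interfaces(5), and Tom's, that the routed /28 needs no address on the firewall and that the masq entry should name the internal subnet. The following added example is not from the thread or from the Shorewall project; it is a small Python linter that applies both checks to constructed copies of the poster's files (RFC 5737 documentation addresses stand in for the masked 66.x.x.x and 64.x.x.x blocks) and renders the shorewall-rules(5) DNAT lines the poster wanted, in the documented column order ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST. The zone names, interface names and the 192.168.1.0/24 subnet are assumptions for the sample.

```python
"""Added example (not from the thread): lint a minimal Shorewall config for the
two problems raised in the replies and render the DNAT rules the poster wanted.
All sample files below are constructed; 203.0.113.128/28 stands in for the
masked 66.x.x.128/28 block of the original post."""
import ipaddress
from typing import Dict, List, Tuple

# --- constructed sample files mirroring the poster's layout ------------------
ZONES = """
fw   firewall
net  ipv4
loc  ipv4
net1 ipv4
"""
INTERFACES = """
#ZONE  INTERFACE  BROADCAST
loc    eth1       detect
net    eth0       detect
"""
HOSTS_AS_POSTED = """
#ZONE  HOST(S)
net1   eth0:203.0.113.128/28
"""
MASQ_AS_POSTED = """
#INTERFACE  SOURCE
eth1        eth0
"""
# Shape suggested in the replies: no net1/hosts entry, masq with the outgoing
# (Internet-facing) interface first and the internal subnet as SOURCE.
HOSTS_FIXED = ""
MASQ_FIXED = """
#INTERFACE  SOURCE
eth0        192.168.1.0/24
"""


def parse(text: str) -> List[List[str]]:
    """Split a Shorewall table into whitespace-separated columns, dropping
    comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lint(zones: str, interfaces: str, hosts: str, masq: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    findings: List[str] = []
    zone_names = {r[0] for r in parse(zones)}
    iface_zone: Dict[str, str] = {r[1]: r[0] for r in parse(interfaces)}
    net_ifaces = {i for i, z in iface_zone.items() if z == "net"}

    # 1. hosts(5) puts a second zone on an interface that interfaces(5) has
    #    already bound to a named zone: the ZONE column there should be "-".
    for r in parse(hosts):
        zone, iface = r[0], r[1].split(":", 1)[0]
        if zone not in zone_names:
            findings.append(f"hosts: zone {zone} is not declared in zones")
        if iface not in iface_zone:
            findings.append(f"hosts: {iface} is not listed in interfaces")
        elif iface_zone[iface] not in ("-", zone):
            findings.append(
                f"hosts: {iface} carries zone {zone} here but interfaces binds it "
                f"to {iface_zone[iface]}; put '-' in the ZONE column of interfaces"
            )

    # 2. masq(5) columns: INTERFACE is the outgoing (Internet-facing) interface,
    #    SOURCE is the internal subnet or interface whose traffic is masqueraded.
    for r in parse(masq):
        out_if, source = r[0], r[1]
        if out_if not in net_ifaces:
            findings.append(
                f"masq: INTERFACE column is {out_if}, which is not a net-zone "
                f"interface; the columns look reversed"
            )
        if source in net_ifaces:
            findings.append(f"masq: SOURCE {source} is the Internet-facing interface")
        elif source not in iface_zone:
            try:
                ipaddress.ip_network(source, strict=False)
            except ValueError:
                findings.append(f"masq: SOURCE {source} is neither an interface nor a subnet")
    return findings


def dnat_rules(mappings: List[Tuple[str, str, str, int]],
               net_zone: str = "net", loc_zone: str = "loc") -> List[str]:
    """Render rules(5) lines forwarding a routed public address to an internal
    host. The public /28 needs no address on the firewall: the upstream routes
    it to eth0, so the packets already arrive at the DNAT chain."""
    lines = []
    for public_ip, internal_ip, proto, port in mappings:
        ipaddress.ip_address(public_ip)    # fail early on typos
        ipaddress.ip_address(internal_ip)
        lines.append(f"DNAT {net_zone} {loc_zone}:{internal_ip} {proto} {port} - {public_ip}")
    return lines


if __name__ == "__main__":
    for msg in lint(ZONES, INTERFACES, HOSTS_AS_POSTED, MASQ_AS_POSTED):
        print("as posted:", msg)
    print("fixed:", lint(ZONES, INTERFACES, HOSTS_FIXED, MASQ_FIXED) or "clean")
    print("\n".join(dnat_rules([("203.0.113.130", "192.168.1.10", "tcp", 80)])))
```

Run against the as-posted files the linter reports the net1-on-eth0 conflict and both halves of the reversed masq entry; against the corrected files it reports nothing. The rendered rule forwards port 80 on one routed public address to one internal host; add one line per service, and leave the /28 unconfigured on the firewall as Tom describes.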
Simon Hobson wrote:

> Greg Gowins wrote:
>
>> However, I'm missing something basic in the config. I have the base
>> configuration set up, but cannot seem to get our routed IPs to be
>> picked up.
>>
>> Here is the basic config:
>>
>> We have a block of addresses, 66.x.x.128/28, which are routed
>> through 64.x.x.150/29.
>>
>> I set up eth0 to be the 64.x.x.150 address, with the gateway of 64.x.x.145
>> I set up eth1 to be 192.168.x.1
>
> The usual way would be to set eth1 to be an IP in the 66.x.x.128/28
> block (eg 66.x.x.129). You then give your servers IPs in the public
> block and don't use NAT at all.
>
> I know some will disagree, but personally if I have the opportunity
> to use real addresses and avoid NAT then I'll do so - it saves a lot
> of problems that NAT causes.

I was also going to make that suggestion but suspected that Greg was planning to use NAT because that's what the PIX is doing. If not, then I certainly second Simon's suggestion.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________