Hi, I am trying to set up an ipip tunnel to another Linux router and am having serious problems. A bit of background first, though, because we may be going at this from the wrong angle.

I have a router that runs the Bering firewall off a CF flash card that is going to act as a gateway for the amateur radio AMPRNet network. Here's what I need from it. I have an internal network (192.168.1.1 etc.) and a cable broadband connection which I need to run as a normal setup (this isn't a problem as it has been working this way fine for 2 years). Added to this I have a 3rd NIC which has a fixed IP of 44.131.14.200 and is going to be a gateway for local radio hams to connect. This interface needs an ipip tunnel to another server that is connected to the rest of the 44.0.0.0/8 network. I need anyone connected to eth2 to be routed down the tunnel with no web access, and anyone on the 192 net to have access to the web and the 44 net.

I have managed to set up the interfaces and can ping from loc to fw, loc to ampr, ampr to fw etc. eth2 has access to the web server on the router but no web access, and loc can access both net and ampr, so the zones seem OK. What I need is the tunnel setup. I have read the GRE & IPIP page on the website and it mentions /etc/shorewall/tunnel which I don't have. Is there an example somewhere that shows its format? What extra zones etc. do I need?

I know there is a lot of info here and if it doesn't make sense then tell me, but any help with this is greatly appreciated.

Many thanks
Jon Aubrey de Lavenu
mm1cqo
Jon Aubrey de Lavenu wrote:

> I have read the GRE & IPIP page on the website and it mentions
> /etc/shorewall/tunnel which I don't have. Is there an example somewhere
> that shows its format?

It is available in CVS or you can download the Shorewall tarball.

> What extra zones etc. do I need?

I would think you would only need a single new zone to represent the hosts connected through the 3rd NIC.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Jon Aubrey de Lavenu wrote:
>
>>> I have read the GRE & IPIP page on the website and it mentions
>>> /etc/shorewall/tunnel which I don't have. Is there an example somewhere
>>> that shows its format?
>
> It is available in CVS or you can download the Shorewall tarball.
>
>>> What extra zones etc. do I need?
>
> I would think you would only need a single new zone to represent the
> hosts connected through the 3rd NIC.

Oh -- and you will probably need another zone to represent the rest of the 44.0.0.0/8 network (associate that zone with the tunnel interface).

-Tom
Tom,

Thanks for the reply. I have had a look at the CVS and found the tunnel example, so I will have a play with that. Here is my zone file:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local Networks
ampr    Ampr      Amprnet
vpn     VPN       Remote Network
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces:

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          dhcp,routefilter,norfc1918
loc     eth1        detect
ampr    eth2        detect
vpn     gb7imk      44.131.0.0/16
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tunnels:

# TYPE  ZONE   GATEWAY         GATEWAY ZONE   PORT
#ipip   net    212.81.15.17
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

and Policy:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       ampr   ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     ULOG
all       all    REJECT   ULOG
#
# Tunnel access
#
#ampr     vpn    ACCEPT
#vpn      ampr   ACCEPT
#fw       vpn    ACCEPT
#fw       ampr   ACCEPT
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

If I add the IP and routing details to the tunnel script, should this work?

Cheers
Jon

P.S. Does the tunnel script run automatically when Shorewall starts?
Jon Aubrey de Lavenu wrote:

> If I add the IP and routing details to the tunnel script, should this work?

Possibly -- I think you want to un-comment these two lines from the policy though:

#ampr     vpn    ACCEPT
#vpn      ampr   ACCEPT

> P.S. Does the tunnel script run automatically when Shorewall starts?

It is an init script -- goes in /etc/init.d.

-Tom
In your policy file:

> and Policy:
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> loc       ampr   ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> #fw       net    ACCEPT
> net       all    DROP     ULOG
> all       all    REJECT   ULOG
> #
> # Tunnel access

I'd move these:

> #
> #ampr     vpn    ACCEPT
> #vpn      ampr   ACCEPT
> #fw       vpn    ACCEPT
> #fw       ampr   ACCEPT
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

to be before this line:

all       all    REJECT   ULOG

as the policy that has the first match will be applied, and these will not be used if they're after all2all.

Jerry Vonau
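The first-match behaviour Jerry describes, as an added example that is not part of the thread: a small Python checker that parses a Shorewall-style policy file and reports which entries are shadowed by an earlier catch-all. The sample input is Jon's posted policy, reconstructed here with the tunnel lines un-commented (as Tom suggested) but still after the "all all" line; the matcher treats "all" as a plain wildcard and does not model Shorewall's $FW alias or the CONTINUE/NONE policies.

```python
# Added example, not from the thread: Shorewall applies the FIRST policy whose
# SOURCE and DEST zones match, so entries after an "all all" catch-all never
# fire. Sample: Jon's posted policy, with the tunnel lines un-commented as Tom
# suggested but still (wrongly) placed after the catch-all.
POLICY_AS_POSTED = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
loc      ampr  ACCEPT
net      all   DROP    ULOG
all      all   REJECT  ULOG
ampr     vpn   ACCEPT
vpn      ampr  ACCEPT
fw       vpn   ACCEPT
fw       ampr  ACCEPT
"""

def parse_policy(text):
    """Return (source, dest, policy) tuples, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append((fields[0], fields[1], fields[2].upper()))
    return rules

def lookup(rules, src, dst):
    """First-match semantics; 'all' is a wildcard. None if nothing matches."""
    for s, d, policy in rules:
        if s in (src, "all") and d in (dst, "all"):
            return policy
    return None

def shadowed(rules):
    """Entries that can never fire because an earlier entry covers all their (src, dst) pairs."""
    dead = []
    for i, (s, d, policy) in enumerate(rules):
        if any(ps in (s, "all") and pd in (d, "all") for ps, pd, _ in rules[:i]):
            dead.append((s, d, policy))
    return dead

def fix_order(rules):
    """Jerry's fix: keep every 'all all' catch-all last, everything else in original order."""
    catch_all = [r for r in rules if r[:2] == ("all", "all")]
    return [r for r in rules if r[:2] != ("all", "all")] + catch_all

if __name__ == "__main__":
    print("shadowed as posted:", shadowed(parse_policy(POLICY_AS_POSTED)))
```

Run against the sample, the four tunnel entries are reported as dead, and after fix_order() an ampr-to-vpn lookup returns ACCEPT instead of REJECT.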
Jerry,

Thanks for spotting that problem with the policy. I have now changed it and managed to get a tunnel working. I still have 2 issues though.

1. I managed to get the tunnel up by manually entering the commands from the tunnel script. I am still not sure how to automate that when Shorewall starts.

2. I can ssh into my router and connect to hosts through the tunnel. I can also connect through the tunnel from any machine on eth2 (this is what its main purpose was) but I can access the tunnel from the local network. I have tried giving loc access to vpn etc. but it don't work.

Any thoughts?

Many Thanks
Jon
On Thu, 11 Nov 2004, Jon Aubrey de Lavenu wrote:

> I still have 2 issues though.
>
> 1. I managed to get the tunnel up by manually entering the commands
> from the tunnel script. I am still not sure how to automate that
> when Shorewall starts.

THE SCRIPT HAS NOTHING TO DO WITH SHOREWALL! It is a script that is designed to be run by init during boot. I'm sorry but I can't take time out of my work day to explain to you any more than that.

> 2. I can ssh into my router and connect to hosts through the tunnel.
> I can also connect through the tunnel from any machine on eth2 (this
> is what its main purpose was) but I can access the tunnel from the
> local network. I have tried giving loc access to vpn etc. but it
> don't work.
>
> Any thoughts?

There is something wrong with the above sentence -- it basically says that everything works but doesn't. If you have some sort of connection problem, please submit a proper problem report and we'll try to help. See http://shorewall.net/support.htm for instructions.

-Tom

PS -- please post in plain text and configure your mailer to fold lines at an appropriate length. In your post, each paragraph is one long line.
Tom Eastep wrote:

> On Thu, 11 Nov 2004, Jon Aubrey de Lavenu wrote:
>
>> 2. I can ssh into my router and connect to hosts through the tunnel.
>> I can also connect through the tunnel from any machine on eth2 (this
>> is what its main purpose was) but I can access the tunnel from the
>> local network. I have tried giving loc access to vpn etc. but it
>> don't work.
>
> There is something wrong with the above sentence -- it basically says that
> everything works but doesn't.

I just read what you wrote again -- is this what you meant?

2. I can *ssh* into my router and connect to hosts through the tunnel. I can also connect through the tunnel from any machine on eth2 (this is what its main purpose was) but I *can't* access the tunnel from the local network. I have tried giving loc access to vpn etc. but it don't work.

If that is the case, you need to masquerade traffic from your local network to the tunnel -- there's no way the hosts out on the 41.0.0.0/8 are going to be able to route replies back to your RFC 1918 local network.

-Tom
> On Thu, 11 Nov 2004, Jon Aubrey de Lavenu wrote:
>
>> I still have 2 issues though.
>>
>> 1. I managed to get the tunnel up by manually entering the commands
>> from the tunnel script. I am still not sure how to automate that
>> when Shorewall starts.

How about I re-word the question for Jon. If I wanted Shorewall to start the tunnel for me, which would be the correct files to place the commands in? In init, to bring up the interface before the config files are read, and the stop vpn commands would go in stop? Can I use my scripts as they are and just call them from init and stop? Or do I have to place the commands in these files?

Jerry
Jerry Vonau wrote:

>> On Thu, 11 Nov 2004, Jon Aubrey de Lavenu wrote:
>>
>>> I still have 2 issues though.
>>>
>>> 1. I managed to get the tunnel up by manually entering the commands
>>> from the tunnel script. I am still not sure how to automate that
>>> when Shorewall starts.
>
> How about I re-word the question for Jon. If I wanted Shorewall to start
> the tunnel for me,

I believe that having Shorewall start and stop network interfaces is the wrong thing to do and I will not publish instructions for doing wrong things.

People who run Unix systems need to understand init as it is implemented on their flavor of Unix. Shorewall should not become the standard crutch that people use to hobble through their ignorance of that area of their system.

In Jon Aubrey's case, I believe that the platform is one of the LEAF/Bering distributions and the script already contains the proper magic to work in that environment -- he simply needs to place the script in /etc/init.d/tunnel (with root execute permission); then he can use 'svi tunnel start' to start the tunnel and 'svi tunnel stop' to stop it. And it will start automatically at boot. The only tricky thing is to be sure that /etc/init.d/tunnel is backed up properly (always a concern with LEAF).

-Tom
Tom Eastep wrote:

> I believe that having Shorewall start and stop network interfaces is the
> wrong thing to do and I will not publish instructions for doing wrong
> things.
>
> People who run Unix systems need to understand init as it is implemented
> on their flavor of Unix. Shorewall should not become the standard crutch
> that people use to hobble through their ignorance of that area of their
> system.

I agree, Tom. It's by doing it the other way around that one gets to know how Shorewall really works along with the specific system that one has running. By understanding how the system initializes on startup it makes it much easier to troubleshoot Shorewall issues when something goes wrong. Otherwise it can become a jungle of issues to weed through, without correct knowledge of the basic system components.

--
Patrick Benson
Stockholm, Sweden
Sorry to cause any upset. Thanks for re-wording the question, Jerry; it helped me understand what I wanted, and as soon as Tom mentioned masquerading I realised what needed doing.

I am very new to Unix and Linux. I am trying to move away from "other" OSes and find the sometimes steep learning curve of Linux a rewarding challenge. Anyway, you have pointed me in the right direction and I have now worked out what is needed. Everything is working as I want and I have found Shorewall to be very useful. I will go away now and play with my new toy.

Thanks
Jon