Hi, first thanks Tom for your great work at Shorewall, it is great. I'm building a VPN connection between three VPN routers. Two offices connect to the head office, where a Shorewall 1.4.10e protects the internal net. See below:

    192.168.1.0/24 (Office 1)      192.168.2.0/24 (Office 2)
              |                              |
              |                              |
       192.168.10.254 (192.168.10.0/24 VPN-Router, Head Office)
                             |
                  192.168.10.1 (Shorewall)
                             |
       192.168.100.254 (192.168.100.0/24 Internal net)

192.168.1.0/24 and 192.168.2.0/24 connect via VPN to the head office. Now I want to know if it is possible that 192.168.1.0/24 and 192.168.2.0/24 can access the internal net at the head office (192.168.100.0/24) without problems?

Thanks in advance.
Stefan Drees wrote:
> Now I want to know if it is possible that 192.168.1.0/24 and
> 192.168.2.0/24 can access the internal net at the head office
> (192.168.100.0/24) without problems?

Hi Stefan,

Kind of hard to say without knowing how Shorewall is set up and what type of access you're speaking of specifically.

To answer your general question above with a general answer, yes... Assuming that both 192.168.1.0/24 and 192.168.2.0/24 network packets are unencrypted at 192.168.10.254, Shorewall's external interface will see/encounter traffic coming from those networks just like any other traffic. Adjust Shorewall as you normally would to allow access from Internet networks. The only exception I see here is the fact that your Shorewall external interface might need to account for these two RFC 1918 network addresses.

HTH,
JBanks
Stefan Drees wrote:
> Now I want to know if it is possible that 192.168.1.0/24 and
> 192.168.2.0/24 can access the internal net at the head office
> (192.168.100.0/24) without problems?

Yes -- if configured properly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks wrote:
> Stefan Drees wrote:
>
>> Now I want to know if it is possible that 192.168.1.0/24 and
>> 192.168.2.0/24 can access the internal net at the head office
>> (192.168.100.0/24) without problems?
>
> Hi Stefan,
>
> Kind of hard to say without knowing how Shorewall is set up and what
> type of access you're speaking of specifically.

There is nothing special about the setup. The firewall has two interfaces, one for net and one for local; masquerading is enabled and only some services are allowed to access the net directly.

> To answer your general question above with a general answer, yes...
> Assuming that both 192.168.1.0/24 and 192.168.2.0/24 network packets
> are unencrypted at 192.168.10.254, Shorewall's external interface
> will see/encounter traffic coming from those networks just like any
> other traffic. Adjust Shorewall as you normally would to allow access
> from Internet networks. The only exception I see here is the fact that
> your Shorewall external interface might need to account for these two
> RFC 1918 network addresses.

That's right, all packets at 192.168.10.254 are unencrypted. So I think I only need the following to enable 192.168.1.0/24 and 192.168.2.0/24 to access the local network 192.168.100.0/24, right? Example:

    ACCEPT  net:192.168.1.0/24,192.168.2.0/24  loc  tcp  <service>
    ACCEPT  loc  net:192.168.1.0/24,192.168.2.0/24  tcp  <service>
Stefan Drees wrote:
> That's right, all packets at 192.168.10.254 are unencrypted. So I think
> I only need the following to enable 192.168.1.0/24 and 192.168.2.0/24
> to access the local network 192.168.100.0/24, right? Example:
>
>     ACCEPT  net:192.168.1.0/24,192.168.2.0/24  loc  tcp  <service>
>     ACCEPT  loc  net:192.168.1.0/24,192.168.2.0/24  tcp  <service>

The VPN router will of course need to know how to route to your local network (I assume that the Shorewall box isn't doing NAT).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
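The configuration this exchange converges on, written out as an added illustration rather than Stefan's or Tom's actual files: the interface names eth0/eth1 and port 22 are assumptions standing in for the real interfaces and `<service>`. What it adds to the two rules already in the thread is the point behind Joshua's RFC 1918 remark: the VPN subnets reach the Shorewall box on its net interface with plain private source addresses, so the `norfc1918` interface option would discard them before any rule is consulted.

```text
# /etc/shorewall/interfaces   (Shorewall 1.4 columns: ZONE INTERFACE BROADCAST OPTIONS)
# eth0 is assumed to face the VPN router (192.168.10.254), eth1 the internal net.
# No "norfc1918" on the net line: packets from 192.168.1.0/24 and 192.168.2.0/24
# arrive here unencrypted with RFC 1918 source addresses, and that option would
# drop them before the rules file is ever reached (unless the rfc1918 file is
# edited to exempt those two networks).
net     eth0    detect
loc     eth1    detect

# /etc/shorewall/rules   (ACTION SOURCE DEST PROTO DEST PORT(S))
# One rule per direction; the comma-separated network list is Stefan's own form.
# Port 22 stands in for the real service.
ACCEPT  net:192.168.1.0/24,192.168.2.0/24   loc   tcp   22
ACCEPT  loc   net:192.168.1.0/24,192.168.2.0/24   tcp   22
```

Two things to confirm before relying on it, both raised in the thread: the VPN router at 192.168.10.254 needs a route for 192.168.100.0/24 via 192.168.10.1, and the Shorewall box must not masquerade traffic towards those two networks, otherwise the return path and the source-based rules above stop matching.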
Hello,

I am using Shorewall to get statistics about users. What I need is to discriminate between traffic from and to the internal network and from and to the Internet.

Is there some way to exclude the internal network subnet 192.168.0.0/16 from accounting rules? Something like this:

    0001:COUNT  -  wlan0:192.168.140.64/29  !192.168.0.0/16  -  -

Thank you for help.
Litin
Tom Eastep wrote:
> Stefan Drees wrote:
>
>> That's right, all packets at 192.168.10.254 are unencrypted. So I
>> think I only need the following to enable 192.168.1.0/24 and
>> 192.168.2.0/24 to access the local network 192.168.100.0/24, right?
>> Example:
>>
>>     ACCEPT  net:192.168.1.0/24,192.168.2.0/24  loc  tcp  <service>
>>     ACCEPT  loc  net:192.168.1.0/24,192.168.2.0/24  tcp  <service>
>
> The VPN router will of course need to know how to route to your local
> network (I assume that the Shorewall box isn't doing NAT).
>
> -Tom

Sure, the routing table is already modified and Shorewall doesn't do NAT. Tomorrow the VPN routers are installed and I think it must work.

Thanks for your help.
Dominik Strnad wrote:
> Hello,
> I am using Shorewall to get statistics about users. What I need is to
> discriminate between traffic from and to the internal network and from
> and to the Internet.
>
> Is there some way to exclude the internal network subnet
> 192.168.0.0/16 from accounting rules?
>
> Something like this:
>
>     0001:COUNT  -  wlan0:192.168.140.64/29  !192.168.0.0/16  -  -

Use of ! in accounting rules can be enabled by replacing this code in the firewall script:

    if iptables -A $chain $rule ; then
        [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
        progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport Added
    else
        accounting_error
    fi

with

    if iptables -A $chain $(fix_bang $rule) ; then
        [ "x$rule2" != x ] && run_iptables -A $jumpchain $(fix_bang $rule2)
        progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport Added
    else
        accounting_error
    fi

I'll include this change in 2.0.3.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
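To see what such an exclusion actually becomes at the iptables level, here is an added POSIX shell example (my own code, not Shorewall's firewall script and not its fix_bang function): it takes an accounting entry in the column order used in the question, ACTION CHAIN SOURCE DEST PROTO PORT, and prints the iptables command it corresponds to instead of running it. Two assumptions are built in: a CHAIN of "-" means Shorewall's default `accounting` chain, and a leading "!" is rendered in the `! -s` / `! -d` form that current iptables accepts (iptables releases of the 2004 era wrote the bang after the flag instead).

```shell
#!/bin/sh
# Added example (not Shorewall's firewall script or its fix_bang function):
# render a Shorewall accounting entry, given in the question's column order
# ACTION CHAIN SOURCE DEST PROTO PORT, as the iptables command it corresponds
# to, and print it instead of running it. Assumptions: "!" negation is written
# in the "! -s"/"! -d" form current iptables accepts, and a CHAIN of "-" means
# Shorewall's default "accounting" chain.

# $1 = -s or -d, $2 = address, optionally prefixed with "!" for exclusion
neg_arg() {
    case $2 in
        !*) printf '! %s %s' "$1" "${2#!}" ;;
        *)  printf '%s %s' "$1" "$2" ;;
    esac
}

# $1 = -i or -o, $2 = SOURCE/DEST column ("-", "iface", "iface:addr" or "addr"),
# $3 = -s or -d for the address part
endpoint_args() {
    case $2 in
        -)      ;;                                               # any
        *:*)    printf '%s %s %s' "$1" "${2%%:*}" "$(neg_arg "$3" "${2#*:}")" ;;
        *[./]*) neg_arg "$3" "$2" ;;                             # bare address
        *)      printf '%s %s' "$1" "$2" ;;                      # bare interface
    esac
}

accounting_rule() {
    action=$1 chain=$2 srcspec=$3 dstspec=$4 proto=$5 port=$6
    [ "$chain" = "-" ] && chain=accounting
    rule="iptables -A $chain"
    src=$(endpoint_args -i "$srcspec" -s)
    [ -n "$src" ] && rule="$rule $src"
    dst=$(endpoint_args -o "$dstspec" -d)
    [ -n "$dst" ] && rule="$rule $dst"
    [ "$proto" != "-" ] && rule="$rule -p $proto"
    [ "$port" != "-" ] && rule="$rule --dport $port"
    case $action in
        COUNT) ;;                              # count only, fall through to the next rule
        DONE)  rule="$rule -j RETURN" ;;       # count and stop accounting here
        *)     rule="$rule -j $action" ;;      # jump to a user-defined accounting chain
    esac
    printf '%s\n' "$rule"
}

# The entry from the question, with the internal /16 excluded as destination:
accounting_rule COUNT - wlan0:192.168.140.64/29 '!192.168.0.0/16' - -
```

For the entry in the question this prints `iptables -A accounting -i wlan0 -s 192.168.140.64/29 ! -d 192.168.0.0/16`, which is the rule whose counters `iptables -L accounting -v -n` should show once the patched script has been restarted; a missing `!` in that listing means the negation was lost on the way in.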
Hello Tom,

Thanks, you saved my life. :-))) It was a very fast and graceful solution. Thank you.

Best Regards
Litin

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Tuesday, May 18, 2004 3:09 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Accounting, exclude source or destination subnet

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm