Hello!
I have a problem using shorewall on an aliased interface. Let me give you a short description of the setup:
eth0 uses DHCP and will be assigned a 10.38.0.0/16 address by my ISP;
I use a host-route to access their PPTP on 10.0.0.138 with "pptp 10.0.0.138".
ppp0 is the Internet connection then (duh).
At the same time I want to connect the box to my LAN using 10.1.0.0/16 or any other private addresses, but I have only 1 NIC in there - that's why I added an alias to eth0 with:
ifconfig eth0:0 10.1.0.29 netmask 255.255.0.0 broadcast 10.1.255.255
(or ip a a 10.1.0.29/16 dev eth0 label eth0:0)
The other machine has one NIC with 10.1.0.62/16.
When shorewall is disabled I can ping and connect between those two fine; however, when shorewall is on, every connection or ping is REJECTed in "all2all". (Please see detailed output below.)
What I was trying to do is have two zones on eth0 - "modem" and "loc" - depending on the subnet (modem is for the tunnel and "loc" is, well, the local zone).
I have read the aliased-interfaces HOWTO, checked the "hosts"
configuration documentation and I simply cannot find my mistake!
Why are the packets being rejected in all2all and not matching a loc2loc or loc2foo rule??
I would be very happy if someone could point me to a useful link or tell
me what I did wrong...
* kernel version:
Linux quake 2.4.22-grsec #2 Tue Sep 30 01:44:07 CEST 2003 i686 unknown unknown GNU/Linux
Slackware 9.1
* Shorewall version: 1.4.6c
* Interfaces
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:e3:12:37:a1 brd ff:ff:ff:ff:ff:ff
inet 10.38.6.254/16 brd 10.38.255.255 scope global eth0
inet 10.1.0.29/16 brd 10.1.255.255 scope global eth0:0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
link/ppp
inet 62.99.150.186 peer 62.99.171.186/32 scope global ppp0
* route
62.99.171.186 dev ppp0 proto kernel scope link src 62.99.150.186
10.0.0.138 via 10.38.0.1 dev eth0
10.1.0.0/16 dev eth0 proto kernel scope link src 10.1.0.29
10.38.0.0/16 dev eth0 proto kernel scope link src 10.38.6.254
127.0.0.0/8 dev lo scope link
default via 62.99.171.186 dev ppp0
* see shorewall status output attached please
* ping failed with "Destination Host Unreachable"
* ping or telnet to port 22 is being REJECTed in all2all:
Oct 10 23:43:34 all2all:REJECT:IN=eth0 OUT= SRC=10.1.0.62 DST=10.1.0.29 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=48002 DF PROTO=TCP SPT=1027 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 23:43:36 all2all:REJECT:IN=eth0 OUT= SRC=10.1.0.62 DST=10.1.0.29 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=257 SEQ=0
Oct 10 23:43:49 all2all:REJECT:IN= OUT=eth0 SRC=10.1.0.29 DST=10.1.0.62 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=45903 DF PROTO=ICMP TYPE=8 CODE=0 ID=8707 SEQ=1
* configurations
- zones
#ZONE DISPLAY COMMENTS
net Net Internet
loc local local net
modem Modem xDSL Modem
- hosts
#ZONE HOST(S) OPTIONS
loc eth0:10.1.0.0/16
modem eth0:10.38.0.0/16,10.0.0.138
- interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect norfc1918,routefilter,dropunclean,blacklist,tcpflags
- eth0 10.38.255.255,10.1.255.255 dhcp,dropunclean,tcpflags
- policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
loc loc ACCEPT
net all DROP info
all all REJECT info
- rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT loc loc icmp 8
ACCEPT net fw icmp 8
ACCEPT fw modem icmp 8
- tunnel
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
pptpclient modem 10.0.0.138 -
Thanks a lot!
Kind regards,
Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: status.txt.gz
Type: application/x-tar
Size: 2697 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031011/8c2a65b8/status.txt-0001.tar
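Editor's note, added here and not part of Thomas's message: all three REJECT entries are logged by the all2all chain, which is the chain Shorewall creates for the "all all REJECT info" policy. The first two packets have IN=eth0 and an empty OUT, i.e. they are addressed to the firewall itself (DST=10.1.0.29 is the eth0:0 alias), and the third has an empty IN and OUT=eth0, i.e. it was generated by the firewall. In Shorewall terms that is loc-to-fw and fw-to-loc traffic, not loc-to-loc; the "loc loc ACCEPT" policy and the "ACCEPT loc loc icmp 8" rule only cover traffic between two loc hosts forwarded through the box. Since neither a loc-to-fw nor a fw-to-loc policy or rule exists in the posted configuration, those packets fall through to the catch-all. The policy file below is an illustrative rewrite of the posted one, not Shorewall's or the poster's own file; it assumes the firewall zone keeps its default name "fw" (the FW setting in shorewall.conf), and the two added lines are marked.

```text
#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
fw        net     ACCEPT
loc       loc     ACCEPT
loc       fw      ACCEPT                           # added: LAN hosts -> the firewall's own 10.1.0.29 (ssh, ping)
fw        loc     ACCEPT                           # added: the firewall -> LAN hosts (ping from 10.1.0.29)
net       all     DROP     info
all       all     REJECT   info
```

If a blanket ACCEPT between loc and the firewall is wider than wanted, keep the catch-all policy and instead add narrower entries to the rules file, e.g. "ACCEPT loc fw tcp 22" and "ACCEPT loc fw icmp 8" (plus "ACCEPT fw loc icmp 8" for the outbound ping); either way the log chain name will change from all2all to loc2fw or fw2loc once a matching policy or rule exists. The modem zone is unaffected by this change: fw-to-modem traffic for the PPTP tunnel continues to be governed by the rules and tunnel entries already posted.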