Cowles, Steve
2003-Feb-15 16:57 UTC
[Shorewall-users] local remote networks can not access internet
> -----Original Message-----
> From: Juan Seuc
> Sent: Saturday, February 15, 2003 6:20 PM
> Subject: [Shorewall-users] local remote networks can not
> access internet
>
>
> Hi:
>
> I have three networks:
>
> A- 192.168.1.0/24 (local)
> and
> B- 192.168.2.0/24
> C- 192.168.3.0/24 (remote networks)
>
> My firewall running in A has two nics:
>
> eth0 64.80.101.nn public fixed ip connects to the
> Internet and
> eth1 192.168.1.9 internal firewall ip connects
> to local network A
>
> Remote networks B and C connect to network A through router
> R1 which has IP 192.168.1.254 and outgoing internet traffic
> is routed through the firewall 192.168.1.9.
>
> In the firewall I configured file zones:
>
> net internet
> A Zone A
> B Zone B
> C Zone C

OK

> In the interfaces file:
>
> net eth0 64.80.101.167
> - eth1 detect

OK

> In the hosts file:
>
> A eth1:192.168.1.0/24
> B eth1:192.168.2.0/24
> C eth1:192.168.3.0/24
>

OK

> In the masq file:
>
> eth0 192.168.1.0/24 64.80.101.nnn
> eth0 192.168.2.0/24 64.80.101.nnn
> eth0 192.168.3.0/24 64.80.101.nnn
>

OK

> In the policy file:
>
> A net ACCEPT
> B net ACCEPT
> C net ACCEPT
> net all DROP
> all all DROP
> fw net ACCEPT

I "think" the fw->net (if that's what you really want) needs to be placed before the net->all DROP statement.

> In the rules file I don't have any restriction on outgoing
> traffic from A, B or C to the Internet.
>
> The problem I'm having is that I do not have access to the
> internet from remote networks B and C. However I have access
> to network A, even I can ping from B and C to ip 192.168.1.9
> (firewall). Network A has access to the Internet.

First, does your firewall have a network route to the router that handles the other networks? i.e. does it know how to route traffic back? Based on my understanding of your pings above... it sounds like you do.

Second, I have a very similar setup to yours. The only difference being I have one remote network that hangs off a router on the local lan.

In order to get shorewall to properly masq the remote network and allow "all" traffic between zones, I had to add the following entries to /etc/shorewall/policy:

Note: my remote lan zone name is known as "lab" to shorewall

    loc    loc    ACCEPT
    lab    all    CONTINUE
    loc    lab    ACCEPT

Adjust the above to fit your security level, especially if you do NOT want to give the remote networks full access to the other lans (lab->all).

BTW: The other shorewall files you posted seem to mirror what I have at this end.

Steve Cowles
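An added illustration of the policy-ordering point made in the reply above; this is not code from either message. It rests on one assumption, which the reply also relies on: Shorewall applies policy entries in file order and the first entry whose SOURCE and DEST match wins, so an entry placed below "all all DROP" is dead. The script below (function names find_shadowed, posted_policy and fixed_policy are hypothetical) lints a Shorewall policy file for entries fully covered by an earlier entry, and runs itself against a constructed copy of the policy file from the post and against the same entries with fw->net moved above the catch-all DROPs.

```shell
#!/bin/sh
# Added example, not from the original thread. Lints a Shorewall policy file
# for entries that can never match because an earlier entry already covers
# the same SOURCE/DEST pair. Assumption: Shorewall applies the first matching
# policy entry in file order. All function names here are hypothetical.

# find_shadowed POLICYFILE
# Prints one line per shadowed entry; returns 1 if any were found, else 0.
# An earlier entry (s1,d1) fully shadows a later entry (s2,d2) when
# (s1 == s2 or s1 == "all") and (d1 == d2 or d1 == "all").
find_shadowed() {
    awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        {
            for (i = 1; i <= n; i++) {
                if ((src[i] == $1 || src[i] == "all") &&
                    (dst[i] == $2 || dst[i] == "all")) {
                    printf "line %d \"%s %s %s\" is shadowed by line %d \"%s %s %s\"\n",
                           NR, $1, $2, $3, ln[i], src[i], dst[i], pol[i]
                    bad = 1
                    next
                }
            }
            # not shadowed: remember this entry so it can shadow later ones
            n++; src[n] = $1; dst[n] = $2; pol[n] = $3; ln[n] = NR
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the policy file as posted in the thread.
posted_policy() {
    cat <<'EOF'
# SOURCE  DEST  POLICY
A         net   ACCEPT
B         net   ACCEPT
C         net   ACCEPT
net       all   DROP
all       all   DROP
fw        net   ACCEPT
EOF
}

# Constructed sample: the same entries with fw->net moved above the
# catch-all DROPs, as the reply suggests.
fixed_policy() {
    cat <<'EOF'
# SOURCE  DEST  POLICY
A         net   ACCEPT
B         net   ACCEPT
C         net   ACCEPT
fw        net   ACCEPT
net       all   DROP
all       all   DROP
EOF
}

# Demo: lint the posted file, then the reordered one.
tmp=$(mktemp)
posted_policy > "$tmp"
echo "posted policy:"
find_shadowed "$tmp" || echo "-> move shadowed entries above the catch-all DROPs"
fixed_policy > "$tmp"
echo "reordered policy:"
find_shadowed "$tmp" && echo "-> no shadowed entries"
rm -f "$tmp"
```

Point find_shadowed at /etc/shorewall/policy on the firewall to check a live file. It only flags entries that an earlier entry covers completely; a broad "all all" entry placed after narrower ones is correct and is not reported. It says nothing about routing: the reply's first question (does the firewall know a route back to 192.168.2.0/24 and 192.168.3.0/24 via 192.168.1.254?) is answered by looking at the firewall's routing table with "ip route" or "route -n", not at the Shorewall files.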