João Alexandre - Pluridata/LI
2002-Sep-24 16:56 UTC
[Shorewall-users] Static routes question.
Dear All,

This is my first post and I'm kind of new to this mailing list. I searched the archives and didn't find a suitable solution for my problem, or at least I didn't search for the right keywords. So here it goes:

I have a box running shorewall (on MDK 8.2) with 3 nics (lan=eth0, dmz=eth1 and wan=eth2). My wan connection is a cable modem/DHCP and all is running quite well. This box is the default gateway for all the clients behind this shorewall box. The lan is something like 192.168.11.0/24 where 192.168.11.252 is the shorewall box. The problem arrives when in this same network (lan) I have a router (ISDN dial-up) that I use to connect remotely to a client and do administrative stuff. This remote network is like 192.168.101.0/24 and so I created a "static-routes" file in "/etc/sysconfig/" with "eth0 net 192.168.101.0 netmask 255.255.255.0 gw 192.168.11.254" (192.168.11.254 is the ip of the dial-up router).

I tried to create rules, several configurations and so on with no success (always shorewall complaining about the traffic, like:

Sep 24 17:20:30 192.168.10.252 kern.info kernel: Shorewall:wan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3833 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512

). So what I did was to add a permanent static route in my clients and this was my workaround. This remote network (192.168.101.0/24) doesn't need/shouldn't use the shorewall box for any purpose.

How is the correct way to implement a static route in the shorewall box, just like you add a static route in a common router?

Probably some of you may have had the same problem or similar, or even the case of several routers, and can tip me.

Thanks in advance

Cheers,
Joao
João Alexandre - Pluridata/LI wrote:

> I tried to create rules, several configurations and so on with no success (always shorewall complaining about the traffic, like: Sep 24 17:20:30 192.168.10.252 kern.info kernel: Shorewall:wan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3833 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512). So what I did was to add a permanent static route in my clients and this was my workaround. This remote network (192.168.101.0/24) doesn't need/shouldn't use the shorewall box for any purpose.

That is actually the best way to do this since as you say, this traffic shouldn't use the Shorewall box.

> How is the correct way to implement a static route in the shorewall box, just like you add a static route in a common router?

Setting up the route itself shouldn't be done in Shorewall but should be done using your distribution's preferred method ('static-routes' file in your case).

> Probably some of you may have had the same problem or similar, or even the case of several routers, and can tip me.

It looks like you have defined the 192.168.101.0/24 network as zone 'wan'? If so, you probably want policies such as:

wan lan ACCEPT
lan wan ACCEPT

In addition, if you aren't running Shorewall 1.3.8 then you need to specify the 'multi' option for eth0 in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
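The zone and policy layout Tom sketches above, written out as Shorewall 1.3-style configuration fragments. This is an added example, not configuration from the thread or from the Shorewall project. The zone name `rmt`, the use of /etc/shorewall/hosts to split eth0 into the `lan` and `rmt` zones, the explicit broadcast address, the `dhcp` option on eth2, and the narrow rules for TCP/5900 (the connection in the second log, VNC's default port) and ICMP echo-request are my assumptions; the addresses and the static-routes line are the ones from the original post. The kernel route itself stays outside Shorewall, in Mandrake's /etc/sysconfig/static-routes, exactly as Tom says.

```text
# /etc/sysconfig/static-routes   (distribution's job, not Shorewall's; line from the post)
eth0 net 192.168.101.0 netmask 255.255.255.0 gw 192.168.11.254

# /etc/shorewall/zones
# Order matters when two zones share an interface: list the more specific
# zone (rmt, one /24 reached through the ISDN router) before lan.
#ZONE   DISPLAY     COMMENTS
wan     Wan         Cable modem / Internet (eth2)
dmz     DMZ         eth1
rmt     Remote      192.168.101.0/24 behind the ISDN router 192.168.11.254 (assumed name)
lan     Lan         192.168.11.0/24

# /etc/shorewall/interfaces
# "-" in ZONE means the zones on eth0 are defined in /etc/shorewall/hosts.
# "multi" lets Shorewall forward packets back out the interface they came
# in on (the IN=eth0 OUT=eth0 in both log lines); Tom notes it is required
# on releases before 1.3.8.
#ZONE   INTERFACE   BROADCAST       OPTIONS
-       eth0        192.168.11.255  multi
dmz     eth1        detect
wan     eth2        detect          dhcp

# /etc/shorewall/hosts   (splits eth0 into two zones by subnet)
#ZONE   HOST(S)                 OPTIONS
rmt     eth0:192.168.101.0/24
lan     eth0:192.168.11.0/24

# /etc/shorewall/policy   (only the lines that concern rmt; keep your existing ones)
# Tom's suggestion is ACCEPT in both directions. A tighter variant that
# still lets the admin workstation reach the remote site: log and reject
# anything the remote network initiates towards lan.
#SOURCE DEST    POLICY  LOG LEVEL
lan     rmt     ACCEPT
rmt     lan     REJECT  info

# /etc/shorewall/rules   (narrower alternative to "lan rmt ACCEPT" in policy:
# change that policy line to "lan rmt REJECT info" and allow only what the
# two log lines show being used)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  lan     rmt     tcp     5900    # the TCP/5900 connection from the second log
ACCEPT  lan     rmt     icmp    8       # echo-request, the ping from the first log
```

Two things worth keeping in mind when choosing between this and the per-client static route that Tom calls the best way: once every client has its own route via 192.168.11.254, the Shorewall box never sees that traffic, so it can neither filter nor log it; the zone/policy approach above is the one to use if the remote site is a customer network you want kept apart from the lan. And whichever you choose, the rejected-traffic log lines name the chain (`lan2all`, `wan2all`) that dropped the packet, which tells you which zone pair's policy you still have to address.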
João Alexandre - Pluridata/LI
2002-Sep-25 08:32 UTC
[Shorewall-users] Static routes question.
Hi Tom,

Thanks very much for your quick reply.

In fact I didn't have the "multi" option in eth0 (lan). Also, I didn't have 192.168.101.0/24 associated with a "wan" zone. Applying this change, multi, and trying to connect to the remote network brought another new message from shorewall:

_______________________
Sep 25 09:21:45 192.168.11.252 kern.info kernel: Shorewall:lan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=18609 DF PROTO=TCP SPT=1159 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
_______________________

Now it's probably a rule at fault? Some other thing? Do I have to create a zone for this remote network? How?

Sorry, perhaps these are basic things, but I'm struggling to become a Linux "geek", and all my long and different background is not helping a lot, so please be patient.

Have a nice day,

Cheers
Joao

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, 24 September 2002 18:10
> To: João Alexandre - Pluridata/LI
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Static routes question.
João Alexandre - Pluridata/LI wrote:

> In fact I didn't have the "multi" option in eth0 (lan). Also, I didn't have 192.168.101.0/24 associated with a "wan" zone. Applying this change, multi, and trying to connect to the remote network brought another new message from shorewall:
>
> _______________________
> Sep 25 09:21:45 192.168.11.252 kern.info kernel: Shorewall:lan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=18609 DF PROTO=TCP SPT=1159 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
> _______________________
>
> Now it's probably a rule at fault? Some other thing? Do I have to create a zone for this remote network? How?

Tar up your config and send it to me and I'll try to find time to look at it....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
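Both rejects in this thread are readable straight from the log prefix: Shorewall 1.3 tags its LOG targets `Shorewall:<chain>:<disposition>:`, and the chain is named `<source zone>2<destination zone>`, so `wan2all` and `lan2all` say which zone pair's policy fired, while `IN=eth0 OUT=eth0` shows the packet being forwarded back out the interface it arrived on (the case the `multi` option exists for). Below is a small parser that pulls those facts out of syslog lines and counts rejects per zone pair and service. It is an added example written for this page, not code from the thread or from Shorewall; the two sample lines are the ones quoted above, embedded as constructed input, and the function names and the set of TCP flag tokens it recognises are my own choices.

```python
import re
from collections import Counter

# Constructed sample input: the two reject lines quoted in the thread, verbatim.
SAMPLE_LOG = """\
Sep 24 17:20:30 192.168.10.252 kern.info kernel: Shorewall:wan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3833 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512
Sep 25 09:21:45 192.168.11.252 kern.info kernel: Shorewall:lan2all:REJECT:IN=eth0 OUT=eth0 SRC=192.168.11.65 DST=192.168.101.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=18609 DF PROTO=TCP SPT=1159 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Shorewall 1.3 log prefix: "Shorewall:<chain>:<disposition>:" followed by
# the netfilter key=value fields; the chain is "<src zone>2<dst zone>".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
CHAIN_RE = re.compile(r"^(?P<src_zone>.+?)2(?P<dst_zone>.+)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# Bare tokens netfilter emits without "=" (assumed set, enough for these lines).
FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict describing one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {}
    for key, value in KV_RE.findall(rest):
        fields.setdefault(key, value)  # first ID= is the IP header ID, not the ICMP one
    flags = sorted(tok for tok in rest.split() if tok in FLAG_TOKENS)
    zones = CHAIN_RE.match(m.group("chain"))
    in_if, out_if = fields.get("IN"), fields.get("OUT")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": zones.group("src_zone") if zones else None,
        "dst_zone": zones.group("dst_zone") if zones else None,
        "in": in_if,
        "out": out_if,
        # Forwarded back out the arrival interface: the situation "multi" covers.
        "hairpin": in_if is not None and in_if == out_if,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def diagnose(entry):
    """One-line reading of a parsed reject, in the terms the thread uses."""
    service = entry["proto"] or "?"
    if entry["dpt"] is not None:
        service += "/%d" % entry["dpt"]
    parts = [
        "%s by chain %s (policy for zone pair %s -> %s)"
        % (entry["disposition"], entry["chain"], entry["src_zone"], entry["dst_zone"]),
        "%s -> %s %s" % (entry["src"], entry["dst"], service),
    ]
    if entry["hairpin"]:
        parts.append("entered and would leave on %s (same-interface forwarding)" % entry["in"])
    return "; ".join(parts)


def summarize(log_text):
    """Count REJECT/DROP lines per (src_zone, dst_zone, proto, dpt); list hairpins."""
    counts = Counter()
    hairpins = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["disposition"] not in ("REJECT", "DROP"):
            continue
        counts[(entry["src_zone"], entry["dst_zone"], entry["proto"], entry["dpt"])] += 1
        if entry["hairpin"]:
            hairpins.append(entry)
    return counts, hairpins


if __name__ == "__main__":
    counts, hairpins = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(n, key)
    for entry in hairpins:
        print(diagnose(entry))
```

Run against a real /var/log/messages the counts table is the quickest way to see which zone pair and port a new policy or rule has to cover; a steady stream of hairpin rejects for one destination subnet is the signature of clients still sending that subnet's traffic through the firewall instead of straight to the router that owns it.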