Keppner, Christoph
2002-Sep-11 12:43 UTC
[Shorewall-users] Shorewall with 3 interfaces: Routing from DMZ to Internet
Hi,

we want to set up Shorewall with 3 interfaces like this:

  ----------- eth2 --------- eth1 ----------------- eth0 ---------- Our Provider's Router (212.XXX.ZZZ.81)
               |              |                     |
              DMZ          Local Net           Host Shorty
        (212.XXX.YYY.120) (192.168.XXX.2)   (212.XXX.ZZZ.82)

This is our interface configuration of the host Shorty (Debian Linux 3.0):

eth0
    address   212.XXX.ZZZ.82
    netmask   255.255.255.240
    network   212.XXX.ZZZ.80
    broadcast 212.XXX.ZZZ.95
    gateway   212.XXX.ZZZ.82 (provider's router)

eth1 (interface to local network)
    address   192.168.XXX.2
    netmask   255.255.255.0
    network   192.168.XXX.0
    broadcast 192.168.XXX.255
    gateway is not set. What IP makes sense here? The IP of eth0 or the IP of the provider's router?

eth2 (interface to DMZ)
    address   212.XXX.YYY.120
    netmask   255.255.255.128
    network   212.XXX.YYY.0
    broadcast 212.XXX.YYY.127
    gateway is not set. Same question as in eth1!

Without Shorewall, we can ping from "Shorty" to the provider's router and to any host in the world (we tried www.heise.de and it worked). From a host in the DMZ it doesn't work! There is always the message "No route to host". Do I have to add a route from the 212.XXX.YYY.0 subnet to the 212.XXX.ZZZ.80 subnet before I start Shorewall and, if yes, how? Or does Shorewall set the route automatically if I configure it according to the "three-interfaces-example" in the Shorewall documentation?

Best regards
Christoph
Tom Eastep
2002-Sep-11 15:21 UTC
[Shorewall-users] Shorewall with 3 interfaces: Routing from DMZ to Internet
On Wednesday 11 September 2002 05:43 am, Keppner, Christoph wrote:

> Hi,
>
> we want to set up Shorewall with 3 interfaces like this:
>
>   ----------- eth2 --------- eth1 ----------------- eth0 ---------- Our Provider's Router (212.XXX.ZZZ.81)
>                |              |                     |
>               DMZ          Local Net           Host Shorty
>         (212.XXX.YYY.120) (192.168.XXX.2)   (212.XXX.ZZZ.82)
>
> This is our interface configuration of the host Shorty (Debian Linux 3.0):
>
> eth0
>     address   212.XXX.ZZZ.82
>     netmask   255.255.255.240
>     network   212.XXX.ZZZ.80
>     broadcast 212.XXX.ZZZ.95
>     gateway   212.XXX.ZZZ.82 (provider's router)
>
> eth1 (interface to local network)
>     address   192.168.XXX.2
>     netmask   255.255.255.0
>     network   192.168.XXX.0
>     broadcast 192.168.XXX.255
>     gateway is not set. What IP makes sense here? The IP of eth0 or the IP of the provider's router?
>
> eth2 (interface to DMZ)
>     address   212.XXX.YYY.120
>     netmask   255.255.255.128
>     network   212.XXX.YYY.0
>     broadcast 212.XXX.YYY.127
>     gateway is not set. Same question as in eth1!
>
> Without Shorewall, we can ping from "Shorty" to the provider's router and to any host in the world (we tried www.heise.de and it worked). From a host in the DMZ it doesn't work! There is always the message "No route to host". Do I have to add a route from the 212.XXX.YYY.0 subnet to the 212.XXX.ZZZ.80 subnet before I start Shorewall and, if yes, how? Or does Shorewall set the route automatically if I configure it according to the "three-interfaces-example" in the Shorewall documentation?

Your setup is different from the one supported by the three-interface example!!!!! The three-interface example assumes that you have exactly 1 public IP address. See the Shorewall setup guide (http://www.shorewall.net/shorewall_setup_guide.htm) for information on how to configure your firewall.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Keppner, Christoph
2002-Sep-16 07:08 UTC
[Shorewall-users] Shorewall with 3 interfaces: Routing from DMZ to Internet
Hi,

I know I asked this already, but I changed the network description a little bit because I don't know if the problem was understood correctly. We want to set up Shorewall with 3 interfaces like this:

  ----------- eth2 --------- eth1 ----------------- eth0 ---------- Our Provider's Router (212.XXX.ZZZ.81)
               |              |                     |
              DMZ          Local Net           Host Shorty
        (423.XXX.YYY.120) (192.168.XXX.2)   (212.XXX.ZZZ.82)

This assumes that we have a set of public IPs (423.XXX.YYY.0/25, exactly 128) and our DMZ is built from these IPs. Our private network has 192.168.XXX.YYY IPs.

This is our interface configuration of the host Shorty (Debian Linux 3.0):

eth0
    address   212.XXX.ZZZ.82
    netmask   255.255.255.240
    network   212.XXX.ZZZ.80
    broadcast 212.XXX.ZZZ.95
    gateway   212.XXX.ZZZ.82 (provider's router)

eth1 (interface to local network)
    address   192.168.XXX.2
    netmask   255.255.255.0
    network   192.168.XXX.0
    broadcast 192.168.XXX.255
    gateway is not set. What IP makes sense here? The IP of eth0 or the IP of the provider's router?

eth2 (interface to DMZ)
    address   423.XXX.YYY.120
    netmask   255.255.255.128
    network   423.XXX.YYY.0
    broadcast 423.XXX.YYY.127
    gateway is not set. Same question as in eth1!

Without Shorewall, we can ping from "Shorty" to the provider's router and to any host in the world (we tried www.heise.de and it worked). From a host in the DMZ it doesn't work! There is always the message "No route to host". Do I have to add a route from the 423.XXX.YYY.0 subnet to the 212.XXX.ZZZ.80 subnet before I start Shorewall and, if yes, how? Or does Shorewall set the route automatically if I configure it according to the "three-interfaces-example" in the Shorewall documentation?

Best regards
Christoph
Tom Eastep
2002-Sep-16 14:30 UTC
[Shorewall-users] Shorewall with 3 interfaces: Routing from DMZ to Internet
Keppner, Christoph wrote:

> Hi,
>
> I know I asked this already, but I changed the network description a little bit because I don't know if the problem was understood correctly. We want to set up Shorewall with 3 interfaces like this:
>
>   ----------- eth2 --------- eth1 ----------------- eth0 ---------- Our Provider's Router (212.XXX.ZZZ.81)
>                |              |                     |
>               DMZ          Local Net           Host Shorty
>         (423.XXX.YYY.120) (192.168.XXX.2)   (212.XXX.ZZZ.82)
>
> This assumes that we have a set of public IPs (423.XXX.YYY.0/25, exactly 128) and our DMZ is built from these IPs. Our private network has 192.168.XXX.YYY IPs.
>
> This is our interface configuration of the host Shorty (Debian Linux 3.0):
>
> eth0
>     address   212.XXX.ZZZ.82
>     netmask   255.255.255.240
>     network   212.XXX.ZZZ.80
>     broadcast 212.XXX.ZZZ.95
>     gateway   212.XXX.ZZZ.82 (provider's router)
>
> eth1 (interface to local network)
>     address   192.168.XXX.2
>     netmask   255.255.255.0
>     network   192.168.XXX.0
>     broadcast 192.168.XXX.255
>     gateway is not set. What IP makes sense here? The IP of eth0 or the IP of the provider's router?
>
> eth2 (interface to DMZ)
>     address   423.XXX.YYY.120
>     netmask   255.255.255.128
>     network   423.XXX.YYY.0
>     broadcast 423.XXX.YYY.127
>     gateway is not set. Same question as in eth1!
>
> Without Shorewall, we can ping from "Shorty" to the provider's router and to any host in the world (we tried www.heise.de and it worked). From a host in the DMZ it doesn't work! There is always the message "No route to host". Do I have to add a route from the 423.XXX.YYY.0 subnet to the 212.XXX.ZZZ.80 subnet before I start Shorewall and, if yes, how? Or does Shorewall set the route automatically if I configure it according to the "three-interfaces-example" in the Shorewall documentation?

Your configuration is NOT LIKE THE THREE-INTERFACE EXAMPLE! The three-interface example is for people who have exactly one public IP -- you have 128!!!!

You should be setting up your network as described in the Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). Without seeing how you have configured your DMZ, it's hard to tell what you have done wrong...

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
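The routing question running through this thread (which gateway, if any, each of Shorty's interfaces should carry, and whether a route between the public DMZ block and the external block has to be added by hand) can be checked mechanically before any firewall rules are involved. The POSIX shell script below is an added editorial example; it is not code from the thread, from the Shorewall project or from the setup guide linked above. It uses RFC 5737 documentation addresses as constructed stand-ins for the anonymized ranges in the posts (203.0.113.80/28 for 212.XXX.ZZZ.80/28 with the provider's router at .81 and Shorty at .82, 198.51.100.0/25 for 423.XXX.YYY.0/25 with Shorty at .120, 192.168.10.0/24 for the 192.168.XXX.0/24 LAN) and interface names eth0/eth1/eth2 as in the posts. It verifies that a default gateway is a usable next hop (on the interface's own subnet and not the host's own address), shows which interface Shorty would pick for a destination using nothing but its three connected routes plus one default route, and prints the per-box route and forwarding settings a routed, non-NAT DMZ of this shape needs.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. Addresses are RFC 5737
# documentation ranges standing in for the anonymized blocks in the posts:
#   203.0.113.80/28  ~ 212.XXX.ZZZ.80/28   (external segment)
#   198.51.100.0/25  ~ 423.XXX.YYY.0/25    (public DMZ block)
#   192.168.10.0/24  ~ 192.168.XXX.0/24    (private LAN)
ISP_GW=203.0.113.81                                 # provider's router, on eth0's segment
FW_EXT=203.0.113.82;   EXT_NET=203.0.113.80/28      # Shorty eth0
FW_LAN=192.168.10.2;   LAN_NET=192.168.10.0/24      # Shorty eth1
FW_DMZ=198.51.100.120; DMZ_NET=198.51.100.0/25      # Shorty eth2

# ip2int A.B.C.D -> 32-bit integer (shell arithmetic only, no external tools)
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int PREFIXLEN -> netmask as an integer (4294967295 is 0xFFFFFFFF)
mask2int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_subnet IP NET/PREFIX -> exit 0 if IP lies inside NET/PREFIX
in_subnet() {
    _ip=$(ip2int "$1"); _net=$(ip2int "${2%/*}"); _mask=$(mask2int "${2#*/}")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_default_gw IFADDR NET/PREFIX GW
# A next hop is usable only if it sits on the interface's directly connected
# subnet and is not the host's own address. eth1 and eth2 need no gateway at
# all: their subnets are connected routes, and a host carries one default route.
check_default_gw() {
    if [ "$3" = "$1" ]; then
        echo "gateway $3 is the host's own address, not a next hop" >&2; return 1
    fi
    if ! in_subnet "$3" "$2"; then
        echo "gateway $3 is not on the connected subnet $2" >&2; return 1
    fi
    return 0
}

# shorty_egress DST -> the interface Shorty forwards DST out of, using only its
# three connected routes plus the default route via ISP_GW. The DMZ block and
# the external block are both directly connected, so Shorty needs no extra
# route between them; what it needs is forwarding enabled, and the boxes on
# either side need correct next hops (see route_plan).
shorty_egress() {
    if in_subnet "$1" "$DMZ_NET"; then echo eth2
    elif in_subnet "$1" "$LAN_NET"; then echo eth1
    else echo eth0
    fi
}

# route_plan -> per-box settings for the routed (no-NAT) DMZ design
route_plan() {
    cat <<EOF
# on Shorty: forward between interfaces (shorewall.conf's IP_FORWARDING setting can do this as well)
sysctl -w net.ipv4.ip_forward=1
ip route add default via $ISP_GW dev eth0
# on each DMZ host: Shorty's eth2 address is the default gateway
ip route add default via $FW_DMZ
# on each LAN host: Shorty's eth1 address is the default gateway
# (private LAN addresses additionally need masquerading on Shorty; that is firewall configuration, not routing)
ip route add default via $FW_LAN
# on the provider's router: the DMZ block is reached through Shorty's eth0 address
ip route add $DMZ_NET via $FW_EXT
EOF
}

check_default_gw "$FW_EXT" "$EXT_NET" "$ISP_GW" && echo "eth0 gateway $ISP_GW ok"
route_plan
```

Run it as is to see the plan for the constructed addresses, or substitute your own blocks in the variables at the top. The last line of route_plan is the one most often forgotten: a public DMZ block only works if the upstream router knows to send that block to the firewall's external address, and that route lives on the provider's side, not on Shorty.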