Martinez, Mike (MHS-ACS)
2002-Oct-09 18:50 UTC
[Shorewall-users] Need Help with Multiple Class C Networks
Hi Everyone,
Sorry for the long e-mail message......
I have a problem that I hope someone with multiple networks, or a network guru, can help me solve.
We have a class C network 207.207.19.0/24 that has been running with Tom's great firewall for about 6 months now. It has three interfaces.
We are adding another class C network, 216.166.26.0/24.
Here's some line art:
Internet 207.207.19.0/24 - Cisco Router 207.207.19.1 (Default Gateway)
  |
RH 7.1 Firewall 207.207.19.7 External NIC (eth0) ----- 192.168.1.1 Internal NIC (eth1) --> 192.168.2.1 DMZ NIC (eth2)
  |
207.207.19.10 Cisco Switch
  |
207.207.19.11 Cisco Switch
  |
207.207.19.254 Cisco Router 4000 Interface
  |
216.166.26.254 Cisco Router 4000 Interface
  |
216.166.26.2 Cisco Switch
Here's the problem:
Shorewall currently is working great for the 207.207.19.0/24 network and does not have anything on the firewall with the 216.166.26.0/24 network. I can ping from a 207.207.19 Windows workstation to a 216.166.26 Windows workstation, and I can also ping the 4000 router interfaces from a 207.207.19 workstation. I cannot ping from a 216.166.26 Windows workstation to anything on the 207.207.19 network when the firewall is in place. When the firewall is shut down and removed from the network, both networks can ping and map drives without any problems.
If I ping from the firewall, this is what I get:
From 207.207.19.1: Redirect Host(New nexthop: 207.207.19.254)
So what do I need to do to get Shorewall to recognize the 216.166.26.0/24 network and pass the traffic without any problems?
This is what I have tried for adding the 216.166.26.0/24 network:
I added an ifcfg-eth0:1 with the following on the firewall box (External Interface):
DEVICE=eth0:1
BOOTPROTO=static
IPADDR=216.166.26.7
NETMASK=255.255.255.0
ONBOOT=yes
If I do an ip addr show eth0, it shows both the 207.207.19.7 and the 216.166.19.7.
So I did this for Shorewall (version 1.3.7):
init file:
route add -host 207.207.19.1 dev eth0
route add -host 207.207.19.124 dev eth1
route add -host 207.207.19.125 dev eth1
route add -host 207.207.19.126 dev eth1
route add -host 216.166.26.254 dev eth1
Interfaces file:
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 207.207.19.255,216.166.26.255 multi,routefilter,norfc1918,blacklist,noping,routestopped
loc eth1 192.168.1.255 routestopped
dmz eth2 192.168.2.255 routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Proxyarp file: All of the 207.207.19.0/24 IPs are in this file
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
207.207.19.2 eth1 eth0 no
207.207.19.3 eth1 eth0 no
207.207.19.4 eth1 eth0 no
207.207.19.5 eth1 eth0 no.....
207.207.19.255 eth1 eth0 no
#added for testing
216.166.26.2 eth1 eth0 no
216.166.26.254 eth1 eth1 yes
216.166.26.240 eth1 eth0 no
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy file:
###############################################################################
#CLIENT SERVER POLICY LOG LEVEL
loc all ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Zones File:
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
What am I doing wrong, or will this even work? Maybe add another NIC card for the 216.166.26.0 network?
Any suggestions would be greatly appreciated.
Thanks in advance,
Mike
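A consistency check for proxyarp entries like the ones quoted in the message above, written as an added example that is not from the original post and not Shorewall's own code: it parses the quoted lines and flags an entry that names the same interface in INTERFACE and EXTERNAL, that proxy-ARPs for a network or broadcast address, or whose address lies outside the networks on the EXTERNAL interface. The per-interface networks in IFACE_NETS are assumptions taken from the diagram.

```python
import ipaddress

# Constructed sample: a subset of the proxyarp file quoted in the post.
PROXYARP_TEXT = """\
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
207.207.19.2 eth1 eth0 no
207.207.19.255 eth1 eth0 no
#added for testing
216.166.26.2 eth1 eth0 no
216.166.26.254 eth1 eth1 yes
216.166.26.240 eth1 eth0 no
"""

# Assumption taken from the diagram: the upstream segment on eth0 is
# 207.207.19.0/24 (the eth0:1 alias is deliberately not counted) and the
# internal segment on eth1 is 192.168.1.0/24.
IFACE_NETS = {
    "eth0": [ipaddress.ip_network("207.207.19.0/24")],
    "eth1": [ipaddress.ip_network("192.168.1.0/24")],
}

def parse_proxyarp(text):
    """Return [(address, interface, external, haveroute)] from proxyarp text."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed proxyarp line: {raw!r}")
        addr, iface, ext = fields[:3]
        haveroute = len(fields) > 3 and fields[3].lower() == "yes"
        rows.append((ipaddress.ip_address(addr), iface, ext, haveroute))
    return rows

def check_proxyarp(rows, iface_nets):
    """Return [(address, problem)] for entries that look misconfigured."""
    problems = []
    for addr, iface, ext, _haveroute in rows:
        if iface == ext:  # host cannot sit behind the interface it is advertised on
            problems.append((str(addr), "INTERFACE equals EXTERNAL"))
        nets = iface_nets.get(ext, [])
        if not any(addr in n for n in nets):  # upstream router will not ARP for it
            problems.append((str(addr), f"not within any network on {ext}"))
        if any(addr in (n.network_address, n.broadcast_address) for n in nets):
            problems.append((str(addr), "network or broadcast address"))
    return problems
```

Run check_proxyarp(parse_proxyarp(PROXYARP_TEXT), IFACE_NETS) to list the suspect entries; on the constructed sample the 207.207.19.255 entry and all three 216.166.26.x entries are reported.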