cwood@wencor.com
2002-Oct-21 16:23 UTC
[Shorewall-users] Two local subnets, one local nic?
I browsed the archives, but I just became more confused.... :)

I've got a simple firewall, two interfaces; one local private (172.16.0.0) and one internet (12.30.xx.xx). On the local network, I have a cisco router which connects to Atlanta via frame-relay and they have a subnet of 10.101.0.0. I have other frame-relay cities but they are in the 172.16.0.0 address range and don't seem to have any problems that I've heard of.

Since the Atlanta subnet is not directly connected to the firewall local interface, how do I grant them access? I have routes set up for them and can ping them, they are just blocked by the firewall for going out to the internet.

Do I create a new zone? Do I attach 10.101.0.0 to my loc zone?

-=-=-=-=-=-
Chris Wood
801-489-2097 - Wencor - Kitco - Dixie Aerospace
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
cwood@wencor.com wrote:

> I browsed the archives, but I just became more confused.... :)
>
> I've got a simple firewall, two interfaces; one local private (172.16.0.0)
> and one internet (12.30.xx.xx). On the local network, I have a cisco
> router which connects to Atlanta via frame-relay and they have a subnet of
> 10.101.0.0. I have other frame-relay cities but they are in the 172.16.0.0
> address range and don't seem to have any problems that I've heard of.
>
> Since the Atlanta subnet is not directly connected to the firewall local
> interface, how do I grant them access? I have routes set up for them and
> can ping them, they are just blocked by the firewall for going out to the
> internet.
>
> Do I create a new zone? Do I attach 10.101.0.0 to my loc zone?

Assuming that the Cisco handles routing between the 10.101.0.0 and 172.167.0.0 subnets, you just need an entry in the /etc/shorewall/hosts file:

Assuming that you haven't done anything with /etc/shorewall/hosts, probably all you are missing is an entry for that subnet in /etc/shorewall/masq. That also assumes that the Cisco will handle the routing between the 172.16.0.0 and the 10.101.0.0 subnets.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

> cwood@wencor.com wrote:
>
>> I browsed the archives, but I just became more confused.... :)
>>
>> I've got a simple firewall, two interfaces; one local private
>> (172.16.0.0) and one internet (12.30.xx.xx). On the local network, I
>> have a cisco router which connects to Atlanta via frame-relay and they
>> have a subnet of 10.101.0.0. I have other frame-relay cities but they
>> are in the 172.16.0.0 address range and don't seem to have any problems
>> that I've heard of.
>>
>> Since the Atlanta subnet is not directly connected to the firewall local
>> interface, how do I grant them access? I have routes set up for them and
>> can ping them, they are just blocked by the firewall for going out to the
>> internet.
>>
>> Do I create a new zone? Do I attach 10.101.0.0 to my loc zone?
>
> Assuming that the Cisco handles routing between the 10.101.0.0 and
> 172.167.0.0 subnets, you just need an entry in the /etc/shorewall/hosts
> file:

Ignore the above!!! I started in one direction then realized that the problem was probably the masq file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
cwood@wencor.com
2002-Oct-21 17:32 UTC
[Shorewall-users] Two local subnets, one local nic?
> cwood@wencor.com wrote:
>
> > I browsed the archives, but I just became more confused.... :)
> >
> > I've got a simple firewall, two interfaces; one local private (172.16.0.0)
> > and one internet (12.30.xx.xx). On the local network, I have a cisco
> > router which connects to Atlanta via frame-relay and they have a subnet of
> > 10.101.0.0. I have other frame-relay cities but they are in the 172.16.0.0
> > address range and don't seem to have any problems that I've heard of.
> >
> > Since the Atlanta subnet is not directly connected to the firewall local
> > interface, how do I grant them access? I have routes set up for them and
> > can ping them, they are just blocked by the firewall for going out to the
> > internet.
> >
> > Do I create a new zone? Do I attach 10.101.0.0 to my loc zone?
>
> Assuming that you haven't done anything with /etc/shorewall/hosts,
> probably all you are missing is an entry for that subnet in
> /etc/shorewall/masq. That also assumes that the Cisco will handle the
> routing between the 172.16.0.0 and the 10.101.0.0 subnets.

Yeah, the cisco router handles all of the routing between 172.16.0.0 and 10.101.0.0. What is the syntax for the masq file?

I tried this but it TERMINATED when I restarted shorewall (something about an NTFILTER file in use):

    #INTERFACE    SUBNET              ADDRESS
    eth0          eth1
    eth0          10.101.0.0/16       12.30.196.34

I also tried this but the syntax was wrong:

    #INTERFACE    SUBNET                          ADDRESS
    eth0          172.16.0.0/16,10.101.0.0/16     12.30.196.34
cwood@wencor.com wrote:

> Yeah, the cisco router handles all of the routing between 172.16.0.0 and
> 10.101.0.0. What is the syntax for the masq file?
>
> I tried this but it TERMINATED when I restarted shorewall (something about
> an NTFILTER file in use):
> #INTERFACE SUBNET ADDRESS
> eth0 eth1
> eth0 10.101.0.0/16 12.30.196.34

I can't troubleshoot the problem based on that skimpy information. Please try the following though:

    eth0    172.16.0.0/16    12.30.196.34
    eth0    10.101.0.0/16    12.30.196.34

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
cwood@wencor.com
2002-Oct-21 17:49 UTC
[Shorewall-users] Two local subnets, one local nic?
> > Yeah, the cisco router handles all of the routing between 172.16.0.0 and
> > 10.101.0.0. What is the syntax for the masq file?
> >
> > I tried this but it TERMINATED when I restarted shorewall (something about
> > an NTFILTER file in use):
> > #INTERFACE SUBNET ADDRESS
> > eth0 eth1
> > eth0 10.101.0.0/16 12.30.196.34
>
> I can't troubleshoot the problem based on that skimpy information. Please
> try the following though:
>
> eth0 172.16.0.0/16 12.30.196.34
> eth0 10.101.0.0/16 12.30.196.34

    Masqueraded Subnets and Hosts:
    To 0.0.0.0/0 from 172.16.0.0/16 through eth0 using 12.30.196.34
    To 0.0.0.0/0 from 10.101.0.0/16 through eth0 using 12.30.196.34
    Processing /etc/shorewall/tos...
    Rule "all all tcp - ssh 16" added.
    Rule "all all tcp ssh - 16" added.
    Rule "all all tcp - ftp 16" added.
    Rule "all all tcp ftp - 16" added.
    Rule "all all tcp ftp-data - 8" added.
    Rule "all all tcp - ftp-data 8" added.
    Activating Rules...
    Adding IP Addresses...
    RTNETLINK answers: File exists
    Terminated

It turns out if I have 12.30.196.34 there it gives me this error. I removed the 12.30.196.34 and it loaded without the error and is working fine now (Thanks!). 12.30.196.34 is the IP of the eth0 interface -- maybe I really don't need that there? I just wanted the faster performance the docs talk about. :)
cwood@wencor.com wrote:

>>> Yeah, the cisco router handles all of the routing between 172.16.0.0 and
>>> 10.101.0.0. What is the syntax for the masq file?
>>>
>>> I tried this but it TERMINATED when I restarted shorewall (something about
>>> an NTFILTER file in use):
>>> #INTERFACE SUBNET ADDRESS
>>> eth0 eth1
>>> eth0 10.101.0.0/16 12.30.196.34
>>
>> I can't troubleshoot the problem based on that skimpy information. Please
>> try the following though:
>>
>> eth0 172.16.0.0/16 12.30.196.34
>> eth0 10.101.0.0/16 12.30.196.34
>
> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from 172.16.0.0/16 through eth0 using 12.30.196.34
> To 0.0.0.0/0 from 10.101.0.0/16 through eth0 using 12.30.196.34
> Processing /etc/shorewall/tos...
> Rule "all all tcp - ssh 16" added.
> Rule "all all tcp ssh - 16" added.
> Rule "all all tcp - ftp 16" added.
> Rule "all all tcp ftp - 16" added.
> Rule "all all tcp ftp-data - 8" added.
> Rule "all all tcp - ftp-data 8" added.
> Activating Rules...
> Adding IP Addresses...
> RTNETLINK answers: File exists
> Terminated

Turn off ADD_SNAT_ALIASES in /etc/shorewall/shorewall.conf.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
cwood@wencor.com wrote:

> Activating Rules...
> Adding IP Addresses...
> RTNETLINK answers: File exists
> Terminated
>
> It turns out if I have 12.30.196.34 there it gives me this error. I removed
> the 12.30.196.34 and it loaded without the error and is working fine now
> (Thanks!). 12.30.196.34 is the IP of the eth0 interface -- maybe I really
> don't need that there? I just wanted the faster performance the docs talk
> about. :)

Again, set ADD_SNAT_ALIASES=No in shorewall.conf. In Shorewall 1.3.10, even with ADD_SNAT_ALIASES=Yes, if the address in the third column of an entry in /etc/shorewall/masq is the primary IP of the interface named in column 1, no error will result.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
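The two points Tom's answers turn on, as an added example that is not Shorewall's own code: what a three-column /etc/shorewall/masq entry amounts to in iptables terms (SNAT to the ADDRESS column, MASQUERADE when the column is empty), and why ADD_SNAT_ALIASES=Yes fails when that ADDRESS is already the primary IP of the interface in column 1 ("ip addr add" of an address the interface already carries is what produces "RTNETLINK answers: File exists"). The script below is a POSIX sh sketch of both steps. The masq text and the "ip -4 addr show dev eth0" output are constructed to match this thread (12.30.196.34 already on eth0); the function names and the one-rule-per-entry iptables form are assumptions of this example and not a reproduction of the rule set Shorewall 1.3 actually generates.

```shell
#!/bin/sh
# Added example, not Shorewall code.  Two pieces:
#   masq_to_iptables - turn /etc/shorewall/masq lines into the POSTROUTING
#                      SNAT/MASQUERADE rules they imply
#   alias_commands   - emit the "ip addr add" commands ADD_SNAT_ALIASES=Yes
#                      would need, skipping addresses the interface already
#                      has (re-adding those is what yields
#                      "RTNETLINK answers: File exists")

# Constructed sample of /etc/shorewall/masq: the working config from the
# thread plus one MASQUERADE-only entry for contrast.
SAMPLE_MASQ='#INTERFACE SUBNET ADDRESS
eth0 172.16.0.0/16 12.30.196.34
eth0 10.101.0.0/16 12.30.196.34
eth0 192.168.50.0/24
'

# Constructed sample of "ip -4 addr show dev eth0": 12.30.196.34 is already
# the primary address of eth0, exactly the situation in the thread.
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 12.30.196.34/24 brd 12.30.196.255 scope global eth0
'

# masq_to_iptables: masq-format lines on stdin -> iptables commands on stdout.
# Three columns give SNAT to a fixed address; two columns give MASQUERADE.
# Comment and blank lines are skipped.  (An interface name in the SUBNET
# column, which Shorewall accepts, is deliberately not handled here.)
masq_to_iptables() {
    while read -r iface subnet addr rest; do
        case "$iface" in ''|'#'*) continue ;; esac
        if [ -n "$addr" ]; then
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
                "$subnet" "$iface" "$addr"
        else
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
                "$subnet" "$iface"
        fi
    done
}

# alias_needed ADDR: "ip -4 addr show" output on stdin; prints "no" if ADDR
# is already configured on the interface, "yes" otherwise.
alias_needed() {
    awk -v a="$1" '
        $1 == "inet" { split($2, p, "/"); if (p[1] == a) found = 1 }
        END { print (found ? "no" : "yes") }'
}

# alias_commands MASQ_TEXT IPADDR_TEXT: print one "ip addr add" per distinct
# SNAT address that the interface does not already carry.  sort -u matters
# because two masq entries may share one address (as in the thread), and a
# second add of the same address would itself fail with "File exists".
alias_commands() {
    printf '%s' "$1" | while read -r iface subnet addr rest; do
        case "$iface" in ''|'#'*) continue ;; esac
        [ -n "$addr" ] || continue
        if [ "$(printf '%s' "$2" | alias_needed "$addr")" = yes ]; then
            printf 'ip addr add %s dev %s\n' "$addr" "$iface"
        fi
    done | sort -u
}

# Stand-alone run: the rules, the (empty) alias plan for the thread's config,
# then the plan for a secondary address that is not yet on eth0.
printf '%s' "$SAMPLE_MASQ" | masq_to_iptables
echo '--- alias plan, 12.30.196.34 is already the primary address (nothing to add):'
alias_commands "$SAMPLE_MASQ" "$SAMPLE_IP_ADDR"
echo '--- alias plan, secondary address 12.30.196.35:'
alias_commands 'eth0 10.101.0.0/16 12.30.196.35
' "$SAMPLE_IP_ADDR"
```

The practical check this encodes is the one Chris stumbled on: with ADD_SNAT_ALIASES=Yes the ADDRESS column should name an address the firewall does not already have, and when it names the interface's primary IP the column buys nothing over plain SNAT and the alias step is the only thing that can fail.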
cwood@wencor.com
2002-Oct-22 03:48 UTC
[Shorewall-users] Two local subnets, one local nic?
> > Masqueraded Subnets and Hosts:
> > To 0.0.0.0/0 from 172.16.0.0/16 through eth0 using 12.30.196.34
> > To 0.0.0.0/0 from 10.101.0.0/16 through eth0 using 12.30.196.34
> > Processing /etc/shorewall/tos...
> > Rule "all all tcp - ssh 16" added.
> > Rule "all all tcp ssh - 16" added.
> > Rule "all all tcp - ftp 16" added.
> > Rule "all all tcp ftp - 16" added.
> > Rule "all all tcp ftp-data - 8" added.
> > Rule "all all tcp - ftp-data 8" added.
> > Activating Rules...
> > Adding IP Addresses...
> > RTNETLINK answers: File exists
> > Terminated
>
> Turn off ADD_SNAT_ALIASES in /etc/shorewall/shorewall.conf.

That did it! Thanks Tom!