Barry, Christopher
2003-Jan-17 13:41 UTC
[Shorewall-users] Special config needed to add other internal private class C nets?
Hi everyone,

I have shorewall up and running fine, and have for well over a year now. Internally, we have a LAB and they need multiple separate private class C networks to do testing, etc. I built a router, so all of the private LANs can communicate - this seems to work fine. I'm confused about what I need to modify on my FW to get everyone to communicate out, masq'ed to the Internet.

Here's what I've done:

Created a new router that has 3 interfaces:
eth0 = 192.168.0.0/24 single class C, and the same net as the fw.
eth1 = 192.168.128.0/24
eth2 = 192.168.96.0/24 - 192.168.127.0/24 (32 class C networks aliased on this card)

The fw is 192.168.0.254. I set a net route on the fw to point to the new router for all traffic bound for the 192.168.128.0 network for testing. I set the default route for the .128 net to be the new router. I can ping the firewall ok, but nothing outside it. Do I need a zone for every net inside? Is there a doc that describes this? I've searched my list archive, but can't seem to find the right answer.

Thanks for your help.

--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com
office: 610.233.ISIS (4747)
direct: 610.233.4870
cell: 267.879.8321
Tom Eastep
2003-Jan-17 13:55 UTC
[Shorewall-users] Special config needed to add other internal private class C nets?
--On Friday, January 17, 2003 04:40:37 PM -0500 "Barry, Christopher" <cbarry@infiniconsys.com> wrote:

> Hi everyone,
>
> I have shorewall up and running fine, and have for well over a year now.
> Internally, we have a LAB and they need multiple separate private class C
> networks to do testing, etc. I built a router, so all of the private LANs
> can communicate - this seems to work fine. I'm confused about what I
> need to modify on my FW to get everyone to communicate out, masq'ed to
> the Internet.
>
> Here's what I've done:
>
> Created a new router that has 3 interfaces:
> eth0 = 192.168.0.0/24 single class C, and the same net as the fw.
> eth1 = 192.168.128.0/24
> eth2 = 192.168.96.0/24 - 192.168.127.0/24 (32 class C networks aliased on
> this card)
>
> The fw is 192.168.0.254. I set a net route on the fw to point to the new
> router for all traffic bound for the 192.168.128.0 network for testing. I
> set the default route for the .128 net to be the new router. I can ping
> the firewall ok, but nothing outside it. Do I need a zone for every net
> inside? Is there a doc that describes this? I've searched my list
> archive, but can't seem to find the right answer.
>

You probably just need to add entries to the /etc/shorewall/masq file for the other subnets.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
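As an added illustration (not part of Tom's reply or the Shorewall project's own files), here are the /etc/shorewall/masq entries his answer refers to, written out for the networks from the original question. The firewall's external interface name (eth0 below) and the LAB router's address on 192.168.0.0/24 are assumptions, since the thread does not give them.

```conf
# /etc/shorewall/masq  (format: INTERFACE  SUBNET  ADDRESS)
#
# One entry per internal SOURCE network that must be masqueraded when it
# leaves through the external interface.  "eth0" is ASSUMED to be the
# firewall's external interface; substitute the real name.
#
# Why the extra lines are needed: an entry whose SUBNET column is an
# internal interface name (e.g. "eth0  eth1") is expanded to the network
# directly attached to that interface, 192.168.0.0/24 here.  Traffic from
# the routed LAB networks arrives with other source addresses and is not
# matched, so it reaches the Internet with an unroutable private source.
#
# No extra zone is needed: a zone defined by interface covers every packet
# arriving on that interface, whatever its source network.
#
#INTERFACE   SUBNET             ADDRESS
eth0         192.168.0.0/24
eth0         192.168.128.0/24
# 192.168.96.0 - 192.168.127.255, the 32 aliased class C networks, is one /19.
eth0         192.168.96.0/19
#
# The firewall must also know how to reach those networks on the way back in,
# i.e. a static route for each of them via the LAB router's 192.168.0.x
# address (placeholder, not given in the thread):
#   route add -net 192.168.128.0 netmask 255.255.255.0 gw <router-ip>
#   route add -net 192.168.96.0  netmask 255.255.224.0 gw <router-ip>
```

After editing the file, `shorewall restart` puts the new MASQUERADE rules in place; `shorewall show nat` lets you confirm the three POSTROUTING entries are present.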