thr3ads.net - Shorewall users - [Shorewall-users] Same input/output interface traffic [May 2003]

If this information is useful, please help other people find it:
Share via:

Simon Huet

2003-May-14 09:13 UTC

[Shorewall-users] Same input/output interface traffic

Hi everyone,

I am setting up a new firewall being not the only one router on my LAN.
In order to have only one default gateway on each of my LAN clients, I
need to be able to autorise from one zone to the same one.


When I was using version 1.3.7 adding one rule like

	ACCEPT lan lan:0.0.0.0/0 all - -
and I would obtain something like:


Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source        destination
 2034  292K dynamic    all  --  *      *       0.0.0.0/0     0.0.0.0/0
 2032  292K lan2net    all  --  *      ppp0    0.0.0.0/0     0.0.0.0/0
    2   168 lan2lan    all  --  *      eth0    0.0.0.0/0     0.0.0.0/0

Chain lan2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1767  274K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
   75  6699 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:110
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:143
  190 10951 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain lan2lan (1 references)
 pkts bytes target     prot opt in     out     source           destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0        0.0.0.0/0       
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0        0.0.0.0/0       
state NEW tcp flags:!0x16/0x02
    2   168 ACCEPT     all  --  *      *       0.0.0.0/0        0.0.0.0/0       
state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0        0.0.0.0/0




On one another firewall and using Shorewall 1.4.1c using the same trick I get
something like



Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source        destination
 2034  292K dynamic    all  --  *      *       0.0.0.0/0     0.0.0.0/0
 2034  292K lan2net    all  --  *      ppp0    0.0.0.0/0     0.0.0.0/0


Chain lan2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
(...)

Chain lan2lan (1 references)
 pkts bytes target     prot opt in     out     source           destination
(...)


I would like to know if there is a normal way to get this done.
Otherwise I did get this done by hacking the ''firewall'' script
:


-------------------------------------------------
....
activate_rules()
{
       ...
    addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
    {
        ...
    }

    addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
    {
        ...
    }

    ...

    for zone in $zones; do
    ...

	for host in $source_hosts; do
            ...

	done

	for zone1 in $zones; do

            ...
 	   
	    for host in $source_hosts; do
                ...

		for host1 in $dest_hosts; do
		    interface1=${host1%:*}
		    subnet1=${host1#*:}

		    if [ "$host" != "$host1" ]; then
			run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
		    elif [ "$chain" != "ACCEPT" ]; then
			run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
		    fi
		done
	    done
	done
    done
    ...
  
}
....
-------------------------------------------------


When I logged which rules where called with [ "$host" == "$host1
] $chain is either ACCEPT or lan2lan.


Thanks you for your help.

---------------------
Simon Huet
sh@numlog.fr
NUMLOG
23, rue des Poiriers
78370 Plaisir, FRANCE
+33 (0)1 30 79 16 16
http://www.numlog.fr/
---------------------

Tom Eastep

2003-May-14 09:19 UTC

head link

[Shorewall-users] Same input/output interface traffic

On 14 May 2003 18:13:10 +0200, Simon Huet <sh@numlog.fr> wrote:
>
> I would like to know if there is a normal way to get this done.
> Otherwise I did get this done by hacking the ''firewall''
script :
>
a) Upgrade to 1.4.2
b) Specify ''routeback'' as an option on your lan interface in 
/etc/shorewall/interfaces

In the future, please read the release notes and check the upgrade issues 
page (www.shorewall.net/upgrade_issues.htm) when you upgrade; you will then 
know about these changes when they occur.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Simon Huet

2003-May-15 01:42 UTC

head link

[Shorewall-users] Same input/output interface traffic

Le mer 14/05/2003 ? 18:19, Tom Eastep a ?crit :> On 14 May 2003 18:13:10 +0200, Simon Huet <sh@numlog.fr> wrote:
> 
> >
> > I would like to know if there is a normal way to get this done.
> > Otherwise I did get this done by hacking the
''firewall'' script :
> >
> 
> a) Upgrade to 1.4.2
> b) Specify ''routeback'' as an option on your lan interface
in
> /etc/shorewall/interfaces
> 
> In the future, please read the release notes and check the upgrade issues 
> page (www.shorewall.net/upgrade_issues.htm) when you upgrade; you will then
> know about these changes when they occur.
> 
> -TomThanks for your help !!!

I just checked the documentation, search the mailing list and almost the
entire website and spend my entire day analysing the firewall script,
thinking I was using the latest version.

Thanks again.

Shorewall users - May 2003 - Same input/output interface traffic

[Shorewall-users] Same input/output interface traffic

[Shorewall-users] Same input/output interface traffic

[Shorewall-users] Same input/output interface traffic