Hi,

On my network, I use real IP numbers for all of my hosts. They all get nat'd at the gateway. I use real IPs because sometimes someone needs to connect directly to a host behind the firewall. With my old firewall, I had a trusted-hosts file with trusted host IP numbers in it. My hosts talking to external trusted hosts would not have their IPs nat'd; instead they were routed and the external host was allowed thru the firewall.

How would I do this with shorewall? I've looked at tunnels but I don't know what the tunnel type IP is? But it isn't a real tunnel; I really want to route everything between a host behind the firewall to a host outside the firewall with no security between them... it's not like they are transmitting any info of any use to anyone.

Also I am setting up VPNs... using freeswan, and plain freeswan does not like nat'd packets, so I also use the same technique of poking a hole in the firewall and then running a vpn thru it. I haven't fully tested the shorewall tunnel set up to do this, but I really need to know how to make a hole in the firewall first as I have to do this to some hosts... certainly at least until they are ready to run ipsec on their endpoint anyway.

Thanks

Bill
On Wed, 28 May 2003 13:47:51 +0100, Bill Dossett <billd@emtex.com> wrote:

> Hi,
>
> On my network, I use real IP numbers for all of my
> hosts. They all get nat'd at the gateway. I use
> real IPs because sometimes someone needs to connect
> directly to a host behind the firewall. With my old
> firewall, I had a trusted-hosts file with trusted host
> IP numbers in it. My hosts talking to external trusted
> hosts would not have their IPs nat'd instead they were
> routed and the external host was allowed thru the firewall.
>
> How would I do this with shorewall? I've looked at tunnels
> but I don't know what the tunnel type IP is? but it isn't
> a real tunnel, I really want to route everything between
> a host behind the firewall to a host outside the firewall
> with no security between them... it's not like they are transmitting
> any info of any use to anyone.
>
> Also I am setting up VPNs... using freeswan and plain freeswan
> does not like nat'd packets, so I also use the same technique
> of poking a hole in the firewall and then running a vpn thru it.
> I haven't fully tested the shorewall tunnel set up to do this,
> but I really need to know how to make a hole in the firewall
> first as I have to do this to some hosts... certainly at least
> until they are ready to run ipsec on their endpoint anyway.
>

Bill -- from the above description, I couldn't describe what problem you are trying to solve if my life depended on it.

From what I understand though, I think you started with the wrong QuickStart Guide -- in your other posts concerning FTP, you mention that you used the standard two-interface sample yet you are talking about using "real IP numbers". In that case, you should be using the Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). Go through that and see if things don't become clearer for you; if they don't then give us the details of your network.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
hmmm, the doc you point to below has a dmz, I don't have a dmz, I have two interfaces... it looks like this.

my network
193.243.232.0/26 -- 193.243.232.1[linux box]193.243.232.68 --router-- Internet

normally 193.243.232.0 gets nat'd to 193.243.232.68... but to selected hosts, I'd like to route it rather than nat.

so say there is a host, 213.253.143.253 and I need 193.243.232.5 to talk directly with it as 193.243.232.5... then I want to route around the nat... normally, the last script I used, had to jump to accept in the PREROUTING chain. So 213.253.143.253 can see 193.243.232.5 and ping it etc.... Is there a way to do this with shorewall?

Thanks for your help.

Bill

Tom Eastep wrote:
> On Wed, 28 May 2003 13:47:51 +0100, Bill Dossett <billd@emtex.com> wrote:
>
>> Hi,
>>
>> On my network, I use real IP numbers for all of my
>> hosts. They all get nat'd at the gateway. I use
>> real IPs because sometimes someone needs to connect
>> directly to a host behind the firewall. With my old
>> firewall, I had a trusted-hosts file with trusted host
>> IP numbers in it. My hosts talking to external trusted
>> hosts would not have their IPs nat'd instead they were
>> routed and the external host was allowed thru the firewall.
>>
>> How would I do this with shorewall? I've looked at tunnels
>> but I don't know what the tunnel type IP is? but it isn't
>> a real tunnel, I really want to route everything between
>> a host behind the firewall to a host outside the firewall
>> with no security between them... it's not like they are transmitting
>> any info of any use to anyone.
>>
>> Also I am setting up VPNs... using freeswan and plain freeswan
>> does not like nat'd packets, so I also use the same technique
>> of poking a hole in the firewall and then running a vpn thru it.
>> I haven't fully tested the shorewall tunnel set up to do this,
>> but I really need to know how to make a hole in the firewall
>> first as I have to do this to some hosts... certainly at least
>> until they are ready to run ipsec on their endpoint anyway.
>>
>
> Bill -- from the above description, I couldn't describe what problem you
> are trying to solve if my life depended on it.
>
> From what I understand though, I think you started with the wrong
> QuickStart Guide -- in your other posts concerning FTP, you mention that
> you used the standard two-interface sample yet you are talking about
> using "real IP numbers". In that case, you should be using the Shorewall
> Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). Go
> through that and see if things don't become clearer for you; if they
> don't then give us the details of your network.
>
> -Tom
On Wed, 28 May 2003 16:46:08 +0100, Bill Dossett <billd@emtex.com> wrote:

> hmmm, the doc you point to below has a dmz, I don't have a dmz,
> I have two interfaces... it looks like this.
>

Bill - Please do more than just look at the pictures. The Setup Guide explains the concepts involved in setting up Shorewall in an environment with more than one external IP address. The example it uses has three interfaces but I think you'll find it worth reading anyway.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Wed, 28 May 2003 16:46:08 +0100, Bill Dossett <billd@emtex.com> wrote:

> hmmm, the doc you point to below has a dmz, I don't have a dmz,
> I have two interfaces... it looks like this.
>
>
> my network
> 193.243.232.0/26 -- 193.243.232.1[linux box]193.243.232.68 --router--
> Internet
>
> normally 193.243.232.0 gets nat'd to 193.243.232.68... but
> to selected hosts, I'd like to route it rather than nat.
>
> so say there is a host, 213.253.143.253 and I need 193.243.232.5
> to talk directly with it as 193.243.232.5... then I want to route
> around the nat... normally, the last script I used, had to jump
> to accept in the PREROUTING chain. So 213.253.143.253 can see
> 193.243.232.5 and ping it etc.... Is there a way to do this
> with shorewall?
>

Sure -- just remove the entry from the /etc/shorewall/masq file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
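Tom's answer in configuration form, as an added example that is not part of the thread and not from the Shorewall project: a masq entry that keeps NAT for the rest of 193.243.232.0/26 while excluding 193.243.232.5, plus the rules entries that let the trusted external host reach it once its address is no longer rewritten. The interface name eth0 is an assumption; the addresses are the ones Bill gave. The "!" exclusion in the masq SUBNET column and the column layouts follow the Shorewall documentation, but compare them against the comment header of your own /etc/shorewall/masq and /etc/shorewall/rules, since column names changed between releases.

```text
# /etc/shorewall/masq  (added example; eth0 is an assumed interface name)
#
# Everything in 193.243.232.0/26 leaving eth0 is SNAT'd to 193.243.232.68,
# EXCEPT 193.243.232.5, which is excluded with "!" and therefore leaves with
# its own routable address. Bill's original entry is the same line without
# the "!193.243.232.5" part; deleting it entirely, as Tom suggests, routes
# the whole /26 without NAT.
#
#INTERFACE   SUBNET                              ADDRESS
eth0         193.243.232.0/26!193.243.232.5      193.243.232.68

# /etc/shorewall/rules  (added example)
#
# Removing the NAT only stops the address rewrite; the net->loc policy
# (DROP in the samples) still decides whether 213.253.143.253 may open
# connections to the host. These two lines are the "hole" Bill describes:
# one trusted external host to one internal host, and the reverse.
#
#ACTION   SOURCE                   DEST                     PROTO   DEST PORT(S)
ACCEPT    net:213.253.143.253      loc:193.243.232.5
ACCEPT    loc:193.243.232.5        net:213.253.143.253
```

The second rules line is only needed if the loc->net policy is not already ACCEPT. Once the two endpoints speak IPsec, the unrestricted ACCEPT pair can be narrowed to IKE (udp 500) and ESP/AH (protocols 50 and 51) between the same two addresses; if the firewall itself later becomes the FreeS/WAN endpoint, the "ipsec" type in /etc/shorewall/tunnels handles that instead of rules entries. After editing, run "shorewall check" before "shorewall restart" so a column typo is caught before the running ruleset is replaced.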