On Sat, 31 May 2003 21:06:29 -0700, Jim Serio <Jim.Serio@asu.edu> wrote:
>
> Here's what I am trying to do:
>
> Let's say I have 6 IP addresses on 3 subnets:
Let's not concern ourselves with the hypothetical but rather let's deal
with what you actually have.
>
> 129.219.90.15/16/17
> 129.219.92.108
> 129.219.94.200
This is somewhat at odds with your first post. To wit:
> -----proxyarp-----
> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
> 129.219.90.16 eth1 eth0 no
> 129.219.90.21 eth1 eth0 no
> 129.219.92.109 eth1 eth0 no
> -----
The last two addresses that you have listed in the proxyarp file aren't
mentioned in your list of *5* IP addresses. And while we are talking about
the first post, the following routing table doesn't make complete sense:
> Here's route -n on the Shorewall box:
> -----
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 129.219.92.109  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 129.219.90.21   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 129.219.90.16   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 129.219.90.0    0.0.0.0         255.255.255.192 U     0      0        0 eth1
> 129.219.90.0    0.0.0.0         255.255.255.192 U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         129.219.90.1    0.0.0.0         UG    0      0        0 eth0
> -----
What doesn't make any sense is that there are *no* routes through eth0
except the default route and there are *two* net routes to 129.219.90.0/26
through eth1. I'm surprised that the system allowed you to add the default
route under these circumstances.
> The Shorewall box has 129.219.90.15 on eth0 (net) and 129.219.90.16 on
> eth1 (dmz). 129.219.90.17 is on a server in the dmz.
Note that my recommendation for Proxy ARP is to always use an RFC 1918
firewall internal address when doing Proxy ARP -- using a public IP:
a) Wastes a public IP address.
b) Makes the routing more difficult (if you restart one of the interfaces,
routing can suddenly stop working).
> Now, I need to add the other IP addresses (129.219.92.108 & 129.219.94.200)
> to the server in the dmz.
> I had added them to the server in the dmz as eth0:1 and eth0:2
What is eth0:0 (just curious)?
> setting their gw as 129.219.90.16 as per the Shorewall doc.
According to your first post, it is 129.219.90.15 (which would be one of
the two alternatives that I recommend, the other being to use the IP
address of the upstream router).
> From the shorewall box and/or
> the net, I am unable to ping or connect to the 2 ip addresses. I can
> ping/www/etc to 129.219.90.17 since that has the proper gw set up on the
> Shorewall box.
I have no idea what you mean by that.
> So, within the shorewall box, how can I stipulate additional gateways?
I just conducted an experiment between two of my systems:
Server (eth0 - 206.124.146.177/24)
|
|
Firewall (eth1 - 192.168.2.1/24)
See http://www.shorewall.net/myfiles.htm for details.
The server is handled by proxy arp. I follow my own advice and use a
private IP address (192.168.2.124) for the internal firewall interface.
On the server, I did:
[root@lists postfix]# ip addr add 192.0.2.1/26 label eth0:0 dev eth0
[root@lists postfix]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:A0:C9:15:39:78
inet addr:206.124.146.177 Bcast:206.124.146.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8918972 errors:2 dropped:0 overruns:0 frame:2
TX packets:12486063 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1057106160 (1008.1 Mb) TX bytes:3049598293 (2908.3 Mb)
Interrupt:11 Base address:0x20c0 Memory:41400000-41400038
eth0:0 Link encap:Ethernet HWaddr 00:A0:C9:15:39:78
inet addr:192.0.2.1 Bcast:0.0.0.0 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:37 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x20c0 Memory:41400000-41400038
<snip>
[root@lists postfix]#
On the firewall:
[root@gateway root]# ip route add 192.0.2.1/32 dev eth1
[root@gateway root]# ping 192.0.2.1
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.699 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.479 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=64 time=0.428 ms
--- 192.0.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2021ms
rtt min/avg/max/mdev = 0.428/0.535/0.699/0.119 ms
[root@gateway root]#
The routing table on the server is:
[root@lists postfix]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.192 U     0      0        0 eth0
206.124.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         206.124.146.254 0.0.0.0         UG    0      0        0 eth0
The relevant parts of the routing table on the firewall are:
[root@gateway root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.1       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
206.124.146.177 0.0.0.0         255.255.255.255 UH    0      0        0 eth1
206.124.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         206.124.146.254 0.0.0.0         UG    0      0        0 eth0
[root@gateway root]#
Note that on the server, I use the IP address of my ISP's router
(206.124.146.254) rather than that of one of my firewall interfaces. Either
should work however.
Also note the last network route on the firewall -- I would expect to see
an analogous route on your firewall.
In short, I see no reason why what you have shouldn't work between your
firewall and server unless you've done something silly like placing entries
in /etc/shorewall/hosts. Are you seeing any Shorewall messages when you try
to ping?
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
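The routing sanity checks Tom applies by eye in the reply above, written out as an added example that is not part of the thread and is not Shorewall's own code: a Python script that parses `route -n` output and an /etc/shorewall/proxyarp table and reports the same findings (a network route listed twice, an external interface carrying nothing but the default route, a default gateway that is not on-link, a proxied address without its host route). The sample tables are the ones quoted in the thread; Tom's proxyarp entry is assumed from his description because his file is not shown, and the checker logic itself is hypothetical rather than anything Shorewall ships.

```python
"""Check a Shorewall proxyarp table against `route -n` output.

Added example for this page, not code from the thread or from Shorewall.
It automates what Tom checks by eye: each proxied ADDRESS has a UH host
route out of INTERFACE (Shorewall installs it unless HAVEROUTE=yes), the
EXTERNAL interface carries a network route and not only the default route,
the default gateway is on-link through that interface, and no route is
listed twice. Sample tables are the ones quoted in the thread; Tom's
proxyarp entry is constructed, since his file is not shown.
"""
import ipaddress
from collections import Counter, namedtuple

Route = namedtuple("Route", "dest gateway genmask flags iface")


def parse_route_n(text):
    """Parse `route -n` output, skipping its two header lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 8 and cols[0] not in ("Kernel", "Destination"):
            dest, gw, mask, flags, _metric, _ref, _use, iface = cols
            routes.append(Route(dest, gw, mask, flags, iface))
    return routes


def parse_proxyarp(text):
    """Parse /etc/shorewall/proxyarp: ADDRESS INTERFACE EXTERNAL HAVEROUTE."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addr, iface, external, haveroute = line.split()[:4]
            entries.append((addr, iface, external, haveroute.lower() == "yes"))
    return entries


def check(routes, entries):
    """Return human-readable problems; an empty list means the tables agree."""
    problems = []
    # Same destination, mask and interface listed more than once.
    for (dest, mask, iface), n in Counter((r.dest, r.genmask, r.iface) for r in routes).items():
        if n > 1:
            problems.append(f"route {dest}/{mask} via {iface} listed {n} times")
    # Every proxied address needs a UH host route out of INTERFACE.
    for addr, iface, _external, haveroute in entries:
        hosts = [r for r in routes if r.dest == addr and "H" in r.flags]
        if not hosts:
            problems.append(f"no host route for {addr} (HAVEROUTE={'yes' if haveroute else 'no'})")
        elif hosts[0].iface != iface:
            problems.append(f"host route for {addr} is on {hosts[0].iface}, proxyarp says {iface}")
    # The EXTERNAL interface must carry a plain network route, not just the default.
    for external in sorted({e[2] for e in entries}):
        if not any(r.iface == external and "G" not in r.flags and "H" not in r.flags for r in routes):
            problems.append(f"no network route on external interface {external}, only the default route")
    # The default gateway must be covered by a route on the default route's own interface.
    for d in routes:
        if d.dest == "0.0.0.0" and "G" in d.flags:
            gw = ipaddress.ip_address(d.gateway)
            if not any(r.iface == d.iface and "G" not in r.flags
                       and gw in ipaddress.ip_network(f"{r.dest}/{r.genmask}", strict=False)
                       for r in routes):
                problems.append(f"default gateway {d.gateway} is not on-link via {d.iface}")
    return problems


# Jim's tables as quoted in the thread, one route per line.
JIM_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
129.219.92.109  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
129.219.90.21   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
129.219.90.16   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
129.219.90.0    0.0.0.0         255.255.255.192 U     0      0        0 eth1
129.219.90.0    0.0.0.0         255.255.255.192 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         129.219.90.1    0.0.0.0         UG    0      0        0 eth0
"""
JIM_PROXYARP = """\
#ADDRESS        INTERFACE EXTERNAL HAVEROUTE
129.219.90.16   eth1      eth0     no
129.219.90.21   eth1      eth0     no
129.219.92.109  eth1      eth0     no
"""
# Tom's firewall table as quoted; the proxyarp line is constructed from his description.
TOM_ROUTES = """\
192.0.2.1       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
206.124.146.177 0.0.0.0         255.255.255.255 UH    0      0        0 eth1
206.124.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         206.124.146.254 0.0.0.0         UG    0      0        0 eth0
"""
TOM_PROXYARP = "206.124.146.177 eth1 eth0 no\n"

if __name__ == "__main__":
    for who, routes, arp in (("Jim", JIM_ROUTES, JIM_PROXYARP), ("Tom", TOM_ROUTES, TOM_PROXYARP)):
        print(who, check(parse_route_n(routes), parse_proxyarp(arp)) or "OK")
```

Run against Jim's table the script reports three problems (the duplicate 129.219.90.0/26 route on eth1, no network route on eth0, and the default gateway 129.219.90.1 not being on-link via eth0), while Tom's firewall table comes back clean; to use it on a live box, feed it the output of `route -n` and the contents of /etc/shorewall/proxyarp instead of the embedded samples.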