Hi,
after migrating to shorewall firewall from my own iptables rule set (to
utilise freeswan vpn tunnels) I have successfully configured a 3 interface
firewall with net2net vpn tunnels, with the help of the shorewall
documentation. However I cannot seem to configure my final step which is to
masq another subnet attached to my LAN (LANB, via Cisco 1603 router) to get
internet access via the firewall.
                       NET:eth3
                          ^
                          |
                      +---|---+
                      |       |DMZ:eth1 192.168.1.254
                      |  FW   +--------------------> DMZ 192.168.1.0/24
                      |       |
                      +---+---+
                          |LOC:eth0:172.16.2.254
                          |LOC: 172.16.2.0/24
                          |
                          |   +--------+   +----------+
                          |   | BRANCH |   | BRANCH 2 |
                          +---+ OFFICE |-o-| OFFICE   +----LAN B 172.16.1.0/24
                              | ROUTER |   | ROUTER   |
                              +--------+   +----------+
                              172.16.2.1   172.16.1.1

IPSEC VPN Subnets are 172.16.0.0/24 & 172.16.3.0/24
Is there any easy way to allow LAN B access via the shorewall firewall? I've
tried declaring it as its own zone, but shorewall still rejects the packets;
for example, dns lookup fails with
Jul 8 14:47:18 mail kernel: IN= OUT=eth2 SRC=172.16.2.254 DST=172.16.1.101 LEN90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=70
Jul 8 14:47:55 mail kernel: IN=eth2 OUT=eth2 SRC=212.135.1.36 DST=172.16.1.151 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=14965 PROTO=UDP SPT=53 DPT=1359 LEN=144
Jul 8 14:47:56 mail kernel: IN=eth2 OUT=eth2 SRC=212.135.1.36 DST=172.16.1.151 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=15154 PROTO=UDP SPT=53 DPT=1359 LEN=144
Sorry, can't find the shorewall log, will post tomorrow when back in work :)
I was thinking of changing the subnet mask to encompass one large network
172.16.0.0/22 and VPN internet subnets.
Any thoughts/comments would be appreciated; surely there must be an easier way
to allow subnet access via the shorewall config files?
Also, is there a way of tunnelling all traffic on remote VPN subnets to the main
LAN and then back out into the NET zone? This (although more bandwidth
intensive) would allow all internet traffic to be filtered via Squid and
Dansguardian as per company policy.
Thanks for your help in advance
Cheers
Les
Shorewall version 1.4.5
Output of ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:b0:d0:ea:5c:56 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.254/24 brd 172.16.2.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:a4:47:93 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:b9:03:92 brd ff:ff:ff:ff:ff:ff
    inet 217.204.66.19/28 brd 217.204.66.31 scope global eth2
Output of ip route show
217.204.66.16/28 dev eth2 scope link
172.16.2.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link
172.16.1.0/24 via 172.16.2.1 dev eth0
127.0.0.0/8 dev lo scope link
default via 217.204.66.17 dev eth2
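The "masq another routed subnet" step of the question above, written out in Shorewall 1.4's own config-file format as an added example (not from the original post or from the Shorewall project). It assumes, from the ip addr and ip route output, that eth2 is the NET interface and eth0 the LOC interface behind which 172.16.1.0/24 is reached via 172.16.2.1, and that the loc->net policy is already ACCEPT; the file paths and column names are the standard Shorewall ones, the address values are the poster's.

```text
# /etc/shorewall/masq  (added example; assumes eth2 = NET, eth0 = LOC)
#INTERFACE              SUBNET                  ADDRESS
# Masquerade the directly attached LAN and the routed LAN B behind the
# branch routers. Listing each subnet explicitly, rather than the whole
# interface, keeps the NAT rule from silently covering any other network
# that later gets a route via eth0 (e.g. the VPN subnets).
eth2                    172.16.2.0/24
eth2                    172.16.1.0/24

# /etc/shorewall/interfaces  (added example; unchanged from a normal 3-zone setup)
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth2            detect
dmz     eth1            detect
loc     eth0            detect

# /etc/shorewall/hosts  (added example; only needed if eth0's ZONE above is "-")
# When eth0 is assigned to loc in the interfaces file, every packet arriving
# on eth0, including those forwarded from 172.16.1.0/24 by 172.16.2.1, is
# already in the loc zone, so no separate zone and no hosts entry is required.
# The hosts form below is the alternative for splitting one interface into
# several zones; it must not be combined with a loc assignment for eth0 above.
#ZONE   HOST(S)                                 OPTIONS
#loc    eth0:172.16.2.0/24,172.16.1.0/24
```

With the two masq lines in place, the replies that the log shows arriving on eth2 for 172.16.1.151 are translated back to the firewall's eth2 address on the way out, so the only forwarding decision left for LAN B traffic is the existing loc->net policy.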