Luca Maranzano
2003-Nov-21 03:12 UTC
[Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
Hello all,
I've a Debian box with Shorewall 1.4.6c.
The network layout is the following:
                +-------+
 --TheNet-------| Linux |-----------+
            eth0+-------+eth1       |
                                    |
 [--+---+---------------------------]  Priv LAN
    |                                  192.168.2.0/24
    |
 +------+
 |Cisco |------- ISDN LINE
 |Router|        - Internet Backup
 +------+        - To 192.168.1.0/24
- eth0 is the public interface
- eth1 is the private interface
- Clients on the private LAN have the Linux Box as their default gateway
Since the Internet connection is having a lot of trouble, we have set up
a simple script on the Linux box which monitors the status of the
Internet connection and, in case the line is not working, changes the
default gateway of the Linux box to be the Cisco router, which is
responsible for establishing the Internet backup connection via the ISDN line.
Via the Cisco router the clients also need to connect via ISDN to a
remote LAN, 192.168.1.0/24.
The problem we are having is that Shorewall drops packets coming from
clients, entering eth1 and then going out from the same eth1.
For example, if a client tries to ping the remote IP 192.168.2.11 (which
must be routed to the Cisco via ISDN), we get the following messages:
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14848 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15104 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15360 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15616 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Besides, when the Internet line goes down, Internet traffic flows to the
Linux box on eth1 and is then redirected to the Cisco box, so we'll have
a lot of packets with source IP=192.168.2.* and destination IP=any, and I
suppose Shorewall will REJECT them similarly (I've no example logging
about this till now).
How can I configure Shorewall to permit this kind of traffic?
I know that the perfect solution would be to not have the Linux box as
the default gateway, but we cannot do it any other way :-) because of some
other constraints.
Let me know if you need more config details.
Thank you very much for your help.
Regards,
Luca
Sascha Knific
2003-Nov-21 04:42 UTC
Re: [Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
http://www.shorewall.net/Documentation.htm#Hosts
See 2.
Regards
Sascha
-------------------------------------------------------
Sascha Knific              K Systems & Design
Tel. +49-8151-773260       Wittelsbacherstr. 6a
Fax. +49-8151-773262       82319 Starnberg, Germany
Leo  +49-8151-773261       WGS84: N57°59,875' E011°20,568'
knific@k-sysdes.net        http://www.k-sysdes.net
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Luca Maranzano
Sent: Friday, 21 November 2003 12:12
To: shorewall-users@lists.shorewall.net
Cc: Stefano e Alberto
Subject: [Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
Tom Eastep
2003-Nov-21 07:24 UTC
[Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
On Fri, 2003-11-21 at 03:11, Luca Maranzano wrote:
> .11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15616 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Besides, when the Internet line goes down, Internet traffic flows to the
> Linux box on eth1 and is then redirected to the Cisco box, so we'll have
> a lot of packets with source IP=192.168.2.* and destination IP=any, and I
> suppose Shorewall will REJECT them similarly (I've no example logging about
> this till now).
>
> How can I configure Shorewall to permit this kind of traffic?
>
See http://www.shorewall.net/Multiple_Zones.html.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
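Both replies point at the same thing: splitting what eth1 carries into zones (the hosts file) and giving those zones a policy. The Python below is added here as an illustration; it is not code from the thread or from the Shorewall project. It parses the posted log lines, shows why the FORWARD:REJECT prefix already diagnoses the problem, and runs the packets through a deliberately small emulation of Shorewall's zone and policy lookup, first with eth1 wholly in loc and no routeback (the poster's case), then with a separate zone for 192.168.1.0/24 on eth1, routeback on eth1, and loc->rem / loc->loc ACCEPT policies. The zone names net, loc and rem, the poster's existing policies, the address 198.51.100.7 and the third log line are assumptions; the config lines in the comments are my reconstruction of that approach, and their exact syntax must be checked against the 1.4.6 documentation linked in the replies.

```python
"""Why Shorewall rejects the posted eth1 -> eth1 packets, and a small model of the fix.
Added example for this thread; not code from the poster or the Shorewall project.
The Shorewall class emulates only zone lookup and policy matching, nothing more."""
import ipaddress
import re

# Sample input: two REJECT lines copied from the post plus one constructed
# Internet-bound line of the kind the poster expects once the default gateway
# has been switched to the Cisco (198.51.100.7 is a documentation address).
LOG_LINES = [
    "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14848 DF PROTO=TCP SPT=1031 DPT=449 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15104 DF PROTO=TCP SPT=1031 DPT=449 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=198.51.100.7 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15617 DF PROTO=TCP SPT=1032 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",  # constructed, not from the post
]

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse(line):
    """Extract the fields a forwarding decision depends on from one log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def hairpin_rejects(lines):
    """Distinct flows rejected by FORWARD's catch-all on their way back out the
    interface they arrived on. The 'FORWARD' prefix, rather than a zone pair such
    as 'loc2net', is the tell: the packet matched no zone-to-zone chain at all."""
    flows = set()
    for line in lines:
        p = parse(line)
        if p and p["chain"] == "FORWARD" and p["disp"] == "REJECT" and p["in"] == p["out"]:
            flows.add((p["src"], p["dst"], p["proto"], p["dpt"]))
    return sorted(flows)


class Shorewall:
    """Simplified model of /etc/shorewall/{interfaces,hosts,policy}.
    interfaces: iface -> (zone, routeback)
    hosts:      [(zone, iface, network)] in file order; first match wins
    policies:   [(src_zone, dst_zone, POLICY)] in file order; 'all' is a wildcard"""

    def __init__(self, interfaces, hosts, policies):
        self.interfaces = interfaces
        self.hosts = [(z, i, ipaddress.ip_network(n)) for z, i, n in hosts]
        self.policies = policies

    def zone(self, iface, ip):
        addr = ipaddress.ip_address(ip)
        for zone, hiface, net in self.hosts:
            if hiface == iface and addr in net:
                return zone
        return self.interfaces[iface][0]

    def verdict(self, pkt):
        """Return '<chain>:<disposition>' in the style of the Shorewall log prefix."""
        if pkt["in"] == pkt["out"] and not self.interfaces[pkt["in"]][1]:
            # Without 'routeback' no chain exists for eth1 -> eth1, so the packet
            # falls through to the FORWARD chain's final REJECT (the poster's case).
            return "FORWARD:REJECT"
        src = self.zone(pkt["in"], pkt["src"])
        dst = self.zone(pkt["out"], pkt["dst"])
        for s, d, policy in self.policies:
            if s in (src, "all") and d in (dst, "all"):
                return f"{src}2{dst}:{policy}"
        return f"{src}2{dst}:REJECT"


# The poster's layout as described: eth0 is 'net', all of eth1 is 'loc', and
# nothing allows loc to talk back out eth1 (zone names and policies assumed).
ORIGINAL = Shorewall(
    interfaces={"eth0": ("net", False), "eth1": ("loc", False)},
    hosts=[],
    policies=[("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")],
)

# The approach both replies point at: a separate zone ('rem', an assumed name)
# for the LAN behind the Cisco, defined per subnet on eth1, plus 'routeback' so
# eth1 -> eth1 packets reach a zone chain. Roughly these file lines (check the
# exact 1.4.6 syntax against the linked documentation):
#   interfaces:  loc   eth1   detect   routeback
#   hosts:       rem   eth1:192.168.1.0/24
#   policy:      loc   rem    ACCEPT
#                loc   loc    ACCEPT     (Internet traffic handed to the Cisco)
FIXED = Shorewall(
    interfaces={"eth0": ("net", False), "eth1": ("loc", True)},
    hosts=[("rem", "eth1", "192.168.1.0/24")],
    policies=[("loc", "rem", "ACCEPT"), ("loc", "loc", "ACCEPT"), ("loc", "net", "ACCEPT"),
              ("net", "all", "DROP"), ("all", "all", "REJECT")],
)

if __name__ == "__main__":
    print("hairpin rejects:", hairpin_rejects(LOG_LINES))
    for line in LOG_LINES:
        pkt = parse(line)
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt['dpt']}  "
              f"original={ORIGINAL.verdict(pkt)}  fixed={FIXED.verdict(pkt)}")
```

Two caveats worth keeping in mind with this layout: a loc loc ACCEPT policy means the firewall no longer polices anything it forwards back onto the LAN, and once the box forwards a packet back out eth1 to a next hop on the same subnet, Linux by default also sends the client an ICMP redirect (net.ipv4.conf.eth1.send_redirects), so clients that honour redirects will start talking to the Cisco directly and the firewall will stop seeing those flows.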