Luca Maranzano
2003-Nov-21 03:12 UTC
[Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
Hello all,

I've a Debian Box with Shorewall 1.4.6c. The network layout is the following:

                  +-------+
    --TheNet------| Linux |-----------+
              eth0+-------+eth1       |
      [--+---+-----------------------]  Priv LAN
         |                              192.168.2.0/24
         |
      +------+
      |Cisco |------- ISDN LINE
      |Router|       - Internet Backup
      +------+       - To 192.168.1.0/24

- eth0 is the public interface
- eth1 is the private interface
- Clients on the private LAN have the Linux Box as their default gateway

Since the Internet connection is having a lot of trouble, we have set up a simple script on the Linux box which monitors the status of the Internet connection and, in case the line is not working, changes the default gateway of the Linux Box to be the Cisco Router, which is responsible for establishing the Internet backup connection via the ISDN line. Via the Cisco Router the clients also need to connect via ISDN to a remote LAN, 192.168.1.0/24.

The problem we are having is that Shorewall drops packets coming from clients, entering eth1 and then going out from the same eth1.

For example, if a client tries to ping the remote IP 192.168.2.11 (which must be routed to the Cisco via ISDN), we get the following messages:

Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14848 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15104 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15360 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15616 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0

Besides, when the Internet line goes down, Internet traffic flows to the Linux Box on eth1 and is then redirected to the Cisco Box, so we'll have lots of packets with source IP=192.168.2.* and destination IP=any, and I suppose Shorewall will REJECT them similarly (I've no example logging about this till now).

How can I configure Shorewall to permit this kind of traffic?

I know that the perfect solution would be not to have the Linux Box as the default gateway, but we cannot do it in other ways :-) because of some other constraints.

Let me know if you need more config details.

Thank you very much for your help.

Regards,
Luca
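The log lines above carry the whole diagnosis in two fields: IN=eth1 and OUT=eth1. The packet arrived on the private interface, the routing decision sent it back out of that same interface (towards the Cisco, which sits on the same LAN), and Shorewall treats that as loc-to-loc forwarding that nothing has allowed, so the FORWARD chain rejects it. The following Python script is an added example, not part of the post or of Shorewall itself: it parses Shorewall log lines, picks out exactly these same-interface ("hairpin") rejects and counts them per flow, which is the quick check to run before touching the firewall configuration. The first four sample lines are the ones quoted in the post; the last two are constructed here (one with a syslog prefix showing the Internet-bound case the post anticipates once the default route points at the Cisco, and one ordinary inbound drop that must not be flagged). The parser, the field names it derives and the output format are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input. Lines 1-4 are the FORWARD:REJECT lines quoted in
# the post above. Lines 5-6 are constructed for this example: a hairpin reject
# of Internet-bound traffic with a syslog prefix, and a non-hairpin drop
# (IN=eth0, empty OUT) that the hairpin filter must ignore.
SAMPLE_LOG = """\
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14848 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15104 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15360 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15616 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 21 12:05:01 gw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.2.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF PROTO=UDP SPT=1234 DPT=53 LEN=40
Nov 21 12:05:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields. search() tolerates a syslog prefix before it.
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict of the Shorewall log fields, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value            # e.g. IN=eth1 -> rec["IN"] == "eth1"
        else:
            rec["flags"].append(token)  # bare flags such as DF, SYN, ACK
    return rec


def is_hairpin(rec):
    """True when a forwarded packet leaves on the interface it arrived on."""
    return rec["chain"] == "FORWARD" and bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")


def summarize(log_text):
    """Count rejected/dropped hairpin packets per (interface, src, dst, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_hairpin(rec) or rec["action"] not in ("REJECT", "DROP"):
            continue
        key = (rec["IN"], rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
        counts[key] += 1
    return counts


def report(counts):
    """Render one line per flow, most frequent first."""
    lines = []
    for (ifc, src, dst, proto, dpt), n in counts.most_common():
        lines.append(f"{n:4d}x hairpin on {ifc}: {src} -> {dst} {proto}/{dpt}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run as-is it reports the four TCP/449 rejects from the post as one flow and the constructed DNS flow as another, while the eth0 drop is left out because its IN and OUT differ. In production the same summary over the real log tells you which flows need a loc-to-loc allowance; Shorewall's interface-level knob for this is the routeback option in /etc/shorewall/interfaces together with a policy or rules permitting loc to loc traffic, and the documentation pages linked in the replies below describe the zone layout that goes with it.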
Sascha Knific
2003-Nov-21 04:42 UTC
AW: [Shorewall-users] Forwarding traffic on the same interface (loc ->loc)
http://www.shorewall.net/Documentation.htm#Hosts

See 2.

Regards
Sascha

-------------------------------------------------------
Sascha Knific                 K Systems & Design
Tel. +49-8151-773260          Wittelsbacherstr. 6a
Fax. +49-8151-773262          82319 Starnberg, Germany
Leo +49-8151-773261
WGS84: N57°59,875' E011°20,568'
knific@k-sysdes.net           http://www.k-sysdes.net

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Luca Maranzano
Sent: Friday, 21 November 2003 12:12
To: shorewall-users@lists.shorewall.net
Cc: Stefano e Alberto
Subject: [Shorewall-users] Forwarding traffic on the same interface (loc ->loc)
Tom Eastep
2003-Nov-21 07:24 UTC
[Shorewall-users] Forwarding traffic on the same interface (loc -> loc)
On Fri, 2003-11-21 at 03:11, Luca Maranzano wrote:

> .11 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=15616 DF PROTO=TCP SPT=1031 DPT=449 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Besides when Internet line goes down, internet traffic flows to the
> Linux Box on eth1, then is redirected to the Cisco Box, so we'll have
> lot of packets with source IP=192.168.2.* and destination IP=any, and I
> suppose shorewall will REJECT them similarly (I've no example logging about
> this till now).
>
> How can I configure shorewall to permit this kind of traffic?
>

See http://www.shorewall.net/Multiple_Zones.html.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net