Greetings.

I run an Amateur Radio system (ampr.org) that requires 2 public IPs on a RH 9.0 box. The primary one is 209.52.173.97 and is used for connections to the normal linux system and the usual apps such as web, ssh, smtp, etc. The secondary address is 209.52.173.98 and is routed via a pseudoslip link to the system's ampr address of 44.135.163.21. This setup takes place in the rc.local file attached below.

I originally set up Shorewall using the Quickstart guide single public interface option and it works fantastic except for anything directed to the 209.52.173.98 address.

I am at a loss as to how to set up shorewall to accept connections on 209.52.173.98 and send them through to the ampr.org app.

More info on my unique config below...

Ifconfig
*********************
[root@linux root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:60:08:91:55:8F
          inet addr:209.52.173.97  Bcast:209.52.173.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10457145 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3771118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1168344075 (1114.2 Mb)  TX bytes:808832206 (771.3 Mb)
          Interrupt:10 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:954335 (931.9 Kb)  TX bytes:954335 (931.9 Kb)

sl0       Link encap:Serial Line IP
          inet addr:44.135.163.254  P-t-P:44.135.163.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:576  Metric:1
          RX packets:3675390 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2875022 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:689663831 (657.7 Mb)  TX bytes:462929845 (441.4 Mb)

Route
**************************
[root@linux root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.52.173.98   0.0.0.0         255.255.255.255 UH    0      0        0 sl0
44.135.163.21   0.0.0.0         255.255.255.255 UH    0      0        0 sl0
44.135.163.21   0.0.0.0         255.255.255.255 UH    0      0        0 sl0
209.52.173.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         209.52.173.254  0.0.0.0         UG    0      0        0 eth0

Rules
**************************
##############################################################################
#ACTION    SOURCE                                DEST   PROTO  DEST         SOURCE   ORIGINAL  RATE   USER/
#                                                              PORT         PORT(S)  DEST      LIMIT  GROUP
ACCEPT     net                                   fw     icmp   8
ACCEPT     fw                                    net    icmp
AllowSSH   net:208.181.211.253,216.232.104.112   fw
AllowWeb   net                                   fw
AllowSMTP  net                                   fw
AllowNTP   net                                   fw
#IRLP ports
ACCEPT     net                                   fw     tcp    15425:15427
ACCEPT     net                                   fw     udp    2074:2093
#TNOS ports
ACCEPT     net                                   fw     udp    53
ACCEPT     net                                   fw     udp    93:94
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones
***************************
##############################################################################
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect       routefilter,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

interfaces and policy files are both at default

rc.local
*************************
# Setup for TNOS/Linux gateway
#
# 44.135.163.21 is the TNOS ampr IP address (gw.ve7tsi.ampr.org)
# 209.52.173.98 is the TNOS internet IP address (gw.ve7tsi.ocis.net)
# 44.135.163.254 is the linux box's AMPR IP address (linux.ve7tsi.ampr.org)
# 209.52.173.97 is the linux box's internet IP address (linux.ve7tsi.ocis.net)

echo Loading IP-IP module...
modprobe ipip

echo Initiating SLIP connection to TNOS/Linux...
slattach -s 38400 -p slip /dev/ptypf &
sleep 2
ifconfig sl0 44.135.163.254 up
ifconfig sl0 broadcast 44.255.255.255 pointopoint 44.135.163.21\
mtu 576 44.135.163.254

#set up route to gw.ve7tsi.ampr.org
/sbin/route add 44.135.163.21 sl0

#route to linux.ve7tsi.ocis.net
/sbin/route add 209.52.173.98 sl0
arp -s 209.52.173.98 00:60:08:91:55:8f pub

Any suggestions appreciated.

TIA
-Rob-

Rob Dover
mailto:rdover'at'bclc.com
"If you listen on a quiet night, you can hear the sound of an NT Server reboot".

"THIS TRANSMISSION IS INTENDED ONLY FOR THE ADDRESSEE. IT MAY CONTAIN PRIVILEGED OR CONFIDENTIAL INFORMATION. ANY UNAUTHORIZED DISCLOSURE IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS TRANSMISSION IN ERROR, PLEASE NOTIFY US IMMEDIATELY SO THAT WE MAY CORRECT OUR TRANSMISSION. PLEASE DESTROY THE ORIGINAL. THANK YOU."
Rob Dover wrote:

> Greetings.
>
> I run an Amateur Radio system (ampr.org) that requires 2 public IPs on a RH 9.0 box. The primary one is 209.52.173.97 and is used for connections to the normal linux system and the usual apps such as web, ssh, smtp, etc. The secondary address is 209.52.173.98 and is routed via a pseudoslip link to the system's ampr address of 44.135.163.21. This setup takes place in the rc.local file attached below.
>
> I originally set up Shorewall using the Quickstart guide single public interface option and it works fantastic except for anything directed to the 209.52.173.98 address.
>
> I am at a loss as to how to set up shorewall to accept connections on 209.52.173.98 and send them through to the ampr.org app.

We are too until you tell us what your requirements are:

a) What are the firewalling requirements between your firewall and ampr.org?

b) What are the firewalling requirements between your local network and ampr.org?

c) What are the firewalling requirements between the internet and ampr.org

d) What do you mean by "accept connections on 209.52.193.98 and send them through to ampr.org"? Are you talking about port forwarding?

f) What routes if any does ampr.org have back to your network? Back through your network?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Rob Dover wrote:
>> Greetings.
>> I run an Amateur Radio system (ampr.org) that requires 2 public IPs on a RH 9.0 box. The primary one is 209.52.173.97 and is used for connections to the normal linux system and the usual apps such as web, ssh, smtp, etc. The secondary address is 209.52.173.98 and is routed via a pseudoslip link to the system's ampr address of 44.135.163.21. This setup takes place in the rc.local file attached below.
>> I originally set up Shorewall using the Quickstart guide single public interface option and it works fantastic except for anything directed to the 209.52.173.98 address.
>> I am at a loss as to how to set up shorewall to accept connections on 209.52.173.98 and send them through to the ampr.org app.

Sorry, I probably should have defined ampr.org better. My system is one of many AMateur Packet Radio systems that collectively make up the ampr.org domain (the A class network; 44.). As the 44. network is not always routed on the internet we use encapsulation to get from one ampr.org machine to another. My system's ampr.org name is ve7tsi.ampr.org and its ampr IP 44.135.163.21. It uses the 209.52.173.98 address for this encapsulation. The actual app that is using 44.135.163.21 is called TNOS. This is all in parallel with its normal identity of linux.ve7tsi.ocis.net 209.52.173.97. All the same box :-)

> We are too until you tell us what your requirements are:
>
> a) What are the firewalling requirements between your firewall and ampr.org?

If you are referring to the ampr.org network, none. If you are referring to the TNOS app, none yet.

> b) What are the firewalling requirements between your local network and ampr.org?

There really isn't a local network except the virtual link between 209.52.173.98 and 44.135.163.21

> c) What are the firewalling requirements between the internet and ampr.org

I need to have all incoming packets to 209.52.173.98 passed through to the TNOS application. Any source IP, any port. Don't really need any firewalling here, at least not yet. Likewise any outgoing packets following the reverse path.

> d) What do you mean by "accept connections on 209.52.193.98 and send them through to ampr.org"? Are you talking about port forwarding?

See above

> f) What routes if any does ampr.org have back to your network? Back through your network?

Not sure what you mean here. I am not totally sure how it all works myself except there seems to be a route set up in the rc.local file to forward packets back and forth between 209.52.173.98 and 44.135.163.21 via a pseudo slip link.

I have used RedHat's Lokkit (ugh!) utility to give me some protection and it does work, but I don't get nearly the control I need.

HTH

Thanks for your time.

-Rob-
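The requirement Rob states above (everything sent to 209.52.173.98 must be forwarded over sl0 to TNOS, and TNOS replies must get back out) means the traffic crosses the box's FORWARD path, which the single-interface Quickstart setup never opens because sl0 belongs to no zone. The following sketch is an added illustration, not a reply from the list or Tom's answer; it assumes Shorewall 1.4-era file layouts (the ZONE/INTERFACE/BROADCAST/OPTIONS table shown under "zones" in the first message is the interfaces file layout, and the rules header matches the one quoted there), and the zone name tnos and the decision to forward only to the .98 address are assumptions.

```text
# /etc/shorewall/zones  (assumed layout: ZONE  DISPLAY  COMMENTS)
net     Net     Internet
tnos    TNOS    TNOS reached over the pseudo-SLIP link (sl0)

# /etc/shorewall/interfaces
# sl0 is point-to-point, so it has no broadcast address ("-")
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
tnos    sl0         -

# /etc/shorewall/policy  (Quickstart defaults plus one tnos line)
# fw<->tnos is deliberately left at the catch-all REJECT: Rob has
# stated no requirement there yet, and the log entries will show
# what TNOS and the box try to say to each other.
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
tnos      net    ACCEPT                 # TNOS replies and its own outbound traffic
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (insert before the LAST LINE marker)
# No PROTO or port given: any protocol (including the IP-in-IP
# encapsulation other ampr.org gateways send) and any port, but only
# when the destination is the TNOS internet address, so nothing else
# behind sl0 becomes reachable by accident.
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
ACCEPT    net      tnos:209.52.173.98

# /etc/shorewall/shorewall.conf
# The forwarding itself is a kernel setting; Shorewall manages it here.
IP_FORWARDING=On
```

Run "shorewall check" before "shorewall restart" so a column or zone-name mistake is caught before the running ruleset is replaced.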