(I'm not a member of the list at the moment so please answer this e-mail CC to my personal address. Thank you all)

I am part of a community network in Buenos Aires and I'm now trying to set up a bridge between my local net and the community net.
The problem is that apart from the bridge between these I need to share an internet connection and the cable modem assigns me a public IP, which of course can't be part of the bridge.

So I need to route traffic from the bridge to the internet, but I can't figure out how to do it.

One option would be to use two boxes, one for the bridge and another one for the router, but I'd like to do it all in one box if that's possible.

Any ideas of how this could be achieved?

I thank you all in advance.

Nicolás Echániz
BuenosAiresLibre.org webmaster
Nicolás Echániz wrote:
| (I'm not a member of the list at the moment so please answer this e-mail
| CC to my personal address. Thank you all)
|
| I am part of a community network in Buenos Aires and I'm now trying to
| set up a bridge between my local net and the community net.
| The problem is that apart from the bridge between these I need to share
| an internet connection and the cable modem assigns me a public IP, which
| of course can't be part of the bridge.
|
| So I need to route traffic from the bridge to the internet, but I can't
| figure out how to do it.
|
| One option would be to use two boxes, one for the bridge and another one
| for the router, but I'd like to do it all in one box if that's possible.
|
| Any ideas of how this could be achieved?
|

Assume br0 bridges eth1 (local) and eth2 (community) and that eth0 goes to the internet.

Then simply set up the two-interface firewall (http://shorewall.net/two-interface.htm) with br0 as the local interface and eth0 as the internet interface.

The only non-standard item required is to set 'routeback' on br0 in /etc/shorewall/interfaces.

If you want to firewall the local and community networks from each other, you will have to split 'loc' into two zones but that's easy to do; see http://shorewall.net/bridge.htm.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom,

Thanks for your prompt reply. Just one more thing.
On the local and community nets can I set the default gateway for the machines to the IP of br0? I thought that IP was only useful to control the firewall, but not for routing matters.

My two cents.
Maybe you could add this to the documentation. On document: http://shorewall.net/bridge.html

Where it says:
"While it is not a requirement to give the bridge an IP address, doing so allows the bridge/firewall to access other systems and allows the bridge/firewall to be managed remotely. The bridge must also have an IP address for REJECT rules and policies to work correctly — otherwise REJECT behaves the same as DROP."

You could add something like:
"Giving the bridge an IP address is also required if you are planning to route from the bridged network/s to another one, i.e. the Internet. In which case you will also need to set 'routeback' on br0 in /etc/shorewall/interfaces."

or something similar but in better English :)

Anyway, thanks again for your help. I'll be setting this up today.

Nico.
Nicolás Echániz wrote:
| Tom,
|
| Thanks for your prompt reply. Just one more thing.
| On the local and community nets can I set the default gateway for the
| machines to the IP of br0? I thought that IP was only useful to control
| the firewall, but not for routing matters.

Yes -- you can use the bridge IP address as the default gateway.

|
| My two cents.
| Maybe you could add this to the documentation. On document:
| http://shorewall.net/bridge.html
|
| Where it says:
| "While it is not a requirement to give the bridge an IP address, doing
| so allows the bridge/firewall to access other systems and allows the
| bridge/firewall to be managed remotely. The bridge must also have an IP
| address for REJECT rules and policies to work correctly — otherwise
| REJECT behaves the same as DROP."
|
| You could add something like:
| "Giving the bridge an IP address is also required if you are planning to
| route from the bridged network/s to another one, i.e. the Internet. In
| which case you will also need to set 'routeback' on br0 in
| /etc/shorewall/interfaces."
|

Ok

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom and all.

(First, I remind you that I am not a member of the list, so please reply with CC to me. Thank you)

I've done as you told me and the bridge has worked fine as long as I don't try to split local and community zones.

This is my interfaces file:

    #ZONE   INTERFACE   BROADCAST    OPTIONS
    -       br0         10.4.10.31   routefilter
    net     eth0        detect

And this is my hosts file:

    #ZONE   HOSTS       OPTIONS
    loc     br0:eth1
    bal     br0:eth2

bal is the community zone (BuenosAiresLibre)

The problem is that when shorewall starts I get this error:

    iptables v1.2.8: host/network 'eth1' not found

which I've come to understand has to do with my declaring br0:eth1 and br0:eth2 in the hosts file.
If I replace eth1 with the actual subnet (10.4.10.0/27) it stops complaining, but of course my rules and policies don't work because the firewall doesn't know which physical interface is connected to which zone.

I tried shorewall debug start and the process stops for a long time after this:

    + eval chain=$net2loc_policychain
    + chain=net2all
    + [ -n net2all ]
    + echo net2all
    + return
    + chain=net2all
    + echo net loc net2all
    + [ net = loc ]
    + routeback
    + interface=eth0
    + [ -n ]
    + forward_chain eth0
    + chain_base eth0
    + local c=eth0
    + echo eth0
    + echo eth0_fwd
    + chain1=eth0_fwd
    + interface=br0
    + subnet=eth1                  <----- I think this is the problem
    + [ eth0:0.0.0.0/0 != br0:eth1 ]
    + run_iptables -A eh0_fwd -o br0 -d eth1 -j net2all
    + iptables -A eth0_fwd -o br0 -d eth1 -j net2all

I've tried to solve this on my own, but I'm stuck now and don't know what else to try.

I hope you can figure it out.
I'll be waiting for your reply :)

Thank you once again,

Nicolás Echániz

Ps: I'm using Bering 1.2
Nicolás Echániz wrote:
|
| This is my interfaces file:
| #ZONE   INTERFACE   BROADCAST    OPTIONS
| -       br0         10.4.10.31   routefilter
| net     eth0        detect
|
| And this is my hosts file:
| #ZONE   HOSTS       OPTIONS
| loc     br0:eth1
| bal     br0:eth2
|
| bal is the community zone (BuenosAiresLibre)
|
| The problem is that when shorewall starts I get this error:
| iptables v1.2.8: host/network 'eth1' not found
|
| which I've come to understand has to do with my declaring br0:eth1 and
| br0:eth2 in the hosts file.
| If I replace eth1 with the actual subnet (10.4.10.0/27) it stops
| complaining, but of course my rules and policies don't work because the
| firewall doesn't know which physical interface is connected to which zone.
|
| I tried shorewall debug start and the process stops for a long time
| after this:
| + eval chain=$net2loc_policychain
| + chain=net2all
| + [ -n net2all ]
| + echo net2all
| + return
| + chain=net2all
| + echo net loc net2all
| + [ net = loc ]
| + routeback
| + interface=eth0
| + [ -n ]
| + forward_chain eth0
| + chain_base eth0
| + local c=eth0
| + echo eth0
| + echo eth0_fwd
| + chain1=eth0_fwd
| + interface=br0
| + subnet=eth1                  <----- I think this is the problem
| + [ eth0:0.0.0.0/0 != br0:eth1 ]
| + run_iptables -A eh0_fwd -o br0 -d eth1 -j net2all
| + iptables -A eth0_fwd -o br0 -d eth1 -j net2all
|
|
| I've tried to solve this on my own, but I'm stuck now and don't know
| what else to try.
|
| I hope you can figure it out.
| I'll be waiting for your reply :)

What version of Shorewall are you running? Looks like it doesn't support Bridge/Firewall. If you think your version should contain that support, then send the entire trace because a few lines from the end of the trace are useless to me.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom and all.

After you asked about what version I was using, I checked the Bering distro and found that it was not updated to shorewall 2.x, so I decided to move to Bering-uClibc, which seems to be more up to date.

I installed it and configured everything according to your instructions, but I was still unable to get shorewall to start in this kind of configuration.
It failed with error: "No chain/target/match by that name"

I kept googling for info till I found this page (in Spanish): http://www.aconcagua.cl/wordpress/

The guy had been trying to do something similar to what I'm doing for a while without success, till he found out that Bering and Bering-uClib don't load the ipt_physdev module by default, and don't have them on the boot disk image.
He installed and loaded the module, and it worked.

So I did the same thing, looked for the module inside the modules file Bering-uClibc_2.2.0_modules_2.4.26.tar.gz.
Found it at /2.4.26/kernel/net/ipv4/netfilter/

I added to /etc/modules the line ipt_phys, rebooted and it worked like a charm.

Well. I hope this helps other guys with the same problem.

Tom, maybe you could add a note to your http://shorewall.net/bridge.html document warning Bering and Bering-uclib users about this issue.

I'm writing a howto for other fellows in my community network. It will be available at: http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall
It's in Spanish but if you think it would be helpful if I wrote an English version as well, I will.

Thanks for your help and for developing Shorewall, it's a great product.

Best regards,

Nicolás Echániz
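As an added example (not code from the thread, from Nicolás's howto, or from the Shorewall project), a small POSIX shell checker for the two points this thread settled: the bridge that /etc/shorewall/hosts splits into per-port zones (br0:eth1, br0:eth2) must carry 'routeback' in /etc/shorewall/interfaces, and the ipt_physdev module must be loaded or iptables cannot match on bridge ports. The function names are made up here, the sample files in demo() are constructed copies of the thread's configuration, and the Shorewall 2.x column layout shown in the thread is assumed.

```shell
# Added example, not code from the thread or from Shorewall itself.
# Assumes the Shorewall 2.x column layout shown in the thread:
#   /etc/shorewall/interfaces : ZONE INTERFACE BROADCAST OPTIONS
#   /etc/shorewall/hosts      : ZONE HOSTS OPTIONS   (HOSTS may be br0:eth1)
# Function names are made up here; the sample files in demo() are constructed.

# List every bridge that the hosts file splits into per-port zones (brX:port).
bridges_in_hosts() {            # $1 = hosts file
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { print $2 }' |
        grep ':' | cut -d: -f1 | sort -u
}

# Succeed only if each such bridge carries 'routeback' in its OPTIONS column,
# the one non-standard setting Tom said this bridge/router setup needs.
check_routeback() {             # $1 = interfaces file, $2 = hosts file
    rc=0
    for br in $(bridges_in_hosts "$2"); do
        if ! grep -v '^[[:space:]]*#' "$1" |
             awk -v b="$br" '$2 == b && $4 ~ /(^|,)routeback(,|$)/ { f = 1 } END { exit !f }'
        then
            echo "bridge $br is zoned per port in hosts but lacks 'routeback' in interfaces"
            rc=1
        fi
    done
    return $rc
}

# Succeed only if the physdev match is loaded; without it iptables fails with
# "No chain/target/match by that name" on Bering, as the thread found.
check_physdev() {               # $1 = module list (defaults to /proc/modules)
    grep -q '^ipt_physdev ' "${1:-/proc/modules}" 2>/dev/null
}

# Demo on constructed copies of the thread's configuration files.
demo() {
    d=$(mktemp -d)
    printf '#ZONE INTERFACE BROADCAST OPTIONS\n- br0 10.4.10.31 routefilter,routeback\nnet eth0 detect\n' > "$d/interfaces"
    printf '#ZONE HOSTS OPTIONS\nloc br0:eth1\nbal br0:eth2\n' > "$d/hosts"
    if check_routeback "$d/interfaces" "$d/hosts"; then echo "routeback: ok"; fi
    if check_physdev; then echo "physdev: loaded"; else echo "physdev: add ipt_physdev to /etc/modules"; fi
    rm -rf "$d"
}
demo
```

Run it on the box before 'shorewall start'; a failing check_physdev on a Bering image is the symptom Nicolás hit, and the fix is loading the module from the modules tarball as he describes.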
Nicolás Echániz wrote:
|
| I kept googling for info till I found this page (in Spanish)
| http://www.aconcagua.cl/wordpress/
|
| The guy had been trying to do something similar to what I'm doing for a
| while without success, till he found out that Bering and Bering-uClib
| don't load the ipt_physdev module by default, and don't have them on the
| boot disk image.
| He installed and loaded the module, and it worked.
|
| So I did the same thing, looked for the module inside the modules file
| Bering-uClibc_2.2.0_modules_2.4.26.tar.gz.
| Found it at /2.4.26/kernel/net/ipv4/netfilter/
|
| I added to /etc/modules the line ipt_phys, rebooted and it worked like a
| charm.
|
| Well. I hope this helps other guys with the same problem.
|
| Tom, maybe you could add a note to your http://shorewall.net/bridge.html
| document warning Bering and Bering-uclib users about this issue.

I've added what I hope is enough to help Bering* users -- see http://shorewall.net/bridge.html.

|
| I'm writing a howto for other fellows in my community network. It will
| be available at: http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall
| It's in Spanish but if you think it would be helpful if I wrote an
| English version as well, I will.

I am always happy to link to well-written and accurate articles.

|
| Thanks for your help and for developing Shorewall, it's a great product.
|

You are welcome and thank you for offering to contribute.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom, in case you would like to link to it, the Spanish version of the howto is already available at: http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall

I'll let you know when I have the translation ready.

Nico.
Nicolás Echániz wrote:
| Tom, in case you would like to link to it, the Spanish version of the
| howto is already available at:
| http://wiki.buenosaireslibre.org/HowTos_2fBridgedFirewall
|

Thanks -- I've added a link from the Shorewall Bridging page.

| I'll let you know when I have the translation ready.
|

Many thanks.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key