Brooke Bertling
2004-Oct-28 21:05 UTC
2 external IPs on one nic in addition to the regular DMZ and loc nics
I did some looking on the mailing list archives and can't seem to find exactly what I need. I'm also having trouble figuring this out on my own, so if anyone has any advice, tips, whatever, that would be great.

I've got a machine with 3 network cards in it: one for a DMZ (with 3 machines on a switch, each with a real IP address), one for the local network on 10.1.x.x, and then one for the external connection. Now, if I had one internet connection this would be very straightforward in my opinion, but here's the twist.

On my external interface, I have 2 different IP addresses on totally different subnets. I'd like to assign eth0 and eth0:1 so that traffic from the DMZ (on eth1) goes out of eth0:1 and traffic from the loc (on eth2) goes out eth0 proper. I'm not a fan of the way this works, but this is how our ISP sets things up, so I have 5 IP addresses on one subnet using one gateway, and 5 on another. The eth0:1 and all DMZ machines use one subnet and that gateway, while the subnet for eth0 and the other external machines that don't apply use the other subnet.

I tried setting up my masq file as

eth0     10.1.0.0/16
eth0:1   10.2.1.0/24

and then my nat file as this, so that the real IP (which I've listed as IP.DMZ.blah.blah) is mapped to the internal DMZ 10.2 network:

IP.DMZ1.blah.blah   eth0:1   10.2.1.235   yes   yes
IP.DMZ2.blah.blah   eth0:1   10.2.1.236   yes   yes
IP.DMZ3.blah.blah   eth0:1   10.2.1.237   yes   yes

Here's what I can and can't do. I've set up my rules so that I can get to the dmz1 machine, but when I'm on that machine, I can't get anywhere past the firewall. I can ping the 10.2 address(es), I can even ping the eth0 and eth0:1 addresses, but I can't get past that. I added these to the policy file, hoping to find that I had simply made a rule typo, but this still didn't help:

dmz   fw    ACCEPT
dmz   net   ACCEPT

Any advice? Am I on the right track with this setup, or is my design flawed?

thanks in advance,
Brooke
Brooke Bertling
2004-Oct-28 21:07 UTC
2 external IPs on one nic in addition to the regular DMZ and loc nics
I did some looking on the mailing list archives and can't seem to find exactly what I need. I'm also having trouble figuring this out on my own, so if anyone has any advice, tips, whatever, that would be great.

I've got a machine with 3 network cards in it: one for a DMZ (with 3 machines on a switch, each with a real IP address), one for the local network on 10.1.x.x, and then one for the external connection. Now, if I had one internet connection this would be very straightforward in my opinion, but here's the twist.

On my external interface, I have 2 different IP addresses on totally different subnets. I'd like to assign eth0 and eth0:1 so that traffic from the DMZ (on eth1) goes out of eth0:1 and traffic from the loc (on eth2) goes out eth0 proper. I'm not a fan of the way this works, but this is how our ISP sets things up, so I have 5 IP addresses on one subnet using one gateway, and 5 on another. The eth0:1 and all DMZ machines use one subnet and that gateway, while the subnet for eth0 and the other external machines that don't apply use the other subnet.

I tried setting up my masq file as

eth0     10.1.0.0/16
eth0:1   10.2.1.0/24

and then my nat file as this, so that the real IP (which I've listed as IP.DMZ.blah.blah) is mapped to the internal DMZ 10.2 network:

IP.DMZ1.blah.blah   eth0:1   10.2.1.235   yes   yes
IP.DMZ2.blah.blah   eth0:1   10.2.1.236   yes   yes
IP.DMZ3.blah.blah   eth0:1   10.2.1.237   yes   yes

Here's what I can and can't do. I've set up my rules so that I can get to the dmz1 machine from allowed internet-side IPs, but when I'm on the DMZ1 machine, I can't get anywhere past the gateway address that the firewall uses. I can ping the 10.2 address(es), I can even ping the eth0 and eth0:1 addresses, I can ping the gw addresses for eth0 and eth0:1, but I can't get past that. I don't see anything being rejected in the logs when I attempt this. I added these to the policy file, hoping to find that I had simply made a rule typo, but this still didn't help:

dmz   fw    ACCEPT
dmz   net   ACCEPT

Any advice? Am I on the right track with this setup, or is my design flawed?

thanks in advance,
Brooke
Tom Eastep
2004-Oct-28 21:22 UTC
Re: 2 external IPs on one nic in addition to the regular DMZ and loc nics
Brooke Bertling wrote:

> I did some looking on the mailing list archives and can't seem to find
> exactly what I need, I'm also having troubles figuring this out on my
> own, so if anyone has any advice, tips, whatever, that would be great.
>
> I've got a machine with 3 network cards in it, one for a DMZ (with 3
> machines on a switch each with a real IP address), one for the local
> network on a 10.1.x.x and then one for the external connection. Now, if
> I had one internet connection this would be very straight forward in my
> opinion, but here's the twist.
>
> On my external interface, I have 2 different IP addresses on totally
> different subnets. I'd like to assign eth0 and eth0:1 so that traffic
> from the DMZ (on eth1) goes out of eth0:1 and traffic from the loc(on
> eth2) goes out eth0 proper.

That's fine but it has almost nothing to do with Shorewall -- that is a routing problem that is best approached by reading the LARTC HowTo (http://ds9a.nl/lartc). Shorewall FAQ #32 (http://shorewall.net/FAQ.htm#faq32) may also help but the answer to that FAQ is largely copied from the LARTC HowTo.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2004-Oct-29 14:44 UTC
Re: 2 external IPs on one nic in addition to the regular DMZ and loc nics
Here's some more input.

Brooke Bertling wrote:

> another.
>
> the eth0:1 and all dmz machines use one subnet and that gateway while
> the subnet for eth0 the other external machines that don't apply use the
> other subnet.

And I assume that there is a second gateway involved there -- that is why I wrote that this is a routing problem more than a Shorewall problem. Nevertheless, there are problems with your Shorewall setup also:

> I tried setting up my masq file as
> eth0 10.1.0.0/16
> eth0:1 10.2.1.0/24

Please read the comments at the top of the 'masq' file AND http://shorewall.net/Shorewall_and_Aliased_Interfaces.html. The above isn't doing what you think it is doing. If you have already added eth0:1 then what you want is:

eth0 10.1.0.0/16 <external IP 1>
eth0 10.2.1.0/24 <external IP 2>

> and then my nat file as this so that the real IP (which I've listed as
> IP.DMZ.blah blah) is mapped to the internal DMZ 10.2 network
> IP.DMZ1.blah.blan eth0:1 10.2.1.235 yes yes
> IP.DMZ2.blah.blah eth0:1 10.2.1.236 yes yes
> IP.DMZ3.blah.blah eth0:1 10.2.1.237 yes yes

Unless there are hosts in the DMZ that are not mentioned in the nat file then you don't want both nat and snat. Again, use eth0 rather than eth0:1 (the above reading will have told you why).

Again, you need to get the routing right first before any of this will have any effect.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
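The routing side that Tom says must come first, written out as an added example (this is not code from the thread or from the Shorewall project; it follows the LARTC "routing for multiple uplinks" recipe and the masq entries Tom gives above). The script emits the ip(8) policy-routing commands for two gateways on one NIC, plus the masq and nat file contents with eth0 instead of eth0:1. All public addresses are assumptions taken from the RFC 5737 documentation ranges, eth0:1 is assumed to be configured already as in Brooke's post, and the DMZ hosts' public addresses 198.51.100.11 to .13 are placeholders. It also covers the case Tom's answer does not spell out: without "to <internal net>" rules ahead of the "from <internal net>" rules, traffic from the DMZ to loc would be sent to the ISP gateway instead of across eth2.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from the
# Shorewall project. Generates LARTC-style policy-routing commands and the
# Shorewall masq/nat entries for: one external NIC (eth0) carrying two
# addresses on two ISP subnets, each with its own gateway; loc (10.1.0.0/16
# behind eth2) leaves via the first address and gateway, the DMZ (10.2.1.0/24
# behind eth1) via the second.
#
# Every public address below is an assumption (RFC 5737 documentation ranges);
# replace them with the real ones. eth0:1 is assumed to exist already.

EXT_IF=eth0
EXT1_IP=192.0.2.10;    EXT1_NET=192.0.2.0/24;    EXT1_GW=192.0.2.1
EXT2_IP=198.51.100.10; EXT2_NET=198.51.100.0/24; EXT2_GW=198.51.100.1
LOC_NET=10.1.0.0/16
DMZ_NET=10.2.1.0/24

# Tables are referenced by number, so /etc/iproute2/rt_tables needs no edit.
# Rule preference matters: the "to <internal net> -> main" rules (pref 100)
# must be consulted before the "from <internal net>" rules (pref 300), or
# DMZ-to-loc packets would be routed to the ISP gateway instead of eth2.
# The lookup happens on the pre-SNAT source, so the 10.x "from" rules still
# apply once Shorewall masquerades or 1:1-NATs the packets in POSTROUTING.
routing_commands() {
    cat <<EOF
ip route add $EXT1_NET dev $EXT_IF src $EXT1_IP table 1
ip route add default via $EXT1_GW dev $EXT_IF table 1
ip route add $EXT2_NET dev $EXT_IF src $EXT2_IP table 2
ip route add default via $EXT2_GW dev $EXT_IF table 2
ip rule add pref 100 to $LOC_NET table main
ip rule add pref 100 to $DMZ_NET table main
ip rule add pref 200 from $EXT1_IP table 1
ip rule add pref 200 from $EXT2_IP table 2
ip rule add pref 300 from $LOC_NET table 1
ip rule add pref 300 from $DMZ_NET table 2
ip route replace default via $EXT1_GW dev $EXT_IF
ip route flush cache
EOF
}

# /etc/shorewall/masq: only loc is masqueraded, behind the first external
# address. Use eth0 (not eth0:1) and fill the ADDRESS column. A second line
# "eth0  10.2.1.0/24  198.51.100.10" is only needed for DMZ hosts that have
# no nat entry, per Tom's remark about not wanting both nat and snat.
shorewall_masq() {
    printf '#INTERFACE SUBNET          ADDRESS\n'
    printf '%-10s %-15s %s\n' "$EXT_IF" "$LOC_NET" "$EXT1_IP"
}

# /etc/shorewall/nat: one-to-one NAT for the DMZ hosts, again on eth0 rather
# than eth0:1. The assumed external addresses must be present on eth0 so the
# ISP router can ARP for them; ADD_IP_ALIASES=Yes in shorewall.conf does that.
shorewall_nat() {
    printf '#EXTERNAL      INTERFACE INTERNAL   ALL_INTERFACES LOCAL\n'
    i=0
    for host in 10.2.1.235 10.2.1.236 10.2.1.237; do
        i=$((i + 1))
        printf '%-14s %-9s %-10s %-14s %s\n' "198.51.100.1$i" "$EXT_IF" "$host" yes yes
    done
}

case "${1:-show}" in
    apply) routing_commands | sh -e ;;   # run as root, then "shorewall restart"
    *)     routing_commands; echo; shorewall_masq; echo; shorewall_nat ;;
esac
```

Run it without arguments to review the commands and the two file fragments; "apply" executes the routing commands (as root) and is meant to be followed by a Shorewall restart. Check the result with "ip rule show" and "ip route show table 2", then test from a DMZ host with traceroute: the first hop should be the second ISP gateway for internet destinations and the firewall's eth1 address for 10.1.x.x destinations.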
Hey guys, I was wondering if it is possible, or if you guys know of a howto that would allow me to do the following.

I have 2 DSL connections with different same provider. I was wondering if it would be possible somehow (which at the moment seems over my head) to have these connections work as 1 connection, which in theory would double your upload/download. Has anybody come up with a technique to do this?

I know this involves some DNS tricks for what I'm looking to do, but I'm more concerned with the physical aspect at the moment, assuming this is even possible.

A FAQ would be helpful if you guys can point me to one.
check out http://lists.shorewall.net/pipermail/shorewall-users/2002-September/002717.html

Nick Sklav wrote:

> Hey guys i was wondering if it is possible or if you guys now of a howto
> that would allow me to do the following.
>
> I have 2 dsl connections with different same provider i was wondering if
> it would be possible somehow which at the moment seems over my head to
> have these connection work as 1 connection which in theory would double
> your Upload /Download has anybody come up with a technique to do this?
>
> I know this involves some dns tricks for what im looking to do but im
> more concerned with the physical aspect at the moment assuming this is
> even possible.
>
> FAQ would be helpfull if you guys can point me to one.
On Fri, 2004-10-29 at 14:35, Todd Johnson wrote:

> check out http://lists.shorewall.net/pipermail/shorewall-users/2002-September/002717.html
>
> Nick Sklav wrote:
>
> > Hey guys i was wondering if it is possible or if you guys now of a howto
> > that would allow me to do the following.
> >
> > I have 2 dsl connections with different same provider i was wondering if
> > it would be possible somehow which at the moment seems over my head to
> > have these connection work as 1 connection which in theory would double
> > your Upload /Download has anybody come up with a technique to do this?
> >
> > I know this involves some dns tricks for what im looking to do but im
> > more concerned with the physical aspect at the moment assuming this is
> > even possible.
> >
> > FAQ would be helpfull if you guys can point me to one.

The URL seems to be exactly what I was looking for. Thank you.
If a firewall has two outgoing routes, how do I do masq. for local net users?

On Fri, 29 Oct 2004 13:35:07 -0500, Todd Johnson <todd@toddejohnson.net> wrote:

> check out http://lists.shorewall.net/pipermail/shorewall-users/2002-September/002717.html
>
> Nick Sklav wrote:
>
> > Hey guys i was wondering if it is possible or if you guys now of a howto
> > that would allow me to do the following.
> >
> > I have 2 dsl connections with different same provider i was wondering if
> > it would be possible somehow which at the moment seems over my head to
> > have these connection work as 1 connection which in theory would double
> > your Upload /Download has anybody come up with a technique to do this?
> >
> > I know this involves some dns tricks for what im looking to do but im
> > more concerned with the physical aspect at the moment assuming this is
> > even possible.
> >
> > FAQ would be helpfull if you guys can point me to one.
Adrian Mak wrote:

> If a firewall has two outgoing routes, how do I do masq. for local net users?

If you want to use the second route for backup or want to load-balance, see FAQ 32. The original poster on this thread had two routes out the same interface and wanted to split the traffic -- please see my second response in which I gave the two masq entries required.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key