Hello,

I'm looking at implementing a direct IP routing system, between clients on one interface, and my upstream on another.

I have eth0 - which has the IPs 192.168.0.143 to 192.168.0.157 (client IPs) routed to it, and tun0, which has clients with matching IP addresses. I want to route connections to (and from) these IPs to my upstream, using the following:
interfaces file:

# ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
vpn tun0 detect
proxyarp file:

# ADDRESS INTERFACE EXTERNAL
# client1
192.168.0.143 tun0 eth0
# client2
192.168.0.144 tun0 eth0
---etc---
rules file:

# client1
ACCEPT net vpn:192.168.0.143 all
ACCEPT vpn:192.168.0.143 net all
# client2
ACCEPT net vpn:192.168.0.144 all
ACCEPT vpn:192.168.0.144 net all
---etc---
The IP addresses set up at the moment are: (please note, these are actually public internet-accessible IPs, so these are 'imaginary')
eth0 Link encap:Ethernet HWaddr ---removed---
inet addr:192.168.0.233 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: -----------removed---------- Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:628147 errors:0 dropped:0 overruns:0 frame:0
TX packets:437483 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:84702001 (80.7 MiB) TX bytes:482568636 (460.2 MiB)
Interrupt:12 Base address:0xdc00
eth0:0 Link encap:Ethernet HWaddr 00:0A:E6:A6:84:9B
inet addr:192.168.0.143 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:12 Base address:0xdc00
---etc---
eth0:15 Link encap:Ethernet HWaddr 00:0A:E6:A6:84:9B
inet addr:192.168.0.157 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:12 Base address:0xdc00
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.233 P-t-P:192.168.0.233 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Now - my question is this: is this the correct way of setting up a plain IP router?

From what I understand, clients need to have their 'default gateway' set as the IP address of the router - 192.168.0.233, correct? Then, when the Shorewall machine receives a new connection destined for the Internet from 192.168.0.143, it sees it matches its ACCEPT rule in the rules file, and forwards it on. Then, for packets/connections/etc coming back in, it sees it's destined for 192.168.0.143, so forwards it on (proxyarp rule) as it matches the entry in the rules file (ACCEPT net fw:192.168.0.143)... Is this correct so far?

Long story short, I want to be able to comment out the lines corresponding to each client in the rules file, to 'block' new connections from that user.

Will this work?

Thank you :)

Jan
On Sunday 09 April 2006 16:18, Jan Mulders wrote:
> Hello,
>
> I'm looking at implementing a direct IP routing system, between clients on
> one interface, and my upstream on another.

Jan,

You need to read http://www.shorewall.net/Shorewall_and_Routing.html. From that, you need to take away one concept:

SHOREWALL HAS NOTHING TO DO WITH ROUTING EXCEPT IN TWO CASES:

a) entries in /etc/shorewall/proxyarp with HAVEROUTE No.
b) entries in /etc/shorewall/providers

I truly wish that I had not added ANY routing to Shorewall -- it is the wrong place to do routing.

Except in those two cases, you must set up routing yourself AND you must then configure Shorewall to allow only the traffic you wish to forward. In general, you will only use ACCEPT and DROP/REJECT policies and rules in a routed environment. I recommend disabling Shorewall ("shorewall clear") and getting the traffic forwarding the way you want it. Then and only then do you worry about firewall rules.

If you want your Shorewall box to be the internet gateway for other hosts, then the default gateway for those hosts will generally be set to the IP address of the interface on the Shorewall box through to which the hosts connect. Remember that you need routes in the opposite direction too -- response packets are not like spawning salmon; they don't have a genetic code that allows them to magically return home by themselves.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I've read through the routing doc, and now I understand this a little better! So Shorewall has no effect if no rules match the received packet - and my box will do the specified routing action to the packet according to its routing tables. That makes much more sense. I can cheat and make Shorewall add the routes in by setting haveroute to no, but otherwise it doesn't touch the routing tables.

I've got my system working now, and filtering packets - I set haveroute to no, and had a REJECT policy for net-vpn traffic, then kept the ACCEPT net--vpn:192.168.0.143 rule, and now removing the ACCEPT rule turns on and off new connections to that IP.

Thanks for your explanation. I now understand why IPTables works like it does.

Regards,
Jan
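The "comment out the client's ACCEPT line" approach in the follow-up relies on two things: rules are tried in file order with the first match deciding, and a connection that matches no rule falls through to the zone-pair policy. The following is an added example, not code from the thread or from Shorewall, that models that evaluation over the rules and policy files from the thread with client2's lines commented out. The `vpn net REJECT` and `all all REJECT` policy entries are assumptions (the follow-up only mentions the net-vpn REJECT policy), and the model ignores Shorewall features not used here (logging, the fw zone, macros, extra columns). One caveat the evaluator makes visible: rules are consulted for NEW connections only, so removing a rule stops new connections but leaves already established ones running until their conntrack entries expire.

```python
"""Simplified evaluator for the Shorewall rules/policy files in the thread:
rules are tried in file order, the first match decides, and a NEW connection
that matches no rule falls through to the policy for its zone pair."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str
    src_zone: str
    src_net: Optional[ipaddress.IPv4Network]
    dst_zone: str
    dst_net: Optional[ipaddress.IPv4Network]
    proto: str


def _endpoint(token: str) -> Tuple[str, Optional[ipaddress.IPv4Network]]:
    """'vpn:192.168.0.143' -> ('vpn', 192.168.0.143/32); 'net' -> ('net', None)."""
    zone, _, addr = token.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def _strip(raw: str) -> str:
    return raw.split("#", 1)[0].strip()  # a commented-out rule simply disappears


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        parts = line.split()                  # ACTION SOURCE DEST [PROTO ...]; later columns ignored
        action, src, dst = parts[:3]
        proto = parts[3] if len(parts) > 3 else "all"
        src_zone, src_net = _endpoint(src)
        dst_zone, dst_net = _endpoint(dst)
        rules.append(Rule(action.upper(), src_zone, src_net, dst_zone, dst_net, proto.lower()))
    return rules


def parse_policy(text: str) -> Dict[Tuple[str, str], str]:
    policy = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            src, dst, action = line.split()[:3]   # SOURCE DEST POLICY
            policy[(src, dst)] = action.upper()
    return policy


def decide(rules: List[Rule], policy: Dict[Tuple[str, str], str],
           src_zone: str, src_ip: str, dst_zone: str, dst_ip: str, proto: str = "tcp") -> str:
    """Verdict for a NEW connection src_zone:src_ip -> dst_zone:dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.src_net is not None and s not in r.src_net:
            continue
        if r.dst_net is not None and d not in r.dst_net:
            continue
        if r.proto not in ("all", proto):
            continue
        return r.action
    # no rule matched: fall back to the policy, most specific zone pair first
    for key in ((src_zone, dst_zone), (src_zone, "all"), ("all", dst_zone), ("all", "all")):
        if key in policy:
            return policy[key]
    raise LookupError(f"no policy for {src_zone} -> {dst_zone}")


# Constructed from the rules file in the thread; client2's lines are commented
# out, which is the 'block this user' operation the post asks about.
RULES_TEXT = """
# client1
ACCEPT net vpn:192.168.0.143 all
ACCEPT vpn:192.168.0.143 net all
# client2 (blocked)
#ACCEPT net vpn:192.168.0.144 all
#ACCEPT vpn:192.168.0.144 net all
"""

# net->vpn REJECT is what the follow-up describes; the other two entries are ASSUMED.
POLICY_TEXT = """
net vpn REJECT
vpn net REJECT
all all REJECT
"""

RULES = parse_rules(RULES_TEXT)
POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for client in ("192.168.0.143", "192.168.0.144"):
        print(client, "inbound :", decide(RULES, POLICY, "net", "203.0.113.10", "vpn", client))
        print(client, "outbound:", decide(RULES, POLICY, "vpn", client, "net", "203.0.113.10"))
```

Client1 is accepted in both directions while client2 falls through to the REJECT policies, and restoring the two commented lines re-enables client2 without touching anything else; a per-client toggle like this is only safe because the policy, not a missing rule, carries the default verdict.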