Hi,
I'm trying to use Shorewall (3.0.6) to accomplish what I thought was going to be fairly simple. Unfortunately, I can't get the dmz to work correctly, and I'm getting martians logged against the interface at issue.
Any help I could get would be greatly appreciated!
A picture of my physical setup is attached. I have also attached a shorewall dump.
To make a long story short, I have three external interfaces, each connected to an ADSL modem via Ethernet. I want to use one of the interfaces (ADSL0) to provide traffic to/from our lan, one of the interfaces to provide vpn access to our lan, and one of the interfaces to support a small dmz with a handful of servers.
I have set Shorewall up with the following interfaces:
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians,blacklist
vpn eth1 detect tcpflags,routefilter,norfc1918,nosmurfs,logmartians,blacklist
dmzo eth2 detect tcpflags,routefilter,norfc1918,nosmurfs,logmartians,blacklist
vpnre tun0 detect
lan eth3 detect tcpflags,detectnets,nosmurfs
dmz eth4
And with the following zones:
fw firewall
net ipv4 # adsl0 to the internet
lan ipv4 # our lan 10.161.101.0
dmz ipv4 # internal dmz 10.10.10.0
dmzo ipv4 # adsl2 to the internet
vpn ipv4 # adsl1 to the internet to support vpn
vpnre ipv4 # tunnel interface for openvpn
I'm using the following routing:
67.40.108.40 dev eth2 scope link src 67.40.108.41
192.168.0.0 dev eth0 scope link src 192.168.0.2
67.40.108.64 dev eth1 scope link src 67.40.108.65
67.40.108.40/29 dev eth2 proto kernel scope link src 67.40.108.41
67.40.108.64/29 dev eth1 proto kernel scope link src 67.40.108.65
10.161.101.0/24 dev eth3 proto kernel scope link src 10.161.101.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
10.10.10.0/24 dev eth4 proto kernel scope link src 10.10.10.1
169.254.0.0/16 dev eth4 scope link
default via 192.168.0.1 dev eth0
I'm using the following special routing tables & rules to make sure that traffic originating from an adsl interface is responded to using that interface:
adsl0
192.168.0.0 dev eth0 scope link src 192.168.0.2
default via 192.168.0.1 dev eth0
adsl1
67.40.108.64 dev eth1 scope link src 67.40.108.65
default via 67.40.108.70 dev eth1
adsl2
67.40.108.40 dev eth2 scope link src 67.40.108.41
default via 67.40.108.46 dev eth2
I have the dmz set up to use proxyarp from eth4 to eth2. A proxy arp rule that I'm trying to test is as follows:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
67.40.108.44 eth4 eth2 no yes
When trying to test the dmz using an external computer, the log shows:
May 15 12:06:32 gateway kernel: martian source 67.40.108.44 from 216.83.137.157, on dev eth2
May 15 12:06:32 gateway kernel: ll header: 00:0f:b5:8a:e5:bc:00:15:05:36:ba:2a:08:00
216.83.137.157 is the ip address of the machine that I'm using for testing.
I've seen martians before but involving unroutable RFC1918 addresses.
Regards,
Rob Hicks
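To show what the kernel's "martian source" message means in terms of the routing table in this post, here is an added example (not part of the original post or of Shorewall). It models the main routing table shown above as a list of prefixes, performs the strict reverse-path check that rp_filter (the Shorewall `routefilter` option) applies, and parses the quoted log line to report which interface the main table would use to reach the source address. The kernel message format "martian source <daddr> from <saddr>, on dev <dev>" is real; the `adsl0`/`adsl1`/`adsl2` tables are not modelled because the `ip rule` selectors that choose them are not shown in the post, so the result is an illustration of the check, not a verdict on this particular setup.

```python
import ipaddress
import re

# Main routing table from the post, reduced to (prefix, outgoing device).
# The /32 host routes for the /29 network addresses are omitted because
# they never match a real source address. The policy-routing tables
# adsl0/adsl1/adsl2 are not modelled (the post shows no "ip rule" output).
MAIN_TABLE = [
    ("67.40.108.40/29", "eth2"),
    ("67.40.108.64/29", "eth1"),
    ("10.161.101.0/24", "eth3"),
    ("192.168.0.0/24", "eth0"),
    ("10.10.10.0/24", "eth4"),
    ("169.254.0.0/16", "eth4"),
    ("0.0.0.0/0", "eth0"),  # default via 192.168.0.1 dev eth0
]

# Kernel format: "martian source <daddr> from <saddr>, on dev <dev>"
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def lookup(routes, addr):
    """Longest-prefix match over (prefix, dev) pairs; None if no route."""
    ip = ipaddress.ip_address(addr)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def strict_rp_filter_passes(routes, saddr, in_dev):
    """Strict reverse-path check (rp_filter=1, Shorewall 'routefilter'):
    accept only if a reply to saddr would leave through in_dev."""
    return lookup(routes, saddr) == in_dev


def parse_martian(line):
    """Extract (daddr, saddr, in_dev) from a 'martian source' log line."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    daddr, saddr, dev = m.groups()
    return {"daddr": daddr, "saddr": saddr, "in_dev": dev}


def explain_martian(line, routes=MAIN_TABLE):
    """Join a martian log line with the routing table to show why it fired."""
    info = parse_martian(line)
    if info is None:
        return None
    info["reverse_dev"] = lookup(routes, info["saddr"])
    info["rp_filter_passes"] = strict_rp_filter_passes(
        routes, info["saddr"], info["in_dev"])
    return info


# Constructed sample: the log line from the post, re-joined onto one line.
SAMPLE_LOG = ("May 15 12:06:32 gateway kernel: martian source 67.40.108.44 "
              "from 216.83.137.157, on dev eth2")

if __name__ == "__main__":
    r = explain_martian(SAMPLE_LOG)
    print(f"packet {r['saddr']} -> {r['daddr']} arrived on {r['in_dev']}; "
          f"main-table reverse path is via {r['reverse_dev']}; "
          f"strict rp_filter passes: {r['rp_filter_passes']}")
```

Run as-is it reports that the main table reaches 216.83.137.157 only through the default route on eth0, so a strict reverse-path check on eth2 fails and the packet is logged as a martian. On a multi-homed gateway whose default route points at one uplink, strict rp_filter on the other uplinks only passes Internet sources if the policy-routing rules make the reverse lookup land in the matching per-uplink table, so `ip rule show` and the per-interface `rp_filter` sysctl values are the first things to compare against a log line like this.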