Hi everybody,

First, apologies if an earlier, unfinished email was sent from me; it seems that my mailer has done something wrong :-(

Anyway, I'm looking at how I could implement a forward rule in the shorewall conf file way of netfilter-ing.

I have a firewall with only one public IP A that implements IPsec tunneling with a remote peer having address B. This tunnel transports IP packets that are destined to another server with public IP address C. Both the A and C public addresses are on the same subnet. C is strongly secured and can only communicate with the shorewall server, and A is its default gateway.

So the rules I need to implement on A are:

iptables -A FORWARD -s B -d C -j ACCEPT
iptables -A FORWARD -s C -d B -j ACCEPT

As I don't want to do DNAT, masquerade or port forwarding but just forwarding, a deep search into the conf, doc and mailing lists doesn't help me on how to implement these simple rules in shorewall.

Do you have any idea?

Thanks,
Jean-Michel.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Pompon wrote:
>
> So the rules I need to implement on A are:
>
> iptables -A FORWARD -s B -d C -j ACCEPT
> iptables -A FORWARD -s C -d B -j ACCEPT
>
> As I don't want to do DNAT, masquerade or port forwarding but just
> forwarding, a deep search into the conf, doc and mailing lists doesn't help
> me on how to implement these simple rules in shorewall.
>
> Do you have any idea?

Use ACCEPT rules.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Pompon wrote:
>
>> So the rules I need to implement on A are:
>>
>> iptables -A FORWARD -s B -d C -j ACCEPT
>> iptables -A FORWARD -s C -d B -j ACCEPT
>>
>> As I don't want to do DNAT, masquerade or port forwarding but just
>> forwarding, a deep search into the conf, doc and mailing lists doesn't help
>> me on how to implement these simple rules in shorewall.
>>
>> Do you have any idea?
>
> Use ACCEPT rules.

e.g.,

ACCEPT z1:B z2:C
ACCEPT z2:C z1:B

Where z1 is the zone containing address B and z2 is the zone containing address C.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thank you Tom for your help, however I can't manage to make it work.

I defined a new zone 'rad' for defining rules for the C address, and I try to open this traffic for any address on the net:

so in the rules file I have:

ACCEPT rad:C net all - - - - -
ACCEPT net rad:C all - - - - -

This creates 2 new chains named net2rad and rad2net, which seem to be correctly defined, but these 2 chains are never defined as a target in the forward or a sub-forward chain and consequently these rules are never applied.

Any ideas?

btw, I use the standard debian stable delivered shorewall which is 2.2.3. Perhaps there are bugs around that and upgrading to the latest version 3.2 will solve this problem?

Jean-Michel.

2006/10/12, Tom Eastep <teastep@shorewall.net>:
>
> Tom Eastep wrote:
> > Pompon wrote:
> >
> >> So the rules I need to implement on A are:
> >>
> >> iptables -A FORWARD -s B -d C -j ACCEPT
> >> iptables -A FORWARD -s C -d B -j ACCEPT
> >>
> >> As I don't want to do DNAT, masquerade or port forwarding but just
> >> forwarding, a deep search into the conf, doc and mailing lists doesn't
> help
> >> me on how to implement these simple rules in shorewall.
> >>
> >> Do you have any idea?
> >
> > Use ACCEPT rules.
>
> e.g.,
>
> ACCEPT z1:B z2:C
> ACCEPT z2:C z1:B
>
> Where z1 is the zone containing address B and z2 is the zone containing
> address C.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Pompon wrote:
>
> Thank you Tom for your help, however I can't manage to make it work.
>
> I defined a new zone 'rad' for defining rules for the C address, and I try
> to open this traffic for any address on the net:
>
> so in the rules file I have:
> ACCEPT rad:C net all - - - - -
> ACCEPT net rad:C all - - - - -
>
> This creates 2 new chains named net2rad and rad2net, which seem to be
> correctly defined, but these 2 chains are never defined as a target in
> the forward or a sub-forward chain and consequently these rules are
> never applied.
>
> Any ideas?

Sounds like you didn't define the contents of C in /etc/shorewall/interfaces or /etc/shorewall/hosts.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Pompon wrote:
>> Thank you Tom for your help, however I can't manage to make it work.
>>
>> I defined a new zone 'rad' for defining rules for the C address, and I try
>> to open this traffic for any address on the net:
>>
>> so in the rules file I have:
>> ACCEPT rad:C net all - - - - -
>> ACCEPT net rad:C all - - - - -
>>
>> This creates 2 new chains named net2rad and rad2net, which seem to be
>> correctly defined, but these 2 chains are never defined as a target in
>> the forward or a sub-forward chain and consequently these rules are
>> never applied.
>>
>> Any ideas?
>
> Sounds like you didn't define the contents of C in /etc/shorewall/interfaces or
> /etc/shorewall/hosts.
>

Make that "...the contents of rad..."

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
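As an added worked example (not part of the original thread and not Shorewall's own documentation), here is a minimal Shorewall 2.x configuration that puts Tom's answer into practice. The point it illustrates is the one the thread ends on: declaring a zone in /etc/shorewall/zones and writing rules for it is not enough; the zone must be given members in /etc/shorewall/hosts (or /etc/shorewall/interfaces), otherwise Shorewall generates the net2rad and rad2net chains but nothing in FORWARD ever jumps to them, which is exactly the symptom reported. The interface name eth0 and the addresses 198.51.100.5 (standing in for the tunnel peer B) and 203.0.113.7 (standing in for the hardened server C) are assumptions; substitute the real ones. The rules are also narrowed to B instead of opening C to all of net, matching the original poster's iptables rules rather than the wider "rad:C net all" attempt.

```text
# /etc/shorewall/zones  (Shorewall 2.x columns; 3.x uses ZONE TYPE OPTIONS)
# rad is listed before net: it is a sub-zone carved out of the same interface,
# and Shorewall orders per-zone rules in this sequence, so the more specific
# zone has to come first for its rules to be consulted before net's.
#ZONE   DISPLAY   COMMENTS
rad     Rad       Hardened server C (assumed 203.0.113.7) on eth0
net     Net       Internet, including the IPsec peer B (assumed 198.51.100.5)

# /etc/shorewall/interfaces
# The single public interface belongs to net; rad is carved out of it below.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect

# /etc/shorewall/hosts   <-- the piece that was missing in the thread
# Without this line zone rad has no members: the net2rad and rad2net chains
# are still created, but no rule in FORWARD (or the per-interface forward
# chain) ever jumps to them, so the ACCEPT rules below never match anything.
#ZONE   HOST(S)              OPTIONS
rad     eth0:203.0.113.7

# /etc/shorewall/policy
# Deny by default between zones; the rules file punches only the holes needed.
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Plain forwarding, no NAT: only the tunnel peer B may reach C, and C may only
# answer B. (The thread's "rad:C net all" / "net rad:C all" pair would expose
# C to the whole Internet once the zone is populated.)
#ACTION   SOURCE               DEST                 PROTO
ACCEPT    net:198.51.100.5     rad:203.0.113.7      all
ACCEPT    rad:203.0.113.7      net:198.51.100.5     all
```

After `shorewall check` and `shorewall restart`, `iptables -L FORWARD -n -v` (or the per-interface forward chain it jumps to) should now contain jumps into net2rad and rad2net, and their packet counters should move when B sends traffic through the tunnel to C. This assumes, as the thread does, that the decrypted packets from B appear on eth0 with source B and are therefore treated as members of net; if the clear-text and tunnelled views of B ever need to be told apart, Shorewall's IPsec zone support is the mechanism for that, and it is not shown here.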