java guru
2007-Mar-30 22:05 UTC
got stuck with two interface config and locked myself out of the machine (ssh)
Hi - I am trying to get the following configuration to work. But locked myself out of the machine (remote) multiple times. I know, I read the comment about not trying this remotely from the docs.

Here is my setup.

a) I have cable modem coming into the house and going into a HW router.
b) A linux box connected to the router. (192.168.1.*) - eth0
c) Two (or more) dialup modems in the linux box (let's call this just box).
d) I need the box to be firewall/proxy with shorewall and squid.
e) I should be able to ssh into the box coming in from the cable network (via router to the box) - port forward on router is setup and works just fine.
f) I also need to have all http (https) requests coming in via cablemodem to router to box and go out via one of the modems on the box (ppp stuff).

Before worrying about squid stuff, I thought I will get the shorewall working so that

a) it will allow ssh coming into the box via eth0
b) any http traffic generated in the box (fw) or coming into the box (from eth0) should go out via ppp0

I started off with two interface example..

I have more questions but before I waste anyone's energy

a) Is it right to start with the two interface example from docs ?
b) Is there a place this is already described ?

Thanks
java guru
2007-Mar-31 01:53 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
To add, I found the following link about multi zones http://www.shorewall.net/Multiple_Zones.html except, in my situation, the 192.168.2.* is really the internet cloud and I am expecting traffic to enter from

internet(ssh,http,https)->router(traditional hw)->LAN(192.168.1*)->(eth0)Shorewall(ppp0,ppp1)->Internet (only http and https traffic out)

Hope I explained this correctly.

thx
Simon Hobson
2007-Mar-31 08:15 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
java guru wrote:

> internet(ssh,http,https)->router(traditional hw)->LAN(192.168.1*)->(eth0)Shorewall(ppp0,ppp1)->Internet
> (only http and https traffic out)

I'll give you one simple question to think about ... supposing your cablemodem is 1.2.3.4 and someone wants to send a request to a server at 5.6.7.8. That request will have a destination address of 5.6.7.8, how do you think it is ever going to get routed to your box at 1.2.3.4 ?

That is what I think you are trying to do.

Of course, you CAN make it work by using a proxy on 1.2.3.4 so that the requests all come to your box, but then you have no need to route ANY packet from the cablemodem to the dial-ups - it is all traffic from Internet to proxy, and from proxy to internet :

internet(http,https) -> router(traditional hw) -> LAN(192.168.1*) -> (eth0)Shorewall -> Squid

plus

Squid -> (ppp0,ppp1)Shorewall -> Internet(http,https)
java guru
2007-Mar-31 12:18 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
Thanks. Yes, I will be running squid on the same machine as shorewall.

Are you saying that if I install squid, I wouldn't need shorewall anymore ? If yes, couple of things

a) I want to block all incoming ports from ppp(0,1,2..) to secure it
b) I am trying to achieve a way to distribute the outgoing http, https traffic onto ppp interfaces. And from what I read, squid isn't very good at that type of routing. So I thought I would use shorewall + squid.

Any thoughts ?
Simon Hobson
2007-Mar-31 13:17 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
java guru wrote:

> Thanks. Yes, I will be running squid on the same machine as shorewall.
>
> Are you saying that if I install squid, I wouldn't need shorewall anymore ?

No I didn't say that. What I said is that you do not need to route packets from cablemodem to dial-up modems - because you will simply never have them delivered to you anyway.

You WILL probably still want to use Shorewall (or any other firewall setup that you wish) in order to secure your setup.

> a) I want to block all incoming ports from ppp(0,1,2..) to secure it

Set the policy from the zone containing the dialups to internal zones (and firewall) to drop.

> b) I am trying to achieve a way to distribute the outgoing http, https traffic onto ppp interfaces. And from what I read, squid isn't very good at that type of routing. So I thought I would use shorewall + squid.

Read the bit in the docs about multi ISP setup ?

> Any thoughts ?

Yes, apart from the above, please learn to properly quote & trim messages, and post your new material below that to which it refers.
java guru
2007-Mar-31 14:38 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
--- Simon Hobson <linux@thehobsons.co.uk> wrote:

> java guru wrote:
> > a) I want to block all incoming ports from ppp(0,1,2..) to secure it
>
> Set the policy from the zone containing the dialups to internal zones (and firewall) to drop.

This is do`
java guru
2007-Mar-31 14:47 UTC
Re: got stuck with two interface config and locked myself out of the machine (ssh)
--- Simon Hobson <linux@thehobsons.co.uk> wrote:

> java guru wrote:
> > a) I want to block all incoming ports from ppp(0,1,2..) to secure it
>
> Set the policy from the zone containing the dialups to internal zones (and firewall) to drop.

This is done and working fine.

> > b) I am trying to achieve a way to distribute the outgoing http, https traffic onto ppp interfaces. And from what I read, squid isn't very good at that type of routing. So I thought I would use shorewall + squid.
>
> Read the bit in the docs about multi ISP setup ?

Yes, I did read the tech docs and not trying to waste folks' time. I read the two interface setup. I didn't even reach the point to bring multi-isp thing into picture.

My original question has to do with fw box having two interfaces eth0 and ppp0. eth0 connected to internal LAN that's connected on other end to hardware modem that's connected to cable modem (another ISP).

I read the two interface docs and setup with three zones.

loc - eth0
fw  -
net - ppp0

I changed policy to allow traffic between various zones accordingly. The rules have ssh accept from loc to fw - thought this should take care of ssh from outside world to fw via cable modem. But it didn't work. In the logs, I see something to the effect of SRC:1.2.3.4 DST:192.168.1.104 REJECT. 1.2.3.4 being outside ip trying to reach 192.168.1.104 (fw) for ssh and being rejected. Connection from 1.2.3.4 is coming to fw via cable modem and NOT PPP0.

> > Any thoughts ?
>
> Yes, apart from the above, please learn to properly quote & trim messages, and post your new material below that to which it refers.
java guru
2007-Apr-01 13:12 UTC
Two Interface config example, my ssh connection is being dropped..
Hi - I am trying out two interface example. I defined loc (for eth0) and ppp0 (outgoing dialup modem) and rest of the setup per the document.

But my ssh connection to fw box gets dropped as soon as I start shorewall. Below is what I see from the log. See how the SRC is not loc network (192.168.1.*), that's 'coz I am reaching fw box eth0 via a cable modem.

I am new to shorewall, so tell me if there is a separate forum where I can get appropriate help.

-------------
kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
-------------------------

thx
Tom Eastep
2007-Apr-01 14:46 UTC
Re: Two Interface config example, my ssh connection is being dropped..
java guru wrote:

> Hi - I am trying out two interface example. I defined loc (for eth0) and ppp0 (outgoing dialup modem) and rest of the setup per the document.
>
> But my ssh connection to fw box gets dropped as soon as I start shorewall. Below is what I see from the log. See how the SRC is not loc network (192.168.1.*), that's 'coz I am reaching fw box eth0 via a cable modem.
>
> I am new to shorewall, so tell me if there is a separate forum where I can get appropriate help.
>
> -------------
> kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> -------------------------

Please check the instructions at http://www.shorewall.net/two-interface.htm again. You have set up Shorewall incorrectly because eth0 is not associated with any zone.

If you want SSH access to your Shorewall system from the net, you need to add a rule. This is also explained in the document. The rule you need is similar to the one in the Guide except that you need to replace 'loc' with 'net' to allow SSH access to the 'net' zone.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
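A small triage helper for log lines like the one quoted above, added here as an example and not code from the thread or from Shorewall. It assumes the log format shown in the post (a Shorewall:<chain>:<disposition>: prefix followed by netfilter key=value fields), the loc/net layout from the poster's interfaces file with loc limited to 192.168.1.0/24, and the Shorewall convention that zone-pair chains carry names like loc2fw while a log tagged with the bare INPUT chain means no zone pair matched the packet, which is the observation behind Tom's "eth0 is not associated with any zone".

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the log line quoted in the thread, MAC field shortened as in the post.
SAMPLE_REJECT = (
    "kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx "
    "SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 "
    "ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# Constructed sample: what an accepted SSH connection from a LAN host looks like when it
# does match a zone pair (loc2fw is the chain Shorewall builds for loc -> $FW traffic).
SAMPLE_ACCEPT = (
    "kernel: [63020.100000] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= "
    "SRC=192.168.1.50 DST=192.168.1.104 LEN=60 PROTO=TCP SPT=41000 DPT=22 SYN URGP=0"
)

# Assumed zone layout, taken from the interfaces file posted in the thread: loc on eth0
# (with detectnets, so loc covers only the networks routed via eth0, here 192.168.1.0/24)
# and net on ppp0 (everything else).
ZONE_NETS: Dict[str, Tuple[str, List[ipaddress.IPv4Network]]] = {
    "eth0": ("loc", [ipaddress.ip_network("192.168.1.0/24")]),
    "ppp0": ("net", [ipaddress.ip_network("0.0.0.0/0")]),
}

# Bare netfilter chains; a Shorewall log tagged with one of these (rather than a zone-pair
# chain such as loc2fw or net2all) means the packet was matched by no zone pair at all.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_shorewall_log(line: str) -> Dict[str, str]:
    """Split a Shorewall log line into CHAIN, DISP and the netfilter key=value fields."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    fields = {"CHAIN": m.group("chain"), "DISP": m.group("disp")}
    for f in FIELD_RE.finditer(line, m.end()):
        fields[f.group("key")] = f.group("val")  # 'OUT=' yields an empty string
    return fields


def triage(line: str, zone_nets=ZONE_NETS) -> Dict[str, object]:
    """Work out whether a logged packet landed in a zone-to-zone chain, and if not, why."""
    f = parse_shorewall_log(line)
    iface = f.get("IN", "")
    src = ipaddress.ip_address(f["SRC"])
    zone, nets = zone_nets.get(iface, (None, []))
    return {
        "chain": f["CHAIN"],
        "disposition": f["DISP"],
        "ingress": iface,
        "zone": zone,
        "src": str(src),
        "dport": int(f["DPT"]) if "DPT" in f else None,
        "src_in_zone_nets": any(src in n for n in nets),
        "no_zone_matched": f["CHAIN"] in BUILTIN_CHAINS,
    }


def explain(result: Dict[str, object]) -> str:
    """Turn a triage result into the one-line reading a list member would give."""
    if result["no_zone_matched"]:
        if result["zone"] and not result["src_in_zone_nets"]:
            return (f"{result['src']} arrived on {result['ingress']} but lies outside the "
                    f"networks assigned to zone '{result['zone']}'; no zone pair matched, "
                    f"so the bare {result['chain']} chain applied {result['disposition']}.")
        return f"no zone pair matched; bare {result['chain']} chain applied {result['disposition']}."
    return (f"matched zone-pair chain {result['chain']} ({result['disposition']}) "
            f"for dport {result['dport']}.")


if __name__ == "__main__":
    for sample in (SAMPLE_REJECT, SAMPLE_ACCEPT):
        print(explain(triage(sample)))
```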
java guru
2007-Apr-01 20:24 UTC
Re: Two Interface config example, my ssh connection is being dropped..
--- Tom Eastep <teastep@shorewall.net> wrote:

> Please check the instructions at http://www.shorewall.net/two-interface.htm again. You have set up Shorewall incorrectly because eth0 is not associated with any zone.

Thanks Tom. Below is the line from my interfaces config.

net   ppp0   -        tcpflags,norfc1918,routefilter,nosmurfs,logmartians
loc   eth0   detect   routeback,tcpflags,detectnets,nosmurfs

loc is associated with eth0 and net is associated with ppp0.

> If you want SSH access to your Shorewall system from the net, you need to add a rule. This is also explained in the document. The rule you need is similar to the one in the Guide except that you need to replace 'loc' with 'net' to allow SSH access to the 'net' zone.

I am accessing the machine where shorewall is installed via cablemodem to local lan to eth0.

mysshclient -> Internet -> cablemodem (linksys router) -> local lan(192.168.1.*)->eth0->shorewall machine.

ppp0 is on shorewall machine with a dialup modem. Eventually I want to have all http traffic generated on the shorewall machine to be routed out via ppp0. But that's a separate discussion.

In the log, I also see other machines on local lan (192.168.1.*) communicating with fw just fine. I guess that means eth0 is indeed associated with a zone .. correct ?

Here is how policy looks like
---------------------
loc   net   ACCEPT   info
loc   $FW   ACCEPT   info
loc   all   REJECT   info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW   net   ACCEPT   info
$FW   loc   ACCEPT   info
$FW   all   REJECT   info
-----------------------------

I also read another document http://www.shorewall.net/Multiple_Zones.html. Does my situation require multizone setup ?

thx
Prasanna Krishnamoorthy
2007-Apr-02 01:58 UTC
Re: Two Interface config example, my ssh connection is being dropped..
What is the routing on your shorewall box?

I don't think yours is a classic two-interface setup. In the two-interface setup, the default route would be pointing out of the ppp0, and connection tracking to determine the outgoing interface (ala multi-isp setup) is not required.

However, in your case packets coming in via cable modem hit the shorewall system on loc. But when they go out, they may be going out via ppp0 (because of your default route).

I think you need to fix this via a route_rule - ssh always goes out of cable modem kind of thing.

Hope that helps.
Prasanna.
java guru
2007-Apr-02 02:06 UTC
Re: Two Interface config example, my ssh connection is being dropped..
Thanks Prasanna .... my reply below.

--- Prasanna Krishnamoorthy <prasanna79@gmail.com> wrote:

> What is the routing on your shorewall box?
>
> I don't think yours is a classic two-interface setup. In the
> two-interface setup, the default route would be pointing out of the
> ppp0, and connection tracking to determine the outgoing interface (ala
> multi-isp setup) is not required.

EXACTLY.. the default route is pointing to eth0 - the cablemodem router
(hardware). I am not sure, once I bring the shorewall up, whether it's
changing any routing to default to ppp0. Way down in the email below, you
see my interfaces file. Thinking that "routeback" will get the ssh responses
back to eth0 (the way they came in), I added routeback to eth0. But it
didn't help.

> However, in your case packets coming in via cable modem hit the
> shorewall system on loc. But when they go out, they may be going out
> via ppp0 (because of your default route).
>
> I think you need to fix this via a route_rule - ssh always goes out of
> cable modem kind of thing.

Yep. Bottom line being ssh comes in and goes out via eth0 (that goes out to
internet via a hardware router/modem). Unfortunately, I am a newbie here.
Any thoughts ?
Thx

> Hope that helps.
> Prasanna.
>
> On 4/2/07, java guru <javacocoon@yahoo.co.in> wrote:
> >
> > --- Tom Eastep <teastep@shorewall.net> wrote:
> >
> > > java guru wrote:
> > > > Hi -
> > > > I am trying out the two interface example. I defined loc (for eth0)
> > > > and ppp0 (outgoing dialup modem) and the rest of the setup per the
> > > > document.
> > > >
> > > > But my ssh connection to the fw box gets dropped as soon as I start
> > > > shorewall. Below is what I see from the log. See how the SRC is not
> > > > the loc network (192.168.1.*), that's 'coz I am reaching the fw box
> > > > eth0 via a cable modem.
> > > >
> > > > I am new to shorewall, so tell me if there is a separate forum
> > > > where I can get appropriate help.
> > > >
> > > > -------------
> > > > kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> > > > -------------------------
> > >
> > > Please check the instructions at http://www.shorewall.net/two-interface.htm
> > > again. You have set up Shorewall incorrectly because eth0 is not
> > > associated with any zone.
> > >
> > Thanks Tom. Below is the line from my interfaces config.
> >
> > net ppp0 - tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> > loc eth0 detect routeback,tcpflags,detectnets,nosmurfs
> >
> > loc is associated with eth0 and net is associated with ppp0.
> >
> > > If you want SSH access to your Shorewall system from the net, you need
> > > to add a rule. This is also explained in the document. The rule you
> > > need is similar to the one in the Guide except that you need to
> > > replace 'loc' with 'net' to allow SSH access to the 'net' zone.
> >
> > I am accessing the machine where shorewall is installed via cablemodem
> > to local lan to eth0.
> >
> > mysshclient -> Internet -> cablemodem (linksys router)
> > -> local lan(192.168.1.*)->eth0->shorewall machine.
> >
> > ppp0 is on the shorewall machine with a dialup modem. Eventually I want
> > to have all http traffic generated on the shorewall machine to be
> > routed out via ppp0. But that's a separate discussion.
> >
> > In the log, I also see other machines on the local lan (192.168.1.*)
> > communicating with fw just fine. I guess that means eth0 is indeed
> > associated with a zone .. correct ?
> >
> > Here is how the policy looks
> > ---------------------
> > loc net ACCEPT info
> > loc $FW ACCEPT info
> > loc all REJECT info
> >
> > #
> > # Policies for traffic originating from the firewall ($FW)
> > #
> > # If you want open access to the Internet from your firewall, change the
> > # $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
> > # This may be useful if you run a proxy server on the firewall.
> > $FW net ACCEPT info
> > $FW loc ACCEPT info
> > $FW all REJECT info
> > -----------------------------
> >
> > I also read another document http://www.shorewall.net/Multiple_Zones.html.
> > Does my situation require a multizone setup ?
> >
> > thx
> >
> > > -Tom
> > > --
> > > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > > Shoreline, \ http://shorewall.net
> > > Washington USA \ teastep@shorewall.net
> > > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> > >
> > > -------------------------------------------------------------------------
> > > Take Surveys. Earn Cash. Influence the Future of IT
> > > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > > opinions on IT & business topics through brief surveys-and earn cash
> > > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > Shorewall-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> >
> > __________________________________________________________
> > Yahoo! India Answers: Share what you know. Learn something new
> > http://in.answers.yahoo.com/
> >
> === message truncated ===
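As an added illustration (not code from the thread, and not part of Shorewall), here is a small Python parser for the Shorewall REJECT log line quoted above: it pulls out the chain, disposition and netfilter fields and reports which configured zone network the source and destination addresses fall in. The zone-to-network map is an assumption for this example (the thread only says loc is 192.168.1.*).

```python
import ipaddress
import re

# Constructed sample: the rejected SSH packet quoted in the thread (MAC shortened as there).
SAMPLE_LOG = (
    "kernel: [63010.560985] Shorewall:INPUT:REJECT:IN=eth0 OUT= "
    "MAC=xx.xx.xx.xx.xx SRC=70.170.80.123 DST=192.168.1.104 LEN=48 "
    "TOS=0x00 PREC=0x00 TTL=106 ID=63933 DF PROTO=TCP SPT=3556 DPT=22 "
    "WINDOW=16384 RES=0x00 SYN URGP=0"
)

# Assumed zone map for this example: loc is the 192.168.1.0/24 LAN behind eth0.
ZONE_NETS = {"loc": [ipaddress.ip_network("192.168.1.0/24")]}

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition and the netfilter key=value fields of a log line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, value in KV_RE.findall(line[m.end():]):
        rec[key] = value  # flag tokens without '=' (DF, SYN) are skipped; OUT= becomes ""
    return rec


def zone_of(addr):
    """Name of the zone whose network contains addr, or None if no zone matches."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONE_NETS.items():
        if any(ip in net for net in nets):
            return zone
    return None


def explain(line):
    """Summarise which zone networks the packet crossed and whether it targeted the firewall."""
    rec = parse_shorewall_log(line)
    if rec is None:
        return None
    to_firewall = rec["chain"] == "INPUT"  # INPUT chain: addressed to the firewall itself
    return {
        "chain": rec["chain"],
        "disposition": rec["disposition"],
        "in_iface": rec.get("IN", ""),
        "src_zone": zone_of(rec["SRC"]),  # None: source lies outside every zone network
        "dst_zone": zone_of(rec["DST"]),
        "ssh_to_firewall": to_firewall and rec.get("PROTO") == "TCP" and rec.get("DPT") == "22",
    }
```

For the quoted line the source resolves to no zone while the destination is in loc, which is exactly the mismatch the thread is discussing.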
Prasanna Krishnamoorthy
2007-Apr-02 02:50 UTC
Re: Two Interface config example, my ssh connection is being dropped..
On 4/2/07, java guru <javacocoon@yahoo.co.in> wrote:
> EXACTLY.. the default route is pointing to eth0 - the
> cablemodem router (hardware).
>
> I am not sure once I bring the shorewall up, whether it's
> changing any routing to default to ppp0.

Shorewall doesn't. However, check your ppp settings, it may force the
default route. You can of course turn that off.

> Yep. Bottom line being ssh comes in and goes out via
> eth0 (that goes out to internet via a hardware
> router/modem). Unfortunately, I am a newbie here. Any
> thoughts ?
> Thx

As of now, I think you should forget about trying to get ppp0 working, and
just try to ssh into the box.

a) Please try the www.shorewall.net/troubleshoot.htm instructions and send a
dump according to that.
b) Describe when you can, and when you can't ssh into the box. Do you get
locked out of the ssh session when ppp comes up? Or what's the trigger for
the ssh connection to get disconnected?
c) If you have a dynamic address on ppp0, I believe a shorewall restart is
required in /etc/ppp/ip-up.d/

Hope that helps,
Prasanna.
Karsten Bräckelmann
2007-Apr-04 18:15 UTC
Re: Two Interface config example, my ssh connection is being dropped..
On Sun, 2007-04-01 at 21:24 +0100, java guru wrote:
> net ppp0 - tcpflags,norfc1918,routefilter,nosmurfs,logmartians
> loc eth0 detect routeback,tcpflags,detectnets,nosmurfs

[...]

> I am accessing the machine where shorewall is installed via cablemodem
> to local lan to eth0.
>
> mysshclient -> Internet -> cablemodem (linksys router)
> -> local lan(192.168.1.*)->eth0->shorewall machine.
>
> ppp0 is on the shorewall machine with a dialup modem. Eventually I want
> to have all http traffic generated on the shorewall machine to be routed
> out via ppp0. But that's a separate discussion.

How many *physical* interfaces does that machine have?

From your description and that thread I get the impression there's only
one, and the cable modem actually is "just another machine" in your local
network. This wouldn't happen to be true, by any chance?

karsten
--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html