Hello everybody,

I've got this problem getting shorewall to work correctly with my network setup. Firstly, I've been assigned a specific IP range by our ISP provider: 10.41.20.9 to 10.41.23.254 with a netmask of 255.255.252.0. I've assigned my eth0 interface the IP address 10.41.20.100 and given it a default route of 10.41.20.1 (my gateway router to the internet). Now I want to create an internal class C subnet with no direct connection to the gateway. Thus I give the IP 10.41.22.200 to my eth1 interface.

config_eth0=( "10.41.20.100 netmask 255.255.252.0 brd 10.41.23.255")
routes_eth0=( "default via 10.41.20.1")
dhcp_eth0="nodns"
config_eth1=("10.41.22.200 netmask 255.255.255.0 brd 10.41.22.255")
dhcp_eth1="nodns"

My policy is:

# LOCAL network to Internet allowed
#loc    net    ACCEPT
# fw to network access allowed
fw      net    ACCEPT
# local to fw allowed
loc     fw     ACCEPT
# fw to local allowed
fw      loc    ACCEPT
# network to all dropped
net     all    DROP      info
# The following policy must be last
all     all    REJECT    info
#LAST LINE -- DO NOT REMOVE

since I do not want a direct connection to the Internet from my eth1 interface, only via a proxy. My rules are:

# MAIL port - POP 3
ACCEPT    loc    net    tcp    110

since I want pop 3 traffic to pass through. I also attach my shorewall dump file. I do not use NAT currently.

The problem is that pop3 traffic does not pass from any computer on the internal class C network 10.41.22.1 to 10.41.22.254. When I turn on NAT, pop traffic passes through the firewall with no problem.

Any idea what the problem might be?

I would have attached my shorewall dump file, but when I attach it I get rejected by the mailing list due to a max message size cap. I tried zipping it, but now the system says that it cannot accept a zip file.

---------------------------------
Do you use Yahoo!? Tired of annoying messages (spam)? Yahoo! Mail has the best possible protection against annoying messages http://login.yahoo.com/config/mail?.intl=gr
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
<divined2004@yahoo.gr> wrote:

> I've got this problem getting shorewall to work correctly with my
> network setup. Firstly, I've been assigned a specific IP range by
> our ISP provider is 10.41.20.9 to 10.41.23.254 with a netmask of
> 255.255.252.0
> I've assigned my eth0 interface to an IP address 10.41.20.100 and
> given it a default route of 10.41.20.1 (my gateway router to the
> internet). Now I want to create an internal class C subnet with no
> direct connection to the gateway. Thus I give the IP 10.41.22.200 to
> my eth1 interface.
>
> config_eth0=( "10.41.20.100 netmask 255.255.252.0 brd 10.41.23.255")
> routes_eth0=( "default via 10.41.20.1")
> dhcp_eth0="nodns"
> config_eth1=("10.41.22.200 netmask 255.255.255.0 brd 10.41.22.255")
> dhcp_eth1="nodns"
>
> I do not use NAT currently. The problem is that pop3 traffic does
> not pass from any computer on the Internal class C network
> 10.41.22.1 to 10.41.22.254. When I turn on NAT pop traffic passes
> through the firewall with no problem.
>
> Any idea what the problem might be?

You have an invalid IP setup. Rule 1 of IP: all addresses are globally unique. You have IP addresses on eth1 which are also on eth0 - i.e. not unique, and hence you have ambiguous routing.

Also, the IP addresses you give don't make sense! You appear to have 10.41.20.0/22, which has addresses from 10.41.20.0 to 10.41.23.255 - so what's with the 10.41.20.9 as a starting point?

There are two ways I see of resolving the first issue:

1) Use a bridge configuration so the firewall is transparent to the IP addresses in use, but be aware that a lot of useful functionality stops working if you use a 2.6.20 or above Linux kernel.

2) Change the IP setup of your outside interface. You could for example split your allocation and set your outside interface as (say) 10.41.20.2/29, which is what I suspect your provider intended. You can then use various combinations of address blocks internally as long as they don't overlap. The full and minimal set of subnets would be:

10.41.20.8/29
10.41.20.16/28
10.41.20.32/27
10.41.20.64/26
10.41.20.128/25
10.41.21.0/24
10.41.22.0/23

In either case you should check with your provider what the IP setup is on their router - they will need to have the same subnet mask as you, and may have to add static routes for the whole block going via your firewall.
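The two points in the reply above (overlapping subnets on one box, and carving the /22 into non-overlapping blocks once a /29 is taken for the outside interface) can be checked with the standard library. This is an added example, not code from the thread or from Shorewall; the addresses are the ones the poster and the reply give, and the assumption that the outside interface takes the first /29 of the allocation is Simon's suggestion, not something the poster has configured.

```python
# Added example (not from the thread): check the poster's two-interface
# setup for overlapping subnets, then compute the minimal set of CIDR
# blocks that covers the rest of the ISP allocation once a /29 is carved
# out for the outside interface. Addresses are the thread's own.
import ipaddress

# The original configuration from the first post (host address + netmask).
ETH0 = ipaddress.ip_interface("10.41.20.100/255.255.252.0")
ETH1 = ipaddress.ip_interface("10.41.22.200/255.255.255.0")


def overlapping_interfaces(*ifaces):
    """Return pairs of connected subnets that overlap.

    Two interfaces on the same router whose subnets overlap give the
    kernel two candidate routes for the same destinations; which one is
    chosen depends on prefix length, not on what the admin intended.
    """
    found = []
    for i, a in enumerate(ifaces):
        for b in ifaces[i + 1:]:
            if a.network.overlaps(b.network):
                found.append((str(a.network), str(b.network)))
    return found


def minimal_cover(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(ETH0, ETH1))
    # Outside interface takes 10.41.20.0/29; the rest is available inside.
    print("internal blocks:", minimal_cover("10.41.20.8", "10.41.23.255"))
```

The first call reports that eth0's 10.41.20.0/22 contains eth1's 10.41.22.0/24, which is the ambiguity the reply describes; the second reproduces the seven-block list in the reply, since summarizing an address range into CIDR blocks is exactly the "full and minimal set of subnets" computation.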
<divined2004@yahoo.gr>
2007-Jul-11 08:26 UTC
Subject: Re: Problem with standard two network interface
It seems I need to set a static route from my internal to the external network. I used the 10.41.20.8/29 external subnet (eth0) and the 10.41.22.1/24 internal subnet (eth1). The problem is that I have not the slightest idea of how to set a static route. Can anyone help me out here?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
<divined2004@yahoo.gr> wrote:

> It seems I need to set a static route from my internal to the
> external network. I used the 10.41.20.8/29 external subnet (eth0)
> and the 10.41.22.1/24 internal subnet (eth1).
> The problem is that I have not the slightest idea on how to set a
> static route. Can anyone help me out here?

I know this is going to sound terribly condescending, but your questions suggest that you do not (fully) understand the basics of IP networking. If you do not understand the basics, then I suggest that trying to understand and configure firewalls is a step too far. You need a good textbook in IP networking to start with!

There is quite a lot of information on Linux specifics at the Linux Net wiki (http://linux-net.osdl.org/index.php/Main_Page). In particular you will probably be wanting to use the "ip" and/or "route" commands.

Be aware, however, that Linux will automatically set routes for all attached interfaces, so it is not your firewall box that needs the static route. I rather suspect that the route is needed on your ISP's router so that it knows where to route packets for the various subnets (i.e. via your firewall). If every device connected to the internet through this connection is going to be behind your firewall, then it should be sufficient to set a route for 10.41.20.0/22 via <your firewall IP address>.

As an alternative to having your ISP configure routes on their router, it may be possible to deal with the problem via proxy-arp. I'm not sure on that as I have very rarely used proxy-arp and it's been a long time since I last had any dealings with it. In any case, getting the routes correct is a better way of doing it.

> I used the 10.41.20.8/29 external subnet (eth0)

Lastly, I think this conflicts with 10.41.20.1 being your gateway to the internet. 10.41.20.1 is not in the 10.41.20.8/29 subnet - again I return to the issue of understanding the basics of IP networking before attempting to configure firewalls.
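The reply above makes two checkable claims: the default gateway must lie inside the outside interface's own subnet, and the only static route needed is on the ISP's router, pointing the whole /22 at the firewall. The following is an added example written for this thread, not code from the list or from Shorewall. It reuses the thread's addresses; the 10.41.20.2/29 layout is the reply's suggestion and the `ip route` line it produces is the command you would hand to whoever administers the upstream router, assuming that router is Linux-like in syntax.

```python
# Added example (not from the thread): sanity-check a routed two-interface
# design. The firewall's outside interface sits in a /29 with the ISP router
# as gateway, and the ISP routes the rest of the /22 to the firewall.
# Addresses are the thread's; the /29 layout is the reply's suggestion.
import ipaddress


def gateway_is_on_link(iface_cidr, gateway):
    """A default gateway must lie inside the interface's own subnet.

    Otherwise 'ip route add default via <gw>' is rejected as an invalid
    nexthop (unless the 'onlink' flag is forced), and even a forced route
    only works if the far end is actually on the same link.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def upstream_static_route(allocation, firewall_outside_ip):
    """Route the ISP router needs so the whole allocation reaches the
    firewall. Returned as a Linux 'ip route' command string; the firewall
    itself needs no static route, its connected routes are automatic."""
    net = ipaddress.ip_network(allocation)
    fw = ipaddress.ip_address(firewall_outside_ip)
    if fw not in net:
        raise ValueError("firewall address must be inside the allocation")
    return f"ip route add {net} via {fw}"


def design_report(outside_cidr, gateway, allocation):
    """Collect the two checks for one proposed layout."""
    outside_ip = outside_cidr.split("/")[0]
    return {
        "gateway_on_link": gateway_is_on_link(outside_cidr, gateway),
        "upstream_route": upstream_static_route(allocation, outside_ip),
    }


if __name__ == "__main__":
    # The poster's follow-up: outside interface in 10.41.20.8/29 but still
    # using 10.41.20.1 as gateway, which fails the on-link check.
    print(design_report("10.41.20.9/29", "10.41.20.1", "10.41.20.0/22"))
    # The reply's suggestion: 10.41.20.2/29 with the ISP router at 10.41.20.1.
    print(design_report("10.41.20.2/29", "10.41.20.1", "10.41.20.0/22"))
```

The first report shows the conflict the reply points out (10.41.20.1 is outside 10.41.20.8/29); the second passes, and its route string is the one-line change the ISP would make so that 10.41.21.0/24, 10.41.22.0/23 and the rest of the allocation are forwarded to the firewall rather than ARPed for on the ISP's own segment.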