hello,

I use shorewall for a gateway with two different subnets.
I have two cards:
eth1 (wifi card) connected to the internet by a router (192.168.1.1)
eth0 (rj45 card) which I use to connect PCs to the internet (NET_B)

ACTUALLY
------------------
eth1 is 192.168.1.99 with gateway and dns server 192.168.1.1
eth0 is 192.168.2.1

wifi router (192.168.1.1)
  |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.2.1) <-> NET_B (192.168.2.0/24)
  |-> NET_A (192.168.1.0/24)

dnsmasq is listening on eth0
a dhcp server is running on eth0 assigning the range 192.168.2.100 to 192.168.2.200 with gateway and dns 192.168.2.1

shorewall is running as a firewall and bridge, doing masq from eth0 to eth1, and blocking traffic from eth1 to eth0
-- /etc/shorewall/masq contains the lines
eth1 eth0
-- /etc/shorewall/rules contains the lines (where loc is eth1 and net is eth0)
DROP net:192.168.1.0/24 loc:192.168.2.0/24 all -

-- my /etc/network/interfaces looks like this:
auto eth0
iface eth0 inet static
    address 192.168.2.1
    netmask 255.255.255.0

auto eth1
iface eth1 inet static
    address 192.168.1.103
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 255.255.255.255
    gateway 192.168.1.1
    wireless-essid myessidap

WHAT I WANT
---------------
I would like my NET_B to have the same subnet as NET_A, but they should be "separated" by shorewall.
For example a PC in NET_A should have the IP 192.168.1.10, and a PC in NET_B should have 192.168.1.10, but they should not see each other and they should not conflict.

wifi router (192.168.1.1)
  |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.1.1 OR other) <-> NET_B (192.168.1.0/24)
  |-> NET_A (192.168.1.0/24)

all traffic from NET_A to NET_B DROPPED
all traffic from NET_B to NET_A DROPPED

eth0 should be 192.168.1.1 if possible, or should be 192.168.1.anyothernumber; the important thing is NET_B.

I've tried with proxyarp and nat to make things work like this, but I'm not able to do it.
Can anyone help me?
regards,
Davide

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
> WHAT I WANT
> ---------------
> I would like my NET_B to have the same subnet as NET_A, but they should
> be "separated" by shorewall.
> For example a PC in NET_A should have the IP 192.168.1.10, and a PC in NET_B
> should have 192.168.1.10, but they should not see each other and they
> should not conflict.
>
> wifi router (192.168.1.1)
>   |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.1.1 OR other) <->
> NET_B (192.168.1.0/24)
>   |-> NET_A (192.168.1.0/24)
>
> all traffic from NET_A to NET_B DROPPED
> all traffic from NET_B to NET_A DROPPED
>
> eth0 should be 192.168.1.1 if possible, or should be
> 192.168.1.anyothernumber; the important thing is NET_B.
>
> I've tried with proxyarp and nat to make things work like this, but I'm
> not able to do it.
> Can anyone help me?

Not really, what you are asking for is not a valid IP setup.

You could have the two networks using the same IP subnet if you run your shorewall as a bridge, but you would still not be able to have the same IP in use on both networks. Think about it, the firewall has a packet addressed to 192.168.1.10 - does it send it to the device with that address in NET_A, or the different device with the same address in NET_B?

Perhaps if you explained what your problem is/what you are trying to achieve then we might be able to suggest alternative ways of doing it.
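Simon's question ("which 192.168.1.10 does the firewall send to?") is exactly the decision a forwarding table has to make. The following is an added example, not code from the thread or from Shorewall: a minimal longest-prefix-match lookup run over two constructed route tables, the overlapping layout hOZONE asked for and the renumbered one he already had. Interface names and routes are taken from the diagrams above; the tables themselves are assumptions built for the illustration.

```python
"""Added example (not from the thread): a minimal longest-prefix-match
forwarding table, used to show why Simon's question has no good answer
when NET_A and NET_B both carry 192.168.1.0/24. Interface names and
routes below are constructed to mirror the diagram in the thread."""
from ipaddress import ip_address, ip_network


def build_table(routes):
    """routes: iterable of (cidr, interface) pairs -> list of (network, iface)."""
    return [(ip_network(cidr), iface) for cidr, iface in routes]


def candidates(table, dst):
    """Interfaces of every route that matches dst with the longest prefix."""
    addr = ip_address(dst)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return sorted({iface for net, iface in matches if net.prefixlen == best})


def forward(table, dst):
    """Longest-prefix match for one destination.

    Returns (iface, ambiguous). ambiguous is True when equal-length routes on
    different interfaces match: a real kernel just takes whichever route it
    holds first, so the host with that address on the other link becomes
    unreachable, which is the conflict Simon describes."""
    ifaces = candidates(table, dst)
    if not ifaces:
        raise LookupError(f"no route to {dst}")
    return ifaces[0], len(ifaces) > 1


# The layout hOZONE asked for: both links numbered 192.168.1.0/24 (constructed).
OVERLAPPING = build_table([
    ("192.168.1.0/24", "eth1"),   # towards the wifi router and NET_A
    ("192.168.1.0/24", "eth0"),   # NET_B, numbered the same
    ("0.0.0.0/0", "eth1"),        # default route via 192.168.1.1
])

# The layout hOZONE already had: NET_B on its own subnet (constructed).
RENUMBERED = build_table([
    ("192.168.1.0/24", "eth1"),
    ("192.168.2.0/24", "eth0"),
    ("0.0.0.0/0", "eth1"),
])


def report(table, hosts):
    """One explanatory line per destination, for reading the difference."""
    lines = []
    for host in hosts:
        iface, ambiguous = forward(table, host)
        note = "AMBIGUOUS: same prefix on two links" if ambiguous else "ok"
        lines.append(f"{host:>15} -> {iface}  ({note})")
    return lines


if __name__ == "__main__":
    for name, table in (("overlapping", OVERLAPPING), ("renumbered", RENUMBERED)):
        print(name)
        for line in report(table, ["192.168.1.10", "192.168.2.10", "8.8.8.8"]):
            print("  " + line)
```

Run it and the overlapping table flags 192.168.1.10 as ambiguous while the renumbered table resolves every destination to exactly one interface; that is the whole reason the later replies steer towards distinct subnets rather than a cleverer Shorewall rule.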
Simon Hobson wrote:
>> WHAT I WANT
>> ---------------
>> I would like my NET_B to have the same subnet as NET_A, but they should
>> be "separated" by shorewall.
>> For example a PC in NET_A should have the IP 192.168.1.10, and a PC in NET_B
>> should have 192.168.1.10, but they should not see each other and they
>> should not conflict.
>>
>> wifi router (192.168.1.1)
>>   |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.1.1 OR other) <->
>> NET_B (192.168.1.0/24)
>>   |-> NET_A (192.168.1.0/24)
>>
>> all traffic from NET_A to NET_B DROPPED
>> all traffic from NET_B to NET_A DROPPED
>>
>> eth0 should be 192.168.1.1 if possible, or should be
>> 192.168.1.anyothernumber; the important thing is NET_B.
>>
>> I've tried with proxyarp and nat to make things work like this, but I'm
>> not able to do it.
>> Can anyone help me?
>
> Not really, what you are asking for is not a valid IP setup.
>
> You could have the two networks using the same IP subnet if you run
> your shorewall as a bridge, but you would still not be able to have
> the same IP in use on both networks. Think about it, the firewall has
> a packet addressed to 192.168.1.10 - does it send it to the device
> with that address in NET_A, or the different device with the same
> address in NET_B?
>
> Perhaps if you explained what your problem is/what you are trying to
> achieve then we might be able to suggest alternative ways of doing it.

I have to create two separated networks (NET_A and NET_B), using the same router.
PCs on NET_A cannot communicate with PCs on NET_B; NET_B cannot communicate with PCs on NET_A.
NET_A and NET_B should have the same subnet.

My aim is not to "bridge", but to make two networks with the same subnet.
eth0 should act as the wifi router (192.168.1.1) of NET_A.
shorewall should act as a gateway.
hOZONE wrote:
> I have to create two separated networks (NET_A and NET_B), using the
> same router.
> PCs on NET_A cannot communicate with PCs on NET_B; NET_B cannot communicate
> with PCs on NET_A.
> NET_A and NET_B should have the same subnet.
>
> My aim is not to "bridge", but to make two networks with the same subnet.
> eth0 should act as the wifi router (192.168.1.1) of NET_A.
> shorewall should act as a gateway.

You can do that by running the firewall as a bridge - but all addresses have to be unique. You can control traffic between physical nets with policies and rules - but you will have to carefully manage broadcast traffic to make the two sides invisible to each other.

But you haven't said WHY you want to do this, it's a far from ideal configuration.
Simon Hobson wrote:
> hOZONE wrote:
>> I have to create two separated networks (NET_A and NET_B), using the
>> same router.
>> PCs on NET_A cannot communicate with PCs on NET_B; NET_B cannot communicate
>> with PCs on NET_A.
>> NET_A and NET_B should have the same subnet.
>>
>> My aim is not to "bridge", but to make two networks with the same subnet.
>> eth0 should act as the wifi router (192.168.1.1) of NET_A.
>> shorewall should act as a gateway.
>
> You can do that by running the firewall as a bridge - but all
> addresses have to be unique. You can control traffic between physical
> nets with policies and rules - but you will have to carefully manage
> broadcast traffic to make the two sides invisible to each other.
>
> But you haven't said WHY you want to do this, it's a far from ideal
> configuration.

It's for an architect.
He has two offices (let's call them NET_A and NET_B), max 10 PCs per office.
The internet gateway is 192.168.1.1 with dhcp (192.168.1.100 to 192.168.1.250) and it is "closed" by the ISP vendor, so it must have this address.
There is one server (192.168.1.3) which must be visible in office A.
PCs in office NET_A should not see the PCs of operators in office NET_B, and vice versa.
All PCs have Win XP.

NET_A can browse the internet because it is connected to the router.
If I run shorewall as a bridge, can I DROP all traffic from NET_A to NET_B, and from NET_B to NET_A, except traffic from NET_B to 192.168.1.1 (because I want PCs in NET_B to browse the internet)?

router (192.168.1.1)
  |-> eth1 (192.168.1.99) - shorewall bridge - eth0 (192.168.1.???) <-> NET_B (192.168.1.0/24)
  |-> NET_A (192.168.1.0/24)
  |-> + server (192.168.1.3)

p.s. sorry but my english is poor.
hOZONE wrote:
> It's for an architect.
> He has two offices (let's call them NET_A and NET_B), max 10 PCs per office.
> The internet gateway is 192.168.1.1 with dhcp (192.168.1.100 to
> 192.168.1.250) and it is "closed" by the ISP vendor, so it must have
> this address.
> There is one server (192.168.1.3) which must be visible in office A.
> PCs in office NET_A should not see the PCs of operators in office NET_B,
> and vice versa.

Several ways of dealing with this - none of it is Shorewall specific.

Ideally, what you would do is simply set up net B with a different subnet, and add a route in the router - ie tell the router that 192.168.2.0/24 is reached via your shorewall. If you can gain access to the router then that would be my recommended option.

If you can't access the router, then consider doing a second level of NAT - ie you have your own router with an 'external' interface in 192.168.1.0/24, and as many other interfaces as you want for the rest of your network. You simply MASQ all your internal networks onto one 'external' address to get out to the internet. You could renumber net A so that there is no NAT between anything internal.

If you choose to use bridging, then you will have to block all traffic by default, and then allow certain traffic. You will have to selectively allow some ARP traffic so that net B devices can find the router and server, and vice versa. You will probably also have to allow some broadcast traffic to/from the server to make Windows networking operate. With Linux/Shorewall there are restrictions when bridging (see the Shorewall website) - after some version of kernel, you cannot filter outbound traffic from the firewall, only inbound - but I think you should have no trouble achieving what you are after.
Hi,

First of all, you cannot do that. It's impossible to make two identical subnets communicate on different network interfaces. What I'd suggest is that you block DHCP packets with the firewall, create your own internal DHCP and assign a different subnet to each network (NET_A = 192.168.1.0/24 and NET_B = 192.168.2.0/24). You need to set a default route on both sides that points to the firewall interface (e.g. eth0: 192.168.1.1 and eth1: 192.168.2.1). After that you will be able to filter traffic with shorewall.

This is not a limitation of shorewall nor iptables. This is how IP works.

hOZONE <hozone@tiscali.it> wrote:
>
> Simon Hobson wrote:
>> hOZONE wrote:
>>> I have to create two separated networks (NET_A and NET_B), using
>>> the same router.
>>> PCs on NET_A cannot communicate with PCs on NET_B; NET_B cannot
>>> communicate with PCs on NET_A.
>>> NET_A and NET_B should have the same subnet.
>>>
>>> My aim is not to "bridge", but to make two networks with the same subnet.
>>> eth0 should act as the wifi router (192.168.1.1) of NET_A.
>>> shorewall should act as a gateway.
>>
>> You can do that by running the firewall as a bridge - but all
>> addresses have to be unique. You can control traffic between
>> physical nets with policies and rules - but you will have to
>> carefully manage broadcast traffic to make the two sides invisible
>> to each other.
>>
>> But you haven't said WHY you want to do this, it's a far from ideal
>> configuration.
>
> It's for an architect.
> He has two offices (let's call them NET_A and NET_B), max 10 PCs per office.
> The internet gateway is 192.168.1.1 with dhcp (192.168.1.100 to
> 192.168.1.250) and it is "closed" by the ISP vendor, so it must have
> this address.
> There is one server (192.168.1.3) which must be visible in office A.
> PCs in office NET_A should not see the PCs of operators in office NET_B,
> and vice versa.
> All PCs have Win XP.
>
> NET_A can browse the internet because it is connected to the router.
> If I run shorewall as a bridge, can I DROP all traffic from NET_A to
> NET_B, and from NET_B to NET_A, except traffic from NET_B to
> 192.168.1.1 (because I want PCs in NET_B to browse the internet)?
>
> router (192.168.1.1)
>   |-> eth1 (192.168.1.99) - shorewall bridge - eth0 (192.168.1.???)
> <-> NET_B (192.168.1.0/24)
>   |-> NET_A (192.168.1.0/24)
>   |-> + server (192.168.1.3)
>
> p.s. sorry but my english is poor.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Pascal Poudrier wrote:
> First of all, you cannot do that. It's impossible to make two identical
> subnets communicate on different network interfaces. What I'd
> suggest is that you block DHCP packets with the firewall, create
> your own internal DHCP and assign a different subnet to
> each network (NET_A = 192.168.1.0/24 and NET_B = 192.168.2.0/24).

He probably can't do that so simply. If he can't access the internet router config (which I think is the case from what he's written) then he can't add the route required for that router to manage packets to/from the 192.168.2.0/24 subnet.
Yeah, you are right, I forgot to add another NIC between the Router and the Firewall. That way, all the workstations will only see the firewall and he can put a DHCP on the firewall to distribute IPs.

This will look like this:

NET_A --> Firewall --> Router
NET_B --> Firewall --> Router

The Firewall-Router interface will get its IP from the Router and the other subnets will get their IPs from the Firewall.

This is a way to bypass the protected router and be able to manage a separate network.

"Simon Hobson" <linux@thehobsons.co.uk> wrote:
> Pascal Poudrier wrote:
>
>> First of all, you cannot do that. It's impossible to make two identical
>> subnets communicate on different network interfaces. What I'd
>> suggest is that you block DHCP packets with the firewall, create
>> your own internal DHCP and assign a different subnet to
>> each network (NET_A = 192.168.1.0/24 and NET_B = 192.168.2.0/24).
>
> He probably can't do that so simply. If he can't access the internet
> router config (which I think is the case from what he's written) then
> he can't add the route required for that router to manage packets
> to/from the 192.168.2.0/24 subnet.
There are 2 problems with your desired setup:

1) You are using the term 'subnet' incorrectly. A subnet is a separately routable slice of the same network range (e.g. IP network 192.168.0.0 with a subnet mask 255.255.255.248 allows subnet addresses in the range 192.168.0.1 to 192.168.0.8 only). You must have a clear understanding of why this is TRUE - see http://www.shorewall.net/shorewall_setup_guide.htm .

2) You cannot have two machines on the same network with the same IP address - that is like having two houses on the same road having the same house number - who does the postman (IP layer) deliver to?

It seems to me you want 2 networks with 2 identical ranges of IP addresses... this is the same as having 2 streets with the same name (Mao Tse Tung Avenue) and with the same addresses (no 1, 2, 3 & 4). Why would any city or town need this?

Please explain WHY you want identical addresses on two class C networks. If you cannot answer this question then set shorewall up according to the 3 interface example in the documentation at http://www.shorewall.net/three-interface.htm . First deal with NET_A and when you have it working according to your expectation then progress to NET_B...

regards,
Werner

On Fri, 2008-08-29 at 15:15 +0200, hOZONE wrote:
> hello,
>
> I use shorewall for a gateway with two different subnets.
> I have two cards:
> eth1 (wifi card) connected to the internet by a router (192.168.1.1)
> eth0 (rj45 card) which I use to connect PCs to the internet (NET_B)
>
> ACTUALLY
> ------------------
> eth1 is 192.168.1.99 with gateway and dns server 192.168.1.1
> eth0 is 192.168.2.1
>
> wifi router (192.168.1.1)
>   |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.2.1) <-> NET_B
> (192.168.2.0/24)
>   |-> NET_A (192.168.1.0/24)
>
> dnsmasq is listening on eth0
> a dhcp server is running on eth0 assigning the range 192.168.2.100 to
> 192.168.2.200 with gateway and dns 192.168.2.1
>
> shorewall is running as a firewall and bridge, doing masq from eth0 to
> eth1, and blocking traffic from eth1 to eth0
> -- /etc/shorewall/masq contains the lines
> eth1 eth0
> -- /etc/shorewall/rules contains the lines (where loc is eth1 and net is eth0)
> DROP net:192.168.1.0/24 loc:192.168.2.0/24 all -
>
> -- my /etc/network/interfaces looks like this:
> auto eth0
> iface eth0 inet static
>     address 192.168.2.1
>     netmask 255.255.255.0
>
> auto eth1
> iface eth1 inet static
>     address 192.168.1.103
>     netmask 255.255.255.0
>     network 192.168.1.0
>     broadcast 255.255.255.255
>     gateway 192.168.1.1
>     wireless-essid myessidap
>
> WHAT I WANT
> ---------------
> I would like my NET_B to have the same subnet as NET_A, but they should
> be "separated" by shorewall.
> For example a PC in NET_A should have the IP 192.168.1.10, and a PC in NET_B
> should have 192.168.1.10, but they should not see each other and they
> should not conflict.
>
> wifi router (192.168.1.1)
>   |-> eth1 (192.168.1.99) - shorewall - eth0 (192.168.1.1 OR other) <->
> NET_B (192.168.1.0/24)
>   |-> NET_A (192.168.1.0/24)
>
> all traffic from NET_A to NET_B DROPPED
> all traffic from NET_B to NET_A DROPPED
>
> eth0 should be 192.168.1.1 if possible, or should be
> 192.168.1.anyothernumber; the important thing is NET_B.
>
> I've tried with proxyarp and nat to make things work like this, but I'm
> not able to do it.
> Can anyone help me?
>
> regards,
> Davide
Pascal Poudrier wrote:
> Yeah, you are right, I forgot to add another NIC between the Router
> and the Firewall. That way, all the workstations will only see the
> firewall and he can put a DHCP on the firewall to distribute IPs.
>
> This will look like this:
>
> NET_A --> Firewall --> Router
> NET_B --> Firewall --> Router
>
> The Firewall-Router interface will get its IP from the Router and
> the other subnets will get their IPs from the Firewall.
>
> This is a way to bypass the protected router and be able to manage a
> separate network.

Not forgetting that unless you have access to the router to add static routes for the two subnets you choose for NET_A and NET_B, then the firewall will have to do NAT.
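The layout the thread settles on (Simon's "second level of NAT", Pascal's NET_A --> Firewall --> Router / NET_B --> Firewall --> Router, Werner's three-interface pointer, and Simon's closing note that the firewall must NAT when the ISP router cannot be given static routes) can be checked on paper before anyone touches /etc/shorewall. The block below is an added example written for this page, not Shorewall code and not from any poster: a small Python model of a three-zone policy, rule and masq set, evaluated against sample packets. The upstream 192.168.1.0/24 and the firewall's upstream address 192.168.1.99 come from the thread; the office subnets 192.168.10.0/24 and 192.168.20.0/24, the firewall's addresses on them, and the interface names are assumptions, since a renumbered office A has no fixed addresses in the thread.

```python
"""Added example (not from the thread, not Shorewall itself): a model of the
three-interface, double-NAT layout. Evaluates one packet the way Shorewall
orders things: rules first, then policy, DROP when nothing matches, and
masquerading on the upstream interface for accepted traffic.
Office subnets, firewall addresses and interface names are constructed."""
from ipaddress import ip_address, ip_network

UPSTREAM_ADDR = "192.168.1.99"   # address the firewall obtains from the ISP router

# interface -> (zone, subnet on that link, firewall's own address there)
INTERFACES = {
    "eth2": ("net",  ip_network("192.168.1.0/24"),  ip_address(UPSTREAM_ADDR)),
    "eth0": ("locA", ip_network("192.168.10.0/24"), ip_address("192.168.10.1")),
    "eth1": ("locB", ip_network("192.168.20.0/24"), ip_address("192.168.20.1")),
}

# Equivalent of /etc/shorewall/policy: first match wins; anything else is DROP,
# which is what keeps the two offices apart.
POLICY = [
    ("locA", "net", "ACCEPT"),
    ("locB", "net", "ACCEPT"),
    ("fw",   "all", "ACCEPT"),
]

# Equivalent of /etc/shorewall/rules: consulted before the policies.
# (action, source zone, destination zone, protocol, destination port)
RULES = [
    ("ACCEPT", "locA", "fw", "udp", 53),   # DNS served by the firewall
    ("ACCEPT", "locB", "fw", "udp", 53),
    ("ACCEPT", "locA", "fw", "udp", 67),   # DHCP served by the firewall
    ("ACCEPT", "locB", "fw", "udp", 67),
]

# Equivalent of /etc/shorewall/masq lines "eth2 eth0" and "eth2 eth1":
# traffic leaving eth2 that came in on eth0 or eth1 is source-NATed.
MASQ = {"eth2": {"eth0", "eth1"}}


def classify(ip):
    """Map an address to (zone, interface). The firewall's own addresses are
    zone fw; anything outside the three links is reached via the default
    route on eth2 and therefore belongs to zone net."""
    addr = ip_address(ip)
    for iface, (zone, subnet, own) in INTERFACES.items():
        if addr == own:
            return "fw", None
        if addr in subnet:
            return zone, iface
    return "net", "eth2"


def verdict(src, dst, proto, dport):
    """Return (action, egress interface, SNAT source or None) for one packet."""
    src_zone, in_iface = classify(src)
    dst_zone, out_iface = classify(dst)
    action = "DROP"
    for act, s, d, p, port in RULES:
        if (s, d, p, port) == (src_zone, dst_zone, proto, dport):
            action = act
            break
    else:
        for s, d, act in POLICY:
            if s == src_zone and d in (dst_zone, "all"):
                action = act
                break
    snat = None
    if action == "ACCEPT" and out_iface in MASQ and in_iface in MASQ[out_iface]:
        snat = str(INTERFACES[out_iface][2])
    return action, out_iface, snat


def offices_isolated(hosts_a, hosts_b):
    """True when no sampled A<->B packet is accepted in either direction."""
    for a in hosts_a:
        for b in hosts_b:
            for src, dst in ((a, b), (b, a)):
                if verdict(src, dst, "tcp", 445)[0] == "ACCEPT":
                    return False
    return True


if __name__ == "__main__":
    samples = [
        ("192.168.10.10", "8.8.8.8", "tcp", 80),        # office A to the internet
        ("192.168.20.10", "192.168.1.1", "tcp", 80),    # office B to the ISP router
        ("192.168.10.10", "192.168.20.10", "tcp", 445), # A to B: must be dropped
        ("192.168.20.10", "192.168.10.3", "tcp", 445),  # B to A's server: dropped
        ("192.168.20.10", "192.168.20.1", "udp", 53),   # B asking the firewall for DNS
    ]
    for pkt in samples:
        print(pkt, "->", verdict(*pkt))
    print("offices isolated:", offices_isolated(["192.168.10.3"], ["192.168.20.10"]))
```

Two things the run makes visible that the prose only implies: every accepted packet towards the router side leaves with source 192.168.1.99, so the ISP router never needs a route back to either office (Simon's last point), and the isolation comes from the absence of any locA/locB policy rather than from an explicit DROP line, which is the Shorewall idiom Werner's three-interface page relies on.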