Hello everyone! I am a relative newbie to Shorewall, but have been fruitlessly trying to get two "local zones" that cannot access each other. My Shorewall box is maxed out with 4 NICs, so I cannot just add another NIC.

http://www.shorewall.net/Multiple_Zones.html#Parallel

I have a wireless router that is connected via its WAN port to the switch that is connected to eth5 on my Shorewall box.

I have followed the steps precisely, and yet I can ping, access port 80 on certain machines in the local zone, access a samba share, etc -- it is like I am not even behind another router at all!

# shorewall version
4.0.6

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:30:3b:10 brd ff:ff:ff:ff:ff:ff
    inet 69.130.0.110/29 brd 69.130.0.111 scope global eth0
    inet6 fe80::250:8bff:fe30:3b10/64 scope link
       valid_lft forever preferred_lft forever
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:45:fe:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 brd 192.168.99.255 scope global eth3
    inet6 fe80::202:b3ff:fe45:fedb/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:3b:1a:cc brd ff:ff:ff:ff:ff:ff
    inet 69.41.11.39/27 brd 69.41.11.63 scope global eth2
    inet 69.41.11.42/27 brd 69.41.11.63 scope global secondary eth2:1
    inet 69.41.11.45/27 brd 69.41.11.63 scope global secondary eth2:2
    inet 69.41.11.46/27 brd 69.41.11.63 scope global secondary eth2:3
    inet 69.41.11.47/27 brd 69.41.11.63 scope global secondary eth2:4
    inet 69.41.11.48/27 brd 69.41.11.63 scope global secondary eth2:5
    inet 69.41.11.43/27 brd 69.41.11.63 scope global secondary eth2:6
    inet 69.41.11.49/27 brd 69.41.11.63 scope global secondary eth2:7
    inet6 fe80::208:c7ff:fe3b:1acc/64 scope link
       valid_lft forever preferred_lft forever
5: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:5c:f5:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.168.1/24 brd 192.168.168.255 scope global eth5
    inet6 fe80::250:8bff:fe5c:f5a1/64 scope link
       valid_lft forever preferred_lft forever

eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local network, into which the wireless router (via the WAN port) is plugged. I gave it a static IP (192.168.168.13) and it is handing out IPs via DHCP 192.168.2.0/24.

I am sure some of my configuration is superfluous, but I was trying to experiment a bit before asking for help on here.

# ip route show
69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
169.254.0.0/16 dev eth3 scope link metric 1000
default
        nexthop via 69.130.0.105 dev eth0 weight 1
        nexthop via 69.41.11.33 dev eth2 weight 1

(The Multi-ISP setup and using route_rules is working great, BTW)

# cat /etc/shorewall/zones (comments removed)
fw      firewall
loc     ipv4
loc2    ipv4
net     ipv4
dmz     ipv4

# cat /etc/shorewall/interfaces (comments removed)
net     eth0    detect    norfc1918
net     eth2    detect    norfc1918
dmz     eth3    detect
-       eth5    192.168.168.255

# cat /etc/shorewall/hosts (comments removed)
loc     eth5:192.168.168.0/24
loc2    eth5:192.168.2.0/24

# cat /etc/shorewall/policy (comments removed)
loc     loc2    NONE
loc     all     REJECT
dmz     all     REJECT
fw      all     ACCEPT
net     all     DROP
net     net     DROP
loc2    loc     DROP
loc2    dmz     DROP
loc2    fw      DROP
all     all     REJECT

A few select entries from rules...

# cat /etc/shorewall/rules (comments removed)
SECTION ESTABLISHED
REJECT  loc:192.168.168.13,192.168.2.0/24    loc    -    -
REJECT  loc:192.168.168.13,192.168.2.0/24    dmz    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   loc    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   dmz    -    -
SECTION NEW
REJECT  loc:192.168.168.13,192.168.2.0/24    loc    -    -
REJECT  loc:192.168.168.13,192.168.2.0/24    dmz    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   loc    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   dmz    -    -

I even tried adding some exclusions in masq

# cat /etc/shorewall/masq (comments removed)
eth0    69.41.11.33      69.130.0.105
eth2    69.130.0.105     69.41.11.33
eth0    eth5:!192.168.2.0/24
eth0    eth3
eth2    eth5:!192.168.2.0/24
eth2    eth3

Any ideas would be greatly appreciated! I have a shorewall dump, but I think it is too big for the list? (about 656 KB)

Thanks in advance,
Jeremy

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Tom Eastep
2008-Oct-29 23:13 UTC
Re: Parallel zones - how to block traffic from one to the other?
lounds wrote:
> Hello everyone! I am a relative newbie to Shorewall, but have been
> fruitlessly trying to get two "local zones" that cannot access
> each other. My Shorewall box is maxed out with 4 NICs, so I cannot
> just add another NIC.
>
> http://www.shorewall.net/Multiple_Zones.html#Parallel
>
> I have a wireless router that is connected via its WAN port to the
> switch that is connected to eth5 on my Shorewall box.
>
> I have followed the steps precisely, and yet I can ping, access port
> 80 on certain machines in the local zone, access a samba share, etc --
> it is like I am not even behind another router at all!
>
> # shorewall version
> 4.0.6

-shell or -perl?

> # ip addr show
> [...]
>
> eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local
> network, into which the wireless router (via the WAN port) is plugged.
> I gave it a static IP (192.168.168.13) and it is handing out IPs
> via DHCP 192.168.2.0/24

Okay -- I assume then that this wireless router is doing SNAT/Masquerade; so your Shorewall box will *never* pass packets with addresses in the 192.168.2.0/24 range.

> # ip route show
> 69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
> 69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
> 192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
> 192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
> 169.254.0.0/16 dev eth3 scope link metric 1000
> default
>         nexthop via 69.130.0.105 dev eth0 weight 1
>         nexthop via 69.41.11.33 dev eth2 weight 1

See? You don't even have a route to 192.168.2.0/24!

> # cat /etc/shorewall/hosts (comments removed)
> loc     eth5:192.168.168.0/24
> loc2    eth5:192.168.2.0/24

So the definition of loc2 is completely silly. It should be eth5:192.168.168.13.

Now, loc2 will be a sub-zone of loc and you will need to follow the Nested example rather than the Parallel one.

-Tom
--
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________
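The two checks Tom applies above, as an added example that is not part of the thread or of Shorewall's own tooling: parse the hosts file and the `ip route show` output quoted in the thread, report host groups that have no covering route on their interface (the 192.168.2.0/24 group the firewall can never see, because the wireless router NATs it), and flag host groups nested inside another group on the same interface, which is what makes the corrected loc2 a sub-zone of loc. The sample inputs are constructed from the values quoted in the thread.

```python
# Added example, not Shorewall tooling; sample inputs built from the thread.
import ipaddress
HOSTS_BEFORE = """\
loc   eth5:192.168.168.0/24
loc2  eth5:192.168.2.0/24
"""
HOSTS_AFTER = """\
loc   eth5:192.168.168.0/24
loc2  eth5:192.168.168.13
"""
IP_ROUTE = """\
69.130.0.104/29 dev eth0 proto kernel scope link src 69.130.0.110
69.41.11.32/27 dev eth2 proto kernel scope link src 69.41.11.39
192.168.99.0/24 dev eth3 proto kernel scope link src 192.168.99.1
192.168.168.0/24 dev eth5 proto kernel scope link src 192.168.168.1
default
        nexthop via 69.130.0.105 dev eth0 weight 1
        nexthop via 69.41.11.33 dev eth2 weight 1
"""

def parse_hosts(text):
    """(zone, iface, network) for each 'ZONE IFACE:ADDRESS' line; comments skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, hostspec = line.split()[:2]
        iface, _, addr = hostspec.partition(":")
        out.append((zone, iface, ipaddress.ip_network(addr, strict=False)))
    return out

def parse_routes(text):
    """(network, iface) for each 'PREFIX dev IFACE ...' route. The multipath
    default route and its nexthop lines carry no prefix and are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "dev":
            out.append((ipaddress.ip_network(parts[0], strict=False), parts[2]))
    return out

def unrouted(hosts_text, route_text):
    """Host groups with no covering route on their interface: no packet ever
    arrives with such a source address here, so the zone matches nothing."""
    routes = parse_routes(route_text)
    return [f"{zone} {iface}:{net}" for zone, iface, net in parse_hosts(hosts_text)
            if not any(iface == r_if and net.subnet_of(r_net) for r_net, r_if in routes)]

def nested(hosts_text):
    """(inner, outer) pairs where one group lies inside another on the same interface."""
    hosts = parse_hosts(hosts_text)
    return [(a[0], b[0]) for a in hosts for b in hosts
            if a is not b and a[1] == b[1] and a[2].subnet_of(b[2])]
```

Running `unrouted(HOSTS_BEFORE, IP_ROUTE)` reports the original loc2 group as unreachable; with the corrected hosts file nothing is unrouted, but `nested` now reports loc2 inside loc, the case the Nested example covers.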
Tom Eastep
2008-Oct-30 00:30 UTC
Re: Parallel zones - how to block traffic from one to the other?
Tom Eastep wrote:
> lounds wrote:
>> [...]
>> eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local
>> network, into which the wireless router (via the WAN port) is plugged.
>> I gave it a static IP (192.168.168.13) and it is handing out IPs
>> via DHCP 192.168.2.0/24
>
> Okay -- I assume then that this wireless router is doing
> SNAT/Masquerade; so your Shorewall box will *never* pass packets with
> addresses in the 192.168.2.0/24 range.
>
>> # ip route show
>> [...]
>
> See? You don't even have a route to 192.168.2.0/24!
>
>> # cat /etc/shorewall/hosts (comments removed)
>> loc     eth5:192.168.168.0/24
>> loc2    eth5:192.168.2.0/24
>
> So the definition of loc2 is completely silly. It should be
> eth5:192.168.168.13.
>
> Now, loc2 will be a sub-zone of loc and you will need to follow the
> Nested example rather than the Parallel one.

Or, you can turn off NAT in your wireless router. But if you do, you need to update your routing on the firewall.

-Tom
--
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________
Simon Hobson
2008-Oct-30 06:58 UTC
Re: Parallel zones - how to block traffic from one to the other?
Tom Eastep wrote:
> Or, you can turn off NAT in your wireless router. But if you do, you need
> to update your routing on the firewall.

Do you think:

    Turn off NAT in wireless router & put its WAN IP on a different subnet to the 'loc' subnet.

would be better/easier to manage?

Ie, the connection from WAN port of wireless router would be to eth5:0 and use (say) 192.168.3.0/24. Loc could then be eth5:192.168.168.0/24 (or however that's correctly written), and Loc2 could then be eth5:192.168.2.0/23 (/23 encompasses both the Loc2 subnet, and the extra one just created).

Loc and Loc2 are then separate zones I believe.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
lounds
2008-Oct-31 13:00 UTC
Re: Parallel zones - how to block traffic from one to the other?
> See? You don't even have a route to 192.168.2.0/24!
>
>> # cat /etc/shorewall/hosts (comments removed)
>> loc     eth5:192.168.168.0/24
>> loc2    eth5:192.168.2.0/24
>
> So the definition of loc2 is completely silly. It should be
> eth5:192.168.168.13.
>
> Now, loc2 will be a sub-zone of loc and you will need to follow the
> Nested example rather than the Parallel one.
>
> -Tom

Thanks, Tom, that did the trick. I knew I was overlooking something, I just couldn't find it.

Jeremy
Tom Eastep
2008-Oct-31 14:11 UTC
Re: Parallel zones - how to block traffic from one to the other?
Simon Hobson wrote:
> Tom Eastep wrote:
>
>> Or, you can turn off NAT in your wireless router. But if you do, you need
>> to update your routing on the firewall.
>
> Do you think:
>
> Turn off NAT in wireless router & put its WAN IP on a different
> subnet to the 'loc' subnet.
>
> would be better/easier to manage?
>
> Ie, the connection from WAN port of wireless router would be to
> eth5:0 and use (say) 192.168.3.0/24.
> Loc could then be eth5:192.168.168.0/24 (or however that's correctly
> written), and Loc2 could then be eth5:192.168.2.0/23 (/23 encompasses
> both the Loc2 subnet, and the extra one just created).
>
> Loc and Loc2 are then separate zones I believe.

Simon,

Your approach would certainly help isolate the wireless network from the local network. I don't know if that is one of Jeremy's goals or not. He could be relying on WPA2 authentication, in which case it is probably safe to allow wireless clients to connect to local hosts.

Note that in his current setup that uses NAT, it is generally not possible for local hosts to connect to a host in the wireless network.

-Tom
--
Tom Eastep          \ The ultimate result of shielding men from the
Shoreline,           \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________