Mark D. Montgomery II
2010-Jun-20 13:45 UTC
Proper setup for a router with 2 interfaces and a bridge on one?
I'm working on setting up a new router/server/etc. box. I'm using Proxmox as the base system (Debian Lenny basically). I'm trying to figure out the right way to configure Shorewall on it. I've looked at some of the bridging info, but they all seem to be talking about single-interface setups.

Could someone look over my setup and give me some input into the proper way to set this up so that I can do all the normal Shorewall things properly, like blocking like normal, port forwards, etc.?

I think my current setup mostly works, but I'm seeing messages like:

Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0

(Some of these are from external machines to a virtual machine and mention eth1 as the physical interface; this one is between two virtual machines.)

I'm assuming something isn't set up quite right. :)

My setup is:

eth0 - external (internet)
eth1 - internal (not configured - the physical interface to the LAN)
vmbr0 - the Proxmox bridge interface on eth1

/etc/network/interfaces:

# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.42.1
        netmask 255.255.255.0
        broadcast 10.10.42.255
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

###################################
/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     vmbr0       detect      tcpflags,dhcp,nosmurfs

#####################################################
/etc/shorewall/policy (wide open for now, but obviously should be locked down later)
################
#Testing Section
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc     net     ACCEPT
loc     $FW     ACCEPT
loc     all     ACCEPT
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     ACCEPT
$FW     loc     ACCEPT
$FW     all     ACCEPT
#
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     ACCEPT
net     loc     ACCEPT
net     all     ACCEPT
##################################################
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#########################################################

Thanks!
Mark II

--
Mark D. Montgomery II
http://www.techiem2.net

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
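A small log triage script for the kind of reject Mark posted, added here as an example (not part of the thread, of Shorewall, or of Proxmox): it parses Shorewall/netfilter log lines, separates "hairpin" rejects (IN and OUT are the same bridge, the symptom Tom's FAQ pointers and Mark's later routeback fix address) from ordinary zone-crossing rejects, and lists the interfaces that need the routeback option. Only the first sample line is Mark's; the syslog prefix and the other two lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the reject Mark posted (syslog prefix made up),
# line 2 a LAN host reaching a VM via eth1, line 3 a net->loc reject unrelated to bridging.
SAMPLE_LOG = """\
kernel: Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=eth1 PHYSOUT=vmtab101i0 SRC=10.10.42.50 DST=10.10.42.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Shorewall:net2all:REJECT:IN=eth0 OUT=vmbr0 PHYSOUT=vmtab101i0 SRC=203.0.113.7 DST=10.10.42.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=4444 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")

def parse_line(line):
    """Return the netfilter fields of one Shorewall log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].append(tok)  # bare tokens such as DF or SYN
    return rec

def classify(rec):
    """'hairpin': the packet entered and left through the same interface (the bridge
    forwarding between its own ports), which Shorewall rejects unless that interface
    has the routeback option. 'crossing': normal zone-to-zone traffic."""
    if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
        return "hairpin"
    return "crossing"

def summarize(log_text):
    """Count REJECTs per (class, IN, OUT); hairpin counts point at the bridge."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disposition"] == "REJECT":
            counts[(classify(rec), rec.get("IN", "-"), rec.get("OUT", "-"))] += 1
    return counts

def routeback_candidates(log_text):
    """Interfaces whose hairpin rejects suggest adding routeback to
    /etc/shorewall/interfaces (the fix Mark arrived at later in the thread)."""
    return sorted({iface for (cls, iface, _out) in summarize(log_text) if cls == "hairpin"})
```

Run it against a real /var/log/messages extract (any leading syslog prefix is tolerated) and only the interfaces it lists need routeback; crossing rejects are genuine policy decisions to review in /etc/shorewall/policy and rules.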
Tom Eastep
2010-Jun-20 23:21 UTC
Re: Proper setup for a router with 2 interfaces and a bridge on one?
On 6/20/10 6:45 AM, Mark D. Montgomery II wrote:
> I'm working on setting up a new router/server/etc. box.
> I'm using Proxmox as the base system (Debian Lenny basically).
> I'm trying to figure out the right way to configure Shorewall on it.
> I've looked at some of the bridging info but they seem to all be talking
> about single-interface setups.
> Could someone look over my setup and give me some input into the proper
> way to set this up so that I can do all the normal Shorewall things
> properly like blocking like normal, port forwards, etc. ?
>
> I think my current setup mostly works, but I'm seeing messages like:
>
> Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0
> PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00
> PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840
> RES=0x00 SYN URGP=0

Shorewall FAQs 17 and 35.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mark D. Montgomery II
2010-Jun-21 12:29 UTC
Re: Proper setup for a router with 2 interfaces and a bridge on one?
Quoting Tom Eastep <teastep@shorewall.net>:
>
> Shorewall FAQs 17 and 35.

Thanks. I found the routeback option a bit later after digging around some more, so it seems to be behaving properly now (it's not good to block your iSCSI target and initiator from talking to each other... :P ). Now I just have to start locking it down and testing forwards and such.

>
> -Tom

Mark II

--
Mark D. Montgomery II
http://www.techiem2.net