Hi All!

I only ever have complex setups. Customer site has a dedicated leased line from their ISP terminating on a Cisco router. Router is configured with the first usable address on a /28 network - 196.x.y.73. The linux firewall is configured with the remaining 5 ip's, 196.x.y.74 to 196.x.y.78 and 79 as the broadcast. Sounds normal but here is the twist. The primary or first ip address ip adds is the 76 one as the primary and then 74, 77, 78 and finally 75. I inherited a very ancient ipchains firewall with the config and I know there had been some reason for it! The A record that the MX points to is 196.x.y.76.

My old iptables firewall works fine with this weird setup and the local admin website, sshd server and smtp server are all accessible from the 'net. There are a bunch of dnat rules that use the other ip addresses for 'net access to local inhouse servers.

A new twist was added in with a wireless based internet connection intended as web browsing via squid on the firewall and as an smtp mail backup. It has a static ip address hidden behind the Mikrotik router. Local lan port on the Mikrotik is 172.21.1.1 and I have used 172.21.1.2/28 as a second isp connection on the same network interface (eth1) as the dedicated line. Not really ready to use yet other than speed and capacity tests when I add a static route for the purpose. Just ignore this extra bit.

The problem now comes when trying to connect ssh or smtp to the A record that points to the 196.x.y.76 ip! I see packets arrive with tcpdump but the firewall remains silent! Now if I ssh or smtp to 196.x.y.74 ip address it works!

Quick fix is quite simple really. Get ISP dudes to change the A record. They will have to add an extra A record anyway for an aql connection. Is there another way around this issue?

I did a quick test of the squid server trying to force it out of the 172.21.1.2 ip addresses just as a test a bit earlier today but it failed with squid reporting a routing loop. I might have missed something in the config but it's not the show stopper!

Cheers
Ang!

-- 
Angela Williams angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Jesus Loves You!

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
On Feb 19, 2012, at 6:45 AM, Angela Williams wrote:

> Is there another way around this issue?

Is sshd configured to only listen on the primary address?

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi All

On Sunday 19 February 2012 at 21:24 Tom Eastep :-
> On Feb 19, 2012, at 6:45 AM, Angela Williams wrote:
> > Is there another way around this issue?
>
> Is sshd configured to only listen on the primary address?

No. I did a little test with the old iptables script and I could access ssh and smtp quite happily on all 5 ip's.

The rules file was this snippet.

SMTP(ACCEPT)    loc    $FW
SMTPS(ACCEPT)   loc    $FW
SMTP(ACCEPT)    net    $FW
SMTP(ACCEPT)    $FW    net
SMTPS(ACCEPT)   net    $FW
SMTPS(ACCEPT)   $FW    net

route_rules has this. (running 4.4.23.2)

-    196.x.y.74/32    diginet    1000
-    196.x.y.75/32    diginet    1000
-    196.x.y.76/32    diginet    1000
-    196.x.y.77/32    diginet    1000
-    196.x.y.78/32    diginet    1000

Maybe I should put the ip's in the same order that my /etc/conf.d/net has them. (Gentoo system!) but somehow I cannot see that as route_rules only does the routing bit!

My providers for the diginet connection looks like this

diginet    1    1    -    eth1:196.x.y.76    196.x.y.73    track,loose,balance

Cheers
Ang

-- 
Angela Williams angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Jesus Loves You!

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
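The two things Tom's question and Angela's route_rules listing turn on are (a) which of the firewall's addresses the daemon is actually bound to, and (b) whether every address has a route_rules entry sending its traffic to the right provider. The script below is an added example, not code from the thread or from Shorewall: it parses a constructed `ss -ltn` listing and a constructed route_rules snippet (RFC 5737 documentation addresses stand in for 196.x.y.74-78) and reports, per service port, which addresses are served and which addresses lack a route rule. A wildcard bind (0.0.0.0 or [::]) covers every address; a specific bind covers only itself, which is exactly the failure mode the thread is chasing.

```python
"""Check which firewall addresses a TCP service listens on, and whether
each address has a Shorewall route_rules entry.

Added example for this thread; the ss(8) output, route_rules text and
addresses below are constructed samples, not taken from the mailing list.
"""
import ipaddress

# Constructed `ss -ltn` output. sshd is bound to one address only (the
# symptom under discussion); the MTA is bound to the wildcard.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     198.51.100.74:22     0.0.0.0:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3128       0.0.0.0:*
"""

# Constructed route_rules in Shorewall's SOURCE DEST PROVIDER PRIORITY layout.
ROUTE_RULES = """\
#SOURCE   DEST                PROVIDER   PRIORITY
-         198.51.100.74/32    diginet    1000
-         198.51.100.75/32    diginet    1000
-         198.51.100.76/32    diginet    1000
-         198.51.100.77/32    diginet    1000
"""

# The five addresses the firewall holds on eth1 (constructed).
FIREWALL_ADDRS = [f"198.51.100.{n}" for n in (76, 74, 77, 78, 75)]

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(ss_text):
    """Return {port: [local address, ...]} for every LISTEN line."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps "[::]" intact for IPv6 wildcards.
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def addresses_served(listeners, port, addrs):
    """Addresses on which the service on `port` accepts connections."""
    bound = listeners.get(port, [])
    if any(b in WILDCARDS for b in bound):
        return set(addrs)
    return {a for a in addrs if a in bound}


def parse_route_rules(text):
    """Return {destination network: provider} from route_rules text."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        _source, dest, provider = line.split()[:3]
        rules[ipaddress.ip_network(dest)] = provider
    return rules


def unrouted_addresses(rules, addrs):
    """Addresses that no route_rules destination covers."""
    return [a for a in addrs
            if not any(ipaddress.ip_address(a) in net for net in rules)]


def report(ss_text=SS_OUTPUT, route_text=ROUTE_RULES, addrs=FIREWALL_ADDRS):
    """Summarise served and unrouted addresses for ssh (22) and smtp (25)."""
    listeners = parse_listeners(ss_text)
    rules = parse_route_rules(route_text)
    return {
        "ssh_served": sorted(addresses_served(listeners, 22, addrs)),
        "smtp_served": sorted(addresses_served(listeners, 25, addrs)),
        "unrouted": unrouted_addresses(rules, addrs),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real box replace the two constants with `ss -ltn` output and the contents of /etc/shorewall/route_rules; a service that answers on .74 but not on .76 while tcpdump shows the SYN arriving will show up here as a specific bind, whereas an address missing from "unrouted" points at the routing side instead.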
On 02/20/2012 02:31 AM, Angela Williams wrote:
> Hi All
>
> On Sunday 19 February 2012 at 21:24 Tom Eastep :-
>
>> On Feb 19, 2012, at 6:45 AM, Angela Williams wrote:
>>> Is there another way around this issue?
>>
>> Is sshd configured to only listen on the primary address?
>
> No. I did a little test with the old iptables script and I could access ssh
> and smtp quite happily on all 5 ip's.
> The rules file was this snippet.
> SMTP(ACCEPT)    loc    $FW
> SMTPS(ACCEPT)   loc    $FW
> SMTP(ACCEPT)    net    $FW
> SMTP(ACCEPT)    $FW    net
> SMTPS(ACCEPT)   net    $FW
> SMTPS(ACCEPT)   $FW    net
>
> route_rules has this. (running 4.4.23.2)
> -    196.x.y.74/32    diginet    1000
> -    196.x.y.75/32    diginet    1000
> -    196.x.y.76/32    diginet    1000
> -    196.x.y.77/32    diginet    1000
> -    196.x.y.78/32    diginet    1000
>
> Maybe I should put the ip's in the same order that my /etc/conf.d/net has
> them. (Gentoo system!) but somehow I cannot see that as route_rules only does
> the routing bit!
>
> My providers for the diginet connection looks like this
> diginet    1    1    -    eth1:196.x.y.76    196.x.y.73
> track,loose,balance

I think I'm going to need the output of 'shorewall dump' to understand what might be going on.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________