Hi folks,

I've been using shorewall in a very simple way, and very successfully, for a time, but have now come across a situation I am stumped by, so am hoping someone can help.

I am rebuilding my main gateway/firewall machine, which has been using Fedora 13, to use Ubuntu Server 12, and because it's a complex change I decided to get it running as a VM before trying to roll it out onto the real hardware. I'm also taking the opportunity to change from 192.168.0.0/24 to 192.168.32.0/24, as use of the 0 net has caused conflicts in the past. For the VM's DNS the internal IPs have been changed to reflect this.

My main network has a DSL modem (on 192.168.1.0/30, implementing NAT) connecting to the aforesaid Gateway connected (on 192.168.0.0/24) to a Switch and the rest of the boxen: pretty standard.

I have set up the VirtualBox VM on my fileserver and within itself it's ok. I want to set it up so that:
- from its perspective, it is the local net and everything else is "internet"
- it implements shorewall to protect (as yet unbuilt) local-net VMs forming the test network
- from the perspective of the existing local network, it's just another machine on the local net
- localnet VMs are not visible to the real local network: just as the real local network machines are from the internet.

The only difference I expect between the test and real setups is that the external IP for test will be 192.168.0.x while for the deployed state it will be 192.168.1.2, and the default gateway for test will be 192.168.0.1 while for the deployed state it will be 192.168.1.1.

So far:
- I've set up 2 interfaces on the VM, and configured them statically to have external and internal addresses.
- The VM considers the external interface to be the default gateway, and it is forwarding to the real gateway, and its bind is configured to consider itself canonical on the VM network and to ask the true internet otherwise. I've also set it up with a "forwarder" of my ISP's DNS server.
- Within the VM, resolv.conf points to the local Bind, and for test net addresses DNS resolution is working.
- I have added "route" commands on the real gateway's rc.local script so that it knows about the "32" network.
- I've started to add shorewall config to the real gateway: entries in "hosts" and "zones" for the "0" network (loc) and the new "32" network (nloc) as eth3:192.168.32.0/24, and un-named "loc" in "interfaces".
- I've set up a policy Accept for (nloc<->net) and (nloc<->fw) on the real gateway.
- I've marked DNS traffic as loc<->net on the real gateway (as well as net<->fw, loc<->fw).

The problem is that although I can ping in all directions, the DNS traffic (e.g. to resolve google.com) is heading out of the VM, getting to the real gateway's eth3 and that's the last I see of it. ... and switching off the real firewall doesn't help so it's not totally a shorewall issue (though I believe I need some reconfig of it).

I've probably done something dumb: can anyone see what it is?

Thanks
Ruth

--
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
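For readers following the thread, here is the real-gateway zone layout the post describes (loc and nloc both behind eth3, defined in hosts rather than interfaces, with ACCEPT policies for nloc), written out as shorewall configuration fragments. This is an added example, not Ruth's actual files or anything from the shorewall project. The upstream interface name eth0, the DROP/REJECT catch-all policies, and the masq entry are assumptions: the post says nothing about how the real gateway reaches its DSL modem, and the masq line is there only to show that a new internal subnet has to appear in every place the old one did for a forwarded packet to leave the box, which is the check a practitioner would make when a packet is seen arriving on the inside interface and never seen again.

```conf
# /etc/shorewall/zones  (added example; zone names from the post)
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4            # existing 192.168.0.0/24 network
nloc    ipv4            # new 192.168.32.0/24 test network behind the VM

# /etc/shorewall/interfaces
# "-" as the zone means the zones on eth3 are assigned in the hosts file.
# eth0 as the upstream (DSL modem side) interface is an assumption.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
-       eth3        detect

# /etc/shorewall/hosts
# Both networks sit behind eth3, so each is a separate host-based zone.
#ZONE   HOST(S)                  OPTIONS
loc     eth3:192.168.0.0/24
nloc    eth3:192.168.32.0/24

# /etc/shorewall/policy
# nloc<->net and nloc<->fw ACCEPT as in the post; the catch-alls are assumed.
#SOURCE DEST    POLICY   LOG LEVEL
loc     net     ACCEPT
loc     fw      ACCEPT
nloc    net     ACCEPT
net     nloc    ACCEPT
nloc    fw      ACCEPT
fw      nloc    ACCEPT
fw      all     ACCEPT
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/rules
# The DNS macro ships with shorewall and matches TCP/UDP port 53.
#ACTION       SOURCE   DEST   PROTO   DEST PORT(S)
DNS(ACCEPT)   loc      net
DNS(ACCEPT)   nloc     net
DNS(ACCEPT)   loc      fw
DNS(ACCEPT)   net      fw

# /etc/shorewall/masq  (ASSUMPTION: the real gateway NATs toward the modem)
# If this file lists only 192.168.0.0/24, packets from 192.168.32.0/24 are
# forwarded unmasqueraded and the return path depends on the modem knowing
# the 32 network. Listing both subnets keeps them equivalent.
#INTERFACE  SOURCE                              ADDRESS
eth0        192.168.0.0/24,192.168.32.0/24

# /etc/shorewall/shorewall.conf (relevant setting only)
# Forwarding must be on for any packet to cross from eth3 to eth0 at all.
IP_FORWARDING=On
```

After changing these files, `shorewall check` validates them and `shorewall restart` loads them; `shorewall show nat` and `shorewall show` (with the packet counters in the FORWARD chain) then tell you whether a packet arriving on eth3 from 192.168.32.0/24 was accepted and translated or fell through to the logged catch-all policy.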