Hi all

I have a firewall host working very well...
I am setting up OpenVPN on this firewall...
My VPN is working in bridge mode.
I have these interfaces:

br0  inet addr:172.168.1.1  Bcast:172.168.1.255  Mask:255.255.255.0
eth0   inet addr:10.1.1.5  Bcast:10.1.1.255  Mask:255.255.255.0
eth2   inet6 addr: fe80::217:9aff:fe7f:c7ec/64 Scope:Link
tap0   inet6 addr: fe80::2ff:31ff:fe46:207d/64 Scope:Link

/etc/network/interfaces is:
# The primary network interface
auto eth0
iface eth0 inet static
address 10.1.1.5
network 10.1.1.0
netmask 255.255.255.0
broadcast 10.1.1.255
gateway 10.1.1.1

auto br0
iface br0 inet static
address 172.168.1.1
netmask 255.255.255.0
pre-up /usr/sbin/openvpn --mktun --dev tap0
pre-up /sbin/ip link set tap0 up
pre-up /sbin/ip link set eth2 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth2
pre-up /usr/sbin/brctl addif br0 tap0
pre-down /usr/sbin/brctl delif br0 eth2
pre-down /sbin/ip link set eth2 down
pre-down /usr/sbin/brctl delif br0 tap0
pre-down /sbin/ip link set tap0 down
post-down /usr/sbin/brctl delbr br0
post-down /usr/sbin/openvpn --rmtun --dev tap0

Route table:

[EMAIL PROTECTED]:/etc/shorewall# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.1.1.1        0.0.0.0         UG    100    0        0 eth0

I have this in the shorewall interfaces file:

#loc    eth2
loc     br0     detect  routeback
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians

What is happening is:

When I have the bridge interface up (i.e. br0), my clients inside the
LAN can't surf the web, except via the squid proxy.
Another problem that appears now is that all my DNAT rules don't work any
more.
I tried this in the rules file:

DNAT    net     loc:172.168.1.20        tcp     3389
DNAT    net     loc:172.168.1.20        tcp     4899

But they don't work...

What can I do?

Thanks...



-- 
Gilberto Nunes
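As an added consistency check (not part of the original thread), a small POSIX shell script that lints a Shorewall interfaces file against the bridge membership: it reports a bridge port that is also declared as its own zone interface, and a bridge zone interface that lacks routeback. The sample interfaces file and the bridge/port pairs are constructed from the values quoted above; on a live host they would come from /etc/shorewall/interfaces and the output of brctl show.

```shell
#!/bin/sh
# Constructed copy of the poster's /etc/shorewall/interfaces (comment line included).
SAMPLE_INTERFACES='#loc    eth2
loc     br0     detect  routeback
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians'

# Constructed "bridge port" pairs, as brctl show would report for br0.
SAMPLE_BRIDGE_PORTS='br0 eth2
br0 tap0'

# Emit "zone iface options" for every active (non-comment) entry; "-" when no options.
active_entries() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF >= 2 { print $1, $2, ($4 == "" ? "-" : $4) }'
}

# Return 0 when no bridge port is also declared as a zone interface of its own.
check_ports_not_declared() {
    ifaces=$1; ports=$2; rc=0
    for port in $(printf '%s\n' "$ports" | awk '{ print $2 }'); do
        if active_entries "$ifaces" | awk -v p="$port" '$2 == p { found = 1 } END { exit !found }'; then
            echo "ERROR: bridge port $port is also declared as a zone interface" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when every bridge that is a zone interface carries the routeback option.
check_bridge_routeback() {
    ifaces=$1; ports=$2; rc=0
    for br in $(printf '%s\n' "$ports" | awk '{ print $1 }' | sort -u); do
        opts=$(active_entries "$ifaces" | awk -v b="$br" '$2 == b { print $3 }')
        [ -z "$opts" ] && continue   # bridge is not a zone interface here; nothing to check
        case ",$opts," in
            *,routeback,*) ;;
            *) echo "ERROR: bridge $br lacks routeback (traffic between hosts on the same bridge)" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

check_ports_not_declared "$SAMPLE_INTERFACES" "$SAMPLE_BRIDGE_PORTS" &&
check_bridge_routeback "$SAMPLE_INTERFACES" "$SAMPLE_BRIDGE_PORTS" &&
echo "interfaces file is consistent with the bridge layout"
```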
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users