Hello everyone! I am relatively new to Shorewall, but I have been fruitlessly trying to get two "local zones" that cannot access each other. My Shorewall box is maxed out with 4 NICs, so I cannot just add another NIC.

http://www.shorewall.net/Multiple_Zones.html#Parallel

I have a wireless router that is connected via its WAN port to the switch that is connected to eth5 on my Shorewall box. I have followed the steps precisely, and yet I can ping, access port 80 on certain machines in the local zone, access a samba share, etc. -- it is like I am not even behind another router at all!

# shorewall version
4.0.6

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:30:3b:10 brd ff:ff:ff:ff:ff:ff
    inet 69.130.0.110/29 brd 69.130.0.111 scope global eth0
    inet6 fe80::250:8bff:fe30:3b10/64 scope link
       valid_lft forever preferred_lft forever
3: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:45:fe:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.1/24 brd 192.168.99.255 scope global eth3
    inet6 fe80::202:b3ff:fe45:fedb/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:3b:1a:cc brd ff:ff:ff:ff:ff:ff
    inet 69.41.11.39/27 brd 69.41.11.63 scope global eth2
    inet 69.41.11.42/27 brd 69.41.11.63 scope global secondary eth2:1
    inet 69.41.11.45/27 brd 69.41.11.63 scope global secondary eth2:2
    inet 69.41.11.46/27 brd 69.41.11.63 scope global secondary eth2:3
    inet 69.41.11.47/27 brd 69.41.11.63 scope global secondary eth2:4
    inet 69.41.11.48/27 brd 69.41.11.63 scope global secondary eth2:5
    inet 69.41.11.43/27 brd 69.41.11.63 scope global secondary eth2:6
    inet 69.41.11.49/27 brd 69.41.11.63 scope global secondary eth2:7
    inet6 fe80::208:c7ff:fe3b:1acc/64 scope link
       valid_lft forever preferred_lft forever
5: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:5c:f5:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.168.1/24 brd 192.168.168.255 scope global eth5
    inet6 fe80::250:8bff:fe5c:f5a1/64 scope link
       valid_lft forever preferred_lft forever

eth0 and eth2 are the uplinks -- eth3 is the DMZ -- eth5 is the local network, into which the wireless router (via the WAN port) is plugged. I gave it a static IP (192.168.168.13) and it is handing out IPs via DHCP from 192.168.2.0/24.

I am sure some of my configuration is superfluous, but I was trying to experiment a bit before asking for help on here.

# ip route show
69.130.0.104/29 dev eth0  proto kernel  scope link  src 69.130.0.110
69.41.11.32/27 dev eth2  proto kernel  scope link  src 69.41.11.39
192.168.99.0/24 dev eth3  proto kernel  scope link  src 192.168.99.1
192.168.168.0/24 dev eth5  proto kernel  scope link  src 192.168.168.1
169.254.0.0/16 dev eth3  scope link  metric 1000
default
        nexthop via 69.130.0.105  dev eth0 weight 1
        nexthop via 69.41.11.33  dev eth2 weight 1

(The Multi-ISP setup and using route_rules is working great, BTW)

# cat /etc/shorewall/zones (comments removed)
fw      firewall
loc     ipv4
loc2    ipv4
net     ipv4
dmz     ipv4

# cat /etc/shorewall/interfaces (comments removed)
net     eth0    detect  norfc1918
net     eth2    detect  norfc1918
dmz     eth3    detect
-       eth5    192.168.168.255

# cat /etc/shorewall/hosts (comments removed)
loc     eth5:192.168.168.0/24
loc2    eth5:192.168.2.0/24

# cat /etc/shorewall/policy (comments removed)
loc     loc2    NONE
loc     all     REJECT
dmz     all     REJECT
fw      all     ACCEPT
net     all     DROP
net     net     DROP
loc2    loc     DROP
loc2    dmz     DROP
loc2    fw      DROP
all     all     REJECT

A few select entries from rules...

# cat /etc/shorewall/rules (comments removed)
SECTION ESTABLISHED
REJECT  loc:192.168.168.13,192.168.2.0/24    loc    -    -
REJECT  loc:192.168.168.13,192.168.2.0/24    dmz    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   loc    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   dmz    -    -
SECTION NEW
REJECT  loc:192.168.168.13,192.168.2.0/24    loc    -    -
REJECT  loc:192.168.168.13,192.168.2.0/24    dmz    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   loc    -    -
REJECT  loc2:192.168.168.13,192.168.2.0/24   dmz    -    -

I even tried adding some exclusions in masq:

# cat /etc/shorewall/masq (comments removed)
eth0    69.41.11.33             69.130.0.105
eth2    69.130.0.105            69.41.11.33
eth0    eth5:!192.168.2.0/24
eth0    eth3
eth2    eth5:!192.168.2.0/24
eth2    eth3

Any ideas would be greatly appreciated! I have a shorewall dump, but I think it is too big for the list? (about 656 KB)

Thanks in advance,
Jeremy

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
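Editor's note, added here and not part of Jeremy's post or of Shorewall itself: the first thing to check with a parallel-zone layout like the one posted is whether packets between the two "zones" ever reach the Shorewall box at all, and what source address they carry when they do. The script below transcribes the posted hosts, interfaces and policy tables into Python and traces a packet from a wireless client. Two things are assumptions, marked in the code: that the wireless router has the ordinary routing table of a box with WAN 192.168.168.13/24 and LAN 192.168.2.0/24 (connected routes plus a default via 192.168.168.1), and that it NATs on its WAN port as consumer routers do by default. Zone matching is simplified to longest-prefix lookup, which is adequate for the disjoint /24s in the post. The `trace` function is hypothetical helper code, not a Shorewall command.

```python
"""Trace a wireless-client packet through the topology in the post and report
which Shorewall zones and policy line it would hit, or that the Shorewall box
never sees it.  Zone and policy tables are transcribed from the post; the
wireless router's routes and NAT behaviour are assumptions."""
import ipaddress

# Transcribed from the posted /etc/shorewall/interfaces and hosts:
# (zone, interface, network).  eth5 carries two zones via the hosts file.
ZONE_NETS = [
    ("net",  "eth0", "69.130.0.104/29"),
    ("net",  "eth2", "69.41.11.32/27"),
    ("dmz",  "eth3", "192.168.99.0/24"),
    ("loc",  "eth5", "192.168.168.0/24"),
    ("loc2", "eth5", "192.168.2.0/24"),
]

# Transcribed from the posted /etc/shorewall/policy, in file order
# (Shorewall applies the first line whose source/dest zones match).
POLICY = [
    ("loc",  "loc2", "NONE"),
    ("loc",  "all",  "REJECT"),
    ("dmz",  "all",  "REJECT"),
    ("fw",   "all",  "ACCEPT"),
    ("net",  "all",  "DROP"),
    ("net",  "net",  "DROP"),
    ("loc2", "loc",  "DROP"),
    ("loc2", "dmz",  "DROP"),
    ("loc2", "fw",   "DROP"),
    ("all",  "all",  "REJECT"),
]

# ASSUMPTION: routing table of the wireless router (WAN 192.168.168.13/24,
# LAN 192.168.2.0/24).  gateway None means "directly connected".
ROUTER_ROUTES = [
    ("192.168.2.0/24",   None),
    ("192.168.168.0/24", None),
    ("0.0.0.0/0",        "192.168.168.1"),   # default via the Shorewall box
]
ROUTER_WAN_IP = "192.168.168.13"


def next_hop(routes, dst):
    """Longest-prefix route lookup.  Returns the gateway, or None if the
    destination is on a directly connected segment."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def zone_of(ip):
    """Zone Shorewall would assign to an address from the tables above
    (longest prefix; a simplification of Shorewall's matching).  Anything
    outside the listed networks leaves via an uplink, hence 'net'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, _iface, net in ZONE_NETS:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[1]):
            best = (zone, n.prefixlen)
    return best[0] if best else "net"


def policy_for(src_zone, dst_zone):
    """First matching policy line, 'all' acting as a wildcard."""
    for s, d, action in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return action
    return "REJECT"   # not reachable with the posted 'all all REJECT' line


def trace(client_ip, dst_ip, router_nats=True):
    """Follow a packet from a wireless client (192.168.2.0/24) to dst_ip.
    ASSUMPTION: router_nats=True models a router that masquerades behind
    its WAN address; False models a router that forwards unchanged."""
    gw = next_hop(ROUTER_ROUTES, dst_ip)
    if gw is None:
        # Destination shares a segment with the router's WAN or LAN side, so the
        # router delivers it itself; no zone or policy on the Shorewall box applies.
        return {"via_firewall": False}
    src_seen = ROUTER_WAN_IP if router_nats else client_ip
    sz, dz = zone_of(src_seen), zone_of(dst_ip)
    return {"via_firewall": True, "src_seen": src_seen,
            "zones": (sz, dz), "policy": policy_for(sz, dz)}


if __name__ == "__main__":
    for dst in ("192.168.168.50", "192.168.99.10", "8.8.8.8"):
        print(dst, trace("192.168.2.5", dst), trace("192.168.2.5", dst, False))
```

Run as-is, the trace to a host in 192.168.168.0/24 reports that the Shorewall box is not in the path, which is consistent with the symptoms in the post: the loc/loc2 policy lines only matter for packets that arrive on eth5, and a router sitting on the same switch as the loc hosts delivers loc-bound traffic directly. For destinations that do go through eth5, the NAT assumption decides whether the source is classified as loc (192.168.168.13) or loc2 (the client address), and therefore whether the `loc all REJECT` or the `loc2 ... DROP` lines apply.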
