> 
> Mike Lander wrote:
> 
> > not sure how to config shorewall or if I have this bridge right, but
> > now there seem to be several ways to config shorewall here.
> > Which shorewall docs should I look at with SUSE 11.1 and shorewall 4.2.9?
> 
> Hi Mike,
> 
> 'brctl show br0' will show you the bridge configuration.
> Tom

linux-rwu0:~ # brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.0016177efed1       no              eth1
                                                        tap0

> 
> Do you need to firewall traffic through the bridge? If not, simply set
> 'routeback' on 'br0' and you are finished. That's
> http://www.shorewall.net/SimpleBridge.html. If you need to firewall
> traffic through the bridge, then you need to follow
> http://www.shorewall.net/bridge-Shorewall-perl.html.

I do need to firewall traffic to the internet on eth0; however, for traffic
across the bridge I just need traffic shaping. I removed the push
route and bridge option.

The items I changed in Shorewall from the stock two-interface setup are in
interfaces, masq, and routestopped, which is correct according to the simple
bridge doc, I believe. I changed these as follows:

interfaces
net     eth0            detect          tcpflags,nosmurfs
loc     br0             detect          routeback

masq
eth0    br0

routestopped
br0     -

However, when starting the bridge with /etc/init.d/bridge, I lose
connectivity with the internet from the firewall and the LAN. I believe the
routing in /etc/init.d/bridge is incorrect. I followed examples, and I
believe the gateway is incorrect. Here are /etc/init.d/bridge, ip route ls,
and ifconfig.

#!/bin/bash

########openvpn bridge-script#################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

#  Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged
tap="tap0"

# Define a list of physical ethernet interfaces to be bridged
# with TAP interface(s) above.
#
eth="eth1"
eth_ip="10.194.79.191"
eth_netmask="255.255.255.0"
eth_broadcast="10.194.79.255"
# Gateway used for the default route that do_start adds
default_gw=10.194.79.191

# Path to the system networking script
# For Debian
#NETWORK="/etc/init.d/networking"
# For SuSE
NETWORK="/etc/init.d/network"

# Path to the openvpn start/stop script
OPENVPN_INIT="/etc/init.d/openvpn"

# Path to the openvpn binary
OPENVPN="/usr/sbin/openvpn"

# Path to the brctl binary
BRCTL="/sbin/brctl"

# Path to the ifconfig binary
IFCONFIG="/sbin/ifconfig"

# Path to the route binary
ROUTE="/sbin/route"

do_start(){

# Create the persistent TAP device(s) OpenVPN will attach to
for i in $tap; do
$OPENVPN --mktun --dev $i
done

# Create the bridge and attach the physical and TAP interfaces to it
$BRCTL addbr $br

for i in $eth; do
$BRCTL addif $br $i
done

for i in $tap; do
$BRCTL addif $br $i
done

# Bridge members carry no address of their own; the address goes on $br
for i in $eth; do
$IFCONFIG $i 0.0.0.0 promisc up
done

for i in $tap; do
$IFCONFIG $i 0.0.0.0 promisc up
done

$IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

$ROUTE add default gw $default_gw

$OPENVPN_INIT start

}

do_stop(){

# Stop OpenVPN first so it no longer holds the TAP device(s)
$OPENVPN_INIT stop

# Tear the bridge down before removing its members
$IFCONFIG $br down
$BRCTL delbr $br

# Bring each TAP device down before removing it (the previous order tried
# to bring down a device that had already been removed)
for i in $tap; do
$IFCONFIG $i down
$OPENVPN --rmtun --dev $i
done

# Reload the system network configuration once, not once per TAP device
$NETWORK force-reload

}

case "$1" in

start)
        do_start
;;
stop)
        do_stop
;;
restart)
        do_stop
        sleep 1
        do_start
;;
*)
echo "usage: $0 start|stop|restart" >&2
exit 3
;;
esac
exit 0

linux-rwu0:~ # ip route ls
75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88 
10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191 
169.254.0.0/16 dev eth0  scope link 
127.0.0.0/8 dev lo  scope link 
default via 10.194.79.191 dev br0  scope link 
default via 75.149.172.94 dev eth0 

The gateway to br0 is the problem, I think. Since the firewall already has
a gateway, do I enter 75.149.172.94 as the gateway in /etc/init.d/bridge?

ifconfig

linux-rwu0:~ # ifconfig 
br0       Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1  
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
          TX packets:881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:145423 (142.0 Kb)  TX bytes:257627 (251.5 Kb)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11  
          inet addr:75.149.172.88  Bcast:75.149.172.95  Mask:255.255.255.240
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:739 errors:0 dropped:0 overruns:0 frame:0
          TX packets:309 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:69916 (68.2 Kb)  TX bytes:36146 (35.2 Kb)
          Interrupt:20 Base address:0x4000 

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1  
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1538 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:317952 (310.5 Kb)  TX bytes:528815 (516.4 Kb)
          Interrupt:23 Base address:0xc000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2788 (2.7 Kb)  TX bytes:2788 (2.7 Kb)

tap0      Link encap:Ethernet  HWaddr 8E:F2:06:E9:82:70  
          inet6 addr: fe80::8cf2:6ff:fee9:8270/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:85438 (83.4 Kb)


Mike
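An added example, not code from the thread or from the OpenVPN/Shorewall projects: two pre-flight checks (function names are my own) that a bridge start script could run before calling `route add default gw`, plus a check over the `ip route ls` output posted above for default routes that point at one of the box's own addresses. The gateway address 10.194.79.1 used in the usage line is a hypothetical value, not one from the thread; the other addresses are the poster's.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks a bridge start
# script can run before 'route add default gw', plus a check over 'ip route'
# output. Function names are mine; the addresses are the ones posted above.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# check_default_gw HOST_IP NETMASK GATEWAY
# Returns 0 if GATEWAY is a plausible next hop for an interface configured
# with HOST_IP/NETMASK: it must not be the host's own address (the box would
# send its default traffic to itself) and it must lie on that subnet.
check_default_gw() {
    host=$1
    mask=$2
    gw=$3
    if [ "$gw" = "$host" ]; then
        echo "gateway $gw is the interface's own address" >&2
        return 1
    fi
    h=$(ip2int "$host")
    m=$(ip2int "$mask")
    g=$(ip2int "$gw")
    if [ $(( h & m )) -ne $(( g & m )) ]; then
        echo "gateway $gw is not on the subnet of $host/$mask" >&2
        return 1
    fi
    return 0
}

# count_default_routes < 'ip route ls' output
# Prints how many default routes the table holds; more than one means the
# kernel uses one and the other silently carries nothing.
count_default_routes() {
    awk '$1 == "default" { c++ } END { print c + 0 }'
}

# self_gateway_defaults ADDR... < 'ip route ls' output
# Prints how many default routes point at one of the host's own addresses.
self_gateway_defaults() {
    awk -v own="$*" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
        $1 == "default" && $2 == "via" && ($3 in mine) { c++ }
        END { print c + 0 }'
}

# Sample input: the 'ip route ls' output posted in the message above.
ROUTES='75.149.172.80/28 dev eth0  proto kernel  scope link  src 75.149.172.88
10.194.79.0/24 dev br0  proto kernel  scope link  src 10.194.79.191
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 10.194.79.191 dev br0  scope link
default via 75.149.172.94 dev eth0'

# Usage with the values from the posted /etc/init.d/bridge; 10.194.79.1 is a
# hypothetical gateway, not one from the thread.
check_default_gw 10.194.79.191 255.255.255.0 10.194.79.191 \
    || echo "refusing to add default route via the bridge's own address" >&2
check_default_gw 10.194.79.191 255.255.255.0 10.194.79.1 \
    && echo "10.194.79.1 passes the subnet check"
printf '%s\n' "$ROUTES" | count_default_routes
printf '%s\n' "$ROUTES" | self_gateway_defaults 10.194.79.191 75.149.172.88
```

The checks only validate the address against the interface's own subnet and local addresses; they do not decide which gateway a given network should use. Run against the posted table, the last two lines report two default routes, one of which points at 10.194.79.191, the bridge's own address.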



_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
