On 10/23/10 7:14 PM, kazabe wrote:
> Hi.
> 
> I'm very new to Shorewall.
> 
> Basically I need to permit direct access from the whole network to some
> public IPs, because they publish some applications that can't be accessed
> through a proxy (the IPs are declared in the /etc/shorewall/masq file).
> 
> The problem is: we have all the VLANs behind a router (192.168.200.1),
> but the VLANs cannot access the public IPs. I declared the routeback
> option on the LAN zone's interface in the interfaces file, because the
> VLANs connect to the proxy using that interface.
> 
> PROXY:/etc/shorewall# cat interfaces
> VPN   tun0
> LAN   eth1    -       routeback
> WAN   eth0
> 
> 
> PROXY:/etc/shorewall# cat masq
> eth0:200.1.173.12     eth1
> eth0:200.1.173.78     eth1
> eth0:173.224.118.154  eth1
> eth0:173.224.112.70   eth1
> eth0:72.21.203.149    eth1
> eth0:72.21.207.165    eth1
> eth0:72.21.211.171    eth1
> eth0:69.163.136.121   eth1
> eth0:200.58.204.118   eth1
> COMMENT station with total internet access.
> eth0  192.168.10.4/32
> eth0  192.168.10.19/32
> 
> 
> PROXY:/etc/shorewall# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.5.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.3.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 10.10.10.0      192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.200.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.4.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.9.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 0.0.0.0         192.168.100.254   0.0.0.0         UG    0      0        0 eth0
> 
> How can I permit direct access to the public IPs declared in the masq
> file?

First, stop using /etc/shorewall/masq for access control. That file is
about rewriting the SOURCE IP Address in outgoing connections; it is not
intended to control who can and cannot access the net. You want to use a
combination of policies and rules for that.

Second, check the setting of IP_FORWARDING in shorewall.conf; be sure
that forwarding is enabled.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
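Tom's two points, as a small script: it reads IP_FORWARDING from a shorewall.conf fragment and rewrites each destination-qualified masq entry as the rules-file line that states the same intent. This is an added example, not from the thread or the Shorewall project; it assumes the classic masq columns INTERFACE[:DEST] SOURCE and the zone names LAN and WAN from the poster's interfaces file, and the masq and conf samples are constructed inline rather than read from /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite destination-qualified masq
# entries as Shorewall rules, and read IP_FORWARDING from shorewall.conf.
# Assumes the three-column masq format INTERFACE[:DEST]  SOURCE  [ADDRESS].

# Constructed sample in the shape of the poster's masq file (not read from disk).
MASQ_SAMPLE='eth0:200.1.173.12     eth1
eth0:200.1.173.78     eth1
COMMENT station with total internet access.
eth0  192.168.10.4/32'

# Constructed shorewall.conf fragment.
CONF_SAMPLE='STARTUP_ENABLED=Yes
IP_FORWARDING=Keep'

# Print the IP_FORWARDING value (Yes, No or Keep); empty if the key is absent.
# "Keep" means Shorewall leaves /proc/sys/net/ipv4/ip_forward alone, so that
# value still has to be checked on the box itself.
ip_forwarding() {
  printf '%s\n' "$1" | sed -n 's/^IP_FORWARDING=//p' | tr -d '"' | tail -n 1
}

# Translate each masq line into the rules-file line that expresses the same
# intent: a DEST-qualified interface becomes ACCEPT LAN WAN:<dest>, and a
# host-only SOURCE becomes ACCEPT LAN:<host> WAN (full access for that station).
masq_to_rules() {
  printf '%s\n' "$1" | awk '
    /^COMMENT/ || /^#/ || NF == 0 { next }
    {
      split($1, iface, ":")
      if (iface[2] != "") {
        n = split(iface[2], dests, ",")
        for (i = 1; i <= n; i++) printf "ACCEPT\tLAN\tWAN:%s\tall\n", dests[i]
      } else {
        printf "ACCEPT\tLAN:%s\tWAN\tall\n", $2
      }
    }'
}

# With access control moved to rules, a single unqualified masq entry remains,
# and the policy file carries the default deny for the LAN -> WAN pair.
replacement_masq() { printf 'eth0\teth1\n'; }
replacement_policy() { printf 'LAN\tWAN\tREJECT\tinfo\n'; }

masq_to_rules "$MASQ_SAMPLE"
```

The generated rules only reproduce the access the masq file implied; with IP_FORWARDING=Keep the kernel's own ip_forward setting decides whether any of it is forwarded at all.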
