Hi folks,

I've been using shorewall in a very simple way, and very successfully, 
for a time, but have now come across a situation I am stumped by, so am 
hoping someone can help.

I am rebuilding my main gateway/firewall machine, which has been using 
Fedora 13, to use Ubuntu Server 12, and because it's a complex change I 
decided to get it running as a VM before trying to roll it out onto the 
real hardware. I'm also taking the opportunity to change from 
192.168.0.0/24 to 192.168.32.0/24, as use of the 0 net has caused 
conflicts in the past. For the VM's DNS the internal IPs have been 
changed to reflect this.

My main network has a DSL modem (on 192.168.1.0/30, implementing NAT) 
connecting to the aforesaid Gateway connected (on 192.168.0.0/24) to a 
Switch and the rest of the boxen: pretty standard.

I have set up the VirtualBox VM on my fileserver and within itself it's 
ok. I want to set it up so that

  - from its perspective, it is the local net and everything else is 
"internet"
  - it implements shorewall to protect (as yet unbuilt) local-net VMs 
forming the test network
  - from the perspective of the existing local network, it's just 
another machine on the local net
  - localnet VMs are not visible to the real local network: just as the 
real local network machines are from the internet.

The only difference I expect between the test and real setups is that 
the external IP for test will be 192.168.0.x while for the deployed 
state it will be 192.168.1.2, and the default gateway for test will be 
192.168.0.1 while for the deployed state it will be 192.168.1.1.

So Far:
  - I've set up 2 interfaces on the VM, and configured them statically 
to have external and internal addresses.
  - The VM considers the external-interface to be the default gateway, 
and it is forwarding to the real gateway, and its bind is configured to 
consider itself canonical on the VM network and to ask the true internet 
otherwise. I've also set it up with a "forwarder" of my ISP's DNS server.
  - Within the VM, resolv.conf points to the local Bind, and for test 
net addresses DNS resolution is working.
  - I have added "route" commands on the real gateway's rc.local script 
so that it knows about the "32" network.
  - I've started to add shorewall config to the real gateway: entries in 
"hosts" and "zones" for the "0" network (loc) and the new "32" network 
(nloc) as eth3:192.168.32.0/24, and un-named "loc" in "interfaces".
  - I've set up a policy Accept for (nloc<->net) and (nloc<->fw) on the 
real gateway.
  - I've marked DNS traffic as loc<->net on the real gateway (as well as 
net<->fw, loc<->fw).

The problem is that although I can ping in all directions, the DNS 
traffic (e.g. to resolve google.com) is heading out of the VM, getting 
to the real gateway's eth3 and that's the last I see of it. ... and 
switching off the real firewall doesn't help so it's not totally a 
shorewall issue (though I believe I need some reconfig of it).

I've probably done something dumb: can anyone see what it is?

Thanks
Ruth

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
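A Shorewall configuration for the real gateway that matches the zones and policies listed in the post above, added here as an illustration and not Ruth's own files. The modem-facing interface name eth0, the Shorewall 4.4 column layout, and the masq entry are assumptions: the post does not say whether the 192.168.32.0/24 test subnet is masqueraded on the way out to the DSL modem.

```conf
# /etc/shorewall/zones  (constructed example, Shorewall 4.4 layout)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
nloc    ipv4

# /etc/shorewall/interfaces
# eth0 faces the DSL modem (assumed name). eth3 carries both the existing
# LAN and the test VM's external address, so it gets no zone here; the
# zones are assigned per subnet in the hosts file instead.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       eth3        detect

# /etc/shorewall/hosts
# nloc is reachable through the VM's 192.168.0.x address on eth3, which
# the static route added in rc.local points at.
#ZONE   HOST(S)                 OPTIONS
loc     eth3:192.168.0.0/24
nloc    eth3:192.168.32.0/24

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
$FW     net     ACCEPT
loc     net     ACCEPT
loc     $FW     ACCEPT
nloc    net     ACCEPT
nloc    $FW     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# The DNS macro covers udp and tcp port 53. The loc/nloc -> net entries
# are already allowed by policy; listing them keeps the intent explicit.
#ACTION         SOURCE  DEST
DNS(ACCEPT)     loc     $FW
DNS(ACCEPT)     loc     net
DNS(ACCEPT)     nloc    net

# /etc/shorewall/masq
# Assumption: the modem only knows 192.168.0.0/24, so a reply to an
# unmasqueraded 192.168.32.x source would have no route back. Rewriting
# both internal subnets to eth0's address removes that dependency.
#INTERFACE      SOURCE
eth0            192.168.0.0/24,192.168.32.0/24
```

Checking `shorewall check` after editing and watching `tcpdump -ni eth0 port 53` on the real gateway shows whether the VM's DNS queries leave towards the modem with a rewritten source address.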


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users