Folks,

I'm thinking about setting my modem to bridge mode to enable access to 
the other IP addresses in my block, and I would appreciate some pointers: 
though I have looked around, it's confusing me.

The short version:

  - switching the modem to bridging mode means losing its NAT: how do I 
replicate that, preferably transparently, cf. the present setup?
  - bridging also means losing PPP authentication: does the linux PPPoE 
daemon interact at all with Shorewall?
  - how to enable access and control of the "other" IPs through 
shorewall: linux virtual net interfaces and new "interfaces"?
  - adding in a wifi card as an access point to the config: just a new 
"interface" if IP addresses the same?

The detail:

At present the modem is running in basic (1 IP) + NAT with a single net 
wire to the main internet server/firewall - which is of course using 
Shorewall as well as email and web servers. I'm hoping for some pointers 
as my hesitancy is because it's a server several others depend on and I 
seem to have no choice but to take it down while this happens... so I 
want to get it right first time :-)

My shorewall is based on Ubuntu Linux 12.1 with Shorewall 4.4.26.1. I 
can supply specifics of the rules, conf, etc if that helps:

"interfaces":  "net" == "eth1" and "loc" == "eth2" ; I also have an 
"eth3" which is a wifi card I hope to set up sometime to replace a 
separate wifi router...
"policy": Standard sorts of things. Default reject
"rules": Various additional macros, a couple of "blacklist" hosts, but 
again "normal"
"Shorewall.conf": largely default.
"zones": fw == firewall, net = ipv4, loc = ipv4

I think I have to add an entry to "masq" like this to enable NAT, where 
the first IP is my internal net block and the second is my main internet IP:
eth2           192.168.2.0/24          82.62.47.198

Is that all I need to do to emulate what my modem's NAT is doing now?

My ISP says that traffic to my other IPs is sent to the .198 address as 
a kind of "default gateway", so a client talking to a server running on 
82.62.47.195 will still end up being sent through the .198 address ... 
confusing to me anyway... so:

...to use my multiple IPs I guess I need more zones and then use those 
zones in additional policies / rules? At present, the additional IPs 
will be given specific purposes and probably won't leave the internet 
server host; I guess I need to set up some virtual interfaces somewhere? 
Any hints?

I believe I have to enable the pppoe daemon on the server to dial/redial 
the ISP as required. Is that done without regards to any shorewall 
config, or do I have to tell shorewall about it in some way?

Lastly, the eth3/wifi link is supposed to be so I can monitor/secure 
wifi connections separately from the wired ones. Does that complicate 
the setup or just add a new "interface"? I would like to be able to use 
the same IP addresses over WiFi, so shorewall will just be saying (if 
comes from/to eth3 then apply rules X else if eth2 then rules Y) - at 
least that's my hope.

Regards
Ruth

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
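The following is an added worked example, not part of Ruth's post or of the Shorewall project's documentation. It sketches one way to lay out the four pieces the post asks about in Shorewall 4.4 file syntax, using the interface names and addresses from the post. Assumptions, stated here and in the comments: with the modem bridged, pppd on the server establishes the ISP link as ppp0 and is assigned 82.62.47.198, so ppp0 (not eth1) is the "net" interface and the interface named in masq; 82.62.47.196 is a stand-in for a second spare address in the block; the extra public addresses are added to ppp0 by a pppd ip-up.d hook, which is how services bound to .195/.196 can answer traffic the ISP routes to .198; and the eth3 wifi segment gets its own subnet 192.168.3.0/24 so it can be a separate zone without any bridging.

```text
# /etc/shorewall/params        (define the public addresses once, reuse below)
PUBLIC_IP=82.62.47.198
WEB_IP=82.62.47.195
MAIL_IP=82.62.47.196           # assumed second spare address in the block

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
wifi    ipv4                   # new zone for the eth3 access point

# /etc/shorewall/interfaces    (Shorewall 4.4 columns: ZONE INTERFACE BROADCAST OPTIONS)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           tcpflags,nosmurfs,routefilter,logmartians,optional
loc     eth2        detect      tcpflags,nosmurfs,routefilter
wifi    eth3        detect      tcpflags,nosmurfs,routefilter
# eth1 now only carries PPPoE frames to the bridged modem and is not a zone.
# 'optional' lets Shorewall start before pppd has brought ppp0 up.

# /etc/shorewall/masq          (replaces the NAT the modem did; the interface is
#                               the OUTGOING one, so ppp0 rather than eth2)
#INTERFACE  SOURCE              ADDRESS
ppp0        192.168.2.0/24
ppp0        192.168.3.0/24

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
wifi    net     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules         (services pinned to individual public addresses)
#ACTION        SOURCE  DEST            PROTO   DEST PORT(S)
Web(ACCEPT)    net     $FW:$WEB_IP
SMTP(ACCEPT)   net     $FW:$MAIL_IP
SSH(ACCEPT)    loc     $FW
DNS(ACCEPT)    loc     $FW
DNS(ACCEPT)    wifi    $FW

# /etc/shorewall/shorewall.conf   (only the two settings that change)
IP_FORWARDING=On               # the server now routes, the modem no longer does
CLAMPMSS=Yes                   # PPPoE MTU is 1492; avoids black-holed large packets

# /etc/ppp/ip-up.d/public-aliases   (mode 755; pppd passes the interface as $1)
#!/bin/sh
# Assumed hook: attach the spare public addresses to ppp0 each time the link
# comes up, so the kernel accepts traffic the ISP forwards to .198 for them.
[ "$1" = "ppp0" ] || exit 0
ip addr add 82.62.47.195/32 dev ppp0 2>/dev/null || true
ip addr add 82.62.47.196/32 dev ppp0 2>/dev/null || true
```

Two caveats on this sketch. Shorewall does not talk to pppd at all: the only coupling is the interface name ppp0 in interfaces and masq (and `optional`, so a restart does not fail while the link is down), so pppoe/pppd can be set up independently with pppoeconf or a /etc/ppp/peers file. And if the wired and wireless clients really must share the 192.168.2.0/24 subnet, eth2 and eth3 would have to be bridged into one interface and the two zones defined per bridge port in the hosts file (Shorewall's bridge/firewall configuration), which is more involved than the separate-subnet layout shown here; check it on a test host before the cutover.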