PGNd <[email protected]> wrote:
>> You are filtering RFC1918 traffic on egress aren't you ?
>
> Now, for access control/filtering of the rfc1918 nets, after reading
>
> http://shorewall.net/manpages/shorewall.conf.html
> http://shorewall.net/MultiISP.html#null_routing
>
> , what I've had is embarrassingly sloppy.
>
> Starting to clean up, with
>
> SHOREWALL/shorewall.conf
> NULL_ROUTE_RFC1918=No
> ROUTE_FILTER=No
>
> SHOREWALL/interfaces
> net EXT_IF
>     optional,physical=eth0,dhcp,tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
> vpn1 VPN_IF
>     optional,physical=tun1,logmartians=0,routefilter=0,routeback=1
> - INT_IF
>     physical=eth1,dhcp,tcpflags,logmartians=1,routefilter=0
>
> SHOREWALL/providers
> ISP01 1 0x100 main EXT_IF detect
>     track,balance INT_IF
> VPN01 2 0x200 main VPN_IF 10.254.254.1
>     track,fallback INT_IF
>
> SHOREWALL/routes
> ISP01 10.0.0.0/8 blackhole
> ISP01 172.16.0.0/12 blackhole
> # ISP01 192.168.0.0/16 blackhole
> # ISP01 192.168.1.254/24 - eth0
>
> I've still got access to the 'net AND the modem's webserver.
>
> But if I add the 192. rfc1918 block to the restrictions, with an exclusion
> for the modem's webserver,
>
> SHOREWALL/routes
> ...
> - # ISP01 192.168.0.0/16 blackhole
> - # ISP01 192.168.1.254/32 - eth0
> + ISP01 192.168.0.0/16 blackhole
> + ISP01 192.168.1.254/24 - eth0
>
> On compile I get an ERROR,
>
> ...
> Adding Providers...
> RTNETLINK answers: Invalid argument
> ERROR: Command "/sbin/ip -4 route add 192.168.1.254/24 dev eth0 table ISP01" Failed
> Restoring Shorewall Lite...
> ...
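Review bot: the `+ ISP01 192.168.1.254/24 - eth0` line replaces a commented-out `/32` entry with a `/24` on the same host address, so the prefix now has non-zero host bits (the `.254`), and the `/sbin/ip -4 route add 192.168.1.254/24 dev eth0 table ISP01` command built from it is the one failing with "Invalid argument". Pick one of `ISP01 192.168.1.254/32 - eth0` (exempt just the modem's webserver) or `ISP01 192.168.1.0/24 - eth0` (exempt its whole subnet); the new `192.168.0.0/16 blackhole` line can stay either way, since the more specific prefix wins on lookup.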
Don't know if it's the problem, but 192.168.1.254/24 probably wants to be either 192.168.1.254/32 or 192.168.1.0/24.

I've done my RFC1918 filtering with rules, rather than routes. So it's easy to permit a set of traffic and then block the larger block. I don't know if that works with routes - and also consider ordering: do routes specified in this file work in order specified or in order of "most specific first"?

Worst case, you might need to specify the 192.168 block in pieces:

192.168.0.0/24
192.168.2.0/23
192.168.4.0/22
192.168.8.0/21
192.168.16.0/20
192.168.32.0/19
192.168.64.0/18
192.168.128.0/17

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
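The three routing questions in the thread (does 192.168.1.254/24 carry host bits, how to carve 192.168.0.0/16 into pieces that skip the modem's /24, and whether route order or prefix length decides a lookup), worked as an added example with Python's standard ipaddress module. This is not code from the Shorewall project or from either poster; the route table, the provider name ISP01 and the function names are constructed for the example, and the table only models longest-prefix matching, which is how the Linux FIB chooses among overlapping routes regardless of the order they were added.

```python
"""Added example (not from Shorewall or the original posters): the routing
questions in the thread above, worked with Python's stdlib ipaddress.

  1. check_prefix: does a prefix such as 192.168.1.254/24 carry host bits,
     and what are the /32 and /24 forms it probably meant?
  2. carve / routes_lines: split 192.168.0.0/16 into the largest CIDR
     blocks that leave one /24 uncovered, as the reply does by hand.
  3. lookup: longest-prefix match over a constructed route table, showing
     that the most specific route wins whatever order the routes are listed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def check_prefix(prefix: str) -> Dict[str, object]:
    """Parse leniently, then report whether the host bits are non-zero.

    A route prefix must have all-zero host bits: '192.168.1.254/24' does
    not, while '192.168.1.254/32' (one host) and '192.168.1.0/24' (the
    subnet) both do. Both candidate fixes are returned.
    """
    iface = ipaddress.ip_interface(prefix)
    net = iface.network                       # same prefix, host bits cleared
    host_bits_set = iface.ip != net.network_address
    return {
        "valid_route": not host_bits_set,
        "as_host": f"{iface.ip}/{net.max_prefixlen}",
        "as_network": str(net),
    }


def carve(block: str, *exclusions: str) -> List[str]:
    """Return the CIDR pieces of `block` that cover everything except the
    `exclusions`, in address order. Pieces lying wholly inside an
    exclusion are dropped; pieces containing one are split around it."""
    pieces = [ipaddress.ip_network(block)]
    for exc in exclusions:
        hole = ipaddress.ip_network(exc)
        remaining = []
        for piece in pieces:
            if hole.subnet_of(piece):
                remaining.extend(piece.address_exclude(hole))
            elif not piece.subnet_of(hole):
                remaining.append(piece)
            # else: the piece lies inside the hole and is dropped
        pieces = remaining
    return [str(n) for n in sorted(pieces)]


def routes_lines(provider: str, block: str, *exclusions: str) -> List[str]:
    """Format carve()'s output as blackhole entries in the column order the
    thread's routes file uses (PROVIDER DEST GATEWAY)."""
    return [f"{provider} {piece} blackhole" for piece in carve(block, *exclusions)]


# Constructed route table modelled on the thread's routes file. The /16
# blackhole is deliberately listed before the /24 that exempts the modem's
# subnet: insertion order does not matter to longest-prefix matching.
ROUTES: List[Tuple[str, str]] = [
    ("192.168.0.0/16", "blackhole"),
    ("172.16.0.0/12", "blackhole"),
    ("10.0.0.0/8", "blackhole"),
    ("192.168.1.0/24", "dev eth0"),     # the modem's subnet, kept reachable
    ("0.0.0.0/0", "via ISP01"),         # default route
]


def lookup(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: the target of the most specific prefix that
    contains `dst`, or None when nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best_len = -1
    best_target: Optional[str] = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


if __name__ == "__main__":
    print(check_prefix("192.168.1.254/24"))
    for line in routes_lines("ISP01", "192.168.0.0/16", "192.168.1.0/24"):
        print(line)
    for dst in ("192.168.1.254", "192.168.2.1", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```

carve() reproduces the eight pieces the reply lists by hand, and lookup() shows the alternative: keep a single 192.168.0.0/16 blackhole and let the more specific 192.168.1.0/24 (or a 192.168.1.254/32) route for the modem win on longest-prefix match, so there is no need to order the routes file "most specific first".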
