shorewall configuration internal lan to external lan

[abenazus]

Hi,
I'm new here, and I'm searching for help arroung Shorewall.
That's my first experience with Shorewall and I'm little lost with the routing aspect of this tool.

My issue is :
Mu internal lan 10.141.0.0 could not connect my external lan 10.10.20.0

[NeddySeagoon]

abenazus,

Welcome to Gentoo.

As well as the IP addresses we need the subnet masks.
The default for 10.0.0.0 is 10.0.0.0/8, so you only have a single network there.

If its 10.10.20.0/24, 10.10.21/24 that's OK.
For a /24 private network, its customary co choose 192.168.x.0/24 where 0<=x<=255 but as long as its consistent, its not important.

If 10.141.0.0 is a /24 you may not have a host on IP 10.141.0.0/24 as that is the route address.
Likewise if 10.141.0.0 is a /16 then 10.141.0.0 cannot be a host.

I have a half written router guide using shorewall that I need to complete and put on the wiki.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[abenazus]

HI NeddySeagoon,

yes the 2 network are /24.


The fact is than the shorewall server block the traffic between 10.141.0.0 to 10.10.20.0.

[root@10.141.0.3 ~]# traceroute 10.10.20.240
traceroute to 10.10.20.240 (10.10.20.240), 30 hops max, 60 byte packets
1 shorewall (10.141.255.254) 0.240 ms 0.238 ms 0.233 ms
2 * * *
3 * * *

And on the shorewall :
[root@shorewall ~]# traceroute 10.10.20.240
traceroute to 10.10.20.240 (10.10.20.240), 30 hops max, 60 byte packets
1 _gateway (10.10.21.254) 0.322 ms 0.271 ms 0.213 ms
2 172.16.0.1 (172.16.0.1) 14.044 ms 14.077 ms 14.076 ms
3 server (10.10.20.240) 14.254 ms 14.041 ms 14.064 ms

[NeddySeagoon]

abenazus,


To save me posting the same information several times see Pi4 Router.
Do read the warning at the top.

I have in mind that answering your questions here will help improve that page.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[abenazus]

Hi NeddySeagoon,

nice page, I already read it but I have some difficulties to project my case into your example.

I try to project my need (issue) with your dmz configuration for example but didn't solve my issue.

The Shorewall philosophy is very different to what I know ...
I have the feeling to be very noob.

Regards
Abé

[NeddySeagoon]

abenazus,

You need some entries in the the snat file so that masquerading works.
Leave the complication of rules for later and set the policy to ACCEPT.

Using your ASCII art and addind a bit to it.

[abenazus]

Thanks NeddySeagoon for your help.
I really appreciate your help and your time.

I think than I understand the 4 items : zones, interfaces, policy and rules.

I did :
interfaces :
dmz enp17s0f0 detect dhcp
net enp97s0f1 detect dhcp
Zones :
dmz ipv4
fw firewall
net ipv4
policy :
fw all ACCEPT
dmz all ACCEPT
net all ACCEPT

That's my actual situation.
So I need now to add snat configuration ?

Abé

[NeddySeagoon]

abenazus,

Yes. snat will do NAT between the dmz and net zones.

If you want the hosts in the dmz to use dhcp rather than static configuration, you will also need dhcpd to serve the setups.
Its also possible to serve a fixed configuration with dhcpd, one that is tied to the MAC Adddresses of the host(s) being served that way.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[abenazus]

I try :
snat
MASQUERADE 10.10.20.0/24 enp97s0f1
MASQUERADE 10.141.0.0/24 enp97s0f1

without success

[NeddySeagoon]

abenazus,

MASQUERATE 10.141.0.0/24

[abenazus]

Works !!!!
MASQUERATE was a typo ... sorry for that.

To success the connection, I add in masq file :
enp97s0f1 10.141.0.0/24

thanks a lot for your help