abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sat Sep 17, 2022 4:34 pm Post subject: Shorewall configuration, internal LAN to external LAN
Hi,
I'm new here, and I'm searching for help around Shorewall.
This is my first experience with Shorewall and I'm a little lost with the routing aspect of this tool.
My issue is:
My internal LAN 10.141.0.0 cannot connect to my external LAN 10.10.20.0
Code:
10.10.20.0
┌────────┴───────────┐
│ 10.10.20.254
│ Router
│ 10.10.21.254
└────────┬───────────┘
┌────────┴───────────┐
│ 10.10.21.253
│ Shorewall
│ 10.141.0.254
└──────────┬─────────┘
10.141.0.0
A server on 10.141.0.0 can ping 10.10.21.254
A server on 10.141.0.0 cannot ping 10.10.20.0
The Shorewall server can ping 10.10.20.0
The router can ping the server on 10.141.0.0 and a server on 10.10.20.0
I suppose that I need to create a NAT or routing entry on Shorewall to allow the server on 10.141.0.0 to access 10.10.20.0.
Thanks in advance for your help.
Abé
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sat Sep 17, 2022 10:47 pm
abenazus,
Welcome to Gentoo.
As well as the IP addresses we need the subnet masks.
The default for 10.0.0.0 is 10.0.0.0/8, so you only have a single network there.
If it's 10.10.20.0/24 and 10.10.21.0/24, that's OK.
For a /24 private network, it's customary to choose 192.168.x.0/24 where 0<=x<=255, but as long as it's consistent, it's not important.
If 10.141.0.0 is a /24 you may not have a host on IP 10.141.0.0/24 as that is the route address.
Likewise, if 10.141.0.0 is a /16 then 10.141.0.0 cannot be a host.
I have a half-written router guide using Shorewall that I need to complete and put on the wiki.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sun Sep 18, 2022 9:08 am
Hi NeddySeagoon,
yes, the two networks are /24.
The fact is that the Shorewall server blocks the traffic from 10.141.0.0 to 10.10.20.0.
Code:
[root@10.141.0.3 ~]# traceroute 10.10.20.240
traceroute to 10.10.20.240 (10.10.20.240), 30 hops max, 60 byte packets
 1  shorewall (10.141.255.254)  0.240 ms  0.238 ms  0.233 ms
 2  * * *
 3  * * *
And on the Shorewall:
Code:
[root@shorewall ~]# traceroute 10.10.20.240
traceroute to 10.10.20.240 (10.10.20.240), 30 hops max, 60 byte packets
 1  _gateway (10.10.21.254)  0.322 ms  0.271 ms  0.213 ms
 2  172.16.0.1 (172.16.0.1)  14.044 ms  14.077 ms  14.076 ms
 3  server (10.10.20.240)  14.254 ms  14.041 ms  14.064 ms
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Sep 18, 2022 10:21 am
abenazus,
To save me posting the same information several times see Pi4 Router.
Do read the warning at the top.
I have in mind that answering your questions here will help improve that page.
abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sun Sep 18, 2022 4:49 pm
Hi NeddySeagoon,
Nice page, I already read it, but I have some difficulty mapping my case onto your example.
I tried to map my need (issue) onto your DMZ configuration, for example, but that didn't solve my issue.
The Shorewall philosophy is very different from what I know ...
I feel like a complete noob.
Regards
Abé
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Sep 18, 2022 5:18 pm
abenazus,
You need some entries in the snat file so that masquerading works.
Leave the complication of rules for later and set the policy to ACCEPT.
Using your ASCII art and adding a bit to it.
Code:
10.10.20.0/24
┌────────┴───────────┐
│ 10.10.20.254/24
│ Router
│ 10.10.21.254/24
└────────┬───────────┘
┌────────┴───────────┐
│ 10.10.21.253/24 eth0
│ Shorewall
│ 10.141.0.254/24 eth1
└──────────┬─────────┘
10.141.0.0/24
Your Shorewall has three zones: net (provided by eth0), fw (the firewall itself) and DMZ (provided by eth1).
Your interfaces won't be named like that, but you can do the name substitution.
You can write the zones, interfaces and policy files now. Post them, they will be quite small.
Try the snat file too. Post that.
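A worked version of the four files sketched in this post, added here as an example; it is not code from the thread or from Shorewall's own documentation. It uses the eth0/eth1 names from the ASCII art (the thread's real interfaces are enp97s0f1 and enp17s0f0, overridable through NET_IF and DMZ_IF), assumes the Shorewall 5 snat file format (ACTION SOURCE DEST) and puts a deny-by-default policy beside the debugging-only "all ACCEPT" one. The output directory is a parameter, so nothing lands under /etc/shorewall until you copy it there. One thing the traceroutes above make visible: MASQUERADE rewrites the LAN source to the firewall's own 10.10.21.253, so replies come back to the firewall even if the routers beyond it (the 172.16.0.1 hop) have no route for 10.141.0.0/24.

```shell
#!/bin/sh
# Added example (not from the thread): generate Shorewall 5 configuration
# files for the topology in the ASCII art.  Interface names default to the
# drawing's eth0/eth1; the output directory is a parameter so the files can
# be inspected (or fed to "shorewall check DIR") before going live.

NET_IF="${NET_IF:-eth0}"            # 10.10.21.253/24, towards the router
DMZ_IF="${DMZ_IF:-eth1}"            # 10.141.0.254/24, the internal LAN
LAN_NET="${LAN_NET:-10.141.0.0/24}" # the network to hide behind NET_IF

# write_shorewall_conf DIR
# Writes zones, interfaces, policy and snat into DIR.
write_shorewall_conf() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # One zone per interface plus the firewall itself.
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
EOF

    # Format-1 interfaces file (ZONE INTERFACE BROADCAST OPTIONS), the
    # layout used in the thread.  routefilter turns on kernel reverse-path
    # filtering for the interface (anti-spoofing), nosmurfs drops packets
    # with a broadcast source, tcpflags rejects impossible flag combinations.
    cat > "$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $NET_IF     detect      tcpflags,nosmurfs,routefilter
dmz     $DMZ_IF     detect      tcpflags,nosmurfs,routefilter
EOF

    # The thread uses "all all ACCEPT" while debugging, which makes the
    # box a router rather than a firewall.  Deny-by-default baseline: the
    # LAN and the firewall may go out, nothing unsolicited comes in from
    # net, and dropped/rejected packets are logged at "info".
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
fw      all     ACCEPT
dmz     net     ACCEPT
dmz     fw      ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Shorewall 5 snat file: ACTION SOURCE DEST.  The equivalent line in the
    # older masq file is "$NET_IF $LAN_NET" (INTERFACE SOURCE), which is the
    # form the thread ends up using.
    cat > "$dir/snat" <<EOF
#ACTION     SOURCE          DEST
MASQUERADE  $LAN_NET    $NET_IF
EOF
}

# masq_to_snat "INTERFACE SOURCE"
# Converts a legacy masq-file line into its snat-file equivalent.
masq_to_snat() {
    set -- $1
    printf 'MASQUERADE %s %s\n' "$2" "$1"
}

# policy_for DIR SOURCE DEST
# Prints the policy that applies to a zone pair; like Shorewall, the first
# matching line wins and "all" matches any zone.
policy_for() {
    awk -v s="$2" -v d="$3" '
        /^#/ || NF < 3 { next }
        ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }
    ' "$1/policy"
}

# Usage: SHOREWALL_OUT=/tmp/sw sh thisfile.sh ; then: shorewall check /tmp/sw
if [ -n "${SHOREWALL_OUT:-}" ]; then
    write_shorewall_conf "$SHOREWALL_OUT" && ls "$SHOREWALL_OUT"
fi
```

Once the files compile cleanly with `shorewall check`, copy them to /etc/shorewall and load them with `shorewall try /etc/shorewall 60` first, which reverts automatically if the new rule set locks you out.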
abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sun Sep 18, 2022 6:18 pm
Thanks NeddySeagoon for your help.
I really appreciate your help and your time.
I think that I understand the 4 items: zones, interfaces, policy and rules.
I did:
interfaces:
Code:
dmz enp17s0f0 detect dhcp
net enp97s0f1 detect dhcp
zones:
Code:
dmz ipv4
fw firewall
net ipv4
policy:
Code:
fw all ACCEPT
dmz all ACCEPT
net all ACCEPT
That's my actual situation.
So now I need to add the snat configuration?
Abé
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Sep 18, 2022 6:44 pm
abenazus,
Yes. snat will do NAT between the dmz and net zones.
If you want the hosts in the dmz to use dhcp rather than static configuration, you will also need dhcpd to serve the setups.
It's also possible to serve a fixed configuration with dhcpd, one that is tied to the MAC addresses of the host(s) being served that way.
abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sun Sep 18, 2022 7:06 pm
I tried:
snat:
Code:
MASQUERADE 10.10.20.0/24 enp97s0f1
MASQUERADE 10.141.0.0/24 enp97s0f1
without success.
Last edited by abenazus on Sun Sep 18, 2022 7:42 pm; edited 1 time in total
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sun Sep 18, 2022 7:36 pm
abenazus,
MASQUERATE 10.141.0.0/24
Code:
MASQUERADE 10.141.0.0/24 eth0
would be correct using my ASCII art example.
The spelling of MASQUERATE in your post is not correct. If it's correct in your snat file, that's fine.
You also need kernel support:
Code:
$ grep MASQUERADE /usr/src/linux/.config
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
=y or =m works.
Routing also needs to be enabled, after you provide kernel support. See /etc/sysctl.d/router.conf on the wiki page.
That activates routing at boot.
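The two prerequisites named in this post, kernel MASQUERADE support and IPv4 forwarding, as a small check script. This is an added example, not the wiki page's router.conf or anything from the thread; the option list mirrors the grep output above (the exact set of CONFIG_ symbols varies between kernel versions), /proc/config.gz is tried before /usr/src/linux/.config, and the router.conf file name and sysctl.d directory are parameters of this script rather than anything Shorewall requires.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the kernel can do
# MASQUERADE and that it forwards IPv4, and write the sysctl fragment that
# turns forwarding on at boot.

# masq_kernel_support CONFIG_FILE
# Succeeds when every listed option is built in (=y) or a module (=m).
# "# CONFIG_X is not set" lines and absent options count as missing and are
# printed, so the caller sees what to enable.
masq_kernel_support() {
    cfg="$1"
    rc=0
    for opt in CONFIG_NF_NAT_MASQUERADE \
               CONFIG_NETFILTER_XT_TARGET_MASQUERADE \
               CONFIG_IP_NF_TARGET_MASQUERADE; do
        if ! grep -Eq "^$opt=[ym]$" "$cfg"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# live_kernel_config
# Prints the running kernel's configuration: /proc/config.gz if the kernel
# was built with IKCONFIG_PROC, otherwise the source tree's .config.
live_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r /usr/src/linux/.config ]; then
        cat /usr/src/linux/.config
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# forwarding_enabled
# Succeeds when the running kernel forwards IPv4 between interfaces.
# Without this Shorewall's rules compile fine but the LAN still gets
# "* * *" past the firewall, exactly as in the traceroute above.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# write_router_sysctl DIR
# Writes DIR/router.conf (assumed name).  Load it now with
# "sysctl -p DIR/router.conf"; sysctl.d fragments are applied at boot.
write_router_sysctl() {
    mkdir -p "$1" || return 1
    cat > "$1/router.conf" <<'EOF'
# Route between interfaces; required for Shorewall MASQUERADE to be useful.
net.ipv4.ip_forward = 1
EOF
}

# sysctl_value FILE KEY
# Reads KEY from a sysctl fragment, ignoring comments and whitespace.
sysctl_value() {
    awk -F'=' -v k="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { print $2; exit }
    ' "$1"
}

# Usage on the firewall itself:  sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    kcfg=$(mktemp)
    live_kernel_config > "$kcfg" && masq_kernel_support "$kcfg" \
        && echo "kernel: MASQUERADE available"
    rm -f "$kcfg"
    forwarding_enabled && echo "ip_forward: on" || echo "ip_forward: OFF"
fi
```

Run it with `--live` on the firewall after the snat file is in place: if it reports a missing option the fix is in the kernel, not in Shorewall; if only ip_forward is off, install router.conf under /etc/sysctl.d and run `sysctl -p`.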
abenazus n00b
Joined: 17 Sep 2022 Posts: 6
Posted: Sun Sep 18, 2022 8:00 pm
Works!!!!
MASQUERATE was a typo ... sorry for that.
To get the connection working, I added in the masq file:
Code:
enp97s0f1 10.141.0.0/24
Thanks a lot for your help.