
Re: Re (3): routing



On Fri, Oct 29, 2010 at 10:09:18AM -0700, peasthope@shaw.ca wrote:
> Lee,
> 
> Thanks for the feedback.  You are the first to mention these errors.
> 
> From:	lee <lee@yun.yagibdah.d.>
> Date:	Fri, 29 Oct 2010 17:53:31 +0200
> > There's no zone "ubc" defined on dalton. 
> 
> The concept is "OpenVPN tunnel zone" and the Web page was using 
> the two names ubc and vpn ambiguously.  Now it is the vpn zone.

Shorewall usually doesn't start when you refer to zones that aren't
defined.

> > On dalton, you're not masquerading all the local zones but only those connected via eth0.
> 
> I don't understand.  There is only one local zone.  It is loc 
> and it includes all subnets 172.24.0.0/16.  /etc/shorewall/masq 
> specifies that these subnets are masqueraded via eth0.


# dalton:/etc/shorewall/interfaces 
#ZONE   INTERFACE       BROADCAST       OPTIONS 
net     eth0            detect
#dhcp,tcpflags,nosmurfs,logmartians 
loc     eth1            detect          tcpflags,nosmurfs 
loc     eth3            detect          tcpflags,nosmurfs 
loc     eth5            detect          tcpflags,nosmurfs 
loc     ppp+ 
# This is for the openvpn tunnel. 
vpn     tun0 
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


# dalton:/etc/shorewall/masq 
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK 
#Masq all the local subnets.  Includes Cantor and the PPP link. 
eth0                    172.24.0.0/16 
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


According to [1], eth0 is the net zone, and there are four
interfaces for the loc zone. You're masquerading eth0, which is the
net zone, and none of the local zones: not gonna work.


[1]: http://carnot.yi.org/NetworksPage.html

> > How's joule connected to dalton?
> 
> By the OpenVPN tunnel shown in the illustrations.
>   http://carnot.yi.org/NetworkExtant.jpg

You have 142.103.107.137 on both Carnot and Dalton: not gonna work. It
seems weird that you have connected a hub to your internet
connection. How's the connection provided?

You have two IPs on Cantor on the same physical interface?

What's the purpose of having "various machines" connected via a modem?

>   http://carnot.yi.org/NetworkProposed.jpg
> Links to these illustrations are at the top of NetworksPage.html.

Oh, I didn't see that ...

> Also, thanks to udev, I have a better way of naming the interfaces.
> Can add that to the notes next week.

Keep things simple.

You're trying to do too many things at once. I'd ignore the right side
of the drawings at first and the "various machines" as well.

Then I'd change the cabling, i.e., get a switch or, if none is
available, use the hub instead. Plug the switch/hub into eth1 on
Dalton.

Simplify IPs, like assign 192.168.0.10 to Carnot and 192.168.0.20 to
Cantor; if Cantor needs two IPs, also give it 192.168.0.30. Give
192.168.0.1 to eth1 on Dalton.

Set up a nameserver on Dalton.

I take it that 142.103.107.137 is the public IP to use, so that would
be the IP of eth0 on Dalton. Then for Dalton it's


zones:

net eth0
loc eth1


masq:

eth0 192.168.0.0/24


policy:

# net {
$FW		net		ACCEPT
net		$FW		DROP		info
net		all		DROP		info
# }


# $FW {
$FW		loc		ACCEPT
# }

# loc {
loc             net             ACCEPT
# }


Give 192.168.0.100 to ppp0 on Dalton and 192.168.0.110 and
192.168.0.120 to the "various machines".

This provides an internet connection for everyone on the right side
through Dalton. If you don't need that, you can disallow access and
disable masquerading with shorewall and use the IPs within VPN instead
(see below).

Set up things on right side pretty much the same way.

For hosts other than the firewalls which need to be reachable from the
internet, add DNAT entries to the shorewall rules.


Now for the VPN, it is most important to remember that every machine
that needs to be reachable through the VPN MUST have (a second) IP
address for that. You can give several IPs to the same physical
interface. It'll give you a virtual interface which is called, for
example, eth0:1.

You could use another subnet for the VPN, like 192.168.150.0/24. Then
you just add routes to route the traffic for this subnet through the
VPN. For example, Carnot would have an interface eth0:1 with the IP
192.168.150.10 and Dalton would have eth1:1 with 192.168.150.1. Dalton
would be the gateway for Carnot for eth0:1.


It's confusing because things magically work by themselves once you
set up the routing and shorewall correctly :) Setting up a name server
helps a great deal in sorting things out.


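The three checks raised in this mail (a zone referenced in /etc/shorewall/interfaces that is never defined, the same IP living on two hosts, and what route a host actually picks once a second subnet is aliased onto eth0:1) can be done mechanically before touching the firewall. The script below is an added example, not code from this thread or from Shorewall; the zones/interfaces text and the host addressing plan are constructed to follow the simplified 192.168.0.0/24 and 192.168.150.0/24 scheme suggested above, and the route table is my assumed table for Carnot, not one taken from the page.

```python
"""Offline sanity checks for a Shorewall zone layout and an addressing plan.

Added example (not from the mailing-list thread or the Shorewall project).
All input data below is constructed for illustration.
"""
import ipaddress


def parse_columns(text):
    """Yield the whitespace-separated columns of each non-comment, non-empty line,
    the way Shorewall's column-oriented config files are laid out."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def undefined_zones(zones_text, interfaces_text):
    """Zones named in the interfaces file but absent from the zones file.
    Shorewall refuses to start on such a reference (the 'ubc' vs 'vpn' mix-up)."""
    defined = {cols[0] for cols in parse_columns(zones_text)}
    referenced = {cols[0] for cols in parse_columns(interfaces_text)}
    return sorted(referenced - defined)


def duplicate_addresses(plan):
    """Addresses assigned to more than one interface anywhere in the network.
    `plan` maps host -> {interface: "addr/prefixlen"}; the prefix is ignored here."""
    seen = {}
    for host, ifaces in plan.items():
        for iface, cidr in ifaces.items():
            addr = ipaddress.ip_interface(cidr).ip
            seen.setdefault(addr, []).append(f"{host}:{iface}")
    return {str(a): sorted(where) for a, where in seen.items() if len(where) > 1}


def route_lookup(routes, destination):
    """Longest-prefix match over (prefix, gateway, device) entries.
    gateway None means the prefix is directly connected on `device`.
    Returns (gateway, device) or None when no route matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


# Constructed Shorewall snippets: 'vpn' is defined, the old name 'ubc' is still used.
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
"""

INTERFACES_BAD = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect      tcpflags,nosmurfs
ubc     tun0
"""

# Constructed plan reproducing the conflict: the public IP on two hosts.
PLAN_BAD = {
    "dalton": {"eth0": "142.103.107.137/24", "eth1": "192.168.0.1/24"},
    "carnot": {"eth0": "142.103.107.137/24"},
}

# Constructed plan following the simplified scheme, with a VPN alias subnet on eth0:1 / eth1:1.
PLAN_PROPOSED = {
    "dalton": {"eth0": "142.103.107.137/24", "eth1": "192.168.0.1/24", "eth1:1": "192.168.150.1/24"},
    "carnot": {"eth0": "192.168.0.10/24", "eth0:1": "192.168.150.10/24"},
    "cantor": {"eth0": "192.168.0.20/24", "eth0:1": "192.168.0.30/24"},
}

# Assumed routing table for Carnot under PLAN_PROPOSED (my assumption, not from the page).
CARNOT_ROUTES = [
    ("0.0.0.0/0", "192.168.0.1", "eth0"),      # default via Dalton's eth1
    ("192.168.0.0/24", None, "eth0"),           # LAN, directly connected
    ("192.168.150.0/24", None, "eth0:1"),       # VPN subnet on the alias interface
]

if __name__ == "__main__":
    print("undefined zones:", undefined_zones(ZONES, INTERFACES_BAD))
    print("duplicates (bad plan):", duplicate_addresses(PLAN_BAD))
    print("duplicates (proposed):", duplicate_addresses(PLAN_PROPOSED))
    for dst in ("8.8.8.8", "192.168.0.20", "192.168.150.25"):
        print(dst, "->", route_lookup(CARNOT_ROUTES, dst))
```

Running it shows `ubc` as the only undefined zone, flags 142.103.107.137 on both dalton:eth0 and carnot:eth0 in the bad plan and nothing in the proposed one, and resolves Internet traffic from Carnot to the Dalton gateway while 192.168.150.x stays on the eth0:1 alias without any gateway.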