Answer the question
In order to leave comments, you need to log in
How to solve the problem with access between two local subnets (Shorewall)?
Good afternoon!
Interested in the following question. There is a configured server on Debian 7.8, two physical interfaces - one looks to the provider (eth0), the other to the local network (eth1). On eth1, addresses are distributed via DHCP (subnet 10.0.0.0/8) and masquerading (NAT) is configured on them. Additionally, the virtual interface eth1:1 with static addressing, without DHCP (subnet 192.168.0.0/16) has been raised. From this subnet, access is via Squid3, but that's not the point. On the eth1:1 network, there is a shared resource with a static ip, to which you need to give access to clients from the eth1 network (10.0.0.0/8).
The whole thing is resolved with the help of Shorewall.
I bring configs.
/etc/shorewall/interfaces
#ZONE INTERFACE OPTIONS
net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
- eth1 dhcp,tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/zones
#ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4
loc2 ipv4
/etc/shorewall/hosts
#ZONE HOSTS OPTIONS
loc eth1:10.0.0.0/8
loc2 eth1:192.168.0.0/16
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL
net fw DROP err
net all DROP
loc net ACCEPT
loc2 net DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT err
/etc/shorewall/rules
#... I omitted some of the rules, because not relevant
#ACTION SOURCE DEST PROTO DEST SOURCE
# Allow Ping n SMB between loc and loc2 (test)
Ping(ACCEPT) loc loc2
Ping(ACCEPT) loc2 loc
SMB(ACCEPT) loc loc2:192.168.100.5
/etc/shorewall /masq
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0
10.0.0.0/8 resources over SMB, although there are explicit rules for this in /etc/shorewall/rules.
I used the official manual, there is an example of how a similar issue is solved (Example 6) - shorewall.net/Shorewall_and_Aliased_Interfaces.html
Tell me, where could be the error? If you need additional logs or configs, then I will give it without problems.
Answer the question
In order to leave comments, you need to log in
Some difficulties.
I don’t know what a shorewall is, I suspect that it’s some kind of firewall, but your problem is resolved by normal routing. As I understand it is your gateway. Well, check the routes, make permissive rules on your shorewall. So that it does not block the circulation of packets from one network to another
PS. I read about shorewall .. Some kind of horror. What did not suit iptables?
PS2 .. Ah, I understood everything. This is a wrapper for iptables. Still horror!
Seriously with your configs did not understand. But from experience:
1) In order for the interface to start passing packets to the input / output (closing traffic processing on itself, without transferring to other interfaces) in Shorewall, you need to use the routeback option in the interfaces. As in the example on your link, in Example 5.
2) I did not understand why eth1 is described twice in zones for both internal subnets. This is not used in my configs. Well, maybe not much of an issue. Although..
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question