Home / server / Questions / 473310
Accepted
Ville
Asked: 2013-01-29 21:26:53 +0800 CST

Routing to secondary LAN with Shorewall

  • 772

I'm setting up Shorewall (4.4.26.1), and have been trying to figure out routing between two LAN segments for the good part of the afternoon. It's time to ask for help.

 ((INTERNET))
      |
      |
 [shorewall]
   |     |
   |     |
(LAN1) (LAN2)

I have three NICs: WAN (Internet), LAN1, and LAN2. WAN-to-LAN is working inbound through NAT, and outbound through DNAT (set in masq). LAN2 should not (and currently does not) have access to the Internet, but it should be accessible from LAN1. I'm currently able to get to LAN2 from the firewall, but not from the servers in LAN1 (which is the problem). The necessary rules are in place, but apparently routing isn't working (when I disable the firewall rules, I get immediate "connection refused" on SSH connection from a server in LAN1; when the rules are enabled, SSH simply hangs and traceroute doesn't go beyond the firewall). LAN1 is in 172.0.0.0 address space and LAN2 is in 10.0.0.0 address space.

I currently have:

$LAN2_IF                 10.0.0.0/24

..in masq, but that's not working ($LAN2_IF resolves to eth2 which is the LAN2 interface).

My question is: What is the simplest Shorewall configuration to forward traffic between two differently addressed LAN segments that are connected to separate NICs? A pointer to documentation or other reference would help, a bare-bones config example would be even better. I've been sifting through the Shorewall documentation on routing, but haven't yet found a matching description (for instance, I would rather not have to bridge the LAN interfaces since they need to remain separated: LAN2 should not have access either to the Internet or LAN1).

Thanks for any advice!

linux

2 Answers

  1. Best Answer

    Looks like you have a routing problem, which has nothing to do with Shorewall. Disable Shorewall and get the routing right first.

    The gateway should have an IP address on each of the LAN segments, and a route for the LAN range on that interface. For example:

    $ ip -one addr
2: eth0    inet 172.16.0.1/24
3: eth1    inet 10.0.0.1/24
$ ip route
172.16.0.0/24 dev eth0
10.0.0.0/24 dev eth1

    Clients in LAN1 and LAN2 should have the respective IP on the gateway set as their default gateway (172.16.0.1 for clients in LAN1 and 10.0.0.1 for clients in LAN2). Check that clients in both LANs can ping both IPs on the gateway. Then try to ping between clients in different LANs.

    Once the routing is working you can setup Shorewall. You want to put the two LANs in different zones (e.g. lan1 containing eth0, and lan2 containing eth1). Then configure the appropriate policies:

    fw      all     ACCEPT
lan1    all     ACCEPT
lan2    fw      ACCEPT
lan2    lan1    ACCEPT
all     all     REJECT

    There shouldn't be any masquerading between LAN1 and LAN2.

    • 4

  2. I realise this wasn't Ville's problem, but the three-interface sample config (included with the Shorewall distribution) is probably the canonical answer to your question. It sets up lan & dmz as the zone names, but you can set them to anything you want them to be (lan & lan2 in this case).

    • 1