On Fri, Oct 29, 2010 at 10:09:18AM -0700, peasth...@shaw.ca wrote:
> Lee,
>
> Thanks for the feedback. You are the first to mention these errors.
>
> From: lee <l...@yun.yagibdah.d.>
> Date: Fri, 29 Oct 2010 17:53:31 +0200
> > There's no zone "ubc" defined on dalton.
>
> The concept is "OpenVPN tunnel zone" and the Web page was using
> the two names ubc and vpn ambiguously. Now it is the vpn zone.
Shorewall usually doesn't start when you refer to zones that aren't
defined.

> > On dalton, you're not masquerading all the local zones but only those
> > connected via eth0.
>
> I don't understand. There is only one local zone. It is loc
> and it includes all subnets 172.24.0.0/16. /etc/shorewall/masq
> specifies that these subnets are masqueraded via eth0.

    # dalton:/etc/shorewall/interfaces
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      #dhcp,tcpflags,nosmurfs,logmartians
    loc     eth1        detect      tcpflags,nosmurfs
    loc     eth3        detect      tcpflags,nosmurfs
    loc     eth5        detect      tcpflags,nosmurfs
    loc     ppp+
    # This is for the openvpn tunnel.
    vpn     tun0
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    # dalton:/etc/shorewall/masq
    #INTERFACE   SOURCE          ADDRESS   PROTO   #PORT(S)   IPSEC   MARK
    #Masq all the local subnets. Includes Cantor and the PPP link.
    eth0         172.24.0.0/16
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

According to [1], eth0 is the net zone, and there are four interfaces
for the loc zone. You're masquerading eth0, which is the net zone, and
none of the local zones: not gonna work.

[1]: http://carnot.yi.org/NetworksPage.html

> > How's joule connected to dalton?
>
> By the OpenVPN tunnel shown in the illustrations.
> http://carnot.yi.org/NetworkExtant.jpg

You have 142.103.107.137 on both Carnot and Dalton: not gonna work.

It seems weird that you have connected a hub to your internet
connection. How's the connection provided? You have two IPs on Cantor
on the same physical interface? What's the purpose of having "various
machines" connected via a modem?

> http://carnot.yi.org/NetworkProposed.jpg
> Links to these illustrations are at the top of NetworksPage.html.

Oh, I didn't see that ...

> Also, thanks to udev, I have a better way of naming the interfaces.
> Can add that to the notes next week.

Keep things simple. You're trying to do too many things at once. I'd
ignore the right side of the drawings at first and the "various
machines" as well.
Then I'd change the cabling, i.e. get a switch or, if none is
available, use the hub instead. Plug the switch/hub into eth1 on
Dalton. Simplify IPs, like assign 192.168.0.10 to Carnot and
192.168.0.20 to Cantor; if Cantor needs two IPs, also give it
192.168.0.30. Give 192.168.0.1 to eth1 on Dalton. Set up a nameserver
on Dalton. I take it that 142.103.107.137 is the public IP to use, so
that would be the IP of eth0 on Dalton.

Then for Dalton it's

zones:

    net     eth0
    loc     eth1

masq:

    eth0    192.168.0.0/24

policy:

    # net {
    $FW     net     ACCEPT
    net     $FW     DROP    info
    net     all     DROP    info
    # }
    # $FW {
    $FW     loc     ACCEPT
    # }
    # loc {
    loc     net     ACCEPT
    # }

Give 192.168.0.100 to ppp0 on Dalton and 192.168.0.110 and
192.168.0.120 to the "various machines". This provides an internet
connection for everyone on the right side through Dalton. If you don't
need that, you can disallow access and disable masquerading with
shorewall and use the IPs within VPN instead (see below).

Set up things on the right side pretty much the same way. For hosts
other than the firewalls which need to be reachable from the internet,
add DNAT entries to the shorewall rules.

Now for the VPN, it is most important to remember that every machine
that needs to be reachable through the VPN MUST have (a second) IP
address for that. You can give several IPs to the same physical
interface. It'll give you a virtual interface which is called, for
example, eth0:1. You could use another subnet for the VPN, like
192.168.150.0/24. Then you just add routes to route the traffic for
this subnet through the VPN. For example, Carnot would have an
interface eth0:1 with the IP 192.168.150.10 and Dalton would have
eth1:1 with 192.168.150.1. Dalton would be the gateway for Carnot for
eth0:1.

It's confusing because things magically work by themselves once you
set up the routing and shorewall correctly :) Setting up a name server
helps a great deal in sorting things out.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101030150936.gp4...@yun.yagibdah.de
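The addressing rules lee lays out above (no address may appear on two hosts, every host that must be reachable over the VPN needs a second address in the VPN subnet, and a host's gateway has to sit in one of that host's own subnets) are the kind of thing that is easy to get wrong on paper and only shows up as "it doesn't work" after shorewall is started. The script below is an added example written for this editing pass, not code from the thread or from the carnot.yi.org pages: it encodes those three rules as checks over a host/interface table and runs them against a constructed plan that follows the proposal above (192.168.0.0/24 on the left, 192.168.150.0/24 for the VPN) and against a constructed fragment of the extant layout in which 142.103.107.137 appears on both Carnot and Dalton. The /24 prefix on the public address, and which hosts are marked VPN-reachable, are assumptions made for the example.

```python
"""Sanity-check an addressing plan before configuring shorewall/OpenVPN.

Added example (not from the mailing-list thread). It checks three rules:
  1. no IP address is configured on more than one host/interface,
  2. every VPN-reachable host has an address inside the VPN subnet,
  3. each host's default gateway lies in a subnet that host is on.
"""
import ipaddress
from collections import defaultdict

# Constructed plan following the proposal in the thread. The /24 on the
# public address and the set of VPN hosts are assumptions for the example.
PLAN = {
    "dalton": {
        "eth0":   ["142.103.107.137/24"],   # net side (mask assumed)
        "eth1":   ["192.168.0.1/24"],       # loc side
        "eth1:1": ["192.168.150.1/24"],     # VPN alias
    },
    "carnot": {
        "eth0":   ["192.168.0.10/24"],
        "eth0:1": ["192.168.150.10/24"],    # VPN alias
    },
    "cantor": {
        "eth0":   ["192.168.0.20/24", "192.168.0.30/24"],
    },
}
GATEWAYS = {"carnot": "192.168.0.1", "cantor": "192.168.0.1"}
VPN_SUBNET = ipaddress.ip_network("192.168.150.0/24")
VPN_HOSTS = {"dalton", "carnot"}

# Constructed fragment of the extant layout lee objects to: the same public
# address on two machines (masks assumed).
EXTANT = {
    "carnot": {"eth0": ["142.103.107.137/24"]},
    "dalton": {"eth0": ["142.103.107.137/24"], "eth1": ["172.24.0.1/16"]},
}


def _addresses(ifaces):
    """Flatten one host's interface table into ip_interface objects."""
    return [ipaddress.ip_interface(a) for addrs in ifaces.values() for a in addrs]


def duplicate_addresses(plan):
    """Rule 1: map each IP that occurs more than once to the (host, iface) list."""
    seen = defaultdict(list)
    for host, ifaces in plan.items():
        for iface, addrs in ifaces.items():
            for a in addrs:
                seen[ipaddress.ip_interface(a).ip].append((host, iface))
    return {str(ip): where for ip, where in seen.items() if len(where) > 1}


def hosts_missing_vpn_address(plan, vpn_hosts, vpn_subnet):
    """Rule 2: VPN-reachable hosts with no address inside the VPN subnet."""
    return {
        host for host in vpn_hosts
        if not any(a.ip in vpn_subnet for a in _addresses(plan[host]))
    }


def unreachable_gateways(plan, gateways):
    """Rule 3: gateways not on any subnet the host itself is attached to."""
    bad = {}
    for host, gw in gateways.items():
        gw_ip = ipaddress.ip_address(gw)
        if not any(gw_ip in a.network for a in _addresses(plan[host])):
            bad[host] = gw
    return bad


def check_plan(plan, gateways, vpn_hosts, vpn_subnet):
    """Run all three checks; an empty result for each means the plan is consistent."""
    return {
        "duplicates": duplicate_addresses(plan),
        "missing_vpn": hosts_missing_vpn_address(plan, vpn_hosts, vpn_subnet),
        "bad_gateways": unreachable_gateways(plan, gateways),
    }


if __name__ == "__main__":
    print("proposed:", check_plan(PLAN, GATEWAYS, VPN_HOSTS, VPN_SUBNET))
    print("extant duplicates:", duplicate_addresses(EXTANT))
```

Run it as is to see the proposed plan pass and the extant fragment flag the shared 142.103.107.137; add Cantor to VPN_HOSTS, or point Cantor's gateway at 192.168.150.1, to see rules 2 and 3 fire. The checks are deliberately routing-only; they say nothing about the shorewall policy itself.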