shorewall-users May 2012 archive

[Shorewall-users] Test Zone config question

From: Ruth Ivimey-Cook <ruth_at_nospam>
Date: Thu May 17 2012 - 12:01:29 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

Hi folks,

I've been using shorewall in a very simple way, and very successfully,
for a time, but have now come across a situation I am stumped by, so am
hoping someone can help.

I am rebuilding my main gateway/firewall machine, which has been using
Fedora 13, to use Ubuntu Server 12, and because it's a complex change I
decided to get it running as a VM before trying to roll it out onto the
real hardware. I'm also taking the opportunity to change from
192.168.0.0/24 to 192.168.32.0/24, as use of the 0 net has caused
conflicts in the past. For the VM's DNS the internal IPs have been
changed to reflect this.

My main network has a DSL modem (on 192.168.1.0/30, implementing NAT)
connecting to the aforesaid Gateway connected (on 192.168.0.0/24) to a
Switch and the rest of the boxen: pretty standard.

I have set up the VirtualBox VM on my fileserver and within itself it's
ok. I want to set it up so that

  - from its perspective, it is the local net and everything else is
"internet"
  - it implements shorewall to protect (as yet unbuilt) local-net VMs
forming the test network
  - from the perspective of the existing local network, it's just
another machine on the local net
  - localnet VMs are not visible to the real local network: just as the
real local network machines are from the internet.

The only difference I expect between the test and real setups is that
the external IP for test will be 192.168.0.x while for the deployed
state it will be 192.168.1.2, and the default gateway for test will be
192.168.0.1 while for the deployed state it will be 192.168.1.1.

So Far:
  - I've set up 2 interfaces on the VM, and configured them statically
to have external and internal addresses.
  - The VM considers the external-interface to be the default gateway,
and it is forwarding to the real gateway, and its bind is configured to
consider itself canonical on the VM network and to ask the true internet
otherwise. I've also set it up with a "forwarder" of my ISP's DNS server.
  - Within the VM, resolv.conf points to the local Bind, and for test
net addresses DNS resolution is working.
  - I have added "route" commands on the real gateway's rc.local script
so that it knows about the "32" network
  - I've started to add shorewall config to the real gateway: entries in
"hosts" and "zones" for the "0" network (loc) and the new "32" network
(nloc) as eth3:192.168.32.0/24, and un-named "loc" in "interfaces"
  - I've set up a policy Accept for (nloc<->net) and (nloc<->fw) on the
real gateway
  - I've marked DNS traffic as loc<->net on the real gateway (as well as
net<->fw, loc<->fw)

The problem is that although I can ping in all directions, the DNS
traffic (e.g. to resolve google.com) is heading out of the VM, getting
to the real gateway's eth3 and that's the last I see of it. ... and
switching off the real firewall doesn't help so it's not totally a
shorewall issue (though I believe I need some reconfig of it).

I've probably done something dumb: can anyone see what it is?

Thanks
Ruth

--
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
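An added example, not part of Ruth's message and not taken from the Shorewall documentation, of how the real gateway's configuration described in the post could be written out in Shorewall 4.4 file layout. eth3 and the two subnets come from the post; eth0 as the DSL-facing interface, the fw policies and the masq entry are assumptions, the last of these being the check worth making first when traffic from the new subnet reaches eth3 and then vanishes.

```conf
# /etc/shorewall/zones  (real gateway; Shorewall 4.4 file layout assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
nloc    ipv4

# /etc/shorewall/interfaces
# eth3 carries both loc and nloc, so it gets no zone here ("-"); the zones
# are assigned in hosts. routeback is needed because loc<->nloc traffic
# enters and leaves the gateway on the same interface. eth0 as the
# DSL-facing interface is an assumption.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
-       eth3        detect      tcpflags,nosmurfs,routeback

# /etc/shorewall/hosts
#ZONE   HOST(S)                 OPTIONS
loc     eth3:192.168.0.0/24
nloc    eth3:192.168.32.0/24

# /etc/shorewall/policy  (order matters: first match wins)
#SOURCE DEST    POLICY  LOG LEVEL
nloc    net     ACCEPT
nloc    fw      ACCEPT
fw      nloc    ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (the DNS and Ping macros ship with Shorewall)
#ACTION         SOURCE  DEST
DNS(ACCEPT)     loc     net
DNS(ACCEPT)     loc     fw
Ping(ACCEPT)    loc     fw
Ping(ACCEPT)    nloc    loc

# /etc/shorewall/masq
# The DSL modem on 192.168.1.0/30 has no route back to 192.168.32.0/24, so
# the new subnet has to be masqueraded on the way out like the old one;
# an entry covering only 192.168.0.0/24 lets nloc packets leave un-NATed
# and their replies never return.
#INTERFACE  SOURCE
eth0        192.168.0.0/24,192.168.32.0/24

# Shorewall does not add routes: the gateway still needs the rc.local route
# (192.168.32.0/24 via the VM's 192.168.0.x address on eth3) and
# IP_FORWARDING=On in shorewall.conf for forwarding to happen at all.
```

With the firewall running, `shorewall show nat` shows which source ranges are actually being masqueraded, and a capture on eth3 and on the external interface at the same time shows whether the query is forwarded with a translated source or stops at the gateway.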