[plug] Shorewall config

Steve Baker steve at iinet.net.au
Tue Aug 9 20:05:32 WST 2005


skribe wrote:

> My problem is that pppoe has created ppp0 and I'm unsure how to handle it and 
> eth0 - given that they're kinda the same interface - as far as shorewall is 
> concerned.

Even though they both talk out of the same physical connector, they are 
considered by the system to be different interfaces.  They have 
different IP addresses, and shorewall can apply different rules to them.

If you are just using eth0 for pppoe, eth0 generally doesn't need to 
have an IP address assigned so you only need to worry about ppp0.  Your 
masq file just needs an entry for eth1 ppp0, not eth0 ppp0, and you can 
probably drop eth0 from your interfaces file as well (or at least give 
it a different zone name).  You might also want to add nosmurfs nobogons 
nowhateverelse to the 'net ppp0' entry in interfaces.

> kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x 
> LEN=86 TOS=0x00 PREC=0xE0 TTL=108 ID=18896 PROTO=UDP SPT=6881 DPT=6881 LEN=66
> 
> Even an hour after they're tracking me (bittorrent humour =)
> 
> I have the following Shorewall rule:
> DNAT    net     Local:192.168.x.x       tcp     6969
> DNAT    net     Local:192.168.x.x       tcp     6881:6889

Even though you have defined the DNAT rules, you might still need other 
rules to allow the packets to reach the ppp0 interface in the first 
place.  Try adding ALLOW rules for the same addresses/ports before the 
DNAT rules (I can't remember if shorewall automatically figures this out 
for itself).

Regards,
Steve
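Whatever ALLOW rules turn out to be needed, a useful first check on any logged drop is whether the rules file covers that packet at all. The following is an added example, not code from this thread: it parses the `Shorewall:chain:DISPOSITION:key=value ...` log line quoted above (rejoined onto one line, since the mail client wrapped `SPT=6881` across two lines; the `x.x.x.x` placeholders are kept as the poster gave them) and the two DNAT lines in Shorewall's five-column rules format (ACTION SOURCE DEST PROTO DEST-PORT), then reports which rule, if any, would match the dropped packet. The sample inputs are constructed from the message; the rule-matching is deliberately limited to protocol and destination port.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the dropped-packet line from the post, rejoined onto one
# line. Addresses stay as the x.x.x.x placeholders the poster used.
LOG_LINE = (
    "kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x "
    "LEN=86 TOS=0x00 PREC=0xE0 TTL=108 ID=18896 PROTO=UDP SPT=6881 DPT=6881 LEN=66"
)

# Constructed sample: the two DNAT lines quoted in the post, in the
# Shorewall rules-file column order ACTION SOURCE DEST PROTO DEST-PORT(S).
RULES_FILE = """\
DNAT    net     Local:192.168.x.x       tcp     6969
DNAT    net     Local:192.168.x.x       tcp     6881:6889
"""


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str                 # lower-cased, e.g. "tcp"
    ports: Tuple[int, int]     # inclusive (low, high) destination port range


@dataclass
class LogEntry:
    chain: str                 # e.g. "net2all"
    disposition: str           # e.g. "DROP"
    fields: Dict[str, str]     # the key=value pairs after the disposition


def parse_log(line: str) -> LogEntry:
    """Split a Shorewall kernel log line into chain, disposition and fields."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields: Dict[str, str] = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")   # "OUT=" yields an empty value
        fields[key] = value                    # a repeated key (LEN) keeps the last value
    return LogEntry(m.group("chain"), m.group("disp"), fields)


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Turn "6969" into (6969, 6969) and "6881:6889" into (6881, 6889)."""
    low, _, high = spec.partition(":")
    lo = int(low)
    hi = int(high) if high else lo
    if lo > hi:
        raise ValueError("inverted port range: %r" % spec)
    return (lo, hi)


def parse_rules(text: str) -> List[Rule]:
    """Parse the first five columns of each non-comment line of a rules file."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 5:
            raise ValueError("expected ACTION SOURCE DEST PROTO PORT: %r" % raw)
        action, source, dest, proto, ports = cols[:5]
        rules.append(Rule(action, source, dest, proto.lower(), parse_port_range(ports)))
    return rules


def first_matching_rule(entry: LogEntry, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule whose protocol and port range cover the packet."""
    proto = entry.fields.get("PROTO", "").lower()
    dport = int(entry.fields["DPT"]) if entry.fields.get("DPT") else None
    for rule in rules:
        if rule.proto != proto or dport is None:
            continue
        if rule.ports[0] <= dport <= rule.ports[1]:
            return rule
    return None


def diagnose(line: str, rules_text: str) -> str:
    """One-line verdict on why the logged packet was not covered by the rules."""
    entry = parse_log(line)
    rules = parse_rules(rules_text)
    hit = first_matching_rule(entry, rules)
    where = "%s %s on %s, %s dport %s" % (
        entry.chain, entry.disposition, entry.fields.get("IN", "?"),
        entry.fields.get("PROTO", "?"), entry.fields.get("DPT", "?"))
    if hit is not None:
        return "%s: covered by '%s %s %s:%s'" % (
            where, hit.action, hit.proto, hit.ports[0], hit.ports[1])
    return "%s: no rule matches this protocol/port" % where


if __name__ == "__main__":
    print(diagnose(LOG_LINE, RULES_FILE))
```

Run against the quoted inputs it reports that the logged packet is UDP to port 6881 while both DNAT lines are tcp-only, so neither covers it; swapping `PROTO=UDP` for `PROTO=TCP` in the log line makes the `6881:6889` rule match, which is the quick way to confirm the parser is doing what you expect before trusting it on real logs.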
