Raleigh Guevarra wrote:
> Hi there,
>
> I really need help to know how to do this. The requirement is to assign
> the Public IPs to the Private IPs, or I say, forward the inbound
> addressed to a specific Public IP to a specific Private IP. Like for the
> mail server, having both public IP and private IP (For LAN).
>
> 224.104.97.1 = 192.168.0.1 - Firewall
> 224.104.97.2 = 192.168.0.2 - mail - Reversed DNS
> 224.104.97.3 = 192.168.0.3 - vpn
> 224.104.97.4 = 192.168.0.4 - web server
> 224.104.97.5 = 192.168.0.5 - ftp server
>
> And I wish to restrict ONLY with a specific private IP not to connect a
> particular internet application like Yahoo Messenger, Limewire, Skype, etc.
>
> Hope you could give me a direction or instructions how to achieve these
> two.

Everything you need to do this is explained in the Shorewall Setup Guide
(http://www.shorewall.net/shorewall_setup_guide.htm). There is a
(somewhat outdated) version of that document in Spanish at
http://gomix.homelinux.net/gomix/shorewall/shorewall_setup_guide.htm if
you would find that easier to follow.

If you have specific questions, then you can ask them on the mailing
list (where you have posted already) and we will try to answer but you
cannot expect to be able to just explain your requirements and have
someone write your Shorewall configuration for you in their spare time
for free (and no -- I don't do paid consulting).

The basic idea is:

a) Define each pair of addresses (public, private) in /etc/shorewall/nat.
b) Make your loc->net policy REJECT.
c) Add net->loc rules for just the applications that you want to allow
from the net to the local network (these rules specify the internal
address in the DEST column).
d) Be sure to allow for DNS from your local systems to wherever your
DNS server is.
e) If your local servers need to communicate, hopefully you have split
DNS. Otherwise, you will need to employ the hack outlined in Shorewall
FAQ 2.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
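
Added example, not part of the original message and not the Shorewall project's own configuration: steps a) through d) written out as Shorewall files for the mail, web and FTP pairs from the question. The interface name `eth0`, the zone names `net` and `loc`, the service ports and the location of the DNS server are assumptions.

```conf
# Constructed example. Assumptions: eth0 is the external interface, the zones
# are named "net" and "loc", services listen on their standard ports, and the
# DNS server used by local hosts is reached through the net zone.
# The .1 pair is taken to be the firewall's own addresses, so it gets no nat
# entry. The VPN pair is left out because the thread does not name the VPN
# protocol.

# /etc/shorewall/nat  (step a: one line per public/private pair)
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
224.104.97.2    eth0        192.168.0.2     No              No
224.104.97.4    eth0        192.168.0.4     No              No
224.104.97.5    eth0        192.168.0.5     No              No

# /etc/shorewall/policy  (step b: nothing leaves loc unless a rule allows it)
#SOURCE     DEST    POLICY  LOG LEVEL
loc         net     REJECT  info
net         all     DROP    info
all         all     REJECT  info

# /etc/shorewall/rules  (step c: inbound services, internal address in DEST)
#ACTION     SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT      net     loc:192.168.0.2     tcp     25
ACCEPT      net     loc:192.168.0.4     tcp     80
ACCEPT      net     loc:192.168.0.5     tcp     21

# /etc/shorewall/rules  (step d: DNS from local systems)
ACCEPT      loc     net                 udp     53
ACCEPT      loc     net                 tcp     53
```

With the loc->net policy at REJECT, a local host reaches only what a loc->net rule permits, so any further outbound access has to be added as explicit rules. Running `shorewall check` validates the files before they are applied.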