Hi,
I installed a new soekris running Shorewall. 3 interfaces are active 
(eth0 = loc, eth1 = net, eth2 = dmz)
I want to run a mailserver (pop3, pop3s, imap, imaps, smtp, http, https) 
in the dmz zone. The server IP = 192.168.40.52, and a webserver with IP 
192.168.40.51.
I used the 3 interfaces and almost everything is working fine. I can ssh 
to the server in the DMZ, I can browse the internet from loc, I can 
update the soekris ($fw).
The only problem is to connect to the webserver and mailserver from the 
internet. I use a remote server for testing.
my policy:
loc             dmz             ACCEPT          info
loc             $FW             ACCEPT          info
loc             all             ACCEPT          info
$FW             net             ACCEPT          info
$FW             dmz             REJECT          info
$FW             loc             REJECT          info
$FW             all             REJECT          info
dmz             net             ACCEPT          info
dmz             $FW             ACCEPT          info
dmz             loc             ACCEPT          info
dmz             all             ACCEPT          info
net             dmz             DROP            info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
all             all             REJECT          info
my rules:
DNS/ACCEPT      $FW             net
SSH/ACCEPT      loc             $FW
SSH/ACCEPT      loc             dmz
DNS/ACCEPT      dmz             net
Ping/DROP       net             $FW
Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net
ACCEPT          $FW             net             icmp
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             dmz             icmp
Web/ACCEPT      loc             $FW                           (a minimal webserver on the soekris, is working fine)
SMB/ACCEPT      loc             $FW                           (samba running on soekris, running fine)
SMTP/DNAT       net             dmz:192.168.40.52       tcp     25      25   (192.168.40.52 = mailserver zimbra)
POP3/DNAT       net             dmz:192.168.40.52       tcp     110     110
POP3S/DNAT      net             dmz:192.168.40.52       tcp     995     995
IMAP/DNAT       net             dmz:192.168.40.52       tcp     143     143
IMAPS/DNAT      net             dmz:192.168.40.52       tcp     993     993
Web/DNAT        net             dmz:192.168.40.51       tcp     80      80   (192.168.40.51 = webserver)
HTTPS/DNAT      net             dmz:192.168.40.51       tcp     443     443
DNAT            net             dmz:192.168.40.52       tcp     7071    7071 (mailserver zimbra admin port)
Some rules will be closed after successful testing.
What am I doing wrong? An NMAP scan (from the remote server) only reveals that port 
22 is open, no other ports, while all stated ports should answer.
Thx
Erwin
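
An added example, not part of the original message: a small Python check that splits rules written in the layout above into the Shorewall rules-file columns (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)) and lists the rules whose SOURCE PORT(S) column is set, since such a rule matches only connections whose client-side source port equals that value. The function names and sample rules are constructed for illustration; the last sample rule is a variant with SOURCE PORT(S) left as `-`.

```python
# First six columns of a Shorewall rules file, in order.
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT"]

# Constructed sample: rules in the layout of the message above, annotations
# removed; the last line is a constructed variant with SOURCE PORT(S) = "-".
SAMPLE_RULES = """\
SSH/ACCEPT      loc             dmz
SMTP/DNAT       net             dmz:192.168.40.52       tcp     25      25
Web/DNAT        net             dmz:192.168.40.51       tcp     80      80
DNAT            net             dmz:192.168.40.52       tcp     7071    -
"""


def parse_rules(text):
    """Return one dict per rule keyed by column name; '-' or a missing column is None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("?"):     # skip blanks and ?SECTION lines
            continue
        fields = line.split()[:len(COLUMNS)]
        fields += ["-"] * (len(COLUMNS) - len(fields))
        rule = {c: (None if f == "-" else f) for c, f in zip(COLUMNS, fields)}
        rule["LINE"] = lineno
        rules.append(rule)
    return rules


def source_port_restricted(rules):
    """Rules that match only traffic sent FROM a specific source port."""
    return [r for r in rules if r["SPORT"] is not None]


def describe(rule):
    """One-line human-readable summary of a source-port-restricted rule."""
    return (f"line {rule['LINE']}: {rule['ACTION']} {rule['SOURCE']} -> {rule['DEST']} "
            f"matches {rule['PROTO']} dport {rule['DPORT']} "
            f"only when the client's source port is {rule['SPORT']}")


if __name__ == "__main__":
    for r in source_port_restricted(parse_rules(SAMPLE_RULES)):
        print(describe(r))
```

Clients normally connect from an ephemeral source port, so a rule listed by this check will not match an ordinary inbound connection and the traffic falls through to the zone policy.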