Hi, hello
I'm new to iptables and firewalls. I began to use Shorewall because its
logic makes it easy for beginners, and I learn a lot about iptables through the
Shorewall logs.
OK, here is my problem:
I have a Debian Lenny host with Proxmox and one physical interface, eth0. I also
have two public IPs: 94.23.2xx.2xx, and 94.23.1xx.xx on eth0:0.
What I want is for all traffic to pass through eth0, because my ISP only accepts
the MAC address of eth0.
So I split both IPs, and with this config all machines on vmbr0 have
94.23.2xx.2xx, except 10.10.10.200, which has 94.23.1xx.xx.
Now I can do port forwarding from both public IPs.
But for a reason that I don't understand, I'm not able to DNAT a machine
anymore from my primary public IP 94.23.2xx.2xx to any machine on my DMZ. I
can, however, make an ACCEPT rule to my firewall (Proxmox host).
I thought that if there was no rule, the default policy applied. So here it is:
I have a rule that DNATs from net to dmz:10.10.10.230:8433 but I still can't
connect.
I get this in my log:
Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:be:33:a0:00:24:c3:84:04:00:08:00 SRC=115.67.30.81 DST=94.23.2xx.2xx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=23540 DF PROTO=TCP SPT=65059 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0
Why, and how can I resolve this? I don't think I should make a policy to
ACCEPT instead of DROP from net to fw.
And is this the right solution to split my two public IPs? I have a feeling
this is not how I should do it.
I hope my writing is more or less comprehensible.
Sincerely and happy new year,
Selvam Matthys
*My situation:*
eth0 = 94.23.2xx.2xx
eth0:0 = 94.23.1xx.xx
vmbr0 = 10.10.10.254
vmbr1 = 192.168.1.0/24 (no IP, it's just a switch)
*My zones:*
fw firewall
net ipv4
dmz ipv4
local ipv4
*My interfaces:*
net eth0 detect blacklist,nosmurfs
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
local vmbr1 detect routeback
*My Policy:*
# From Firewall Policy
fw fw ACCEPT
fw net ACCEPT
fw dmz ACCEPT
fw local ACCEPT
# From DMZ Policy
dmz dmz ACCEPT
dmz net ACCEPT
dmz fw DROP info 1/sec:2
# From Net Policy
net fw DROP info 1/sec:2
net dmz DROP info 8/sec:30
# From local Policy
local local ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
*My Rules:*
##################################################################
# Permit access to SSH & ping
SSH/ACCEPT net fw - - - - 6/min:5
Ping/ACCEPT all all
# Permit access to Proxmox Manager and Console
ACCEPT net fw tcp 443,943,5900:5999,10000
##################################################################
###################################################################
## OpenVz rules
#DNAT net dmz:10.10.10.201:22 tcp 22201
#
###################################################################
## Qemu KVM rules
#
#
DNAT net dmz:10.10.10.230 tcp 8022
DNAT net dmz:10.10.10.230:8443 tcp 8433
###################################################################
## virtual interface eth0:0
#
DNAT net dmz:10.10.10.200 all - - 94.23.1xx.xxx
###################################################################
# LAST LINE -- DO NOT REMOVE
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
*My masquerading:*
eth0 10.10.10.0/24
*My static NAT:*
94.23.1xx.xxx eth0 10.10.10.200 no no
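As an added example (not from the post above and not Shorewall's own code), here is a small Python triage script that parses a Shorewall/netfilter log line like the one quoted, pulls out the chain, disposition, DST, PROTO and DPT fields, and checks the dropped connection against the DNAT lines of the posted rules file to flag drops that no DNAT rule (by protocol, external port and ORIGINAL DEST column) would have caught. The log line and rules are the values from the post, embedded as constructed sample input.

```python
import re

# Constructed input: the dropped-packet log line and the DNAT rules quoted in the post.
LOG_LINES = [
    "Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:be:33:a0:00:24:c3:84:04:00:08:00 "
    "SRC=115.67.30.81 DST=94.23.2xx.2xx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=23540 DF "
    "PROTO=TCP SPT=65059 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0",
]
RULES = """
DNAT net dmz:10.10.10.230 tcp 8022
DNAT net dmz:10.10.10.230:8443 tcp 8433
DNAT net dmz:10.10.10.200 all - - 94.23.1xx.xxx
"""
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")

def parse_log(line):
    """Split a Shorewall log line into chain, disposition and its KEY=VALUE fields."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("rest").split() if "=" in f)
    return {"chain": m.group("chain"), "disp": m.group("disp"), "dst": kv.get("DST"),
            "proto": kv.get("PROTO", "").lower(), "dport": kv.get("DPT")}

def parse_dnat_rules(text):
    """Return (proto, external port, original dest) for each DNAT line of a rules file.
    Columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST; '-' means unset."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "DNAT":
            continue
        cols += ["-"] * (7 - len(cols))          # pad missing optional columns
        port = None if cols[4] == "-" else cols[4]
        origdest = None if cols[6] == "-" else cols[6]
        rules.append((cols[3].lower(), port, origdest))
    return rules

def dropped_without_dnat(log_lines, rules):
    """Return (proto, dport, dst) for net2fw drops that no DNAT rule would have matched."""
    hits = []
    for ev in map(parse_log, log_lines):
        if not ev or ev["chain"] != "net2fw" or ev["disp"] != "DROP":
            continue
        covered = any(p in ("all", ev["proto"]) and port in (None, ev["dport"])
                      and od in (None, ev["dst"]) for p, port, od in rules)
        if not covered:
            hits.append((ev["proto"], ev["dport"], ev["dst"]))
    return hits
```

Running `dropped_without_dnat(LOG_LINES, parse_dnat_rules(RULES))` over the posted data reports the dropped tcp/8443 connection to 94.23.2xx.2xx as having no matching DNAT entry, which is the first thing to compare against the rules file when a net2fw DROP shows up for a port you expected to be forwarded.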