Shorewall users - Oct 2010 - VLANs behind a router

Hi.

Im very newbie with shorewall.

Basically i need permit direct access form all the network to some
Publics IP, because they publish some applications to cant be accessed
using a proxy (the ips are declared in the /etc/shorewall/masq file).

The problem is: we have all the VLANs behind a router (192.168.200.1),
but the VLANs are not accessing to the Public IPs.    I declare in the
interfaces file the option routeback to LAN zone, because the VLANs
connect to the proxy using that interface.

PROXY:/etc/shorewall# cat interfaces
VPN	tun0
LAN	eth1	-	routeback
WAN	eth0


PROXY:/etc/shorewall# cat masq
eth0:200.1.173.12	eth1
eth0:200.1.173.78	eth1
eth0:173.224.118.154	eth1
eth0:173.224.112.70	eth1
eth0:72.21.203.149	eth1
eth0:72.21.207.165	eth1
eth0:72.21.211.171	eth1
eth0:69.163.136.121	eth1
eth0:200.58.204.118	eth1
COMMENT station with total internet access.
eth0	192.168.10.4/32
eth0	192.168.10.19/32


PROXY:/etc/shorewall# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
192.168.5.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.3.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
10.10.10.0      192.168.200.1   255.255.255.0   UG    0      0        0 eth1
192.168.200.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.4.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
192.168.9.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
0.0.0.0         192.168.100.254   0.0.0.0         UG    0      0        0 eth0

How can i permit the direct access to the public IPs declared in the masq file?

Thanks and regards.

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev

On 10/23/10 7:14 PM, kazabe wrote:
> Hi.
> 
> Im very newbie with shorewall.
> 
> Basically i need permit direct access form all the network to some
> Publics IP, because they publish some applications to cant be accessed
> using a proxy (the ips are declared in the /etc/shorewall/masq file).
> 
> The problem is: we have all the VLANs behind a router (192.168.200.1),
> but the VLANs are not accessing to the Public IPs.    I declare in the
> interfaces file the option routeback to LAN zone, because the VLANs
> connect to the proxy using that interface.
> 
> PROXY:/etc/shorewall# cat interfaces
> VPN	tun0
> LAN	eth1	-	routeback
> WAN	eth0
> 
> 
> PROXY:/etc/shorewall# cat masq
> eth0:200.1.173.12	eth1
> eth0:200.1.173.78	eth1
> eth0:173.224.118.154	eth1
> eth0:173.224.112.70	eth1
> eth0:72.21.203.149	eth1
> eth0:72.21.207.165	eth1
> eth0:72.21.211.171	eth1
> eth0:69.163.136.121	eth1
> eth0:200.58.204.118	eth1
> COMMENT station with total internet access.
> eth0	192.168.10.4/32
> eth0	192.168.10.19/32
> 
> 
> PROXY:/etc/shorewall# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
> 192.168.2.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.5.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
eth0
> 192.168.3.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 10.10.10.0      192.168.200.1   255.255.255.0   UG    0      0        0
eth1
> 192.168.200.0    0.0.0.0         255.255.255.0   U     0      0        0
eth1
> 192.168.4.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 192.168.9.0    192.168.200.1   255.255.255.0   UG    0      0        0 eth1
> 0.0.0.0         192.168.100.254   0.0.0.0         UG    0      0        0
eth0
> 
> How can i permit the direct access to the public IPs declared in the masq
file?
First, stop using /etc/shorewall/masq for access control. That file is
about rewriting the SOURCE IP Address in outgoing connections; it is not
intended to control who can and cannot access the net. You want to use a
combination of policies and rules for that.

Second, check the setting of IP_FORWARDING in shorewall.conf; be sure
that forwarding is enabled.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev