Hi, I am new to using shorewall. I have a problem trying to configure it to my specified needs. You see, currently I have iptables configured such that my users are divided into a few "zones". We are using IPs of 192.168.10.x (255.255.255.0). So I separate the users into 3 categories. Those with IPs from 192.168.10.1 to .16 will be able to access everything. Those with .17 to .255 will have their direct connections closed and can only access the internet from the proxy server.

So, can I know how to put this into shorewall? I have looked in the docs but can't seem to find anything that describes this. The closest that I can find is something to do with using something like eth1:1 and eth1:2, but I can't figure out what it's about.

I would appreciate any help and suggestions.

BTW, I am not listed in the mailing list. So please make sure I get your kind reply. Thanks in advance.
Thanks for the reply. Your reply really helped me to configure the firewall. But I am now stuck with port forwarding. I can't seem to forward them correctly. Here is what I did. Under rules:

DNAT net allaccess:192.168.10.3 tcp 33334 -

I want to forward port 33334 to 192.168.10.3 of the allaccess interface. allaccess is defined in hosts as eth0:192.168.10.0/28. Should I put this instead?

DNAT net allaccess:192.168.10.3:33334 tcp 33334 -

If yes, then what about ports with a range like this?

DNAT net allaccess:192.168.10.3 tcp 33334:33344 -

As usual, please remember to reply to kfliong@wofs.com. Thanks in advance.

>Date: Tue, 06 Jan 2004 23:54:37 -0600
>From: Jerry Vonau <jvonau@shaw.ca>
>Subject: Re: [Shorewall-users] Separating ipaddresses to zones
>To: kfliong@wofs.com
>
>Off the top of my head...
>http://shorewall.net/Multiple_Zones.html
>then see: Parallel Zones
>
>Create 2 local zones... say loc and loc1 in the zones file..
>
>Say your local interface is eth1...
>- eth1 192.168.10.255
>
>Set the policy for the zones in the policy file.
>
>Too bad you have 1-16...
>In the hosts file define your zones...
>loc eth2:192.168.10.0/28
>loc eth2:192.168.10.16
>loc1 eth2:192.168.10.17
>loc1 eth2:192.168.10.18
>loc1 eth2:192.168.10.19
>loc1 eth2:192.168.10.20
>loc1 eth2:192.168.10.21
>loc1 eth2:192.168.10.22
>loc1 eth2:192.168.10.23
>loc1 eth2:192.168.10.24
>loc1 eth2:192.168.10.25
>loc1 eth2:192.168.10.26
>loc1 eth2:192.168.10.27
>loc1 eth2:192.168.10.28
>loc1 eth2:192.168.10.29
>loc1 eth2:192.168.10.30
>loc1 eth2:192.168.10.31
>loc1 eth2:192.168.10.32/27
>loc1 eth2:192.168.10.64/26
>loc1 eth2:192.168.10.128/25
>
>Then write your rules in the rules file...
>ACCEPT loc net tcp www
>
>Depending on where the proxy is, the method varies see...
>http://shorewall.net/Shorewall_Squid_Usage.html
>
>Changing the loc zone in the examples to loc1....
>
>Jerry Vonau
>
>----- Original Message -----
>From: "kfliong" <kfliong@wofs.com>
>To: <shorewall-users@lists.shorewall.net>
>Sent: Tuesday, January 06, 2004 21:14
>Subject: [Shorewall-users] Separating ipaddresses to zones
>
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm

thanks
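The two-zone hosts file in Jerry Vonau's quoted reply above, as an added example that is not part of the original thread: it computes the minimal CIDR blocks for each address range, renders them in the hosts-file form the reply uses, and checks that the split covers the whole /24 with no address claimed by two zones. The zone names loc/loc1, the interface eth2 and the range boundaries (.0-.16 versus .17-.255) are taken from the quoted entries; the Python layout is this example's own.

```python
import ipaddress
from collections import Counter

# Zone layout from the thread: loc = .0-.16 (full access), loc1 = .17-.255
# (proxy only). Names loc/loc1 and interface eth2 come from the quoted reply;
# the dict layout is this example's own.
ZONE_RANGES = {
    "loc": ("192.168.10.0", "192.168.10.16"),
    "loc1": ("192.168.10.17", "192.168.10.255"),
}
IFACE = "eth2"


def cidr_blocks(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def hosts_entries(zone_ranges=ZONE_RANGES, iface=IFACE):
    """Render Shorewall hosts-file lines, one 'ZONE iface:block' per block,
    in the same form as the quoted reply (single hosts appear as /32)."""
    lines = []
    for zone, (first, last) in zone_ranges.items():
        for block in cidr_blocks(first, last):
            lines.append(f"{zone} {iface}:{block}")
    return lines


def check_zone_split(zone_ranges=ZONE_RANGES, subnet="192.168.10.0/24"):
    """Return (overlaps, gaps): addresses claimed by more than one zone, and
    addresses of the subnet claimed by no zone. Both empty means the split
    is complete and disjoint, so every host lands under exactly one policy."""
    claims = Counter()
    for first, last in zone_ranges.values():
        for block in cidr_blocks(first, last):
            for addr in ipaddress.ip_network(block):
                claims[addr] += 1
    overlaps = [str(a) for a in sorted(claims) if claims[a] > 1]
    gaps = [str(a) for a in ipaddress.ip_network(subnet) if a not in claims]
    return overlaps, gaps


if __name__ == "__main__":
    print("\n".join(hosts_entries()))
    print("overlaps/gaps:", check_zone_split())
```

For .17-.255 the minimal decomposition is 7 blocks (.17/32, .18/31, .20/30, .24/29, .32/27, .64/26, .128/25) rather than the 18 entries in the reply; moving the .16 boundary into both zones makes check_zone_split report it as an overlap.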
At this point, you're past the how can I.... What service is this anyway?? The order of what appears in the file is important.... Can you post the info requested from: http://shorewall.net/support.htm

I know that the interfaces are different in the hosts & interfaces examples I posted below. That was misleading, sorry.

Jerry Vonau

----- Original Message -----
From: "kfliong" <kfliong@wofs.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, January 07, 2004 03:50
Subject: Re: [Shorewall-users] Separating ipaddresses to zones
Just had a thought... You're testing from the net, correct? And not the local LAN??

Jerry Vonau

----- Original Message -----
From: "kfliong" <kfliong@wofs.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, January 07, 2004 03:50
Subject: Re: [Shorewall-users] Separating ipaddresses to zones