On Sat, 14 Dec 2002, OenusTech wrote:
> Now, we need to deny access to some ports to some LAN machines. This
> denial includes access to our intranet web page, and other services as
> well. This is what we have:
>
> ACCEPT loc $FW tcp http,https
> ACCEPT loc net tcp http,https
> ACCEPT loc loc tcp http,https
> DROP net loc:172.26.0.3 tcp http,https
> DROP loc:172.26.0.3 net tcp http,https
> DROP loc:172.26.0.3 loc tcp http,https
> DROP loc loc:172.26.0.3 tcp http,https
> DROP loc:172.26.0.3 $FW tcp http,https
> DROP $FW loc:172.26.0.3 tcp http,https
>
> OK, now we do not have access to external web pages, but we still have
> access to our intranet page (which sits in the same firewall machine).
> Could you tell me what I'm doing wrong here?
>
I'm not sure I follow exactly what you are trying to do or what isn't
working but I can tell you that all of the DROP loc: net rules are
useless since they follow ACCEPT rules that include them.
Example:
ACCEPT	loc		net	tcp	http,https
DROP	loc:172.26.0.3	net	tcp	http,https
The first rule accepts ALL loc->net http/https traffic so none of that
traffic is ever passed to the second rule.
>
> Second problem:
>
> That same radio station now needs to access some service provided by the
> news agency. This comes as a windows program installed in 1 machine behind
> the firewall. The program connects to the agency server using a random
> port, and gets all answers from that server on a different random port as
> well. Is there any way I can tell shorewall to DNAT all communications
> from one and exclusive external IP (the agency server) to 1 machine in our
> LAN?
>
DNAT	net:<agency ip>	loc:<station ip>	all
ACCEPT	loc:<station ip>	net:<agency ip>	all
-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
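The first-match behaviour Tom describes is the whole point of the ordering problem, so here is an added example (not from the thread, not Shorewall code) that replays the posted rules through a small first-match evaluator. The topology is assumed: loc is 172.26.0.0/16, the firewall's own LAN address ($FW) is 172.26.0.1, anything else is net, and the default policy is DROP; the external address 198.51.100.10 is constructed. It shows that with the rules as posted, 172.26.0.3 still reaches both the intranet page on the firewall and external web servers, and that moving the host-specific DROP rules above the broad ACCEPT rules is what actually blocks it while leaving other LAN hosts untouched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not from the thread): the loc zone is
# 172.26.0.0/16, the firewall's own LAN address is 172.26.0.1 ($FW), and
# anything outside loc is the net zone.
LOC_NET = ip_network("172.26.0.0/16")
FW_ADDR = ip_address("172.26.0.1")


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    ports: frozenset


def parse_rules(text):
    """Parse whitespace-separated ACTION SOURCE DEST PROTO PORTS lines."""
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto, ports = line.split()
        rules.append(Rule(action, src, dst, proto, frozenset(ports.split(","))))
    return rules


def in_zone(zone, addr):
    """Zone membership; the firewall itself is only ever in $FW, never in loc or net."""
    if zone == "$FW":
        return addr == FW_ADDR
    if zone == "loc":
        return addr != FW_ADDR and addr in LOC_NET
    if zone == "net":
        return addr != FW_ADDR and addr not in LOC_NET
    raise ValueError(f"unknown zone {zone}")


def spec_matches(spec, addr):
    """'zone' matches any host in the zone; 'zone:host' matches only that host."""
    zone, _, host = spec.partition(":")
    return in_zone(zone, addr) and (host == "" or addr == ip_address(host))


def evaluate(rules, src, dst, proto, service):
    """Walk the rules top to bottom; the first match decides (assumed policy: DROP)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto != proto or service not in r.ports:
            continue
        if spec_matches(r.source, s) and spec_matches(r.dest, d):
            return r.action
    return "DROP"


def drops_first(rules):
    """Stable reorder so the host-specific DROP rules precede the broad ACCEPTs."""
    return sorted(rules, key=lambda r: r.action != "DROP")


# The rules exactly as posted in the thread.
AS_POSTED = parse_rules("""
ACCEPT loc $FW tcp http,https
ACCEPT loc net tcp http,https
ACCEPT loc loc tcp http,https
DROP net loc:172.26.0.3 tcp http,https
DROP loc:172.26.0.3 net tcp http,https
DROP loc:172.26.0.3 loc tcp http,https
DROP loc loc:172.26.0.3 tcp http,https
DROP loc:172.26.0.3 $FW tcp http,https
DROP $FW loc:172.26.0.3 tcp http,https
""")
REORDERED = drops_first(AS_POSTED)

if __name__ == "__main__":
    # 172.26.0.1 is the intranet page on the firewall; 198.51.100.10 is a constructed external host.
    for label, rules in (("as posted", AS_POSTED), ("DROPs first", REORDERED)):
        for dst in ("172.26.0.1", "198.51.100.10"):
            verdict = evaluate(rules, "172.26.0.3", dst, "tcp", "http")
            print(f"{label:12} 172.26.0.3 -> {dst:14} {verdict}")
```

Running it prints ACCEPT for both destinations under the posted order and DROP for both once the DROP rules come first; the same evaluator returns ACCEPT for any other loc host, which is the behaviour the reordered rules file would give.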