This confuddles me: I have two proxy-ARPed systems in my DMZ, one works
as expected, the other has no connectivity to the outside world.
I enclose my configs for the firewall below. 213.212.33.20 has no
problems and works as expected; .25, though, can resolve names but can't
access any hosts on "Net". What might I be missing?
argus:~# cd /etc/shorewall/
argus:/etc/shorewall# cat policy proxyarp rules
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE        Source zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all".
#
# DEST          Destination zone. Must be the name of a zone defined
#               in /etc/shorewall/zones, $FW or "all"
#
# POLICY        Policy if no match from the rules file is found. Must
#               be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
# LOG LEVEL     If supplied, each connection handled under the default
#               POLICY is logged at that level. If not supplied, no
#               log message is generated. See syslog.conf(5) for a
#               description of log levels.
#
#               If you don't want to log but need to specify the
#               following column, place "-" here.
#
# LIMIT:BURST   If passed, specifies the maximum TCP connection rate
#               and the size of an acceptable burst. If not specified,
#               TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
#    level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
#    KERNEL.INFO.
###############################################################################
#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
loc     net     ACCEPT
#loc    fw      ACCEPT
#fw     loc     ACCEPT
#fw     net     ACCEPT
dmz     net     ACCEPT
#loc    dmz     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
###############################################################################
#
# Shorewall 1.3 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS       IP Address
# INTERFACE     Local interface where system is connected. If the
#               local interface is obvious from the subnetting,
#               you may enter "-" in this column.
# EXTERNAL      External Interface to be used to access this system
#
# HAVEROUTE     If there is already a route from the firewall to
#               the host whose address is given, enter "Yes" or "yes"
#               in this column. Otherwise, enter "no", "No" or leave
#               the column empty.
#
# Example: Host with IP 155.186.235.6 is connected to
#          interface eth1 and we want hosts attached via eth0
#          to be able to access it using that address.
#
#          #ADDRESS       INTERFACE       EXTERNAL        HAVEROUTE
#          155.186.235.6  eth1            eth0            No
###############################################################################
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE
213.212.33.20   eth2            eth0            no
213.212.33.25   eth2            eth0            no
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION        ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
#               ACCEPT   -- allow the connection request
#               DROP     -- ignore the request
#               REJECT   -- disallow the request and return an
#                           icmp-unreachable or an RST packet.
#               DNAT     -- Forward the request to another
#                           system (and optionally another port).
#               REDIRECT -- Redirect the request to a local
#                           port on the firewall.
#
#               May optionally be followed by ":" and a syslog log
#               level (e.g, REJECT:info). This causes the packet to be
#               logged at the specified level.
#
# SOURCE        Source hosts to which the rule applies. May be a zone
#               defined in /etc/shorewall/zones or $FW to indicate the
#               firewall itself. If the ACTION is DNAT or REDIRECT,
#               sub-zones of the specified zone may be excluded from
#               the rule by following the zone name with "!" and a
#               comma-separated list of sub-zone names.
#
#               Clients may be further restricted to a list of subnets
#               and/or hosts by appending ":" and a comma-separated
#               list of subnets and/or hosts. Hosts may be specified
#               by IP or MAC address; mac addresses must begin with
#               "~" and must use "-" as a separator.
#
#               dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
#
#               net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
#                                       Internet
#
#               loc:192.168.1.1,192.168.1.2
#                                       Hosts 192.168.1.1 and
#                                       192.168.1.2 in the local zone.
#               loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                       MAC address 00:A0:C9:15:39:78.
#
#               Alternatively, clients may be specified by interface
#               by appending ":" to the zone name followed by the
#               interface name. For example, loc:eth1 specifies a
#               client that communicates with the firewall system
#               through eth1. This may be optionally followed by
#               another colon (":") and an IP/MAC/subnet address
#               as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST          Location of Server. May be a zone defined in
#               /etc/shorewall/zones or $FW to indicate the firewall
#               itself.
#
#               The server may be further restricted to a particular
#               subnet, host or interface by appending ":" and the
#               subnet, host or interface. See above.
#
#               Restrictions:
#
#               1. MAC addresses are not allowed.
#               2. In DNAT rules, only IP addresses are
#                  allowed; no FQDNs or subnet addresses
#                  are permitted.
#
#               The port that the server is listening on may be
#               included and separated from the server's IP address by
#               ":". If omitted, the firewall will not modify the
#               destination port. A destination port may only be
#               included if the ACTION is DNAT or REDIRECT.
#
#               Example: loc:192.168.1.3:3128 specifies a local
#               server at IP address 192.168.1.3 and listening on port
#               3128. The port number MUST be specified as an integer
#               and not as a name from /etc/services.
#
#               If the ACTION is REDIRECT, this column needs only to
#               contain the port number on the firewall that the
#               request should be redirected to.
#
# PROTO         Protocol - Must be "tcp", "udp", "icmp", a number,
#               "all" or "related". If "related", the remainder of the
#               entry must be omitted and connection requests that are
#               related to existing requests will be accepted.
#
# DEST PORT(S)  Destination Ports. A comma-separated list of Port
#               names (from /etc/services), port numbers or port
#               ranges; if the protocol is "icmp", this column is
#               interpreted as the destination icmp-type(s).
#
#               A port range is expressed as <low port>:<high port>.
#
#               This column is ignored if PROTOCOL = all but must be
#               entered if any of the following fields are supplied.
#               In that case, it is suggested that this field contain
#               "-"
#
#               If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#               only a single Netfilter rule will be generated if in
#               this list and the CLIENT PORT(S) list below:
#               1. There are 15 or less ports listed.
#               2. No port ranges are included.
#               Otherwise, a separate rule will be generated for each
#               port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
#               any source port is acceptable. Specified as a comma-
#               separated list of port names, port numbers or port
#               ranges.
#
#               If you don't want to restrict client ports but need to
#               specify an ADDRESS in the next column, then place "-"
#               in this column.
#
#               If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#               only a single Netfilter rule will be generated if in
#               this list and the DEST PORT(S) list above:
#               1. There are 15 or less ports listed.
#               2. No port ranges are included.
#               Otherwise, a separate rule will be generated for each
#               port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
#               REDIRECT) If included and different from the IP
#               address given in the SERVER column, this is an address
#               on some interface on the firewall and connections to
#               that address will be forwarded to the IP and port
#               specified in the DEST column.
#
#               The address may optionally be followed by
#               a colon (":") and a second IP address. This causes
#               Shorewall to use the second IP address as the source
#               address in forwarded packets. See the Shorewall
#               documentation for restrictions concerning this feature.
#               If no source IP address is given, the original source
#               address is not altered.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
#       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  dmz     net     tcp     smtp
#
# Example: Forward all ssh and http connection requests from the internet
#          to local system 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST      SOURCE  ORIGINAL
#       #                                       PORT      PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     ssh,http
#
# Example: Redirect all locally-originating www connection requests to
#          port 3128 on the firewall (Squid running on the firewall
#          system) except when the destination address is 192.168.2.2
#
#       #ACTION  SOURCE DEST    PROTO   DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       REDIRECT loc    3128    tcp     www     -       !192.168.2.2
#
# Example: All http requests from the internet to address
#          130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     80      -       130.252.100.69
###############################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST
#
#FW Rules
#Allow Time
ACCEPT  $FW     net     tcp     time
#
#Allow LOC->FW
ACCEPT  loc     $FW     tcp     ssh,www
#
#Allow FW->Net
ACCEPT  $FW     net     tcp     domain,www
ACCEPT  $FW     net     udp     domain
#
#Allow FW->DMZ
ACCEPT  $FW     dmz:213.212.33.20       tcp     smtp
#
#Allow FW->LOC
ACCEPT  $FW     loc     udp     snmp,snmp-trap
#
#DMZ Rules
ACCEPT  dmz     net     tcp     domain,www,https,smtp,auth,ftp,time
ACCEPT  dmz     net     udp     domain,www,https,time
ACCEPT  dmz     loc     udp     domain
ACCEPT  dmz     loc     tcp     domain
#
#MAIL
#Open for smtp in.
ACCEPT  net     dmz:213.212.33.20       tcp     smtp
#DNAT   net     loc:192.168.221.202     tcp     smtp    -       213.212.33.20
#
#Open for mail to DMZ
ACCEPT  loc     dmz:213.212.33.20       tcp     smtp
#
#Redirect mail from loc -> smtp
#DNAT   loc     dmz:213.212.33.20       tcp     smtp
#
#Backup via Dataphone.
#ACCEPT loc     net:212.37.1.51         tcp     smtp    -       195.163.130.58
#
#Allow SMTP-relay -> Mailserver
ACCEPT  dmz:213.212.33.20       loc:192.168.221.202     tcp     smtp
#
#Allow smtp.nwl.se to fetch localparts
ACCEPT  dmz:213.212.33.20       loc:192.168.221.202     tcp     www
#
#Accept to POP-server from TrIPNet
DNAT    net:217.28.207.0/24,195.100.170.0/24    loc:192.168.221.202     tcp     pop3
#PC Anywhere -> KSD server
#DNAT   net:209.10.140.0/24     loc:192.168.221.6       tcp     5631
#DNAT   net:209.10.140.0/24     loc:192.168.221.6       udp     5632
#DNAT   net     loc:192.168.221.6       tcp     5631
#DNAT   net     loc:192.168.221.6       udp     5632
#
#LOC -> DMZ
ACCEPT  loc     dmz     tcp     www,ssh,https
#
#NET -> DMZ
ACCEPT  net     dmz:213.212.33.20       tcp     www
#
#PPTP
DNAT    net:213.67.241.162/32,212.151.0.0/16    loc:192.168.221.200     tcp     1723
DNAT    net:213.67.241.162/32,212.151.0.0/16    loc:192.168.221.200     47      -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
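The firewall half of the question can be checked mechanically. The script below is an added example (my code, not from the original post and not Shorewall's own logic) that implements the matching order the policy file comments describe: the rules file is consulted first, then the policy entries in order, with "all" acting as a wildcard zone. It is deliberately simplified: only ACCEPT/DROP/REJECT rules are considered, hosts are compared as exact addresses (no CIDR matching), port names are compared literally rather than via /etc/services, and DNAT/REDIRECT, interface qualifiers and /etc/shorewall/common are ignored. It embeds a constructed excerpt of the posted rules and policy lines. Run against the two DMZ addresses, it shows that outbound dmz to net traffic from 213.212.33.25 is accepted either by rule (for the listed ports) or by the dmz net ACCEPT policy (for everything else), while inbound from net reaches only .20, so the next thing worth checking for .25 is routing and its proxy ARP entry rather than the rule set.

```shell
#!/bin/sh
# Added example: toy evaluator for the Shorewall 1.3 matching order
# (rules file first, then policy in order, "all" is a wildcard zone).
# Simplifications: exact-address host matching, literal port names,
# ACCEPT/DROP/REJECT rules only, no DNAT/REDIRECT or common file.

# Constructed excerpt of the rules posted above.
RULES='#ACTION SOURCE  DEST    PROTO   DEST_PORT
ACCEPT  dmz     net     tcp     domain,www,https,smtp,auth,ftp,time
ACCEPT  dmz     net     udp     domain,www,https,time
ACCEPT  dmz     loc     udp     domain
ACCEPT  dmz     loc     tcp     domain
ACCEPT  net     dmz:213.212.33.20       tcp     smtp
ACCEPT  loc     dmz:213.212.33.20       tcp     smtp
ACCEPT  loc     dmz     tcp     www,ssh,https
ACCEPT  net     dmz:213.212.33.20       tcp     www'

# Constructed excerpt of the active policy lines posted above.
POLICY='#SOURCE DEST    POLICY  LOG_LEVEL
loc     net     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info'

# first_rule_match SRC_ZONE SRC_IP DST_ZONE DST_IP PROTO PORT
# Prints the action of the first rule that matches, or nothing.
first_rule_match() {
    printf '%s\n' "$RULES" | awk -v sz="$1" -v sip="$2" -v dz="$3" -v dip="$4" \
                                 -v proto="$5" -v port="$6" '
    # "zone" matches the whole zone; "zone:h1,h2" matches only the listed hosts.
    function zone_match(field, zone, ip,    n, p, h, i) {
        n = split(field, p, ":")
        if (p[1] != zone) return 0
        if (n < 2) return 1
        split(p[2], h, ",")
        for (i in h) if (h[i] == ip) return 1
        return 0
    }
    function list_has(list, item,    a, i) {
        split(list, a, ",")
        for (i in a) if (a[i] == item) return 1
        return 0
    }
    /^#/ || NF == 0 { next }
    {
        split($1, act, ":")          # drop an optional ":loglevel" suffix
        if (act[1] != "ACCEPT" && act[1] != "DROP" && act[1] != "REJECT") next
        if (!zone_match($2, sz, sip) || !zone_match($3, dz, dip)) next
        if ($4 != "all" && ($4 != proto || !list_has($5, port))) next
        print act[1]; exit
    }'
}

# policy_for SRC_ZONE DST_ZONE: first policy line whose zones match.
policy_for() {
    printf '%s\n' "$POLICY" | awk -v sz="$1" -v dz="$2" '
    /^#/ || NF == 0 { next }
    ($1 == sz || $1 == "all") && ($2 == dz || $2 == "all") { print $3; exit }'
}

# decide SRC_ZONE SRC_IP DST_ZONE DST_IP PROTO PORT -> "ACTION via rule|policy"
decide() {
    r=$(first_rule_match "$@")
    if [ -n "$r" ]; then
        echo "$r via rule"
    else
        echo "$(policy_for "$1" "$3") via policy"
    fi
}

# Outbound from .25 is allowed either way; inbound from net only reaches .20.
decide dmz 213.212.33.25 net 0.0.0.0 tcp www      # ACCEPT via rule
decide dmz 213.212.33.25 net 0.0.0.0 tcp 8080     # ACCEPT via policy
decide net 0.0.0.0 dmz 213.212.33.20 tcp www      # ACCEPT via rule
decide net 0.0.0.0 dmz 213.212.33.25 tcp www      # DROP via policy
```

Because `dmz net ACCEPT` is a policy, anything the DMZ rules do not list is still allowed outbound, which is why the rule set cannot explain .25 resolving names but failing to reach hosts.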