is there any way to use aliased ip addresses with shorewall, and maintain separate rulesets for different IPs? I cannot find any documentation on this.
Robin Mordasiewicz wrote:
> is there any way to use aliased ip addresses with shorewall, and maintain
> separate rulesets for different IPs

Yes -- simply use the IP address in your rules (or if you use NAT, use the local IP address in your rules).

Example 1:

/etc/shorewall/rules

# Accept AUTH but only on address 192.0.2.125
ACCEPT net fw:192.0.2.125 tcp auth

Example 2 (NAT):

/etc/shorewall/nat

192.0.2.126 eth0 10.1.1.126

# Accept HTTP on 192.0.2.126
ACCEPT net loc:10.1.1.126 tcp www

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thanks. I was trying to build a new interface with an extension of :0, such as

/etc/shorewall/interfaces
netfw eth0:0 detect

On Mon, 28 Oct 2002, Tom Eastep wrote:

> Robin Mordasiewicz wrote:
> > is there any way to use aliased ip addresses with shorewall, and maintain
> > separate rulesets for different IPs
>
> Yes -- simply use the IP address in your rules (or if you use NAT, use the
> local IP address in your rules).
>
> Example 1:
>
> /etc/shorewall/rules
>
> # Accept AUTH but only on address 192.0.2.125
> ACCEPT net fw:192.0.2.125 tcp auth
>
> Example 2 (NAT):
>
> /etc/shorewall/nat
>
> 192.0.2.126 eth0 10.1.1.126
>
> # Accept HTTP on 192.0.2.126
> ACCEPT net loc:10.1.1.126 tcp www
>
> -Tom
>
-- 
Robin Mordasiewicz 416-207-7012
UNIX Administrator
Primus Canada
Robin Mordasiewicz wrote:
> Thanks. I was trying to build a new interface with an extension of :0,
> such as
>
> /etc/shorewall/interfaces
> netfw eth0:0 detect
>

The ":0" notation is deprecated and will disappear eventually. Neither iproute (ip and tc) nor iptables supports that notation, so neither does Shorewall.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Hi, thanks for your help. I have one more question.

I am trying to build an HA firewall, so I have one floating ip address which will forward internet requests to an internal machine. Basically what I want is for the floating ip address to forward ssh and other queries to an internal server, and the primary address to accept ssh for the fw.

I have tried a few variations of the following.

/etc/shorewall/rules
DNAT net:216.253.141.42 loc:192.168.5.4 tcp ssh,www,
ACCEPT net fw:216.254.179.43 tcp ssh

On Mon, 28 Oct 2002, Tom Eastep wrote:

> Robin Mordasiewicz wrote:
> > is there any way to use aliased ip addresses with shorewall, and maintain
> > separate rulesets for different IPs
>
> Yes -- simply use the IP address in your rules (or if you use NAT, use the
> local IP address in your rules).
>
> Example 1:
>
> /etc/shorewall/rules
>
> # Accept AUTH but only on address 192.0.2.125
> ACCEPT net fw:192.0.2.125 tcp auth
>
> Example 2 (NAT):
>
> /etc/shorewall/nat
>
> 192.0.2.126 eth0 10.1.1.126
>
> # Accept HTTP on 192.0.2.126
> ACCEPT net loc:10.1.1.126 tcp www
>
> -Tom
>
-- 
Robin Mordasiewicz 416-207-7012
UNIX Administrator
Primus Canada
Robin Mordasiewicz wrote:
> Hi, thanks for your help. I have one more question.
> I am trying to build an HA firewall, so I have one floating ip address
> which will forward internet requests to an internal machine. Basically
> what I want is for the floating ip address to forward ssh and other
> queries to an internal server, and the primary address to accept ssh for
> the fw.
>
> I have tried a few variations of the following.
> /etc/shorewall/rules
> DNAT net:216.253.141.42 loc:192.168.5.4 tcp ssh,www,
> ACCEPT net fw:216.254.179.43 tcp ssh
>

You need to differentiate the two cases by using the "ORIGINAL DESTINATION" column.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
That works perfectly. This is my config line, so the firewall now accepts ssh on the primary address and forwards requests on the aliased ip.

DNAT net loc:192.168.5.4 tcp ssh - 216.254.178.42
ACCEPT net fw:216.254.178.43 tcp ssh

p.s. Great work, and thanks.

On Mon, 28 Oct 2002, Tom Eastep wrote:

> Robin Mordasiewicz wrote:
> > Hi, thanks for your help. I have one more question.
> > I am trying to build an HA firewall, so I have one floating ip address
> > which will forward internet requests to an internal machine. Basically
> > what I want is for the floating ip address to forward ssh and other
> > queries to an internal server, and the primary address to accept ssh for
> > the fw.
> >
> > I have tried a few variations of the following.
> > /etc/shorewall/rules
> > DNAT net:216.253.141.42 loc:192.168.5.4 tcp ssh,www,
> > ACCEPT net fw:216.254.179.43 tcp ssh
> >
>
> You need to differentiate the two cases by using the "ORIGINAL
> DESTINATION" column.
>
> -Tom
>
-- 
Robin Mordasiewicz 416-207-7012
UNIX Administrator
Primus Canada
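The two points made in this thread, putting the address in the DEST column (Tom's "fw:192.0.2.125" example) and using the ORIGINAL DEST column for DNAT, can be checked with a small evaluator for the rules-file columns used above. The following is an added example, not code from the list posters or from the Shorewall project: it parses the subset of /etc/shorewall/rules syntax seen in the thread (ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST), then walks constructed packets through the final working rules and through the first attempt. The firewall address set, the local subnet, the client address 198.51.100.7 and the behaviour of a DNAT rule with an empty ORIGINAL DEST (modelled as matching any packet addressed to the firewall) are assumptions for the example, not facts taken from the thread or from Shorewall's documentation.

```python
"""Tiny evaluator for the /etc/shorewall/rules columns discussed in the thread.

Added example; not Shorewall's own code. It shows why a per-address policy
needs the address in DEST (ACCEPT) or ORIGINAL DEST (DNAT), not as a
qualifier on the SOURCE zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

SERVICES = {"ssh": 22, "www": 80, "auth": 113}  # service names used in the thread

# Constructed topology (assumption): the firewall owns the primary and the
# floating public address; 192.168.5.0/24 is the "loc" zone.
FIREWALL_ADDRS = {"216.254.178.43", "216.254.178.42"}
LOC_NET = ip_network("192.168.5.0/24")


@dataclass
class Rule:
    action: str
    src_zone: str
    src_addr: Optional[str]
    dst_zone: str
    dst_addr: Optional[str]
    proto: str
    dports: Set[int]
    orig_dest: Optional[str]


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def _split_zone(field: str) -> Tuple[str, Optional[str]]:
    """'fw:192.0.2.125' -> ('fw', '192.0.2.125'); 'net' -> ('net', None)."""
    zone, _, addr = field.partition(":")
    return zone, addr or None


def _ports(field: str) -> Set[int]:
    """Parse 'ssh,www,' (trailing comma tolerated, as in the thread)."""
    out = set()
    for p in field.strip(",").split(","):
        p = p.strip()
        if p:
            out.add(int(p) if p.isdigit() else SERVICES[p])
    return out


def parse_rule(line: str) -> Rule:
    cols = line.split()
    if len(cols) < 5:
        raise ValueError(f"too few columns: {line!r}")
    action, src, dst, proto, dport = cols[:5]
    # column 6 is SOURCE PORT ('-' = any), column 7 is ORIGINAL DEST
    orig = cols[6] if len(cols) > 6 and cols[6] != "-" else None
    sz, sa = _split_zone(src)
    dz, da = _split_zone(dst)
    return Rule(action, sz, sa, dz, da, proto, _ports(dport), orig)


def dest_zone(ip: str) -> str:
    if ip in FIREWALL_ADDRS:
        return "fw"
    return "loc" if ip_address(ip) in LOC_NET else "net"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_zone != pkt.src_zone:
        return False
    if rule.src_addr and rule.src_addr != pkt.src_ip:
        return False
    if rule.proto != pkt.proto or pkt.dport not in rule.dports:
        return False
    if rule.action == "DNAT":
        # DEST is the translated target; the packet is matched on ORIGINAL DEST.
        # Assumption: an empty ORIGINAL DEST matches any address of the firewall.
        if rule.orig_dest:
            return rule.orig_dest == pkt.dst_ip
        return pkt.dst_ip in FIREWALL_ADDRS
    return rule.dst_zone == dest_zone(pkt.dst_ip) and (
        rule.dst_addr is None or rule.dst_addr == pkt.dst_ip)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], Optional[str]]:
    """First matching rule's (action, effective destination), or (None, None)."""
    for r in rules:
        if matches(r, pkt):
            return r.action, (r.dst_addr if r.action == "DNAT" else pkt.dst_ip)
    return None, None


# Rules copied verbatim from the thread: the final working pair and the first attempt.
WORKING = [parse_rule(l) for l in (
    "DNAT   net  loc:192.168.5.4    tcp  ssh  -  216.254.178.42",
    "ACCEPT net  fw:216.254.178.43  tcp  ssh",
)]
FIRST_TRY = [parse_rule(l) for l in (
    "DNAT   net:216.253.141.42  loc:192.168.5.4    tcp  ssh,www,",
    "ACCEPT net                 fw:216.254.179.43  tcp  ssh",
)]


def ssh_from(src_ip: str, dst_ip: str, rules: List[Rule]):
    """Convenience: where does an SSH connection from src_ip to dst_ip end up?"""
    return evaluate(rules, Packet("net", src_ip, dst_ip, "tcp", 22))


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed internet client
    print("floating, working :", ssh_from(client, "216.254.178.42", WORKING))
    print("primary,  working :", ssh_from(client, "216.254.178.43", WORKING))
    print("floating, 1st try :", ssh_from(client, "216.254.178.42", FIRST_TRY))
    print("primary,  1st try :", ssh_from("216.253.141.42", "216.254.178.43", FIRST_TRY))
```

Run as a script it prints the outcome for each case. With the working rules an SSH connection to the floating address is forwarded to 192.168.5.4 and one to the primary address is accepted by the firewall itself, while HTTP to either address matches nothing. In the first attempt the floating address sits in the SOURCE column, so it restricts which client may connect rather than which address is being connected to: an arbitrary internet client matches neither rule, and a client at 216.253.141.42 has its SSH to the primary address forwarded as well, which is the undifferentiated case the ORIGINAL DESTINATION column resolves.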