Francesca C Smith
2002-Jan-20 01:07 UTC
[Shorewall-users] Two Newbie Questions. One About Virtual Addresses And The Other About IP-Chains
Hiya,

I am new to using Shorewall and well am impressed. Ok here are the questions. I run a hosting server running Red-Hat 7.2 with all latest patches installed. Iptables version 1.2.4, Kernel 2.4.9-13. I start up shorewall with the following configuration params file configuration. I run one virtual host on this machine to serve up name based Apache Web Sites. The addresses are 216.25.199.137 for eth0 and 216.25.199.138 for eth0:0. I require all the following ports to be accessible on eth0 from outside. I only need 80,443 and 3306 for eth0:0 accessible from outside. From inside only 20,21,22,53,123 need to access the local subnet 216.25.199/24. Inside hosts on sub-net 216.25.199/24 only require 20,21,22 access to this host.

I'm thinking I need local zones for the internal sub-net with 216.25.199.138 being excepted. I'm thinking I need a dmz zone for 216.25.199.138. And all eth0 needs is a better thought out port access config than the simple one below. (Ftp Less UDP access Etc Etc). All I am asking is am I thinking in the right direction here?? I can toy with and learn the best config just need a starting point. I have looked all over the archives and really don't see much on iptables and virtual hosts. I am working off the sample one interface templates provided at the shorewall web site.

    NET_IF=eth0
    NET_BCAST=detect
    NET_OPTIONS=noping,norfc1918
    TCP_PORTS=20,21,22,25,53,80,110,123,443,3306,10000,10001
    UDP_PORTS=20,21,22,25,53,80,110,123,443,3306,10000,10001

On another point .. Ip-Chains can be shut off I figure or does it even do anything but take up CPU cycles with ip-tables and netfilter ??

Thank You,
Francesca C Smith
SysAdmin
Lady Linux Hosting And Consulting
sysadmin@ladylinux.com
Tom Eastep
2002-Jan-20 02:06 UTC
[Shorewall-users] Two Newbie Questions. One About Virtual Addresses And The Other About IP-Chains
Francesca,

On Saturday 19 January 2002 05:07 pm, Francesca C Smith wrote:

> I am new to using Shorewall and well am impressed. Ok here are the
> questions. I run a hosting server running Red-Hat 7.2 with all latest
> patches installed. Iptables version 1.2.4, Kernel 2.4.9-13. I start up
> shorewall with the following configuration params file configuration.

I don't see an attachment -- You mention later though that you are working off of the one-interface sample.

> I run one virtual host on this machine to serve up name based Apache Web Sites.
> The addresses are 216.25.199.137 for eth0 and 216.25.199.138 for eth0:0.

While it wasn't previously stated, the samples all assume a single internet IP address. I've updated the web site to make that assumption explicit.

> I require all the following ports to be accessible on eth0 from outside. I
> only need 80,443 and 3306 for eth0:0 accessible from outside. From inside
> only 20,21,22,53,123 need to access the local subnet 216.25.199/24.

You refer to "outside" and "inside" -- what exactly do these terms mean to you?

> Inside hosts on sub-net 216.25.199/24 only require 20,21,22 access to this host.

So does the firewall have more than one interface?

> I'm thinking I need local zones for the internal sub-net with 216.25.199.138
> being excepted.

This is beginning to sound like my setup -- have you looked at http://www.shorewall.net/myfiles.htm?

> I'm thinking I need a dmz zone for 216.25.199.138. And all
> eth0 needs is a better thought out port access config than the simple one
> below. (Ftp Less UDP access Etc Etc). All I am asking is am I thinking in
> the right direction here?? I can toy with and learn the best config just
> need a starting point. I have looked all over the archives and really don't
> see much on iptables and virtual hosts. I am working off the sample one
> interface templates provided at the shorewall web site.

I think you need to abandon use of the sample configs -- I would also like to know how many interfaces you have (or are thinking of having) on your firewall. If you are doing this with only one interface, then you are restricted to two zones: net (or whatever you choose to call the internet) and fw. You can still differentiate between your external IP addresses but you must do so entirely inside the rules file.

-Tom
--
Tom Eastep            \ A Firewall for Linux 2.4.*
AIM: tmeastep         \ http://www.shorewall.net
ICQ: #60745924        \ teastep@shorewall.net
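To make Tom's last point concrete, here is an added example of what "differentiate between your external IP addresses entirely inside the rules file" looks like for the two addresses in the question. It is not Tom's file nor a Shorewall sample; it assumes the one-interface layout he describes (only the zones net and fw, with the sample's DROP policy for net to fw), the Shorewall 1.2 rules file column order (ACTION, SOURCE, DEST, PROTO, DEST PORT(S)), and the port lists from the original post. The zone:address form in the DEST column is what ties a rule to one of the firewall's own addresses rather than to the interface as a whole, which is why the params file's single TCP_PORTS/UDP_PORTS lists cannot express a per-address policy. The UDP list here is my assumption, reduced to DNS and NTP as the post's "Less UDP access" suggests; NTP (123) is listed only under udp.

```shorewall
# /etc/shorewall/rules fragment (added example, not from the thread).
# Assumes a single interface, zones "net" and "fw", net->fw policy DROP.
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)
#
# Primary address 216.25.199.137 (eth0): the TCP services from the
# poster's TCP_PORTS list; UDP only for DNS and NTP (assumed).
ACCEPT   net     fw:216.25.199.137  tcp    20,21,22,25,53,80,110,443,3306,10000,10001
ACCEPT   net     fw:216.25.199.137  udp    53,123
#
# Alias address 216.25.199.138 (eth0:0): web and MySQL only.
ACCEPT   net     fw:216.25.199.138  tcp    80,443,3306
#
# Anything else arriving for either address from the net zone is not
# matched here and falls through to the net->fw policy.
```

Because every ACCEPT names an address, a service opened on 216.25.199.137 is not automatically reachable on 216.25.199.138, which is the separation the question was reaching for with a "dmz zone". One thing worth confirming before deploying this is whether 3306 really has to be reachable from the internet on the alias address; the rule above opens it only because the post asks for it, and dropping that line is the cheapest hardening step if the database is only used by the local Apache vhosts.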