Barry, Christopher
2002-Mar-14 18:47 UTC
[Shorewall-users] multiple external statics forwarded to different internal servers
Hi All,

I'm new to Shorewall, and I'm sorry if this is basic. I looked through the docs and on Google, cannot find anything on this. I have a Debian box (2.4.18) up with three interfaces using a modified 3-interfaces example - all is fine.

Here is my ASCII art network...

          /^^^^^^^^^^^\
          |  internet  |
          \           /
           vvvvvvvvvvv
               |<-T1
       +-------|---------+
       |    cisco 2600   |
       | xx.xx.xx.224/27 |
       +-------|(.225)---+
               |
       +-------|---------+
       | eth0   (.226)   |
       | eth0:0 (.227)   |---eth1->local network 192.168.0.0/24
       | eth0:1 (.228)   |
       | eth0:n (.254)   |
       | Debian 2.4.18   |
       | Shorewall 1.2.9 |---eth2->DMZ 192.168.100.0/24
       |                 |
       +-----------------+

Here is what I'm wanting:

My mail server to be seen outside as .230 (eth0:3), forwarded to 192.168.0.5
My VPN server to be seen outside as .229 (eth0:2), forwarded to 192.168.0.10, ad nauseam...

Would I create a zone called net0, with an interface of eth0:0, net1 for eth0:1, etc. for each external? Or can net have multiple interfaces? Could these be forwarded to the correct internal server by adding to the rules file in a way similar to server1?

Any examples of this would be great.

Thanks for your assistance, and great job you've done. Thanks.

--
Christopher Barry
InfiniCon Systems
Systems Administrator
700 American Avenue
King of Prussia, PA 19406
Tel: 610.205.0130 x25
FAX: 0488
Tom Eastep
2002-Mar-14 19:35 UTC
[Shorewall-users] multiple external statics forwarded to different internal servers
Barry,

What are you trying to accomplish here? Given that your servers have addresses in 192.168.0.0/24, they seem to be in the local network; is that really what you want? If so, what is your DMZ for?

I'll assume for the time being that you want to have your servers off of eth1 -- what zone that corresponds to isn't really relevant at this point.

What I personally would do in this case is to use Proxy ARP -- place the servers inside the firewall but give them public IP addresses (subnet eth1 with xx.xx.xx.224/27, don't subnet eth0 and add a host route on eth0 to xx.xx.xx.225). You don't need to define aliases at all in that case and you don't have to resort to DNS tricks or (gasp, cough) routing local traffic through your firewall (see http://www.shorewall.net/FAQ.htm#faq2). This is the way that I handle my DMZ (http://www.shorewall.net/myfiles.htm); although my DMZ only has a single system, it could have any number (so long as I had enough public IP addresses).

One additional note. The "eth0:i" thingys are not interfaces and neither Netfilter/iptables nor Shorewall know anything about them. You will have just a single 'net' interface (eth0) in any case.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

----- Original Message -----
From: "Barry, Christopher" <cbarry@infiniconsys.com>
To: "Shorewall-Users (E-mail)" <shorewall-users@shorewall.net>
Sent: Thursday, March 14, 2002 10:47 AM
Subject: [Shorewall-users] multiple external statics forwarded to different internal servers
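The two approaches discussed in this thread (the question's per-address forwarding to servers on 192.168.0.0/24, and the reply's Proxy ARP layout where the servers hold public addresses themselves) both start from the same plan: which public address maps to which server and service. The script below is an added example, not code from the thread or from the Shorewall project. It sanity-checks such a plan against the addressing drawn in the question before any firewall configuration is written: every public address must lie inside the /27, must not be the network or broadcast address, must not collide with the router (.225) or the firewall's own eth0 address (.226), and no protocol/port pair on one public address may be forwarded twice. The real prefix is replaced by the documentation range 203.0.113.0/24, the server list is constructed, and the two Shorewall column layouts used when emitting configuration lines are assumptions to be checked against the documentation for your Shorewall version.

```python
"""Sanity-check a plan that exposes internal servers on public addresses.

Constructed example: the /27, the .225 router and the .226 firewall mirror the
network drawn in the question, but the real prefix is replaced by the TEST-NET-3
documentation range 203.0.113.0/24 and the server list is made up.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_NET = ipaddress.ip_network("203.0.113.224/27")  # stands in for xx.xx.xx.224/27
ROUTER = ipaddress.ip_address("203.0.113.225")         # cisco 2600 inside address
FIREWALL = ipaddress.ip_address("203.0.113.226")       # firewall eth0 primary address
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")     # eth1 side


@dataclass(frozen=True)
class Server:
    name: str
    public: str    # address the outside world sees
    internal: str  # address the server really has on the local network
    proto: str
    port: int


# Constructed plan, matching the two servers named in the question.
SERVERS = [
    Server("mail", "203.0.113.230", "192.168.0.5", "tcp", 25),
    Server("vpn", "203.0.113.229", "192.168.0.10", "udp", 500),
]


def check_plan(servers, public_net=PUBLIC_NET, reserved=(ROUTER, FIREWALL), local_net=LOCAL_NET):
    """Return problems as '<name>: <reason>' strings; an empty list means the plan is consistent."""
    problems = []
    claimed = {}  # (public address, proto, port) -> server name that already owns it
    for s in servers:
        pub = ipaddress.ip_address(s.public)
        internal = ipaddress.ip_address(s.internal)
        if pub not in public_net:
            problems.append(f"{s.name}: public {pub} is outside {public_net}")
        elif pub in (public_net.network_address, public_net.broadcast_address):
            problems.append(f"{s.name}: public {pub} is the network or broadcast address")
        if pub in reserved:
            problems.append(f"{s.name}: public {pub} is already used by the router or firewall")
        if internal not in local_net:
            problems.append(f"{s.name}: internal {internal} is not in {local_net}")
        key = (str(pub), s.proto, s.port)
        if key in claimed:
            problems.append(f"{s.name}: {s.proto}/{s.port} on {pub} already forwarded to {claimed[key]}")
        else:
            claimed[key] = s.name
    return problems


def dnat_rules(servers):
    """One DNAT rule per service, for the question's 'add to the rules file' approach.

    Assumed column layout (verify against your Shorewall version's rules documentation):
    ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
    """
    return [f"DNAT net loc:{s.internal} {s.proto} {s.port} - {s.public}" for s in servers]


def proxyarp_entries(servers):
    """Proxy ARP alternative from the reply: the server itself holds the public address on
    eth1, so each line asks the firewall to answer ARP for that address on eth0.

    Assumed column layout (verify against your version's proxyarp documentation):
    ADDRESS INTERFACE EXTERNAL
    """
    return [f"{s.public} eth1 eth0" for s in servers]


if __name__ == "__main__":
    for line in check_plan(SERVERS) or ["plan is consistent"]:
        print(line)
    print("\n".join(dnat_rules(SERVERS)))
    print("\n".join(proxyarp_entries(SERVERS)))
```

Run it as a script to see the checks and both sets of generated lines for the constructed plan; feed `check_plan` a list with a deliberate clash (a public address equal to the router's, or the same tcp/25 forwarded to two hosts) to see each problem reported by server name.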