On Sun, 30 Jun 2002, Richard James wrote:
> Hi
>
> I have read the documentation on the site for shorewall 1.3.x. But I
> still can not get my firewall to work as I want. The problem is I need
> to open up a range of ports to a local machine(192.168.0.8) ports
> 1024:52000 (port forwarding I think), BUT ONLY accessible from the net
> interface from 5 trusted servers:
>
> I have tried this in my rules file, but does not work
>
> #server2
> DNAT net:209.61.158.207 loc:192.168.0.8 tcp 1024:52000
> DNAT net:209.61.158.207 loc:192.168.0.8 udp
>
> ...
There's no reason why that shouldn't work assuming the correct source IP
addresses. But "does not work" doesn't give us anything to go on.
What does "shorewall show nat" and "shorewall show net2loc" give you?
>
> But this does:
>
> DNAT net loc:192.168.0.8 tcp 1024:52000
> DNAT net loc:192.168.0.8 udp 1024:52000
>
Ok.
> Policy file:
>
> loc net ACCEPT
> loc fw ACCEPT
> fw net ACCEPT
> fw loc ACCEPT
> net all DROP info
> all all REJECT info
>
> Interface file:
>
> net eth0 detect
> dhcp,blacklist,norfc1918,dropunclean
> loc eth1 detect routestopped
>
> But it is too much of a security hole. Am I missing something obvious?
>
> I have tried adding them to the host file and making a new zone called
> 'trust' but no luck
> Hosts:
> #trust eth0:209.61.158.206
> #trust eth0:209.61.158.207
> #trust eth0:209.61.158.208
> #trust eth0:209.61.158.209
> #trust eth0:209.61.158.210
>
>
> What is the best way to do this?
>
I'd probably do the latter because it imposes fewer rules on other traffic.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
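The "latter" approach Tom recommends, spelled out as an added configuration example (not part of the thread and not Shorewall's own documentation): a separate `trust` zone is populated from the hosts file, and the port-forwarding rule names that zone instead of `net`. It assumes the Shorewall 1.3 file layouts (zones, interfaces, hosts, rules), the five server addresses and the internal host 192.168.0.8 quoted above, and that eth0 stays in the `net` zone as in the original interfaces file. The `trust` zone is listed before `net` in the zones file so that, for addresses that belong to both, the `trust` rules are evaluated first; the hosts entries are written without the leading `#` that appears in the quoted post, since `#` starts a comment in Shorewall files.

```shorewall
# /etc/shorewall/zones
# ZONE   DISPLAY    COMMENTS
trust    Trusted    Five trusted servers, defined in /etc/shorewall/hosts
net      Net        Internet
loc      Local      Local network
# (trust is listed before net: for an address in both zones, trust rules win)

# /etc/shorewall/interfaces
# ZONE   INTERFACE  BROADCAST  OPTIONS
net      eth0       detect     dhcp,blacklist,norfc1918,dropunclean
loc      eth1       detect     routestopped

# /etc/shorewall/hosts
# ZONE   HOST(S)                OPTIONS
trust    eth0:209.61.158.206
trust    eth0:209.61.158.207
trust    eth0:209.61.158.208
trust    eth0:209.61.158.209
trust    eth0:209.61.158.210

# /etc/shorewall/rules
# ACTION SOURCE   DEST              PROTO  DEST PORT(S)
DNAT     trust    loc:192.168.0.8   tcp    1024:52000
DNAT     trust    loc:192.168.0.8   udp    1024:52000
# No DNAT rule names the net zone, so the same ports reached from any
# other Internet address fall through to the "net all DROP info" policy.
```

After editing, `shorewall restart` reloads the configuration; `shorewall show nat` should then list the two DNAT targets with the five source addresses, and `shorewall show net2loc` should no longer contain forwarding entries for the port range.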