I have two nic cards eth1 and eth2 (eth0 is disabled for backup). Our network has the following three blocks of IP address:

207.145.190.248/29
203.189.29.144/28
192.168.0.0/24

These are all distributed throughout our internal and external network. Several machines provide access from the Internet. If I can configure just one of these machines maybe I can configure the others using Shorewall. Here's the first machine:

eth1:
207.145.190.251 <- allows ftp,ssh,pop3 to the world and it has full access going out

eth1:1
207.145.190.254 <- allows all other incoming tcp traffic like http,https,smtp but ONLY for those coming from 207.145.190.248/29 and 203.189.29.144/28. We also have a few other networks outside of our internal IPs shown above who have access to this IP as well.

eth2:
192.168.0.2 <- allows all our internal network via our local lan

Using ipchains I had no trouble configuring this. It was simple and straightforward. Using shorewall however I can't seem to get things configured. When I get one thing working it breaks something else. I had no problem configuring this machine to talk to the world (all outgoing) using Shorewall and following their examples. I also had no trouble setting up the routestopped so when shorewall was turned off, everyone on our network and outside our network (as configured) was able to access the machine. But when I shutdown shorewall, this machine can't access the world. If I turn on shorewall our blocks of IPs as shown above can't access this machine.

Here's our /etc/shorewall/routestopped:

eth1 207.145.190.248/29
eth1 203.189.29.144/28
eth1 64.168.91.68 (outside of our normal network)
eth2 192.168.0.0/24

Here's our /etc/shorewall/interfaces:

net eth1 207.145.190.255 multi,norfc1918,routefilter,blacklist
loc eth2 192.168.0.255

Here's our /etc/shorewall/policy:
fw net ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info

Here's our /etc/shorewall/zones
net Net Internet
loc Local Local networks

Here's our /etc/shorewall/rules:
REJECT:info loc net tcp 6667
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53

I have tried all kinds of things using etc/shorewall/hosts, etc/shorewall/zones and etc/shorewall/rules, but can't seem to get it to work the way I need it to. If anyone can help I would appreciate it.

Thanks,
John
On Thursday 12 September 2002 02:10 pm, J and T wrote:
> I have two nic cards eth1 and eth2 (eth0 is disabled for backup). Our
> network has the following three blocks of IP address:
>
> 207.145.190.248/29
> 203.189.29.144/28
> 192.168.0.0/24
>
> These are all distributed throughout our internal and external network.
> Several machines provide access from the Internet. If I can configure just
> one of these machines maybe I can configure the others using Shorewall.
> Here's the first machine:
>
> eth1:
> 207.145.190.251 <- allows ftp,ssh,pop3 to the world and it has full access
> going out
>
> eth1:1
> 207.145.190.254 <- allows all other incoming tcp traffic like
> http,https,smtp but ONLY for those coming from 207.145.190.248/29 and
> 203.189.29.144/28. We also have a few other networks outside of our
> internal IPs shown above who have access to this IP as well.
>
> eth2:
> 192.168.0.2 <- allows all our internal network via our local lan
>
> Using ipchains I had no trouble configuring this. It was simple and
> straightforward. Using shorewall however I can't seem to get things
> configured.

So you're saying that when contrasted to ipchains, Shorewall is complex and confusing?

> When I get one thing working it breaks something else.

Hardly a precise problem statement...

> I had no
> problem configuring this machine to talk to the world (all outgoing) using
> Shorewall and following their examples. I also had no trouble setting up
> the routestopped so when shorewall was turned off, everyone on our network
> and outside our network (as configured) was able to access the machine. But
> when I shutdown shorewall, this machine can't access the world.

That's as intended -- when Shorewall is in the "stopped" state, it permits communication between a limited set of hosts (as defined in the routestopped file) AND NO MORE.

> If I turn
> on shorewall our blocks of IPs as shown above can't access this machine.
>

With the policies and rules you have below, they would be able to access a DNS server on "this machine" and nothing else. Are you saying that they can't access the DNS server on "this machine"?

> Here's our /etc/shorewall/routestopped:
>
> eth1 207.145.190.248/29
> eth1 203.189.29.144/28
> eth1 64.168.91.68 (outside of our normal network)
> eth2 192.168.0.0/24
>
> Here's our /etc/shorewall/interfaces:
>
> net eth1 207.145.190.255 multi,norfc1918,routefilter,blacklist
> loc eth2 192.168.0.255
>
> Here's our /etc/shorewall/policy:
> fw net ACCEPT
> loc net ACCEPT
> net all DROP info
> all all REJECT info
>
> Here's our /etc/shorewall/zones
> net Net Internet
> loc Local Local networks
>
> Here's our /etc/shorewall/rules:
> REJECT:info loc net tcp 6667
> ACCEPT loc fw tcp 53
> ACCEPT loc fw udp 53
>
> I have tried all kinds of things using etc/shorewall/hosts,
> etc/shorewall/zones and etc/shorewall/rules, but can't seem to get it to
> work the way I need it to. If anyone can help I would appreciate it.
>

You don't say what you have in the /etc/shorewall/masq file -- given that your loc zone uses RFC 1918 addresses, you have to have at least one entry in that file for your local systems to be able to access the internet.

I don't know what else I can tell you unless you can report a specific problem...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Thursday 12 September 2002 03:14 pm, Tom Eastep wrote:
> On Thursday 12 September 2002 03:07 pm, J and T wrote:
> > With ipchains all I did was:
> >
> > 1. Allow "this" machine outgoing access to the world
> >
> > Once this was setup I always had outgoing access regardless of who I let
> > in or who I kept out.
>
> So you want in your policy file:
>
> fw all allow

That should be fw all ACCEPT

> > 2. Allow subnet 1 incoming access to eth1 for certain services
> >
> > This group of IPs are on the same subnet as me (207.145.190.248/29). I
> > have 2 IPs from this block and the others are distributed. With ipchains
> > I had no problem. With shorewall as soon as I add this group
> > (207.145.190.248/29) to zones or hosts, I am unable to access these
> > servers. They can access me, but I can't access them.
>
> In /etc/shorewall/rules:
>
> ACCEPT net:207.145.190.248/29 fw <proto 1> <port 1>
> ACCEPT net:207.145.190.248/29 fw <proto 2> <port 2>
> ...
>
> > 3. Allow subnet 2 incoming access to eth1 for certain services
>
> In /etc/shorewall/rules:
>
> ACCEPT net:203.189.29.144/28 net:207.145.190.248/29 <proto i> <port i>
> ACCEPT net:203.189.29.144/28 net:207.145.190.248/29 <proto j> <port j>
> ...
>
> > 4. Allow subnet 3 incoming access to eth2 for all local services
>
> In /etc/shorewall/rules:
>
> ACCEPT net:203.189.29.144/28 loc all
>

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
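An added example, not from the thread or from Shorewall itself, that traces how Shorewall picks an action for a connection: the first matching line in /etc/shorewall/rules for the zone pair wins, otherwise the first matching line in /etc/shorewall/policy applies. It embeds John's posted policy and rules and Tom's suggested changes from both replies; filling Tom's <proto>/<port> placeholder with tcp 22 (ssh) is my assumption, and the zone-to-address mapping is supplied by the caller rather than derived from the interfaces file.

```python
import ipaddress

# John's /etc/shorewall/policy and /etc/shorewall/rules exactly as posted.
JOHN_POLICY = """
fw   net  ACCEPT
loc  net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""
JOHN_RULES = """
REJECT:info  loc  net  tcp  6667
ACCEPT       loc  fw   tcp  53
ACCEPT       loc  fw   udp  53
"""
# Tom's suggestions applied: "fw all ACCEPT" in place of "fw net ACCEPT", and his
# "ACCEPT net:207.145.190.248/29 fw <proto> <port>" line with the placeholders
# filled in for ssh (tcp 22 is my assumption; the thread names no port).
TOM_POLICY = JOHN_POLICY.replace("fw   net  ACCEPT", "fw   all  ACCEPT")
TOM_RULES = JOHN_RULES + "ACCEPT  net:207.145.190.248/29  fw  tcp  22\n"


def _endpoint_matches(spec, zone, ip):
    """Match a SOURCE/DEST column such as 'net', 'net:207.145.190.248/29' or 'all'."""
    spec_zone, _, spec_net = spec.partition(":")
    if spec_zone not in ("all", zone):
        return False
    return not spec_net or ipaddress.ip_address(ip) in ipaddress.ip_network(spec_net, strict=False)


def decide(policy_text, rules_text, src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """Return ACCEPT/DROP/REJECT: first matching rule wins, else first matching policy."""
    for line in rules_text.strip().splitlines():
        fields = line.split()
        action, src, dst = fields[:3]
        rproto = fields[3] if len(fields) > 3 else "all"   # 'ACCEPT src dst all' has no port
        rport = fields[4] if len(fields) > 4 else "-"
        if (_endpoint_matches(src, src_zone, src_ip)
                and _endpoint_matches(dst, dst_zone, dst_ip)
                and rproto in ("all", proto)
                and (rport == "-" or str(port) in rport.split(","))):
            return action.split(":")[0]          # strip a ':info' log-level suffix
    for line in policy_text.strip().splitlines():
        psrc, pdst, paction = line.split()[:3]
        if psrc in ("all", src_zone) and pdst in ("all", dst_zone):
            return paction
    raise ValueError("no policy matched")       # Shorewall would refuse to start here


if __name__ == "__main__":
    host = "207.145.190.251"
    # A host in John's own /29 trying ssh to the firewall: DROP as posted, ACCEPT with Tom's rule.
    print(decide(JOHN_POLICY, JOHN_RULES, "net", "207.145.190.250", "fw", host, "tcp", 22))
    print(decide(TOM_POLICY, TOM_RULES, "net", "207.145.190.250", "fw", host, "tcp", 22))
```

With John's files, only loc hosts reach tcp/udp 53 on the firewall; everything else from net falls through to the "net all DROP" policy, which is why his own address blocks could not get in.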