Matthew Koster
2003-Feb-09 00:35 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
Ok, this is what I used to do...

/sbin/ipchains -A forward -s 192.168.0.1/255.255.255.0 -j MASQ

Basically anything going out goes out, anything coming in comes in.

I have 2 machines on the inside, both needing access to HTTP, FTP, SSH and a whole lotta other ports.

I cannot specifically port forward a link to a certain machine as both machines need full access.

How can I mimic the above ipchains statement via shorewall's webmin module?

Please help if you can.

--
Matthew Koster
Web/System Administrator
http://www.kronos3.com
http://www.lostnode.net
Jon Biddell
2003-Feb-09 04:27 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
Use the "two interfaces" example - you only have to uncomment ONE line in the RULES file and it works perfectly.

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Matthew Koster
> Sent: Sunday, 9 February 2003 19:38
> To: shorewall-users@lists.shorewall.net
> Subject: [Shorewall-users] Trying to get same result as IPCHAINS - How?
>
> Ok, this is what I used to do...
>
> /sbin/ipchains -A forward -s 192.168.0.1/255.255.255.0 -j MASQ
>
> Basically anything going out goes out, anything coming in comes in.
>
> I have 2 machines on the inside, both needing access to HTTP, FTP, SSH and a whole lotta other ports.
>
> I cannot specifically port forward a link to a certain machine as both machines need full access.
>
> How can I mimic the above ipchains statement via shorewall's webmin module?
>
> Please help if you can.
>
> --
> Matthew Koster
> Web/System Administrator
> http://www.kronos3.com
> http://www.lostnode.net
>
> _______________________________________________
> Shorewall-users mailing list Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
Tom Eastep
2003-Feb-09 05:53 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
--On Sunday, February 09, 2003 3:37 AM -0500 Matthew Koster <kronos3@kronos3.com> wrote:

> Ok, this is what I used to do...
>
> /sbin/ipchains -A forward -s 192.168.0.1/255.255.255.0 -j MASQ
>
> Basically anything going out goes out, anything coming in comes in.
>
> I have 2 machines on the inside, both needing access to HTTP, FTP, SSH and a whole lotta other ports.
>
> I cannot specifically port forward a link to a certain machine as both machines need full access.
>
> How can I mimic the above ipchains statement via shorewall's webmin module?

If all you want is the above masquerade statement:

a) Uninstall Shorewall -- you don't need a firewall apparently.

b) Arrange for the following to be executed at boot:

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

Now if you want a masquerading firewall:

a) Log out of webmin -- you don't want it yet.

b) Install Shorewall as documented on the web site and in the HTML documentation that is included with Shorewall. This includes following the instructions found in the two-interface QuickStart Guide (http://www.shorewall.net/two-interface.htm).

You will now have a masquerading FIREWALL that you can administer (for the most part) through the webmin interface.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
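An added example (not code from the thread or from Shorewall) that works through both of Tom's options: it parses the ipchains MASQ line from the question, normalises its host-address-with-netmask to the 192.168.0.0/24 that Tom wrote, emits the bare iptables masquerade, and then the extra FORWARD rules that make it a masquerading firewall instead of "anything coming in comes in". The interface names eth0 (Internet) and eth1 (LAN) are assumptions.

```python
import ipaddress
import re

ASSUMED_NET_IF = "eth0"  # assumed: interface facing the Internet
ASSUMED_LOC_IF = "eth1"  # assumed: interface facing the 192.168.0.x LAN


def parse_ipchains_masq(line: str) -> ipaddress.IPv4Network:
    """Pull the -s address/mask out of an 'ipchains ... -j MASQ' line and
    normalise it to CIDR.  The question used 192.168.0.1/255.255.255.0, a
    host address with host bits set, so strict=False is required to obtain
    192.168.0.0/24 (Tom's form) instead of a ValueError."""
    m = re.search(r"-s\s+(\S+)", line)
    if not m or "-j MASQ" not in line:
        raise ValueError("not an ipchains masquerade rule: %r" % line)
    return ipaddress.ip_network(m.group(1), strict=False)


def bare_masquerade(net: ipaddress.IPv4Network) -> str:
    """Tom's one-liner: NAT only, no filtering at all.
    Note iptables spells the target MASQUERADE, not the ipchains MASQ."""
    return "/sbin/iptables -t nat -A POSTROUTING -s %s -j MASQUERADE" % net


def masquerading_firewall(net: ipaddress.IPv4Network) -> list:
    """Same NAT plus a stateful FORWARD policy: only the LAN may open
    connections outward, replies are let back in, everything else is
    dropped.  This is roughly what the Shorewall two-interface setup
    (policy 'loc net ACCEPT' / 'net all DROP', masq 'eth0 192.168.0.0/24')
    compiles down to."""
    return [
        "/sbin/iptables -P FORWARD DROP",
        "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "/sbin/iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT"
        % (ASSUMED_LOC_IF, ASSUMED_NET_IF, net),
        bare_masquerade(net),
    ]


if __name__ == "__main__":
    rule = "/sbin/ipchains -A forward -s 192.168.0.1/255.255.255.0 -j MASQ"
    lan = parse_ipchains_masq(rule)
    print("# bare masquerade (no firewall):")
    print(bare_masquerade(lan))
    print("# masquerading firewall:")
    print("\n".join(masquerading_firewall(lan)))
```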
Matthew Koster
2003-Feb-09 08:53 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
I assume you meant the line

fw net ACCEPT

But I found that I had to change the following

net all REJECT
all all REJECT

to

net all ACCEPT
all all ACCEPT

so I can access (ping) the net from my linux box.

However, under both circumstances, I cannot access the net through any other machine on my network.

Regards
Matthew

Jon Biddell said:
> Use the "two interfaces" example - you only have to uncomment ONE line
> in the RULES file and it works perfectly.
>
>> -----Original Message-----
>> From: shorewall-users-bounces@lists.shorewall.net
>> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Matthew Koster
>> Sent: Sunday, 9 February 2003 19:38
>> To: shorewall-users@lists.shorewall.net
>> Subject: [Shorewall-users] Trying to get same result as IPCHAINS - How?
>>
>> Ok, this is what I used to do...
>>
>> /sbin/ipchains -A forward -s 192.168.0.1/255.255.255.0 -j MASQ
>>
>> Basically anything going out goes out, anything coming in comes in.
>>
>> I have 2 machines on the inside, both needing access to HTTP, FTP, SSH and a whole lotta other ports.
>>
>> I cannot specifically port forward a link to a certain machine as both machines need full access.
>>
>> How can I mimic the above ipchains statement via shorewall's webmin module?
>>
>> Please help if you can.
>>
>> --
>> Matthew Koster
>> Web/System Administrator
>> http://www.kronos3.com
>> http://www.lostnode.net

--
Matthew Koster
Web/System Administrator
http://www.kronos3.com
http://www.lostnode.net
Tom Eastep
2003-Feb-09 08:59 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
Matthew Koster wrote:
> I assume you meant the line
>
> fw net ACCEPT
>
> But I found that I had to change the following
>
> net all REJECT
> all all REJECT
>
> to
>
> net all ACCEPT
> all all ACCEPT
>
> so I can access (ping) the net from my linux box.

That's incredible since outgoing pings are allowed by Shorewall no matter what policies you have!!

> However, under both circumstances, I cannot access the net through any other
> machine on my network.

You have something really messed up on your system. Please provide us with the information requested on the Shorewall support page and we'll try to help.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Feb-09 09:05 UTC
[Shorewall-users] Trying to get same result as IPCHAINS - How?
Tom Eastep wrote:
> You have something really messed up on your system. Please provide us
> with the information requested on the Shorewall support page and we'll
> try to help.

Oh -- and before you do, put your Shorewall configuration back the way it's supposed to be (policies) and try to ping from the firewall and try to connect from the local network so we can see what's going wrong.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
> net all ACCEPT
> all all ACCEPT

Then you no longer have a firewall. It's now wide open.

> so I can access (ping) the net from my linux box.

Pings are always allowed (outgoing) unless you have changed something major.
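An added example (not from the thread or from Shorewall) that checks a Shorewall policy file the way the replies above reason about it: a net-to-anything ACCEPT means there is no firewall left, and the effective loc-to-net policy explains whether LAN hosts can reach the net at all. The policy file format (SOURCE DEST POLICY, first match wins, "all" matching any zone) and the zones fw/net/loc are Shorewall's; the three file contents are constructed from what the thread reports, and the "loc" zone, the SANE layout and the fallback when nothing matches are assumptions.

```python
from typing import List, Tuple

# Matthew's policies after his edit (constructed from his message).
WIDE_OPEN = "fw net ACCEPT\nnet all ACCEPT\nall all ACCEPT\n"
# What he described having before the edit (constructed).
BEFORE = "fw net ACCEPT\nnet all REJECT\nall all REJECT\n"
# Two-interface QuickStart shape (assumed; loc = the local network zone).
SANE = "loc net ACCEPT\nfw net ACCEPT\nnet all DROP\nall all REJECT\n"


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """(source, dest, policy) per line; '#' comments and blank lines skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            f = line.split()
            if len(f) < 3:
                raise ValueError("bad policy line: %r" % line)
            rows.append((f[0], f[1], f[2].upper()))
    return rows


def effective_policy(rows, src: str, dst: str) -> str:
    """First matching row wins; 'all' matches any zone (Shorewall semantics)."""
    for s, d, p in rows:
        if s in (src, "all") and d in (dst, "all"):
            return p
    return "REJECT"  # assumed fallback when no row matches at all


def check_policy(text: str) -> List[str]:
    """Findings, from a defender's view, for the zones used in this thread."""
    rows = parse_policy(text)
    findings = []
    # Tom's point: the Internet must never be allowed to initiate inward.
    for dst in ("fw", "loc"):
        if effective_policy(rows, "net", dst) == "ACCEPT":
            findings.append("net -> %s is ACCEPT: no longer a firewall" % dst)
    # Matthew's other symptom: LAN hosts need a permissive loc -> net policy
    # (plus a masq entry) before they can reach the net through the box.
    loc_net = effective_policy(rows, "loc", "net")
    if loc_net != "ACCEPT":
        findings.append("loc -> net is %s: LAN hosts cannot reach the net" % loc_net)
    return findings


if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("WIDE_OPEN", WIDE_OPEN), ("SANE", SANE)):
        print(name, check_policy(text) or ["ok"])
```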