Shorewall users - Mar 2003 - Vitual interfaces problem...

hi,=0D
 =0D
I have a firewall installed at the entrance of my private network with 2
interfaces. The eth0 interface is the one that connects to internet. This
one has two public IPs, 62.xx.xx.a y 62.xx.xx.b. The eth1 interface connects
to my internal IP and it has a private IP. The shorewall works perfectly to
protect the external income. But, I need to have access to ssh through the
first IP, 62.xx.xx.a, and DNS access to the second one, 62.xx.xx.b.=0D
 =0D
I added these rules in /etc/rules=0D
 =0D
DNAT net fw:62.xx.xx.b tcp 53 =0D
DNAT net fw:62.xx.xx.b udp 53 =0D
DNAT:info net fw:62.xx.xx.a tcp 22 =0D
=0D
The problem is that from other parts of internet you can have access to the
IP either using the 62.xx.xx.a IP, or 62.xx.xx.b, and it happens the same
with the DNS.=0D
=0D
The access logging to ssh is the following:=0D
=46rom outside, telnet 62.xx.xx.b 22: =0D
Mar 27 11:33:36 fw2 kernel: Shorewall:net2fw:DNAT:IN=3Deth0 OUT=3D=0D
MAC=3D00:02:a5:ed:ea:7f:00:03:31:b4:69:20:08:00 SRC=3Dx.x.x.x
DST=3D62.xx=2Exx.a=0D
LEN=3D60 TOS=3D0x10 PREC=3D0x00 TTL=3D56 ID=3D11877 DF PROTO=3DTCP SPT=3D43002
DPT=3D22
WINDOW=3D5840 RES=3D0x00 CWR ECE SYN URGP=3D0 =0D
=0D
=46rom outside, telnet 62.xx.xx.a 22: =0D
Mar 27 11:36:58 fw2 kernel: Shorewall:net2fw:DNAT:IN=3Deth0 OUT=3D=0D
MAC=3D00:02:a5:ed:ea:7f:00:03:31:b4:69:20:08:00 SRC=3Dxx.xx.xx.xx
DST=3D62.xx.xx.a=0D
LEN=3D60 TOS=3D0x10 PREC=3D0x00 TTL=3D56 ID=3D7183 DF PROTO=3DTCP SPT=3D43020
DPT=3D22=0D
WINDOW=3D5840 RES=3D0x00 CWR ECE SYN URGP=3D0 =0D
=0D
Is this normal? Shouldn''t it accept only the ssh from the 62.xx.xx.a
IP? And
only the DNS from the 62.xx.xx.b IP?=0D
 =0D
The firewall data is:=0D
$ ip addr show eth0 =0D
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 =0D
link/ether 00:02:a5:ed:ea:7f brd ff:ff:ff:ff:ff:ff =0D
inet 62.97.78.99/27 brd 62.97.78.127 scope global eth0 =0D
inet 62.97.78.101/27 brd 62.97.78.127 scope global secondary eth0:0 =0D
=0D
/etc/shorewall/interface =0D
net eth0 62.97.78.127 routefilter,norfc1918 =0D
loc eth1 detect dhcp =0D
=0D
/etc/hosts =0D
loc eth1:192.168.15.0/24 =0D
=0D
/etc/shorewall/policy =0D
loc net ACCEPT =0D
fw net ACCEPT =0D
net all DROP info =0D
all all REJECT info =0D
=0D
Thanks a lot.=0D
=0D
---------------------------------------------=0D
Sergio Navarro i Fajardo=0D
snavarro@odec.es=0D
Valencia - Spain=0D
=20

On Thu, 27 Mar 2003, sergio wrote:
> hi,
>  
> I have a firewall installed at the entrance of my private network with 2
> interfaces. The eth0 interface is the one that connects to internet. This
> one has two public IPs, 62.xx.xx.a y 62.xx.xx.b. The eth1 interface
connects
> to my internal IP and it has a private IP. The shorewall works perfectly to
> protect the external income. But, I need to have access to ssh through the
> first IP, 62.xx.xx.a, and DNS access to the second one, 62.xx.xx.b.
>  
> I added these rules in /etc/rules
>  
> DNAT net fw:62.xx.xx.b tcp 53 
> DNAT net fw:62.xx.xx.b udp 53 
> DNAT:info net fw:62.xx.xx.a tcp 22 
> 
My apologies Sergio -- there is a typographical error in the documentation 
which has lead you to use DNAT rules where you want ACCEPT rules. If you 
change DNAT to ACCEPT in the above rules it will work as you expect.

I''ll change the documentation ASAP...
-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net