I have been running a couple of Shorewall systems now for about 4 months. Works great. I have a couple of questions.

1. I would like to limit SSH access to an external subnet. I believe I just need to create a ZONE and the necessary RULES for it and then DENY all others. Is this correct?

2. I would like all requests to port 80/443 from the internet to get passed to a couple of systems (round robin) on my internal network. Is this possible? I currently have the 1 to 1 working.

Thanks
Jim
Jim,

> 1. I would like to limit SSH access to an external subnet. I believe I just need to create a ZONE and the necessary RULES for it and then DENY all others. Is this correct?

You shouldn't have to create a new ZONE for this. Try adding a rule like:

    ACCEPT   net:<remote_subnet>   loc:<local_address>   tcp   ssh

> 2. I would like all requests to port 80/443 from the internet to get passed to a couple of systems (round robin) on my internal network. Is this possible? I currently have the 1 to 1 working.

As far as I am aware, Shorewall won't load balance connections (someone please correct me if I am wrong). You could allow access to several machines on your internal network (via Shorewall), then use DNS round robining to do the load balancing. Maybe someone else has a better idea?

-Jim Susoy
Item 1 works great.

I don't know why IPTABLES can't do the round robin; with my old firewall I used ipchains/ipmasqadm to do it.

Jim

> Jim,
>
> > 1. I would like to limit SSH access to an external subnet. I believe I just need to create a ZONE and the necessary RULES for it and then DENY all others. Is this correct?
>
> You shouldn't have to create a new ZONE for this. Try adding a rule like:
>
>     ACCEPT   net:<remote_subnet>   loc:<local_address>   tcp   ssh
>
> > 2. I would like all requests to port 80/443 from the internet to get passed to a couple of systems (round robin) on my internal network. Is this possible? I currently have the 1 to 1 working.
>
> As far as I am aware, Shorewall won't load balance connections (someone please correct me if I am wrong). You could allow access to several machines on your internal network (via Shorewall), then use DNS round robining to do the load balancing. Maybe someone else has a better idea?
>
> -Jim Susoy
Ok, but how to do it with shorewall?

> Jim,
>
> > Item 1 works great.
>
> Great!
>
> > I don't know why IPTABLES can't do the round robin; with my old firewall I used ipchains/ipmasqadm to do it.
>
> I've never done this personally so I can't really speak from experience here. I've seen posts to other mailing lists which indicate that IPTABLES can do this with something like:
>
>     /sbin/iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT \
>         --to-destination 192.168.1.1:80 \
>         --to-destination 192.168.1.12:80 \
>         --to-destination 192.168.1.16:80 \
>         --to-destination 192.168.1.17:80
>
> I haven't tried it though. I'm sure others on this list can provide more help in regards to getting this going.
>
> -Jim Susoy
On Sat, 19 Apr 2003, Jim Buttafuoco wrote:

> Item 1 works great.
>
> I don't know why IPTABLES can't do the round robin; with my old firewall I used ipchains/ipmasqadm to do it.

Iptables CAN do it -- Shorewall can't....

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 19 Apr 2003, Jim Buttafuoco wrote:

> Ok, but how to do it with shorewall?
>
> > Jim,
> >
> > > Item 1 works great.
> >
> > Great!
> >
> > > I don't know why IPTABLES can't do the round robin; with my old firewall I used ipchains/ipmasqadm to do it.
> >
> > I've never done this personally so I can't really speak from experience here. I've seen posts to other mailing lists which indicate that IPTABLES can do this with something like:
> >
> >     /sbin/iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT \
> >         --to-destination 192.168.1.1:80 \
> >         --to-destination 192.168.1.12:80 \
> >         --to-destination 192.168.1.16:80 \
> >         --to-destination 192.168.1.17:80
> >
> > I haven't tried it though. I'm sure others on this list can provide more help in regards to getting this going.

If the hosts that you want to round robin are in a contiguous range (such as 192.168.1.12-14) then:

    DNAT-    net   z:192.168.1.12-192.168.1.14   tcp   <port list>
    ACCEPT   net   z:192.168.1.12                tcp   <port list>
    ACCEPT   net   z:192.168.1.13                tcp   <port list>
    ACCEPT   net   z:192.168.1.14                tcp   <port list>

Where 'z' is the zone where the servers are located.

If the addresses aren't contiguous, then you will have to manually add the DNAT rule in /etc/shorewall/start (the ACCEPT rules are still required). You can add it to the PREROUTING chain as Jim Susoy suggested, or if the nat table chain 'net_dnat' exists, it is better to add the rule there.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
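An added example for the non-contiguous case Tom describes above (this is not code from the thread or from the Shorewall project): a POSIX sh helper that prints the ACCEPT lines for /etc/shorewall/rules and the manual iptables DNAT rule for /etc/shorewall/start, choosing the net_dnat chain when it exists and PREROUTING otherwise. The public address 203.0.113.10, zone "loc", port 80 and the three server addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: the non-contiguous round-robin
# case Tom describes. Prints the ACCEPT lines for /etc/shorewall/rules and the manual
# iptables DNAT rule for /etc/shorewall/start, using chain net_dnat when it exists,
# otherwise PREROUTING. Assumed (constructed) values below: public 203.0.113.10,
# zone "loc", port 80, servers 192.168.1.12, .16 and .17.
PUBLIC_IP="203.0.113.10"
ZONE="loc"
PORT=80
SERVERS="192.168.1.12 192.168.1.16 192.168.1.17"

# One ACCEPT rule per server (Tom: still required alongside the DNAT).
# $1 = zone, $2 = port, remaining args = server addresses.
accept_rules() {
    zone=$1; port=$2; shift 2
    for s in "$@"; do
        echo "ACCEPT net $zone:$s tcp $port"
    done
}

# net_dnat if it is among the existing nat-table chains passed in $1 (space
# separated), else PREROUTING; taking the list as an argument keeps this testable.
pick_chain() {
    for c in $1; do
        [ "$c" = "net_dnat" ] && { echo "net_dnat"; return 0; }
    done
    echo "PREROUTING"
}

# One DNAT rule with several --to-destination targets (the form Jim Susoy quoted).
# Kernels up to 2.6.10 round-robin between them; from 2.6.11 iptables accepts only
# a single --to-destination, so there only Tom's contiguous DNAT- range form works.
build_dnat_rule() {
    chain=$1; vip=$2; port=$3; shift 3
    cmd="iptables -t nat -A $chain -p tcp -d $vip --dport $port -j DNAT"
    for s in "$@"; do
        cmd="$cmd --to-destination $s:$port"
    done
    echo "$cmd"
}

# $1 = existing nat chains; live value: iptables -t nat -L -n | awk '/^Chain/ {print $2}'
main() {
    accept_rules "$ZONE" "$PORT" $SERVERS
    chain=$(pick_chain "${1:-}")
    build_dnat_rule "$chain" "$PUBLIC_IP" "$PORT" $SERVERS
}

main "$@"
```

Run it as `sh round_robin.sh "$(iptables -t nat -L -n | awk '/^Chain/ {print $2}')"` on the firewall to get lines that reflect the chains actually present; the DNAT line is what goes into /etc/shorewall/start.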
Tom/Jim

Thanks for your help. I will try your suggestion below and report back.

Jim

> On Sat, 19 Apr 2003, Jim Buttafuoco wrote:
>
> > Ok, but how to do it with shorewall?
> >
> > > Jim,
> > >
> > > > Item 1 works great.
> > >
> > > Great!
> > >
> > > > I don't know why IPTABLES can't do the round robin; with my old firewall I used ipchains/ipmasqadm to do it.
> > >
> > > I've never done this personally so I can't really speak from experience here. I've seen posts to other mailing lists which indicate that IPTABLES can do this with something like:
> > >
> > >     /sbin/iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT \
> > >         --to-destination 192.168.1.1:80 \
> > >         --to-destination 192.168.1.12:80 \
> > >         --to-destination 192.168.1.16:80 \
> > >         --to-destination 192.168.1.17:80
> > >
> > > I haven't tried it though. I'm sure others on this list can provide more help in regards to getting this going.
>
> If the hosts that you want to round robin are in a contiguous range (such as 192.168.1.12-14) then:
>
>     DNAT-    net   z:192.168.1.12-192.168.1.14   tcp   <port list>
>     ACCEPT   net   z:192.168.1.12                tcp   <port list>
>     ACCEPT   net   z:192.168.1.13                tcp   <port list>
>     ACCEPT   net   z:192.168.1.14                tcp   <port list>
>
> Where 'z' is the zone where the servers are located.
>
> If the addresses aren't contiguous, then you will have to manually add the DNAT rule in /etc/shorewall/start (the ACCEPT rules are still required). You can add it to the PREROUTING chain as Jim Susoy suggested, or if the nat table chain 'net_dnat' exists, it is better to add the rule there.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net