Gokul Poduval
2003-Jun-14 06:17 UTC
[Shorewall-users] DMZ with static NAT + port forwarding
Hello,

I am trying to install shorewall to act as a firewall in a similar fashion to the three interface setup as mentioned in shorewall docs. The only problem is that I have two machines (say A and B), offering https service outside, and I want to put both of them in a DMZ (192.168.24.0/24). I have multiple IPs, therefore I was thinking of using port forwarding for A and static NAT for B. I do not want to use proxy ARP because then I would need to assign a public ip to B, while it resides in a 192.168.24.0/24 network.

I had initially installed Mandrake 9.1, but I have upgraded the shorewall version with the RPM on the sf.net, and I have also overwritten the /etc/shorewall/* files with three-interfacs.tgz. I am able to successfully setup port forwarding to access machine A, but I cannot access machine B at its public ip. One potential problem could be that machines in DMZ need masquerading, hence the DMZ is defined in masq file. But shorewall docs say that machines requiring static NAT should not be defined in masq. Could that be a problem?
(Please cc your answers to me, I haven't subscribed to the list yet)

Here are my configuration files (the ones I modified, the others are untouched)

zones
-------
net     Net     Internet
loc     Local   Local Networks
dmz     DMZ     Demilitarized Zone

interfaces
----------
net     eth1    detect  routefilter,norfc1918,tcpflags
loc     eth2    detect
dmz     eth0    detect

masq
----
eth1    eth0    203.125.210.98
eth1    eth2    203.125.210.98

nat
---
203.125.210.99  eth1    192.168.24.16   yes     yes

policy
------
loc     net     ACCEPT
fw      net     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

rules
-----
ACCEPT  fw      net     tcp     53
ACCEPT  fw      net     udp     53

ACCEPT  loc     fw      tcp     22
ACCEPT  loc     dmz     tcp     22

ACCEPT  dmz     net     tcp     53
ACCEPT  dmz     net     udp     53

ACCEPT  net     fw      icmp    8
ACCEPT  loc     fw      icmp    8
ACCEPT  dmz     fw      icmp    8
ACCEPT  loc     dmz     icmp    8
ACCEPT  dmz     loc     icmp    8
ACCEPT  dmz     net     icmp    8
ACCEPT  fw      loc     icmp    8
ACCEPT  fw      dmz     icmp    8
ACCEPT  net     dmz     icmp    8
ACCEPT  net     loc     icmp    8

#configure port forwarding for websrvr
DNAT    net     dmz:192.168.24.8        tcp     80,443
ACCEPT  loc     dmz:192.168.24.8        tcp     80,443

#allow https and imap to mail server
ACCEPT  net     dmz:192.168.24.16       tcp     143,443

-- 
Yours Sincerely,
Gokul Poduval
gokul.poduval@newgsystem.com
On Fri, 2003-06-13 at 02:55, Gokul Poduval wrote:

> I am trying to install shorewall to act as a firewall in a similar
> fashion to the three interface setup as mentioned in shorewall docs. The
> only problem is that I have two machines (say A and B), offering https
> service outside, and I want to put both of them in a DMZ
> (192.168.24.0/24). I have multiple IPs, therefore I was thinking of
> using port forwarding for A and static NAT for B. I do not want to use
> proxy ARP because then I would need to assign a public ip to B, while it
> resides in a 192.168.24.0/24 network.
> I had initially installed Mandrake 9.1, but I have upgraded the
> shorewall version with the RPM on the sf.net, and I have also
> overwritten the /etc/shorewall/* files with three-interfacs.tgz. I am
> able to successfully setup port forwarding to access machine A, but I
> cannot access machine B at its public ip. One potential problem could be
> that machines in DMZ need masquerading, hence the DMZ is defined in masq
> file. But shorewall docs say that machines requiring static NAT should
> not be defined in masq. Could that be a problem?

No -- you can use static NAT on some systems in a subnet and masquerade the rest. See http://www.shorewall.net/shorewall_setup_guide.htm and http://www.shorewall.net/myfiles.htm.

> (Please cc your answers to me, I haven't subscribed to the list yet)
>
> Here are my configuration files (the ones I modified, the others are
> untouched)
>
> zones
> -------
> net     Net     Internet
> loc     Local   Local Networks
> dmz     DMZ     Demilitarized Zone
>
> interfaces
> ----------
> net     eth1    detect  routefilter,norfc1918,tcpflags
> loc     eth2    detect
> dmz     eth0    detect
>
> masq
> ----
> eth1    eth0    203.125.210.98
> eth1    eth2    203.125.210.98
>
> nat
> ---
> 203.125.210.99  eth1    192.168.24.16   yes     yes
>

You probably want "no no" in the last two columns.

If you want to access the server by its external IP address from your local network, add this rule:

DNAT-   loc     net:192.168.24.16       all     -       -       203.125.210.99

I think you'll be happier with the way that works.

> policy
> ------
> loc     net     ACCEPT
> fw      net     ACCEPT
> dmz     net     ACCEPT
> net     all     DROP    info
> all     all     REJECT  info
>
> rules
> -----
> ACCEPT  fw      net     tcp     53
> ACCEPT  fw      net     udp     53
>
> ACCEPT  loc     fw      tcp     22
> ACCEPT  loc     dmz     tcp     22
>
> ACCEPT  dmz     net     tcp     53
> ACCEPT  dmz     net     udp     53
>
> ACCEPT  net     fw      icmp    8
> ACCEPT  loc     fw      icmp    8
> ACCEPT  dmz     fw      icmp    8
> ACCEPT  loc     dmz     icmp    8
> ACCEPT  dmz     loc     icmp    8
> ACCEPT  dmz     net     icmp    8
> ACCEPT  fw      loc     icmp    8
> ACCEPT  fw      dmz     icmp    8
> ACCEPT  net     dmz     icmp    8
> ACCEPT  net     loc     icmp    8
>
>
> #configure port forwarding for websrvr
> DNAT    net     dmz:192.168.24.8        tcp     80,443
> ACCEPT  loc     dmz:192.168.24.8        tcp     80,443
>
> #allow https and imap to mail server
> ACCEPT  net     dmz:192.168.24.16       tcp     143,443

Do you also need port 25 open here or is it only IMAP[S] that this server provides?

Is this a new server or was it previously parallel to the firewall? If the latter, see the warning at http://www.shorewall.net/shorewall_setup_guide.htm##NAT regarding ARP cache problems.

Other than what I've mentioned, I don't see anything wrong with your configuration.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
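An added example, not part of the thread and not Shorewall's own code: a small POSIX shell script that emits the raw iptables rules the thread's nat, masq and DNAT- entries correspond to, so the interaction between static NAT for B and masquerading for the rest of the DMZ can be read and checked before anything is loaded. Interface names and addresses are the ones posted above; the chain placement follows netfilter semantics and is an assumption about the equivalent rules, not a transcript of Shorewall's internal chain names. Nothing here touches the kernel: the rules are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: print the netfilter
# rules that a nat entry, a masq entry and a DNAT- rule boil down to.
# Values below are taken from the thread; chain placement is an assumption
# based on netfilter semantics, not Shorewall's own chain layout.

EXT_IF=eth1              # "net" interface in the interfaces file
LOC_IF=eth2              # "loc" interface
DMZ_NET=192.168.24.0/24  # DMZ subnet behind eth0
MASQ_IP=203.125.210.98   # address used for everything that is not statically NATed
PUB_B=203.125.210.99     # public address of machine B
PRIV_B=192.168.24.16     # DMZ address of machine B

# nat file columns: EXTERNAL INTERFACE INTERNAL ALL-INTERFACES LOCAL
# Column 4 = yes drops the "-i INTERFACE" match on the inbound DNAT, so the
# public address is translated on every interface; column 5 = yes adds an
# OUTPUT rule so the firewall's own connections to EXTERNAL are redirected.
static_nat() {
    ext=$1 iface=$2 int=$3 all_ifs=$4 fw_local=$5
    if [ "$all_ifs" = yes ]; then
        echo "iptables -t nat -A PREROUTING -d $ext -j DNAT --to-destination $int"
    else
        echo "iptables -t nat -A PREROUTING -i $iface -d $ext -j DNAT --to-destination $int"
    fi
    if [ "$fw_local" = yes ]; then
        echo "iptables -t nat -A OUTPUT -d $ext -j DNAT --to-destination $int"
    fi
    # Outbound connections and replies from the host leave as the public address.
    echo "iptables -t nat -A POSTROUTING -o $iface -s $int -j SNAT --to-source $ext"
}

# masq file columns: INTERFACE SUBNET ADDRESS (subnet form only in this example)
masq() {
    echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -j SNAT --to-source $3"
}

# rules file: DNAT- SOURCE-ZONE DEST PROTO - - ORIGINAL-DEST
# With column 4 of the nat entry set to "no", this is what lets hosts behind
# LOC_IF reach B by its public address.
hairpin() {
    echo "iptables -t nat -A PREROUTING -i $1 -d $2 -j DNAT --to-destination $3"
}

# The whole set in the order it must be loaded. nat POSTROUTING is first
# match wins, so the host-specific SNAT for B has to precede the subnet-wide
# masquerade; reversed, B's traffic would leave as MASQ_IP and the static
# mapping would silently stop working in the outbound direction.
render() {
    static_nat "$PUB_B" "$EXT_IF" "$PRIV_B" no no
    hairpin "$LOC_IF" "$PUB_B" "$PRIV_B"
    masq "$EXT_IF" "$DMZ_NET" "$MASQ_IP"
}

# Check on the generated set: the first SNAT rule must be B's, not the masquerade.
snat_order_ok() {
    first=$(render | grep -- '-j SNAT' | head -n 1)
    case $first in
        *"--to-source $PUB_B"*) return 0 ;;
        *) return 1 ;;
    esac
}

render
if snat_order_ok; then
    echo "# ok: static SNAT for $PRIV_B precedes the masquerade rule"
fi
```

Once the real rules are loaded, `iptables -t nat -L POSTROUTING -n --line-numbers` shows the same ordering question directly; if the subnet-wide SNAT for 192.168.24.0/24 sits above the one for 192.168.24.16, B is being masqueraded regardless of what the nat file says.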