Greetings all, I'm new to the list and shorewall, but I'm relatively savvy in the ways of Linux/UNIX. I've never, however, built my own firewall, so this aspect of the equation is new to me. I have two (well, to start anyway ;-).

Shorewall 1.4.7-beta1 installed and running on RHEL 2.9.5 (beta 2, Taroon). After a day of hacking I have one remaining niggle I can't seem to work through.

I have a web and mail server running on 192.168.1.10. Mail is working as advertised. The web server is operational and visible from the "outside" world. I cannot, however, access it from any of my internal machines. Below are the applicable rules I have in place. I've tried appending a ':80' to the loc:192.168.1.10 address as noted in the documentation; no joy. What am I missing here?:

===snip==
# WWW server connections on Hydras
#
DNAT    net    loc:192.168.1.10    tcp    80
DNAT    net    loc:192.168.1.10    tcp    8000:8200
#
# Mail server connections on Hydras
#
DNAT    net    loc:192.168.1.10    tcp    smtp
DNAT    net    loc:192.168.1.10    tcp    pop-3
DNAT    net    loc:192.168.1.10    tcp    imap
#
===ends==

TIA,
/tom
Hi Tom,

On Thu, 4 Sep 2003, Tom Syroid wrote:
> I have a web and mail server running on 192.168.1.10. Mail is working as
> advertised. The web server is operational and visible from the "outside"
> world. I cannot, however, access it from any of my internal machines.

Check out FAQs 2 and 2a and see if they help you out:

http://shorewall.net/FAQ.htm#faq2

-Jason
Thanks for the reply Jason,

I've been at this four days now, and I'm getting closer thanks to the insights offered, but I'm not fully functional yet. I don't have the time or energy to summarize everything I've tried, but in brief:

* set up my 3-interface firewall according to the user's guide,
* got everything working (using DNAT for my web/mail server) but couldn't "see" my web server internally,
* studied the message and faqs as suggested,
* tried to dmz my web/mail server as suggested,
* no joy whatsoever (will return to this later, as I agree it's a good move, but for now I need functionality to do my job),
* returned to my original working configuration (with no internal web access)
* implemented "internal views" on my DNS server as suggested,
* no joy; still couldn't see internal webs,
* tried the "hack" suggested in the faq,
* no joy; still can't see my internal web server,
* returned to "internal views" without "hack",

and here I sit -- no further than I was three days ago. Almost.

- everything appears to be working (less internal web views)
- running DNAT for internal mail/web (for now)

my current mail/web rules are:

# WWW server connections on Hydras
#
DNAT    net    loc:192.168.1.10    tcp    80
DNAT    net    loc:192.168.1.10    tcp    8000:8200
#
# Mail server connections on Hydras
#
DNAT    net    loc:192.168.1.10    tcp    smtp
DNAT    net    loc:192.168.1.10    tcp    pop-3
DNAT    net    loc:192.168.1.10    tcp    imap
#

As noted, mail works, web works externally, no web views internally. The error message I get on the shorewall box when a client tries to access one of my internal web sites is (thumper is the shorewall/firewall box):

Sep 5 14:03:51 thumper kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:80:c6:fd:3c:df:00:06:25:aa:ae:c3:08:00 SRC=192.168.1.8 DST=142.165.167.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21562 DF PROTO=TCP SPT=32854 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Where should I be looking?

TIA, and thanks to the devs for a great product...

Best,
/tom

--On Thursday, September 04, 2003 17:21:10 -0400 Jason Maas <maasj@dm.org> wrote:

> Hi Tom,
>
> On Thu, 4 Sep 2003, Tom Syroid wrote:
>
>> I have a web and mail server running on 192.168.1.10. Mail is working as
>> advertised. The web server is operational and visible from the "outside"
>> world. I cannot, however, access it from any of my internal machines.
>
> Check out FAQs 2 and 2a and see if they help you out:
>
> http://shorewall.net/FAQ.htm#faq2
>
> -Jason
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi Tom,

On Fri, 5 Sep 2003, Tom Syroid wrote:
> * returned to "internal views" without "hack",
> and here I sit -- no further than I was three days ago. Almost.
>
> [...]
>
> The error message I get on the shorewall box when a client tried to access
> one of my internal web sites is (thumper is the shorewall/firewall box):
>
> Sep 5 14:03:51 thumper kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:80:c6:fd:3c:df:00:06:25:aa:ae:c3:08:00 SRC=192.168.1.8
> DST=142.165.167.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21562 DF PROTO=TCP
> SPT=32854 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Where should I be looking?

If you think you're using BIND 9 "views" right now then either your DNS server is not configured properly, or the web client is not configured to use your DNS server to resolve an IP address for your web server. Note that the Destination address (DST) in that Shorewall log entry is a "publicly routable" IP address, and not 192.168.1.10 like it should be.

-Jason
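The diagnostic Jason applies by eye (an internal SRC talking to a public DST on port 80 means the client did not get the internal answer from split DNS) can be automated over the Shorewall kernel log lines. This is an added example, not code from the thread or from Shorewall; the second sample line is constructed to show what a correctly resolved request looks like, and the "loc2loc" chain name in it is assumed.

```python
import ipaddress
import re

# Constructed sample input: the REJECT line posted in the thread, plus a
# constructed ACCEPT line for the same client after DNS returned 192.168.1.10.
SAMPLE_LOGS = [
    "Sep 5 14:03:51 thumper kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:80:c6:fd:3c:df:00:06:25:aa:ae:c3:08:00 SRC=192.168.1.8 "
    "DST=142.165.167.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21562 DF "
    "PROTO=TCP SPT=32854 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 5 14:10:02 thumper kernel: Shorewall:loc2loc:ACCEPT:IN=eth1 OUT=eth1 "
    "SRC=192.168.1.8 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=21570 DF PROTO=TCP SPT=32860 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Shorewall prefixes netfilter log lines with "Shorewall:<chain>:<action>:".
_CHAIN_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):")
# Netfilter fields are KEY=VALUE; flags such as DF and SYN carry no "=" and are skipped.
_KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

def parse_shorewall_log(line):
    """Return a dict of chain, action and the KEY=VALUE fields, or None if not Shorewall."""
    m = _CHAIN_RE.search(line)
    if not m:
        return None
    fields = {k: v for k, v in _KV_RE.findall(line[m.end():])}
    fields["chain"] = m.group("chain")
    fields["action"] = m.group("action")
    return fields

def diagnose(line):
    """Classify one line against the split-DNS expectation for an internal web client."""
    f = parse_shorewall_log(line)
    if f is None:
        return "not a Shorewall log line"
    src = ipaddress.ip_address(f["SRC"])
    dst = ipaddress.ip_address(f["DST"])
    # RFC 1918 source hitting a public destination on tcp/80: the client resolved
    # the server's public name, so the internal DNS view is not in effect for it.
    if src.is_private and not dst.is_private and f.get("DPT") == "80":
        return ("internal client %s resolved the web server to public address %s; "
                "DNS views are not taking effect for this client" % (src, dst))
    if src.is_private and dst.is_private:
        return "internal client %s reached internal address %s directly" % (src, dst)
    return "%s %s -> %s (chain %s, %s)" % (f.get("PROTO"), src, dst, f["chain"], f["action"])

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(diagnose(entry))
```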
> Hi Tom,
>
> On Fri, 5 Sep 2003, Tom Syroid wrote:
>
>> * returned to "internal views" without "hack",
>> and here I sit -- no further than I was three days ago. Almost.
>>
>> [...]
>>
>> The error message I get on the shorewall box when a client tried to
>> access
>> one of my internal web sites is (thumper is the shorewall/firewall box):
>>
>> Sep 5 14:03:51 thumper kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
>> MAC=00:80:c6:fd:3c:df:00:06:25:aa:ae:c3:08:00 SRC=192.168.1.8
>> DST=142.165.167.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21562 DF PROTO=TCP
>> SPT=32854 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> Where should I be looking?
>
> If you think you're using BIND 9 "views" right now then either your DNS
> server is not configured properly, or the web client is not configured to
> use your DNS server to resolve an IP address for your web server. Note
> that the Destination address (DST) in that Shorewall log entry is a
> "publicly routable" IP address, and not 192.168.1.10 like it should be.

Didn't he say that he removed the DNS view again?

Anyway, I agree that using DNS views is the way to go. I suggest trying to figure out why it didn't work with views. I think it was only a small detail.

Simon

> -Jason
Jason,

--On Friday, September 05, 2003 20:03:05 -0400 Jason Maas <maasj@dm.org> wrote:

> Hi Tom,
>> Where should I be looking?
>
> If you think you're using BIND 9 "views" right now then either your DNS
> server is not configured properly, or the web client is not configured to
> use your DNS server to resolve an IP address for your web server. Note
> that the Destination address (DST) in that Shorewall log entry is a
> "publicly routable" IP address, and not 192.168.1.10 like it should be.
>
> -Jason

Thanks for teaching me to read a log error ;-) Completely missed that one.

I put (back) in the loc-to-loc rule as Jerry suggested (had it back a few revs ago, but I didn't want to make the classic error of adding rules to fix problems that are not caused by rules). I had a bad ip entry in one of my internal zone files. Fixed that, and presto pocus. Thanks again all who helped.

Next week, once I've recharged my batteries, I'll tackle getting my web/mail traffic off my internal subnet as suggested in the faq. I need a day or two to bask in my accomplishments, however ;-)

So now I've corrected the BIND "internal views" issue, can I strip out the local redirect rules? (REALLY hate to mess with anything at this point now that it's finally working, but I don't want any unnecessary rules in my configuration)...

The two lines I refer to are:

/etc/shorewall/interfaces (the routeback option):

loc    eth1    detect    routeback

And /etc/shorewall/rules:

DNAT    loc    loc:192.168.1.10    tcp    www    -    142.168.167.14:192.168.1.1

Best,
/tom
Tom,

On Fri, 5 Sep 2003, Tom Syroid wrote:
> Thanks for teaching me to read a log error ;-) Completely missed that one.

You're welcome. That was a relatively easy one, so I was actually able to help! =)

> So now I've corrected the BIND "internal views" issue, can I strip out the
> local redirect rules?
>
> The two lines I refer to are:

You should be fine without those changes, at least for this web server problem.

Jason