Greetings all,

I'm a bit of a linux rookie, but a friend and I have built a firewall running Shorewall 1.4.6c over a minimal install of Redhat 9. Our network setup looks something like this:

Cable Modem : eth0 : 12.xxx.xxx.3 (Zone is named INSIGHT)
Campus Lan : eth1 : 10.176.9.21 (Zone is named MULAN)
DMZ : eth2 : 192.168.1.0 255.255.255.0 (Zone is named DMZ)

Currently, I have masqueraded eth2 through eth0 (DMZ hosts use the cable connection to go out). What we ideally want is all http (port 80) traffic to go over the campus lan connection, saving some of our cable bandwidth for other things. I can make this happen by masquerading eth2 through eth1, but then I'd have to write a series of rules for each type of traffic I want to go over eth0. Is there a rule I can make that would make all DMZ port 80 traffic go out eth2?

I've tried a variety of DNAT rules, and haven't had much success.

Current RULES file:

ACTION   SOURCE   DEST                   PROTO  DEST     SOURCE   ORIGINAL
                                                PORT     PORT(S)  DEST
DNAT     INSIGHT  DMZ:192.168.1.87:80    tcp    87
DNAT     MULAN    DMZ:192.168.1.87:80    tcp    87
DNAT     MULAN    DMZ:192.168.1.87:88    tcp    88
DNAT     INSIGHT  DMZ:192.168.1.87:88    tcp    88
DNAT     INSIGHT  DMZ:192.168.1.87:3389  tcp    3389
DNAT     MULAN    DMZ:192.168.1.87:3389  tcp    3389

As you can see, I've got two websites running over different ports on one machine, and I'm also directing Microsoft Terminal Service requests to that machine. These rules all work fine. Some of what I've tried is along the lines of

DNAT     DMZ      MULAN:10.176.9.21:80   tcp    80

I can successfully do a Shorewall restart command, but then all web traffic seems to go by the wayside. I thought I may have been restricting it via POLICY, but as you can see, I'm not (this is a testing POLICY file, not what will actually be used):

#SOURCE   DEST     POLICY   LOG LEVEL   LIMIT:BURST
INSIGHT   DMZ      ACCEPT
MULAN     INSIGHT  DROP     info
all       all      ACCEPT   info

If anyone could point me in the right direction, I'd appreciate it.

Thanks
Thomas: Think this is a bit of a routing issue. Your default route is with the cable modem, correct? You're talking outbound from the box, and not http requests from others on the internet through the cable modem?

Either way, you'll need to build some iproute tables to have the http traffic use a second default gateway that is on MULAN. Shorewall comes into play with the tcrules file that you would use to mark the packets for iproute2, kind of like the Shorewall_Squid_Usage example. First you'll need to build the routing. Start here: http://lartc.org/howto/index.html

I'm just starting to play around with this stuff also, just got a second ISP at work to play with.... :) I'll know more after a weekend of playing.

Hope this helps...

Jerry Vonau
Shorewall - 1.4.6c
Linux - Redhat 9, Minimal Install

Setup: Firewall/Router w/ 3 NIC
Eth0 -- INSIGHT (cable modem) -- 12.xxx.xxx.3
Eth1 -- MULAN (campus LAN) -- 10.176.9.21
Eth2 -- DMZ -- 192.168.1.1

The idea is to route all traffic destined for a 10.0.0.0 address out eth1. That's easy enough to do, but what I'm confused about is the next situation: To preserve bandwidth on the cable modem, we want http traffic (port 80) to be routed out eth1 as well. I know that I can mark those packets in the TCRULES file, but can I specify an interface to send them out? Both eth0 and eth1 have gateway information.

**output of route**

[root@cleversystemname etc]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
12.221.132.0    *               255.255.252.0   U     0      0        0 eth0
#Campus LAN
10.176.0.0      10.176.1.1      255.255.0.0     UG    0      0        0 eth1
10.176.0.0      *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
#Cable Modem -- default
default         12-221-132-1.cl 0.0.0.0         UG    0      0        0 eth0

**the TCRULES file**

#MARK  SOURCE  DEST        PROTO  PORT(S)  CLIENT PORT(S)
1      eth2    10.0.0.0/0  all    ~
2      eth2    ?????       http   80       80

As I understand it, I can't just say "any" for the destination, but I obviously won't know the destination of all http traffic that's going to be generated. Also, how do I handle routing these "marked" packets to those interfaces? I mean, they're marked, but I'm failing to see the next step.

Thanks for any help
-Tom
On Wed, 10 Sep 2003, Thomas Sweatt wrote:

> As I understand it, I can't just say "any" for the destination, but I
> obviously won't know the destination of all http traffic that's going to
> be generated. Also, how do I handle routing these "marked" packets to
> those interfaces? I mean, they're marked, but I'm failing to see the
> next step.
>
> Thanks for any help

Look at http://shorewall.net/Shorewall_Squid_Usage.html -- the routing for transparent proxying is exactly what you need.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
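The "next step" both replies point at (mark the packets, then give the marked packets their own default route) as a concrete script. This is an added example, not code from the thread, from Shorewall, or from the Squid usage document; it uses the interfaces, subnet and campus gateway shown in Thomas Sweatt's route output, while the mark value (2), the table number (200) and the function names are assumptions. It goes slightly beyond the thread by including the two pieces that usually bite on a first attempt: the marked connections also need to be masqueraded behind eth1, and the reverse-path filter must be relaxed on eth1 or the replies coming back from the campus side are silently dropped. Step 1 is what a tcrules line produces; steps 0, 2 and 3 are plain sysctl/iproute2/iptables that Shorewall 1.4 does not generate for you, so they belong in a script run alongside it. With DRY_RUN=1 (the default) every command is printed instead of executed, so the result can be read without root.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): send DMZ-
# originated TCP/80 traffic out the campus LAN with an fwmark and a private
# routing table, leaving everything else on the cable-modem default route.
# Addresses/interfaces from the thread; MARK, TABLE and function names are
# assumed. DRY_RUN=1 prints the commands; DRY_RUN=0 applies them (root).

DRY_RUN="${DRY_RUN:-1}"

DMZ_IF="eth2"
DMZ_NET="192.168.1.0/24"
CAMPUS_IF="eth1"
CAMPUS_GW="10.176.1.1"    # gateway of the 10.176.0.0/16 route in the posted table
MARK=2                    # fwmark for DMZ->port 80 packets (assumed value)
TABLE=200                 # private routing table for those packets (assumed number)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_policy_routing() {
    # 0. Reverse-path filtering: replies to the redirected connections arrive on
    #    eth1 from Internet sources that the main table would route out eth0, so
    #    a strict rp_filter on eth1 drops them. On 2.4 kernels the check is on
    #    if either conf.all.rp_filter or the interface setting is 1.
    run sysctl -w "net.ipv4.conf.$CAMPUS_IF.rp_filter=0"

    # 1. Mark packets leaving the DMZ for TCP port 80, whatever the destination
    #    (no -d: this is the "any destination" the tcrules question asks about).
    #    PREROUTING in the mangle table runs before the routing decision, so the
    #    mark is visible to the ip rule below. Replies from the DMZ web server
    #    have sport 80, not dport 80, and are not matched.
    run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_NET" \
        -p tcp --dport 80 -j MARK --set-mark "$MARK"

    # 2. A table whose only route is a default via the campus gateway, and a
    #    rule that consults it for marked packets only. Unmarked traffic never
    #    sees table 200 and keeps using the main table (cable-modem default).
    run ip route add default via "$CAMPUS_GW" dev "$CAMPUS_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache

    # 3. 192.168.1.0/24 is private space the campus LAN will not route back, so
    #    the redirected connections must be masqueraded behind eth1 as well as
    #    eth0 (in Shorewall terms, a second masq entry: eth1 eth2). Without it
    #    the SYN goes out and the SYN/ACK never comes home.
    run iptables -t nat -A POSTROUTING -o "$CAMPUS_IF" -s "$DMZ_NET" -j MASQUERADE
}

apply_policy_routing
```

After applying with DRY_RUN=0, `ip rule show` should list the fwmark rule ahead of the main table and `ip route show table 200` should show only the campus default; a DMZ host's `traceroute -p 80` style test should then leave via 10.176.1.1 while port 443 still leaves via the cable modem. If Shorewall's own interface options or ROUTE_FILTER setting turn rp_filter back on for eth1 at restart, step 0 has to be re-applied after Shorewall starts.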