Fabio Mecchia
2003-Oct-25 04:28 UTC
[Shorewall-users] Firewall with 3 nic (newbie question)
Hello, I have a question for you.

In my company we have a firewall with 3 nic: one goes to an adsl modem, one to our lan and the last goes to another lan (my old ISP). I was able to set up the firewall to connect our lan to internet via the adsl modem and to run squid as a transparent proxy, but I have a problem. We need to reach a ftp and a mail server connected to our old isp gateway but I don't know how to configure shorewall.

    OUR LAN 192.168.7.xxx
      |
      |
      |
      |
      |
    192.168.7.1 ETH0
      |
    FIREWALL - ETH1 192.168.0.142 - - - - - 192.168.0.200 (old isp gateway) - - - - 212.131.x.x (mail and ftp server)
      |
    192.168.1.254 ETH2
      |
      |
      |
      |
    ADSL Modem

So how can I tell shorewall to redirect all the traffic for 212.131.x.x through ETH1 and our old isp gateway?

I tried to set up a rule for FTP like:

    DNAT LOC EXT:192.168.0.200 TCP FTP - 212.131.x.x

but it doesn't work.

The version of shorewall I use is 1.3.14 and the zones are LOCal on ETH0, EXTernal on ETH1 and NETwork on ETH2.

Thanks a lot for any answer and excuse me if this is a stupid question but I'm new to this kind of stuff.

Fabio Mecchia
On Sat, 2003-10-25 at 04:36, Fabio Mecchia wrote:
>
> So how can I tell shorewall to redirect all the traffic for 212.131.x.x
> through ETH1 and our old isp gateway?

You don't. Shorewall is for packet filtering/rewriting/mangling and not for routing.

> I tried to set up a rule for FTP like : DNAT LOC EXT:192.168.0.200 TCP
> FTP - 212.131.x.x
> but it doesn't work.
>
> The version of shorewall I use is 1.3.14 and the zones are LOCal on ETH0,
> EXTernal on ETH1 and NETwork on ETH2
>
> Thanks a lot for any answer and excuse me if this is a stupid question but
> I'm new to this kind of stuff.

You need to look at the Linux Advanced Routing and Traffic Control (LARTC) HowTo. There is a link from the "Useful Links" page on the Shorewall site. There is also a mailing list there that is probably a better place to post your question than on this list.

The only thing you need to do in Shorewall is to allow FTP traffic from the LOC zone to the EXT zone and to masquerade/SNAT that traffic.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Fabio Mecchia
2003-Oct-25 10:54 UTC
[Shorewall-users] Firewall with 3 nic (newbie question)
Hi,

I can telnet the mail server port 25 via adsl modem, not through the correct nic, but I can ping correctly the old-gateway.

Here are my config files and the result of ip route ls.

Thanks a lot

Fabio Mecchia

> Fabio:
>
> Can you telnet to the mail server's port 25, from the
> shorewall box, or the lan??
> If not, what does the routing table look like? (ip route
> ls).
> You may need to add some routing to reach your old isp's
> servers.
> Can you post your shorewall config files? Make this much
> quicker to fix
>
> Jerry Vonau

[Non-text attachments scrubbed by the list archive: zones, ip-route, masq, policy, rules, interfaces]
> Hi,
> I can telnet the mail server port 25 via adsl modem not through the correct
> nic but I can ping correctly the old-gateway.

Yea, you have no route using that nic. The ping is most likely across the adsl modem.

Hoping I understood your setup correctly... test with "ping -I 192.168.0.142 212.131.x.x"; the -I forces ping to use 192.168.0.142 as the source, which, from the artwork, is on your old isp's lan.

Give this a spin: add a host route to your mail server stating the gateway, ie:

    ip route add 212.131.x.x via 192.168.0.200 dev eth1

With the host route in place, it should work; retest with ping -I.

I had to do the same thing at work a while ago, when we changed isp's.

Jerry Vonau

> Here are my config files and the result of ip route ls
>
> Thanks a lot
>
> Fabio Mecchia
>
> > Fabio:
> >
> > Can you telnet to the mail server's port 25, from the
> > shorewall box, or the lan??
> > If not, what does the routing table look like? (ip route
> > ls).
> > You may need to add some routing to reach your old isp's
> > servers.
> > Can you post your shorewall config files? Make this much
> > quicker to fix
> >
> > Jerry Vonau
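The following is an added example, not part of the thread and not Shorewall's own code, that ties Tom's and Jerry's answers together. It replays the kernel's longest-prefix route lookup over a constructed `ip route ls` listing built from the diagram, so you can see that without a host route the packets for the old ISP's server leave through eth2 (the default route) with source 192.168.1.254, an address the old ISP's LAN will never answer, and that Jerry's `ip route add ... via 192.168.0.200 dev eth1` flips the choice to eth1 with source 192.168.0.142 (the address his `ping -I` forces). The mail/ftp host is represented by the placeholder 212.131.0.1 (the thread elides it as 212.131.x.x), the modem's address 192.168.1.1 is assumed, and the Shorewall masq/rules lines follow the 1.3-era column layout (INTERFACE SUBNET and ACTION SOURCE DEST PROTO DEST PORT) for the allow-and-masquerade step Tom describes.

```python
"""Added example: simulate longest-prefix route selection over an `ip route ls`
listing to show why the old ISP's server is reached via the ADSL interface until
a host route through the old ISP gateway is added, and what source address each
path uses. Not from the thread or from Shorewall."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interface addresses taken from the diagram in the thread.
IFACE_ADDR: Dict[str, str] = {
    "eth0": "192.168.7.1",    # company LAN
    "eth1": "192.168.0.142",  # old ISP's LAN
    "eth2": "192.168.1.254",  # ADSL modem side
}
OLD_ISP_GW = "192.168.0.200"
MAIL_FTP_SERVER = "212.131.0.1"   # placeholder for the elided 212.131.x.x

# Constructed `ip route ls` output consistent with the diagram; the modem's
# address 192.168.1.1 is assumed (the thread does not give it).
ROUTE_LS_BEFORE = """\
192.168.7.0/24 dev eth0  proto kernel  scope link  src 192.168.7.1
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.142
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.254
default via 192.168.1.1 dev eth2
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network          # destination; a bare host parses as /32
    dev: str                               # outgoing interface
    via: Optional[ipaddress.IPv4Address]   # next hop, None when directly connected
    src: Optional[ipaddress.IPv4Address]   # preferred-source hint, if the route has one


def parse_ip_route(text: str) -> List[Route]:
    """Pull destination/via/dev/src out of each line of `ip route ls` output."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        fields = {"via": None, "dev": None, "src": None}
        for i, t in enumerate(tok[1:], start=1):
            if t in fields:
                fields[t] = tok[i + 1]
        routes.append(Route(
            ipaddress.ip_network(dst, strict=False),
            fields["dev"],
            ipaddress.ip_address(fields["via"]) if fields["via"] else None,
            ipaddress.ip_address(fields["src"]) if fields["src"] else None,
        ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def source_for(routes: List[Route], dst: str) -> Optional[str]:
    """Source address a locally generated packet gets: the route's src hint,
    otherwise the outgoing interface's address. This is what `ping -I` overrides."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return str(r.src) if r.src else IFACE_ADDR.get(r.dev)


def add_host_route(routes: List[Route], host: str, via: str, dev: str) -> List[Route]:
    """Table after `ip route add <host> via <via> dev <dev>` (returns a new list)."""
    return routes + [Route(ipaddress.ip_network(host + "/32"), dev,
                           ipaddress.ip_address(via), None)]


def shorewall_lines(lan_net: str = "192.168.7.0/24", ext_iface: str = "eth1") -> Dict[str, str]:
    """The Shorewall side of the fix: masquerade the LAN out the old-ISP interface
    (masq file: INTERFACE SUBNET) and accept FTP control connections from loc to
    ext (rules file: ACTION SOURCE DEST PROTO DEST PORT)."""
    return {"masq": f"{ext_iface}\t{lan_net}",
            "rules": "ACCEPT\tloc\text\ttcp\t21"}


if __name__ == "__main__":
    before = parse_ip_route(ROUTE_LS_BEFORE)
    after = add_host_route(before, MAIL_FTP_SERVER, OLD_ISP_GW, "eth1")
    for label, table in (("before host route", before), ("after host route", after)):
        r = lookup(table, MAIL_FTP_SERVER)
        print(f"{label}: {MAIL_FTP_SERVER} -> dev {r.dev}, via {r.via}, "
              f"src {source_for(table, MAIL_FTP_SERVER)}")
    for name, line in shorewall_lines().items():
        print(f"{name}: {line}")
```

Run it as a script to see the before/after decision; on the real box the equivalent check is `ip route get 212.131.x.x`, which prints the interface and source the kernel would pick, and the `ping -I 192.168.0.142` test Jerry suggests exercises the same path end to end.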