Hi,

I am installing shorewall in an environment with multiple live IPs for the first time ever. LAN (loc zone) can access internet (net zone).
However, I have several problems:
1. I can't ping my DMZ from LAN, even though I have specified rules for that.
2. I can't DNAT incoming from internet to the DMZ.

Situation:
a. A mail server is in the LAN (planned to be moved to DMZ, but currently stays in LAN).
b. A web server is planned to be stationed in the DMZ.
c. The web server has content (servlet) that points to 2 IP addrs: 202.3.93.93, and 202.3.93.92.

Having read the shorewall instruction for multiple IP, I'd like to ask several questions:
a. How can you tell if a set of IPs is routed or not?
b. if I have the following IPs:
   202.3.93.89 ADSL gateway
   202.3.93.90 eth0 firewall
   202.3.93.91 eth0:0 firewall
   202.3.93.92 eth0:1 firewall
   202.3.93.93 eth0:2 firewall
   202.3.93.94 eth0:3 firewall
   Current domain name points to 202.7.93.93. Is it correct to set the masq as 202.7.93.93 for the LAN going to the internet? And for the masq of DMZ to internet (the web server) what should I masquerade as?
c. Since I am setting the IP manually so that eth0 has several aliases, disregarding the setting of proxyarp file is correct, right? As to my understanding, proxyarp is set to avoid manually setting up the aliases.

Here's some info that might help:

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:44:32:91:69 brd ff:ff:ff:ff:ff:ff
    inet 202.7.93.90/29 brd 202.7.93.95 scope global eth0
    inet 202.7.93.91/29 brd 202.7.93.95 scope global secondary eth0:0
    inet 202.7.93.92/29 brd 202.7.93.95 scope global secondary eth0:1
    inet 202.7.93.93/29 brd 202.7.93.95 scope global secondary eth0:2
    inet 202.7.93.94/29 brd 202.7.93.95 scope global secondary eth0:3
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:44:6d:97:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:05:a4:4c:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth2

ip route show
202.7.93.88/29 dev eth0 scope link
192.168.2.0/24 dev eth2 scope link
192.168.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 202.7.93.89 dev eth0

/etc/shorewall/interfaces
net    eth0    detect    tcpflags,routefilter,norfc1918
loc    eth1    detect
dmz    eth2    detect

/etc/shorewall/masq
eth0    eth1    202.7.93.93
eth0    eth2    202.7.93.93

/etc/shorewall/policy
loc    net    ACCEPT    ULOG
fw     net    ACCEPT    ULOG
fw     loc    ACCEPT    ULOG
net    all    REJECT    ULOG
all    all    REJECT    ULOG

/etc/shorewall/rules
#
ACCEPT    fw     net    tcp    53
ACCEPT    fw     net    udp    53
# Accept DNS connection from LAN to the firewall
ACCEPT    loc    fw     tcp    53
ACCEPT    loc    fw     udp    53
# SSH
ACCEPT    loc    fw     tcp    22
ACCEPT    loc    dmz    tcp    22
ACCEPT    fw     dmz    tcp    22
ACCEPT    fw     loc    tcp    22
# DMZ DNS access to the Internet
ACCEPT    dmz    net    tcp    53
ACCEPT    dmz    net    udp    53
# Make ping work bi-directionally
ACCEPT    net    fw     icmp   8
ACCEPT    loc    fw     icmp   8
ACCEPT    dmz    fw     icmp   8
ACCEPT    loc    dmz    icmp   8
ACCEPT    dmz    loc    icmp   8
ACCEPT    dmz    net    icmp   8
ACCEPT    fw     loc    icmp   8
ACCEPT    fw     dmz    icmp   8
# SMTP mail server (inside LAN)
DNAT      net    loc:192.168.1.10    tcp    25

Thank you in advance for your help.
To Tom Eastep, thank you very much for your previous help. It really stops me banging my head :)

--Lito

-------------------------------------------------
This mail sent through IMP: www-mail.usyd.edu.au
On Tue, 11 Nov 2003, Lito Kusnadi wrote:

> Hi, I am installing shorewall in an environment with multiple live IPs for the
> first time ever. LAN (loc zone) can access internet (net zone).
> However, I have several problems:
> 1. I can't ping my DMZ from LAN, even though I have specified rules for that.
> 2. I can't DNAT incoming from internet to the DMZ.
>
> Situation:
> a. A mail server is in the LAN (planned to be moved to DMZ, but currently stays
> in LAN).
> b. A web server is planned to be stationed in the DMZ.
> c. The web server has content (servlet) that points to 2 IP addrs: 202.3.93.93,
> and 202.3.93.92.
>
> Having read the shorewall instruction for multiple IP, I'd like to ask several
> questions:
> a. How can you tell if a set of IPs is routed or not?

I'd consider asking my ISP if they are routing all of my IP addresses through a single address or not. Given that your external subnet appears to be a /29 and you have configured 5 IP addresses, I would think that your setup is routed through 192.168.93.90 or .94.

206.7.93.88    - Network Address
206.7.93.89    - ISP's router
206.7.93.90-94 - Your IP addresses
206.7.93.95    - Broadcast

This would be the setup for 206.7.93.88/29.

> b. if I have the following IPs:
> 202.3.93.89 ADSL gateway
> 202.3.93.90 eth0 firewall
> 202.3.93.91 eth0:0 firewall
> 202.3.93.92 eth0:1 firewall
> 202.3.93.93 eth0:2 firewall
> 202.3.93.94 eth0:3 firewall
> Current domain name points to 202.7.93.93. Is it correct to set the masq as
> 202.7.93.93 for the LAN going to the internet? And for the masq of DMZ to
> internet (the web server) what should I masquerade as?

Why are you masquerading at all? If your setup is routed, you don't need to use proxy ARP OR define the extra IP addresses on your external interface.

> c. Since I am setting the IP manually so that eth0 has several aliases,
> disregarding the setting of proxyarp file is correct, right? As to my
> understanding, proxyarp is set to avoid manually setting up the aliases.
>

Again, you don't need to do either if your ISP is routing your other 4 IP addresses through one of the 5. On the other hand, if you want to place hosts with public IP addresses in your DMZ then Shorewall Proxy ARP will work ok for you to set up the host routes; just place "No" in the "HAVE ROUTE" column.

You need to determine the configuration of your assigned addresses first regarding routed/non-routed. And I suggest that you read the Setup Guide again because you obviously missed a bit the first time.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom:

Thank you for your prompt reply.
Have checked and the IP class I was assigned to is "routed".

Your example from the multiple IP documentation mentioned about using Live IP in the internal LAN with the "routed" IP. And I learned in the SNAT section for the "non-route" is using RFC1918 classes.

I think my setup is lots simpler than the example:
a. LAN IP: 192.168.1.0/24
b. Internet addr: 202.7.93.90 (eth0, routed through here)
                  202.7.93.91 (eth0:0)
                  202.7.93.92 (eth0:1)
                  202.7.93.93 (eth0:2)
                  202.7.93.94 (eth0:3)
c. DMZ: 192.168.2.0/24

As you see, it is something in between the "routed" and "non-routed" example.

So as a start, I am adopting the example of 3 interfaces for shorewall. And as you suggested, I tried without masquerade, my LAN can't even browse the internet. So conclusion: I need the masquerade set.

QUESTION: What I don't understand is why the DMZ can't be connected (ie. ping) from LAN or from the internet via DNAT?

I have tried:
a. DNAT net dmz:192.168.2.2 tcp www, when telnet to port 80 from outside, it said "connection refused".
b. ACCEPT loc dmz icmp 8, it doesn't give any reply when ping from LAN.
c. put: loc dmz ACCEPT ULOG, in the policy, try to ping from LAN, still doesn't work.

Here's what works so far:
a. DNAT from internet to LAN, working.
b. Open port in firewall (ie telnet) to internet or LAN, working.
c. ping DMZ from firewall.

Thank you.
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Tuesday, November 11, 2003 5:48 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] Multiple live IP, can't access DMZ?

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Tue, 11 Nov 2003, Lito Kusnadi wrote:

> Tom:
> Thank you for your prompt reply.
> Have checked and the IP class I was assigned to is "routed".
>
> Your example from the multiple IP documentation mentioned about using
> Live IP in the internal LAN with the "routed" IP. And I learned in the
> SNAT section for the "non-route" is using RFC1918 classes.
>

The documentation also talks about static NAT and Proxy ARP -- you should have also paid attention to those sections.

> I think my setup is lots simpler than the example:
> a. LAN IP: 192.168.1.0/24
> b. Internet addr: 202.7.93.90 (eth0, routed through here)
>                   202.7.93.91 (eth0:0)
>                   202.7.93.92 (eth0:1)
>                   202.7.93.93 (eth0:2)
>                   202.7.93.94 (eth0:3)
> c. DMZ: 192.168.2.0/24
>

Well, if you are bound and determined to keep that configuration, then you are probably going to have to use static NAT for your DMZ. The thing is that it is totally unnecessary to add .91-.94 as aliased interfaces on your external interface; all traffic to those addresses will be sent to your firewall/router by your ISP's router without those addresses being present. With the addresses there, it forces you to use RFC 1918 addresses in both the local LAN and the DMZ.

> As you see, it is something in between the "routed" and "non-routed"
> example.

What you have is an IP configuration that really doesn't make sense and now you are trying to coerce Shorewall into fitting the way that you have configured your firewall's IP interfaces. Again, static NAT is the only sensible way to do that I believe. You will want to put "Yes" in the ALL INTERFACES column so that your local systems can access DMZ servers using their external IP address.

>
> So as a start, I am adopting the example of 3 interfaces for shorewall.

Which gets you off on exactly the wrong foot because that example is for people with ONE public IP address and you have just told us that you have 5. The three-interface example uses SNAT/MASQ (/etc/shorewall/masq) on the DMZ which is probably NOT what you want.

I personally would ignore the fact that the network is routed because a /29 is too small to effectively subdivide and I would set up the network just like the Shorewall Setup Guide advocates for 5 IP addresses. The ARP cache entries added by Proxy ARP won't be necessary but they won't get in your way like the aliased interfaces that you currently have are.

MY two sense worth.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 11 Nov 2003, Lito Kusnadi wrote:

> browse the internet. So conclusion: I need the masquerade set.
>
> QUESTION: What I don't understand is why the DMZ can't be connected (ie.
> ping) from LAN or from the internet via DNAT?
>
> I have tried:
> a. DNAT net dmz:192.168.2.2 tcp www, when telnet to port 80 from
> outside, it said "connection refused".
> b. ACCEPT loc dmz icmp 8, it doesn't give any reply when ping from LAN.
> c. put: loc dmz ACCEPT ULOG, in the policy, try to ping from LAN, still
> doesn't work.

If you "shorewall clear" can your local net connect to the DMZ host?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
I still can't ping host in the DMZ from the LAN when "shorewall clear" is executed.

My approach is probably wrong with the public interface, however the setting between LAN zone and DMZ zone should not be affected by that, should it?

I have done a 3-interface example with ONE live IP, and it works well (especially in relation to LAN can ping DMZ). I mimic the LAN-DMZ rule from this to the multiple live IP.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, November 12, 2003 1:31 AM
To: litomail@yahoo.com; Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Multiple live IP, can't access DMZ?
Tom:

Sorry to cause a hassle. I found out what the problem is. The host in the DMZ network doesn't have a correct gateway setting. The setting between LAN and DMZ has been always correct.
I will try the SNAT approach.
Thank you.

-Lito

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Lito Kusnadi
Sent: Wednesday, November 12, 2003 8:55 AM
To: 'Shorewall Users Mailing List'
Subject: RE: [Shorewall-users] Multiple live IP, can't access DMZ?
> Tom:
> Sorry to cause a hassle.
> I found out what the problem is. The host in the DMZ network doesn't
> have a correct gateway setting. The setting between LAN and DMZ has been
> always correct.
> I will try the SNAT approach.
> Thank you.
>

It's always good to keep in mind that not all connection problems are Shorewall configuration problems. "shorewall clear" totally removes Shorewall from the picture so when you still couldn't ping after "shorewall clear", that should have given you a clue (which apparently it did).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline        \ http://www.shorewall.net
Washington, USA   \ teastep@shorewall.net
Hi,

One very quick question for anyone:

As mentioned earlier, 5 live IP available, using static NAT with shorewall.
A webserver (192.168.2.2) is in DMZ
A mail server (192.168.1.10) is in LAN (weird, but that's how it is set.)
A domain name: www.abcd.net points to 202.7.93.93 (one of the 5 live IPs)
An MX record also points to 202.7.93.93.
Now, the web server has a servlet running, and there's a link that uses the URL http:202.7.93.92/servlet/ww0.b.b.c.Go?=demo. As you see 202.7.93.92 is one of the 5 live IP as well.

Question:
Using static NAT, in masq file:
Eth0    192.168.1.0/24    202.7.93.93
Eth0    192.168.2.2/32    202.7.93.93
Eth0    192.168.2.2/32    202.7.93.92

Note the first and second entries. Will they clash? And also the second and third entries, will they clash as well?

Thanks.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, November 12, 2003 12:53 AM
To: litomail@yahoo.com; Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Multiple live IP, can't access DMZ?
On Thu, 13 Nov 2003, Lito Kusnadi wrote:

> Hi,
>
> One very quick question for anyone:
>
> As mentioned earlier, 5 live IP available, using static NAT with
> shorewall.
>
> Question:
> Using static NAT, in masq file:
> Eth0    192.168.1.0/24    202.7.93.93
> Eth0    192.168.2.2/32    202.7.93.93
> Eth0    192.168.2.2/32    202.7.93.92
>
> Note the first and second entries. Will they clash? And also the second
> and third entries, will they clash as well?
>

Er -- static NAT doesn't use the /etc/shorewall/masq file; it uses the /etc/shorewall/nat file. Entries in /etc/shorewall/nat override conflicting entries in /etc/shorewall/masq.

One more time: Please read http://shorewall.net/shorewall_setup_guide.htm and notice that SNAT does *not* mean "static NAT" but rather means "Source NAT" and that there are separate entries in the index for these two facilities.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Thanks again Tom. Static NAT .. SNAT, very subtle naming. :)

Anyway, got that set up, with Static NAT this time. Everything works well.

Got little problem. Servlet on web server doesn't work.
It has been confirmed the servlet uses port 8034 and 8035.
The web server when requested will produce a homepage that will trigger a servlet load on the browser.
The server automatic load address is: http://202.7.93.92/servlet/ww0.da.da.da
As you can see the web server in the DMZ is calling live IP.

As a test, I can't, for example, from the dmz telnet port 8034/8035 to 202.7.93.93 or telnet port 8034/8035 of 202.7.93.9. So I think this might be the problem. (by the way, there's not many people using servlets behind shorewall as I can't find any faq from mailing list for that. Or maybe mine is the only one that doesn't work :)

Anyway, I already gave the rule to allow DMZ to go to the internet (see below, the *** sign)

What rule should I give to allow DMZ to contact the live IP of the firewall (202.7.93.92 and 202.7.93.93), especially port 8034 and 8035?

I also have tried:
DNAT    dmz    dmz:192.168.2.2    tcp    80
DNAT    dmz    dmz:192.168.2.2    tcp    8034
DNAT    dmz    dmz:192.168.2.2    tcp    8035
But to no avail. And sounds weird too.

By the way, with the transparent proxy rule I defined, DMZ contacting the internet shouldn't be passed through the proxy, right? It will go straight to the internet.

Here's the rule I have given:

/etc/shorewall/rules
# Allow rule configured with Static NAT
ACCEPT    net    loc:192.168.1.10    tcp    80
ACCEPT    net    loc:192.168.1.10    tcp    8034
ACCEPT    net    loc:192.168.1.10    tcp    8035
ACCEPT    net    dmz:192.168.2.2     tcp    80
ACCEPT    net    dmz:192.168.2.2     tcp    8034
ACCEPT    net    dmz:192.168.2.2     tcp    8035
# *** SHOULD GIVE DMZ ACCESS TO INTERNET BUT CONNECTION ALWAYS REFUSED
ACCEPT    dmz:192.168.2.2    net    tcp    8034
ACCEPT    dmz:192.168.2.2    net    tcp    8035
# Help LAN to view dmz web server
DNAT      loc    dmz:192.168.2.2    tcp    80      -    202.7.93.92,202.7.93.93
DNAT      loc    dmz:192.168.2.2    tcp    8034    -    202.7.93.92
DNAT      loc    dmz:192.168.2.2    tcp    8035    -    202.7.93.92
# DNS
ACCEPT    fw     net    tcp    53
ACCEPT    fw     net    udp    53
ACCEPT    loc    fw     tcp    53
ACCEPT    loc    fw     udp    53
ACCEPT    dmz    fw     tcp    53
ACCEPT    dmz    fw     udp    53
# Ping
ACCEPT    loc    fw     icmp    8
ACCEPT    dmz    fw     icmp    8
ACCEPT    loc    dmz    icmp    8
ACCEPT    dmz    loc    icmp    8
ACCEPT    dmz    net    icmp    8
ACCEPT    fw     loc    icmp    8
ACCEPT    fw     dmz    icmp    8
# Transparent proxy
REDIRECT  loc    3128    tcp    www    -    !202.7.93.93

/etc/shorewall/policy
loc    net    ACCEPT    ULOG
loc    dmz    ACCEPT    ULOG
fw     net    ACCEPT    ULOG
fw     loc    ACCEPT    ULOG
net    all    DROP      ULOG
all    all    REJECT    ULOG

/etc/shorewall/nat
202.7.93.93    eth0    192.168.1.10    No    No
202.7.93.92    eth0    192.168.2.2     No    No
202.7.93.91    eth0    192.168.1.5     No    No

/etc/shorewall/masq
eth0    192.168.1.0/24    202.7.93.90

/etc/shorewall/start
#Extra exclusion rule for transparent proxy
run_iptables -t nat -I loc_dnat -p tcp --dport www -d 202.7.93.92 -j RETURN

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:44:32:91:69 brd ff:ff:ff:ff:ff:ff
    inet 202.7.93.90/29 brd 202.7.93.95 scope global eth0
    inet 202.7.93.93/29 brd 202.7.93.95 scope global secondary eth0
    inet 202.7.93.92/29 brd 202.7.93.95 scope global secondary eth0
    inet 202.7.93.91/29 brd 202.7.93.95 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:44:6d:97:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:05:a4:4c:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth2

ip route show
202.7.93.88/29 dev eth0 scope link
192.168.2.0/24 dev eth2 scope link
192.168.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 202.7.93.89 dev eth0

Thanks a million for your help.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, November 13, 2003 9:14 PM
To: litomail@yahoo.com; Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Multiple live IP, can't access DMZ?
On Fri, 14 Nov 2003, Lito Kusnadi wrote:

> Got little problem. Servlet on web server doesn't work.
> It has been confirmed the servlet uses port 8034 and 8035.
> The web server when requested will produce a homepage that will trigger
> a servlet load on the browser.
> The server automatic load address is:
> http://202.7.93.92/servlet/ww0.da.da.da
> As you can see the web server in the DMZ is calling live IP.
>

All of this would have worked properly if you had followed my initial advice and used Proxy ARP. You didn't follow my advice and now you are seeing one of the many problems associated with NAT.

> As a test, I can't, for example, from the dmz telnet port 8034/8035 to
> 202.7.93.93 or telnet port 8034/8035 of 202.7.93.9. So I think this
> might be the problem. (by the way, there's not many people using servlets
> behind shorewall as I can't find any faq from mailing list for that. Or
> maybe mine is the only one that doesn't work :)
>
> Anyway, I already gave the rule to allow DMZ to go to the internet (see
> below, the *** sign)
>
> What rule should I give to allow DMZ to contact the live IP of the
> firewall (202.7.93.92 and 202.7.93.93), especially port 8034 and 8035?
>
> I also have tried:
> DNAT dmz dmz:192.168.2.2 tcp 80
> DNAT dmz dmz:192.168.2.2 tcp 8034
> DNAT dmz dmz:192.168.2.2 tcp 8035
> But to no avail. And sounds weird too.

You have to insert the horrible hack described in FAQ #2 (that FAQ describes this same situation only with the 'loc' zone rather than the 'dmz').

>
> By the way, with the transparent proxy rule I defined, DMZ contacting
> the internet shouldn't be passed through the proxy, right? It will go
> straight to the internet.
>

Correct.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom:

I am sorry that I might be missing the point you suggested.

What you meant by your previous advice is to use:
a. Static NAT
b. Proxy ARP
Please correct me if I am wrong.

However, due to the circumstance that I can't change the network layout
(i.e. dmz must be 192.168.2.x, lan: 192.168.1.x), I learnt that proxy
arp is not the way for me.

In the documentation, proxy arp is used if I address the host in the dmz
with one of the live IPs. But in this case, the dmz must be 192.168.2.x.
(Sorry if it sounds silly and coercing, but it's just the thing that
happens in life.)

By the way, when you mentioned "one of the NAT problems", here's the
interesting thing:
I did a static NAT to 2 hosts:
202.7.93.92 -----> 192.168.2.2 (dmz)
202.7.93.93 -----> 192.168.1.10 (lan)

I am able to telnet to the firewall's public IP from the lan (even from
192.168.1.10). I can't do that from the dmz. Below is the log file:

Nov 14 08:19:17 rock Shorewall:all2all:REJECT: IN=eth2 OUT= MAC=00:40:05:a4:4c:db:00:a0:24:56:9d:36:08:00 SRC=192.168.2.2 DST=202.7.93.93 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=36432 DF PROTO=TCP SPT=1092 DPT=80 SEQ=3511677117 ACK=0 WINDOW=5840 SYN URGP=0

I am trying to analyze what the difference is. Both are NATted. One
works, the other doesn't.

PS. For simplicity, I have changed the policy so that:
Dmz net ACCEPT ULOG
conforms with:
lan net ACCEPT ULOG

Thank you for your help and time.

-----Original Message-----
From: shorewall-users-bounces+lkus9013=mail.usyd.edu.au@lists.shorewall.net [mailto:shorewall-users-bounces+lkus9013=mail.usyd.edu.au@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, November 14, 2003 1:56 AM
To: litomail@yahoo.com; Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Multiple live IP, can't access DMZ?

On Fri, 14 Nov 2003, Lito Kusnadi wrote:

> Got a little problem. The servlet on the web server doesn't work.
> It has been confirmed the servlet uses ports 8034 and 8035.
> The web server, when requested, will produce a homepage that will trigger
> a servlet load in the browser.
> The server's automatic load address is:
> http://202.7.93.92/servlet/ww0.da.da.da
> As you can see, the web server in the DMZ is calling the live IP.
>

All of this would have worked properly if you had followed my initial
advice and used Proxy ARP. You didn't follow my advice and now you are
seeing one of the many problems associated with NAT.

> As a test, I can't, for example, from the dmz telnet to port 8034/8035 of
> 202.7.93.93 or telnet to port 8034/8035 of 202.7.93.9. So I think this
> might be the problem. (By the way, there aren't many people using servlets
> behind shorewall, as I can't find any FAQ from the mailing list for that. Or
> maybe mine is the only one that doesn't work :)
>
> Anyway, I already gave the rule to allow the DMZ to go to the internet (see
> below, the *** sign)
>
> What rule should I give to allow the DMZ to contact the live IPs of the
> firewall (202.7.93.92 and 202.7.93.93), especially ports 8034 and 8035?
>
> I also have tried:
> DNAT dmz dmz:192.168.2.2 tcp 80
> DNAT dmz dmz:192.168.2.2 tcp 8034
> DNAT dmz dmz:192.168.2.2 tcp 8035
> But to no avail. And it sounds weird too.

You have to insert the horrible hack described in FAQ #2 (that FAQ
describes this same situation only with the 'loc' zone rather than the
'dmz').

> By the way, with the transparent proxy rule I defined, the DMZ contacting
> the internet shouldn't be passed through the proxy, right? It will go
> straight to the internet.
>

Correct.

-Tom
On Fri, 14 Nov 2003, Lito Kusnadi wrote:

> Tom:
> I am sorry that I might be missing the point you suggested.
>
> What you meant by your previous advice is to use:
> a. Static NAT
> b. Proxy ARP
> Please correct me if I am wrong.
>

I said that if you persisted with defining all of your IPs as addresses
on your external interface then your only real choice was static
(one-to-one) NAT. I advocated Proxy ARP because there are many fewer
problems associated with it and there was a much better chance of your
getting it to work.

> However, due to the circumstance that I can't change the network layout
> (i.e. dmz must be 192.168.2.x, lan: 192.168.1.x), I learnt that proxy
> arp is not the way for me.
>
> In the documentation, proxy arp is used if I address the host in the dmz
> with one of the live IPs. But in this case, the dmz must be 192.168.2.x.
> (Sorry if it sounds silly and coercing, but it's just the thing that
> happens in life.)
>

Then FAQ #2 (in particular FAQ #2a) covers your situation.

> By the way, when you mentioned "one of the NAT problems", here's the
> interesting thing:
> I did a static NAT to 2 hosts:
> 202.7.93.92 -----> 192.168.2.2 (dmz)
> 202.7.93.93 -----> 192.168.1.10 (lan)
>
> I am able to telnet to the firewall's public IP from the lan (even from
> 192.168.1.10). I can't do that from the dmz. Below is the log file:
>
> Nov 14 08:19:17 rock Shorewall:all2all:REJECT: IN=eth2 OUT=
> MAC=00:40:05:a4:4c:db:00:a0:24:56:9d:36:08:00 SRC=192.168.2.2
> DST=202.7.93.93 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=36432 DF PROTO=TCP
> SPT=1092 DPT=80 SEQ=3511677117 ACK=0 WINDOW=5840 SYN URGP=0
>
> I am trying to analyze what the difference is. Both are NATted. One
> works, the other doesn't.

This has nothing to do with NAT -- you don't have a rule for allowing
port 80 from the dmz to the firewall.

If you are trying to redirect requests from the DMZ to 202.7.93.93 back
to the DMZ then that is what FAQ #2 is all about. The solution in FAQ #2
is a horrible evil hack. The 'real' solution involves setting up two
views via DNS such that internal clients resolve host names to internal
addresses and external clients resolve to the external addresses.

-Tom
On Fri, 14 Nov 2003, Tom Eastep wrote:

> > Nov 14 08:19:17 rock Shorewall:all2all:REJECT: IN=eth2 OUT=
> > MAC=00:40:05:a4:4c:db:00:a0:24:56:9d:36:08:00 SRC=192.168.2.2
> > DST=202.7.93.93 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=36432 DF PROTO=TCP
> > SPT=1092 DPT=80 SEQ=3511677117 ACK=0 WINDOW=5840 SYN URGP=0
> >
> > I am trying to analyze what the difference is. Both are NATted. One
> > works, the other doesn't.
>
> This has nothing to do with NAT -- you don't have a rule for allowing port
> 80 from the dmz to the firewall.

It is *your* expectation that NAT is going to work from the DMZ back to
the DMZ -- it won't. The result is that the above packet is being treated
as a dmz->fw connection request.

a) By default, Shorewall doesn't set up infrastructure to handle traffic
coming in on one <interface>:<network> back out to that same
<interface>:<network> (eth2:0.0.0.0/0 in your case). In 99.99% of cases,
that infrastructure isn't needed. The 'routeback' interface and hosts
options instruct Shorewall to create that infrastructure.

b) Even if the 'routeback' option is set for eth2, NAT won't work without
taking the additional steps outlined in FAQ #2. The reason for that is
that response packets won't go through the firewall where they can have
their IP headers altered back the way that the original requester
expects. The hack in FAQ #2 makes the redirected packets look like they
originated from the firewall so that responses will be directed back to
the firewall where that header rewriting can occur. So if you implement
this hack, please don't post to the list complaining that now all
redirected connections are being logged as coming from the firewall
rather than from the DMZ host that actually initiated them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
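The 'routeback' plus FAQ #2 arrangement Tom describes, written out for the DMZ case in this thread as an added illustration; this is not Tom's text or the FAQ's own example. It assumes the Shorewall 1.4 file layout of the time, the DMZ host and public address from the thread, and that 192.168.2.1 is the firewall's own address on eth2.

```text
# /etc/shorewall/interfaces -- 'routeback' lets traffic that arrives on
# eth2 be sent back out eth2, which Shorewall does not allow by default.
#ZONE   INTERFACE   BROADCAST   OPTIONS
dmz     eth2        detect      routeback

# /etc/shorewall/rules -- redirect DMZ requests for the web server's
# public address (202.7.93.92) back to the DMZ host itself. Columns:
# ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
DNAT    dmz     dmz:192.168.2.2     tcp     80      -   202.7.93.92
DNAT    dmz     dmz:192.168.2.2     tcp     8034    -   202.7.93.92
DNAT    dmz     dmz:192.168.2.2     tcp     8035    -   202.7.93.92

# /etc/shorewall/masq -- the "hack": rewrite the source of those
# redirected packets to the firewall's DMZ address (assumed 192.168.2.1)
# so the server's replies come back through the firewall, where the DNAT
# is undone. Without this the server answers the client directly from
# 192.168.2.2, and the client, which connected to 202.7.93.92, drops it.
# Side effect: the server and the Shorewall log see 192.168.2.1, not the
# real DMZ client, as the source of every redirected connection.
#INTERFACE   SUBNET            ADDRESS
eth2         192.168.2.0/24    192.168.2.1
```

The masq entry only touches packets that both arrive from and leave towards 192.168.2.0/24 on eth2, so ordinary DMZ-to-internet traffic is unaffected; split-view DNS, as Tom notes, avoids the whole hairpin.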