Hi, I'm running shorewall (# shorewall version 1.4.8) on a Red Hat 7.3. The
firewall does port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port, from another public IP, to another
server in the DMZ.
The primary is filtered like you can see in the rules file in this mail.
When I configure the secondary IP over eth0 (eth0:0), the IP is not recognized
by shorewall; I can ping, and do anything from outside over this IP. The
message log doesn't register any action.
I followed the instructions in this FAQ
(http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I cannot
forward the single port that I need.
To make it work, I do NAT over the secondary IP, and when I modified the file
NAT, shorewall started to recognize the secondary IP.
NAT works, but I need to forward only one port, and I can't.
In the rules file now I have commented out the specific rule that I tried.
Thanks for your help.
Marcelo
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
inet 200.61.163.217/29 brd 200.61.163.223 scope global eth0
inet 200.61.163.218/29 brd 200.61.163.223 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff
# ip route show
172.16.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 200.61.163.222 dev eth0
FILE ZONES
#ZONE DISPLAY COMMENTS
net Net Internet
dmz DMZ Demilitarized zone
loc Local Local networks
FILE INTERFACES
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 -
dmz eth1 - routeback
FILE NAT
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
200.61.163.218 eth0:0 172.16.1.11 yes no
FILE MASQ
eth0 eth1
FILE RULES
# Accept DNS
ACCEPT $FW net udp 53 -
ACCEPT dmz net udp 53 -
ACCEPT dmz $FW udp 53 -
ACCEPT dmz $FW:200.61.163.217 icmp - -
ACCEPT $FW net tcp - -
ACCEPT dmz $FW tcp 22
ACCEPT dmz $FW udp 22 -
#Forward ports 143,993,110,995,81,135,80
ACCEPT net $FW:200.61.163.217 tcp ,143,993,110,995,81,135,80 -
DNAT net dmz:172.16.1.15 tcp 143,993,110,995,81,135,80 -
ACCEPT net $FW:200.61.163.217 udp 143,993,110,995,81,135,80 -
DNAT net dmz:172.16.1.15 tcp 143,993,110,995,81,135,80 -
#Forward port 25
#ACCEPT net $FW:200.61.163.218 tcp 25 -
#DNAT net dmz:172.16.1.11 tcp 25 - 200.61.163.218
#ACCEPT net $FW:200.61.163.218 udp 25 -
#DNAT net dmz:172.16.1.11 udp 25 -
FILE POLICY
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
dmz net ACCEPT -
dmz $FW ACCEPT -
$FW net ACCEPT -
$FW dmz ACCEPT -
net all REJECT info
net $FW REJECT info
all all REJECT info
Hello,
Ok. I think you need to start over here. I am sure you spent time with the
documentation, but may have missed some stuff.
Mainly, I think you should investigate proxyarp more closely.
If you have a specific reason for not using proxyarp, let me know and I will
help sort out the configuration you have shown below. There are many errors in
your configs below for a port-forwarding type setup.
As I am saying, I would use proxy arp so that the hosts in the dmz have public
ips. This way you do not have to screw with port forwarding, as proxyarp will
make this transparent simply using ACCEPT rules. To use this, you assign a
public ip to each of the dmz hosts themselves, then using
/etc/shorewall/proxyarp, you instruct the firewall to forward traffic to the
proxyarp'ed addresses from its external public interface to the dmz
interface.
Read this:
http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP
This is great, makes for MUCH simpler configuration.
I would start with a FRESH shorewall install, following the three interface
guide:
http://www.shorewall.net/three-interface.htm
And using the three interface sample files:
http://www.shorewall.net/pub/shorewall/Samples/samples-1.4.8/three-interfaces.tgz
Leave the default policy that this guide uses in place.
NOTE that the three interface guide is based on ONE public ip.
This means that you will need to modify /etc/shorewall/masq so that your dmz
interface is not masqueraded.
Also, you need to add the appropriate /etc/shorewall/proxyarp entries.
Also, using proxyarp, you DO NOT add ip aliases to the public firewall
interface. Shorewall takes care of this by proxying arp requests, again read
about proxyarp.
Then, using proxyarp, to accept port 25 to one dmz server, and say http traffic
to another dmz server, you use rules like:
ACCEPT net dmz:(dmz_server1_public_ip) tcp 25
ACCEPT net dmz:(dmz_server2_public_ip) tcp 80
No more confusing nat.
One more thing, I think that some of your rules are confused. For example, for
DNS service,
you allow tcp AND (probably) udp traffic on port 53.
For ssh, you only need to accept tcp port 22. Not udp 22 as well. Etc.
See http://www.shorewall.net/ports.htm
Again, let me know if proxyarp is not a viable solution for you, and I will help
you sort out the port forwarding setup.
If you want to continue with the port forwarding setup, take a look at this:
http://www.shorewall.net/CorpNetwork.htm
It has some examples for proper /etc/shorewall/nat entries, etc, that would
correct some errors you have made. Also has a proxyarp example. Also, it uses
one-to-one nat, with no DNAT rules, which is what you need to do if you use port
forwarding and not proxyarp.
Please let me know where you are at, as I would like to learn from your
progress.
Thanks,
Alex Martin
http://www.rettc.com
----- Original Message -----
From: "Marcelo Mujica" <mfmujic@eit.com.ar>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Alex, thanks for your response.
I'm talking about using proxy arp with public addresses in the DMZ, but I got some resistance..., because I said, before, that port forwarding was the better option and now I have to change the config.
On another note, maybe I'd like to know how to do port forwarding the correct way (not with the errors that you detected). To learn, I'd appreciate it if you want to correct me.
Otherwise I'm going to try proxy arp on another test server.
Again, thanks for your quick response.
Marcelo
On Thu, 2003-12-04 at 10:26, Marcelo Mujica wrote:
> On another note, maybe I'd like to know how to do port forwarding the correct way (not with the errors that you detected).
To forward just one port, you will have to create the alias manually, then just use a DNAT rule.
DNAT net dmz:<internal ip> <proto> <port> - <alias addr>
But of course that is described on the page that you already referred to:
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hi Tom,
I saw a hint on the website about round robin of services and aliased interfaces, but it is not clear whether that hint covers my question.
I need to distribute client requests for a particular service on one interface, say eth0, to a number of servers on the other side of the firewall in a round robin fashion. I'd appreciate more light.
Thank you
Ama
On Thu, 2003-12-04 at 11:22, Ama Kalu wrote:
> I need to distribute client requests for a particular service on one interface, say eth0, to a number of servers on the other side of the firewall in a round robin fashion.
DNAT net loc:<server list> <proto> <port>
The <server list> is a comma-separated list of IP ranges and/or host IP addresses.
There is a minimum version of Shorewall required (1.4.7 or 1.4.8 -- I don't recall; check the News Archive).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Thu, 2003-12-04 at 11:22, Ama Kalu wrote:
Thanks a lot, I'll try this out shortly
Ama
Ok. For starters,
/etc/shorewall/nat does not need an entry if you are only port forwarding. I
think you should look into one-to-one nat, to at least understand the difference
between this and port forwarding. See:
http://www.shorewall.net/Documentation.htm#NAT
/etc/shorewall/masq is masquerading your eth1 interface, which you don't want to
do, unless you have hosts you want to masquerade other than just the two
addresses you are trying to port forward to. You have labeled this zone dmz, so
I by definition think that you have only these two hosts, but I could be wrong.
/etc/shorewall/rules: one thing is that you are accepting traffic to the
firewall before dnat'ing to the hosts you want to port forward to. This is not
necessary (unless you really want to provide access to all those services on
your firewall from the net). The dnat rule takes care of the firewall's
acceptance of traffic.
Also, the dnat rules need an entry in the 'original destination' column. This is
important!
Last, look at this: http://www.shorewall.net/ports.htm
You have some extra udp allowances in some cases, and you probably want to add
udp allowances in other cases.
/etc/shorewall/policy: You added a bunch of stuff (probably to try to get things
to work). This is killing many log entries you would see normally. I would start
with a fresh copy of the policy file and leave it in its default state. In most
cases, the policy need not be changed from the default policy for whatever setup
guide you are following.
Have a go at this and tell me what you find out.
Alex Martin
http://www.rettc.com
----- Original Message -----
From: "Marcelo Mujica" <mfmujic@eit.com.ar>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing
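The problems Alex lists above (ACCEPT to $FW ahead of the DNAT, DNAT rules with an empty ORIGINAL DEST on an interface that carries two public addresses, udp allowances for tcp-only services, masquerading the dmz interface) and the DNAT form Tom gives earlier in the thread can all be checked mechanically before "shorewall restart". The Python script below is an added example, not Shorewall's own code and not written by anyone in the thread. It reads the 1.4-style rules, interfaces and masq files as plain text and reports those issues; it also catches the identical DNAT line pasted twice and the stray leading comma in the port list that appear in Marcelo's rules file. It assumes the 1.4 rules column order ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, a constructed table of tcp-only ports (a subset of ports.htm), and the two public addresses from Marcelo's "ip addr show"; the sample files it runs on are constructed from the lines posted in the thread.

```python
"""Static checks for a Shorewall 1.4 port-forwarding configuration (added example,
not Shorewall's code). Assumes the 1.4 rules column order ACTION SOURCE DEST PROTO
DEST-PORT SOURCE-PORT ORIGINAL-DEST; only numeric ports and low:high ranges."""

# Services that use tcp only, so a udp allowance for them is pointless. Constructed
# subset of http://www.shorewall.net/ports.htm (ssh, smtp, http, pop3, imap, TLS variants).
TCP_ONLY_PORTS = {22, 25, 80, 110, 143, 993, 995}
RULE_COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest"]

def _fields(raw):
    """Drop a trailing comment and split one config line into columns."""
    return raw.split("#", 1)[0].split()

def _is_port(p):
    """Numeric port or low:high range; service names are out of scope here."""
    return p != "" and all(part.isdigit() for part in p.split(":"))

def parse_rules(text):
    """Parse a rules file into dicts keyed by column name; missing columns read '-'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = _fields(raw)
        if not fields:
            continue
        fields += ["-"] * (len(RULE_COLUMNS) - len(fields))
        rule = dict(zip(RULE_COLUMNS, fields))
        rule["lineno"] = lineno
        rule["ports"] = [] if rule["dport"] == "-" else rule["dport"].split(",")
        rules.append(rule)
    return rules

def check_rules(text, public_addrs):
    """Return (lineno, code, message) findings; public_addrs are the external interface's addresses."""
    rules = parse_rules(text)
    forwarded = {(r["proto"], p) for r in rules if r["action"] == "DNAT" for p in r["ports"]}
    findings, seen = [], {}
    for r in rules:
        n, ports = r["lineno"], r["ports"]
        # ",143,993" style lists: an empty or non-numeric element is a typo
        if any(not _is_port(p) for p in ports):
            findings.append((n, "PORTLIST", "malformed port list %r" % r["dport"]))
        # Tom's form: DNAT net dmz:<internal ip> <proto> <port> - <alias addr>
        if r["action"] == "DNAT" and len(public_addrs) > 1 and r["origdest"] not in public_addrs:
            findings.append((n, "ORIGDEST", "DNAT needs its public address in ORIGINAL DEST"))
        # ACCEPT net -> $FW for ports that are DNATed anyway only exposes the firewall
        if r["action"] == "ACCEPT" and r["source"] == "net" and r["dest"].startswith("$FW"):
            overlap = [p for p in ports if (r["proto"], p) in forwarded]
            if overlap:
                findings.append((n, "FW_ACCEPT", "ports %s are DNATed; this ACCEPT also opens them on the firewall" % ",".join(overlap)))
        # udp allowances for tcp-only services (udp 22 for ssh and the like)
        if r["proto"] == "udp":
            bad = [p for p in ports if p.isdigit() and int(p) in TCP_ONLY_PORTS]
            if bad:
                findings.append((n, "UDP", "udp %s: these services are tcp only" % ",".join(bad)))
        # the same rule pasted twice
        key = tuple(r[c] for c in RULE_COLUMNS)
        if key in seen:
            findings.append((n, "DUP", "identical to line %d" % seen[key]))
        seen.setdefault(key, n)
    return findings

def check_masq(masq_text, interfaces_text):
    """Flag a masq entry whose SUBNET column is the interface of the dmz zone."""
    zone_of = {}
    for raw in interfaces_text.splitlines():
        fields = _fields(raw)
        if len(fields) >= 2:
            zone_of[fields[1]] = fields[0]
    findings = []
    for lineno, raw in enumerate(masq_text.splitlines(), 1):
        fields = _fields(raw)
        if len(fields) >= 2 and zone_of.get(fields[1]) == "dmz":
            findings.append((lineno, "MASQ_DMZ", "masquerades dmz interface %s; drop unless other dmz hosts need it" % fields[1]))
    return findings

# Constructed copies of the relevant lines of the rules file posted in the thread.
BROKEN_RULES = """\
ACCEPT dmz $FW tcp 22
ACCEPT dmz $FW udp 22 -
ACCEPT net $FW:200.61.163.217 tcp ,143,993,110,995,81,135,80 -
DNAT net dmz:172.16.1.15 tcp 143,993,110,995,81,135,80 -
ACCEPT net $FW:200.61.163.217 udp 143,993,110,995,81,135,80 -
DNAT net dmz:172.16.1.15 tcp 143,993,110,995,81,135,80 -
"""
# The same forwarding in Tom's form: one DNAT per public address, no ACCEPT to $FW, no udp.
FIXED_RULES = """\
ACCEPT dmz $FW tcp 22
DNAT net dmz:172.16.1.15 tcp 143,993,110,995,81,135,80 - 200.61.163.217
DNAT net dmz:172.16.1.11 tcp 25 - 200.61.163.218
"""
INTERFACES = "net eth0 -\ndmz eth1 - routeback\n"
PUBLIC_ADDRS = ["200.61.163.217", "200.61.163.218"]  # from the thread's ip addr show

if __name__ == "__main__":
    for n, code, msg in check_rules(BROKEN_RULES, PUBLIC_ADDRS) + check_masq("eth0 eth1\n", INTERFACES):
        print("line %d %-9s %s" % (n, code, msg))
```

Run against BROKEN_RULES it reports seven findings (udp 22, the malformed port list and the redundant ACCEPT on line 3, the two DNAT lines without ORIGINAL DEST, the udp copy of the tcp-only port list, and the duplicated DNAT line); FIXED_RULES passes clean, and with a single public address the ORIGDEST check is skipped because Shorewall does not need the column then.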
This isn't a Shorewall issue, but I was talking to a friend who has been using this anti-spam method called "graylisting." Basically, it's a middle way between blacklisting and whitelisting. He said he has gotten one spam in the past three weeks. It's also been discussed on the Austin PERL Mongers list. Here is a link to a paper discussing it. It sounds very workable. I know you're busy, but it's certainly worth looking into. We're all in the spam war together.
http://projects.puremagic.com/greylisting/
===================================================
Chris Baker -- technical specialist
614-839-2447x108
cbaker@bbbscentralohio.org
www.bbbscentralohio.org
Big Brothers Big Sisters of Central Ohio
Opinions expressed in this e-mail are solely my own.