Here are some of the files.... thanks in advance
At 10:13 PM 1/8/2004, you wrote:
>That's not all the files... zones, policy, rules, hosts, interfaces,
>masq..
>Just parts of files doesn't help either, could just be the order that
>your entries are in any of the files. I don't like to guess on what is in
>the rest of the files, makes for bad advice
>
>Jerry
>
>----- Original Message -----
>From: "kfliong" <kfliong@wofs.com>
>To: <shorewall-users@lists.shorewall.net>
>Sent: Thursday, January 08, 2004 04:36
>Subject: Fwd: Re: [Shorewall-users] Separating ipaddresses to zones
>
>
> >
> >
> > Sorry, there's actually 2 ports for 2 servers 192.168.10.3 and 192.168.10.2
> > with port 33334 and 33333 respectively.
> >
> >
> > Here is what I tried to do in the rules section :
> >
> >
> > DNAT net allaccess:192.168.10.2:33333 tcp 33333 -
> > DNAT net allaccess:192.168.10.3:33334 tcp 33334 -
> >
> >
> > allaccess is defined in the hosts file as:
> >
> >
> > allaccess eth0:192.168.10.0/28
> >
> >
> > But it doesn't work.
> >
> >
> > testing from another server outside of my LAN. That PC is actually my home
> > PC with dial-up connection.
> > my client (which is my home PC is connecting using direct IP address). This
> > ip (210.187.4.178) of mine is fixed for internet connection.
> >
> >
> > Thanks
> >
> >
> > >Date: Wed, 07 Jan 2004 23:12:51 -0600
> > >From: Jerry Vonau <jvonau@shaw.ca>
> > >Subject: Re: [Shorewall-users] Separating ipaddresses to zones
> > >To: kfliong <kfliong@wofs.com>
> > >
> > >
> > >Yea it's called DNAT in the docs...
> > >The clients that you are testing from are where??
> > >On the internet?? On the private lan??
> > >Are your local clients using a dns name to find the server??
> > >And what does it resolve to??
> > >
> > >This rule does not state an interface to use like shorewall does,
> > >and would allow from the local lan, while shorewall would not
> > >without the routeback option set... in your case in the hosts file...
> > >
> > > > iptables -t nat -A PREROUTING -p tcp -d 210.187.4.178 --dport 33334 -j DNAT
> > > > --to 192.168.10.2:33334
> > >The rule that you used below should work, except that it has a .3 (?)....
> > >Can I have a look at the files you modified?
> > >
> > >Jerry
> > >
> > > >
> > > > As you can figure, my server's internal ip is 192.168.10.2 and my
> > > > internet ip is 210.187.4.178. The internet is located on the same PC as the
> > > > firewall.
> > > >
> > > > Ah ha! I managed to get it to work by adding these lines manually into the
> > > > PREROUTING table. So, is it possible to put this into shorewall interface?
> > > > I am sure this feature is supported by shorewall.
> > > >
> > > > Thanks again for the great help.
> > > >
> > > > At 10:13 PM 1/7/2004, you wrote:
> > > >
> > > > >At this point, you're past the how can I....
> > > > >What service is this anyway??
> > > > >The order of what appears in the file is important....
> > > > >Can you post the info requested from:
> > > > >http://shorewall.net/support.htm
> > > > >
> > > > >I know that the interfaces are different in the
> > > > >hosts & interfaces examples I posted below.
> > > > >That was misleading, sorry.
> > > > >
> > > > >Jerry Vonau
> > > > >
> > > > >
> > > > >----- Original Message -----
> > > > >From: "kfliong" <kfliong@wofs.com>
> > > > >To: <shorewall-users@lists.shorewall.net>
> > > > >Sent: Wednesday, January 07, 2004 03:50
> > > > >Subject: Re: [Shorewall-users] Separating ipaddresses to zones
> > > > >
> > > > >
> > > > > > Thanks for the reply. Your reply really helped me to configure the firewall.
> > > > > >
> > > > > > But I am now stuck with port forwarding.
> > > > > >
> > > > > > I can't seem to forward them correctly. Here is what I did.
> > > > > >
> > > > > > under rules
> > > > > >
> > > > > > DNAT net allaccess:192.168.10.3 tcp 33334 -
> > > > > >
> > > > > >
> > > > > >
> > > > > > i want to forward port 33334 to 192.168.10.3 of allaccess interface.
> > > > > >
> > > > > > allaccess is defined in hosts as eth0:192.168.10.0/28
> > > > > >
> > > > > > should i put this instead?
> > > > > >
> > > > > > DNAT net allaccess:192.168.10.3:33334 tcp 33334 -
> > > > > >
> > > > > > If yes, then what about ports with range like this?
> > > > > >
> > > > > > DNAT net allaccess:192.168.10.3 tcp 33334:33344 -
> > > > > >
> > > > > >
> > > > > >
> > > > > > As usual, please remember to reply to kfliong@wofs.com.
> > > > > >
> > > > > > Thanks in advance.
> > > > > >
> > > > > > >Date: Tue, 06 Jan 2004 23:54:37 -0600
> > > > > > >From: Jerry Vonau <jvonau@shaw.ca>
> > > > > > >Subject: Re: [Shorewall-users] Separating ipaddresses to zones
> > > > > > >To: kfliong@wofs.com
> > > > > > >
> > > > > > >
> > > > > > >Off the top of my head...
> > > > > > >http://shorewall.net/Multiple_Zones.html
> > > > > > >then see: Parallel Zones
> > > > > > >
> > > > > > >Create 2 local zones... say loc and loc1 in the zones file..
> > > > > > >
> > > > > > >Say your local interface is eth1...
> > > > > > >- eth1 192.168.10.255
> > > > > > >
> > > > > > >Set the policy for the zones in the policy file.
> > > > > > >
> > > > > > >Too bad you have 1-16...
> > > > > > >In the hosts file define your zones...
> > > > > > >loc eth2:192.168.10.0/28
> > > > > > >loc eth2:192.168.10.16
> > > > > > >loc1 eth2:192.168.10.17
> > > > > > >loc1 eth2:192.168.10.18
> > > > > > >loc1 eth2:192.168.10.19
> > > > > > >loc1 eth2:192.168.10.20
> > > > > > >loc1 eth2:192.168.10.21
> > > > > > >loc1 eth2:192.168.10.22
> > > > > > >loc1 eth2:192.168.10.23
> > > > > > >loc1 eth2:192.168.10.24
> > > > > > >loc1 eth2:192.168.10.25
> > > > > > >loc1 eth2:192.168.10.26
> > > > > > >loc1 eth2:192.168.10.27
> > > > > > >loc1 eth2:192.168.10.28
> > > > > > >loc1 eth2:192.168.10.29
> > > > > > >loc1 eth2:192.168.10.30
> > > > > > >loc1 eth2:192.168.10.31
> > > > > > >loc1 eth2:192.168.10.32/27
> > > > > > >loc1 eth2:192.168.10.64/26
> > > > > > >loc1 eth2:192.168.10.128/25
> > > > > > >
> > > > > > >Then write your rules in the rules file...
> > > > > > >ACCEPT loc net tcp www
> > > > > > >
> > > > > > >Depending on where the proxy is, the method varies see...
> > > > > > >http://shorewall.net/Shorewall_Squid_Usage.html
> > > > > > >
> > > > > > >Changing the loc zone in the examples to loc1....
> > > > > > >
> > > > > > >Jerry Vonau
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >----- Original Message -----
> > > > > > >From: "kfliong" <kfliong@wofs.com>
> > > > > > >To: <shorewall-users@lists.shorewall.net>
> > > > > > >Sent: Tuesday, January 06, 2004 21:14
> > > > > > >Subject: [Shorewall-users] Separating ipaddresses to zones
> > > > > > >
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I am new to using shorewall. I have problem trying to configure it
> > > > > > > > to my specified needs. You see, currently I have iptables configured
> > > > > > > > such that my users are divided into a few "zones". We are using ip of
> > > > > > > > 192.168.10.x (255.255.255.0). So I separate the users into 3 categories.
> > > > > > > > Those with ip from 192.168.10.1 to .16 will be able to access everything.
> > > > > > > > Those with .17 to .255 will have their direct connections closed and can
> > > > > > > > only access internet from the proxy server.
> > > > > > > >
> > > > > > > > So, can I know how to put this into shorewall. I have looked in the
> > > > > > > > docs but can't seem to find anything that describes this. The closest
> > > > > > > > that I can find is something to do with using something like this
> > > > > > > > eth1:1 and eth1:2 but i can't figure out what it's about.
> > > > > > > >
> > > > > > > > I would appreciate any help and suggestions.
> > > > > > > >
> > > > > > > > BTW, I am not listed in the mailing list. So please make sure I get
> > > > > > > > your kind reply.
> > > > > > > >
> > > > > > > > Thanks in advance.
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Shorewall-users mailing list
> > > > > > > > Post: Shorewall-users@lists.shorewall.net
> > > > > > > > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > > > > > > > Support: http://www.shorewall.net/support.htm
> > > > > > > > FAQ: http://www.shorewall.net/FAQ.htm
> > > > > >
> > > > > > thanks
> > > > > >
> > > > > >
> > > >
> > > > thanks
> > > >
> > > >
> >
> > thanks
> >
> >
thanks
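The thread turns on two things: whether the hosts file really puts .1-.16 in one zone and .17-.255 in another, and whether a DNAT rule's DEST address actually belongs to the zone it names. The checker below is an added example, not code from the thread or from Shorewall; the hosts text is constructed from Jerry's proposed split, and it assumes that the first matching hosts entry in file order decides the zone.

```python
import ipaddress

# Constructed hosts file modelled on the split proposed in the thread:
# "loc" = 192.168.10.1-.16 (full access), "loc1" = .17-.255 (proxy only).
# The fifteen single-host loc1 lines (.17-.31) are generated, not typed out.
HOSTS = ("loc eth2:192.168.10.0/28\nloc eth2:192.168.10.16\n"
         + "".join(f"loc1 eth2:192.168.10.{i}\n" for i in range(17, 32))
         + "loc1 eth2:192.168.10.32/27\nloc1 eth2:192.168.10.64/26\n"
         + "loc1 eth2:192.168.10.128/25\n")


def parse_hosts(text):
    """(zone, interface, network) per entry; a bare address becomes a /32."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        zone, hostspec = line.split()[:2]
        iface, addr = hostspec.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(addr, strict=False)))
    return entries


def zone_for(ip, entries):
    """First matching entry's zone (assumption: file order decides) or None."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, _i, net in entries if addr in net), None)


def misplaced_hosts(entries, lan="192.168.10.0/24", boundary=17):
    """Addresses in `lan` that land in the wrong zone for the intended split
    (last octet below `boundary` -> loc, otherwise loc1). Empty list = OK."""
    bad = []
    for addr in ipaddress.ip_network(lan).hosts():
        want = "loc" if int(addr) & 0xFF < boundary else "loc1"
        if zone_for(str(addr), entries) != want:
            bad.append(str(addr))
    return bad


def dnat_target_in_zone(rule, entries):
    """For 'DNAT net allaccess:192.168.10.2:33333 tcp 33333 -', check that the
    DEST address really belongs to the zone the rule names."""
    action, _src, dest = rule.split()[:3]
    if action != "DNAT":
        raise ValueError("not a DNAT rule: " + rule)
    zone, ip = dest.split(":")[:2]
    return zone_for(ip, entries) == zone
```

Dropping the single `loc eth2:192.168.10.16` line makes `misplaced_hosts` report .16 as uncovered, which is the kind of off-by-one a /28 split invites.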