Hello, I have installed Shorewall 2.0b with three interfaces and squid-proxy. Also, I have an internal DNS server running on the same server where I have my web page. Connections from the internet can view my web pages, but not my internal users if I configure the browser to use squid. Without squid everything is OK. Here is my shorewall configuration:

/etc/shorewall/rules:

REDIRECT loc 8080 tcp www - -
DNAT net dmz:192.168.1.136 tcp 3000 - -
DNAT loc dmz:192.168.1.136 tcp 3000 - -
#
# Accept DNS connections from the firewall to the Internet
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT loc fw tcp 22
#ACCEPT loc dmz tcp 22
#
# DMZ DNS access to the Internet
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8

/etc/shorewall/policy:

loc net ACCEPT
loc fw ACCEPT
loc loc ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw dmz ACCEPT
fw loc ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
dmz net ACCEPT
dmz fw ACCEPT
dmz loc ACCEPT
net all DROP info
all all REJECT info

Can anyone tell me what I am doing wrong? Thank you.
On 23 Mar 2004 at 18:09, Javier Pardo wrote:

> Hello, I have installed Shorewall 2.0b with three interfaces and squid-proxy.
> Also, I have an internal DNS server running on the same server where I have my web page.
> Connections from the internet can view my web pages, but not my internal users if I configure the browser to use squid. Without squid everything is OK.

Did you try FAQ #2 on the Shorewall site???

-- 
John S. Andersen
NORCOM / Juneau, Alaska
mailto:JAndersen@norcomsoftware.com
http://www.screenio.com/
(907) 790-3386
Javier Pardo wrote:

> Can anyone tell me what I am doing wrong?

You need to enable www connections from your firewall to the local server.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Yes, I have tried it, but it doesn't work.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of John S. Andersen
Sent: Tuesday, 23 March 2004 20:47
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] RV: cannot view internal webs

> Did you try FAQ #2 on the Shorewall site???
Javier Pardo wrote:

> Yes, I have tried it, but it doesn't work.

Javier,

We're going to need more information than 'doesn't work' if you want our help.

a) What zone is the local web server in?

b) From the firewall, when resolving the DNS name for this server, is the firewall's external interface IP address returned, or is it the local IP address of the server?

c) From the set of rules and policies you sent, it is very unclear to me how external clients can view your web site, since I see no way for connections to port 80 to be allowed from the net zone. Is your web server listening on port 3000?

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hello,

a) The local web server is in dmz
d) external interface IP address
c) Yes, my web server is listening on port 3000

Thanks a lot.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Tom Eastep
Sent: Wednesday, 24 March 2004 16:05
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] RV: cannot view internal webs

> a) What zone is the local web server in?
> b) From the firewall, when resolving the DNS name for this server, is the firewall's external interface IP address returned, or is it the local IP address of the server?
> c) [...] Is your web server listening on port 3000?
Javier Pardo wrote:

> Hello,
>
> a) The local web server is in dmz
> d) external interface IP address
> c) Yes, my web server is listening on port 3000

So from the local zone, your clients are attempting to connect to http://www.yourdomain.com:3000 ??

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Yes, but I have solved the problem by installing a DNS server on my web server.

Thanks a lot.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Tom Eastep
Sent: Wednesday, 24 March 2004 16:58
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] RV: cannot view internal webs

> So from the local zone, your clients are attempting to connect to http://www.yourdomain.com:3000 ??
Javier Pardo wrote:

> Yes, but I have solved the problem by installing a DNS server on my web server.

You could have also placed this rule:

DNAT loc dmz:192.168.1.136:3000 tcp 80 - <your external ip>

before your REDIRECT rule. That way, your internal clients can connect to port 80 using the external IP address.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On 24 Mar 2004 at 8:50, Tom Eastep wrote:

> Javier Pardo wrote:
> > Yes, but I have solved the problem by installing a DNS server on my web server.
>
> You could have also placed this rule:
>
> DNAT loc dmz:192.168.1.136:3000 tcp 80 - <your external ip>
>
> before your REDIRECT rule. That way, your internal clients can connect to port 80 using the external IP address.

Tom: Is this in addition to or in place of routeback?

-- 
John S. Andersen
NORCOM / Juneau, Alaska
mailto:JAndersen@norcomsoftware.com
http://www.screenio.com/
(907) 790-3386
John S. Andersen wrote:

> On 24 Mar 2004 at 8:50, Tom Eastep wrote:
>
> > Javier Pardo wrote:
> >
> > > Yes, but I have solved the problem by installing a DNS server on my web server.
> >
> > You could have also placed this rule:
> >
> > DNAT loc dmz:192.168.1.136:3000 tcp 80 - <your external ip>
> >
> > before your REDIRECT rule. That way, your internal clients can connect to port 80 using the external IP address.
>
> Tom: Is this in addition to or in place of routeback?

Javier's server is in the dmz zone, so there is no routeback involved.

-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
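The rule Tom gives above, written out as a complete /etc/shorewall/rules fragment with the REDIRECT and the net-side DNAT from Javier's original post, so the ordering point is visible. This is an added illustration for this thread, not a file from the Shorewall project or from either poster; the external address 203.0.113.10 is an assumed placeholder for "<your external ip>", and the Shorewall 2.0 column layout (ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST) is taken from that release's rules file format.

```text
#ACTION   SOURCE   DEST                    PROTO  DEST    SOURCE  ORIGINAL
#                                                 PORT    PORT    DEST
#
# Hairpin for local clients. A loc client that connects to the published
# name (which, as Javier said, resolves to the external address; here the
# placeholder 203.0.113.10) on port 80 is forwarded to the DMZ server on
# port 3000. The ORIGINAL DEST column keeps the rewrite narrow: only port-80
# flows aimed at the external address are DNATed, everything else falls
# through to the REDIRECT below.
DNAT      loc      dmz:192.168.1.136:3000  tcp    80      -       203.0.113.10
#
# Transparent proxy for everything else. Shorewall rules match first-come,
# first-served, so this line must come AFTER the DNAT above: placed before
# it, it would catch every port-80 connection from loc (including those to
# the external address) and send them to squid, and the hairpin would never
# be reached.
REDIRECT  loc      8080                    tcp    www     -       -
#
# Published service for Internet clients, unchanged from the original post.
DNAT      net      dmz:192.168.1.136       tcp    3000    -       -
```

After editing, `shorewall check` validates the file before a `shorewall restart`, and `iptables -t nat -L PREROUTING -n` on the firewall shows the resulting nat entries in the order they will be tried. Two caveats follow directly from the thread: the hairpin only covers browsers that connect directly (a browser pointed at squid makes the server connection from squid on the firewall itself, which is the fw zone and is not matched by a `loc` rule), and, as Tom notes, because the server sits in dmz rather than in loc, no routeback is involved; the alternative Javier actually used, an internal DNS server answering with the DMZ address, avoids the NAT hairpin entirely.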