I have a scenario I hope someone can help me out with...

I have a range of public IP addresses, 203.xxx.59.106-114. I have 4 internet servers that need to communicate with internal servers/clients on 172.16.x.x/24 using port 80. These are Windows 2000 servers (no software firewall solution).

I have a 2-NIC Shorewall device at present and, as you know, I can only NAT port 80 to one internal server.

My immediate solution is to have 2 NICs in each Win2k server. External NICs 203.xxx.59.106,7,8,9. Internal NICs in a private subnet 192.168.1.0/24. And of course a 3rd NIC in the Shorewall box.

I'm not sure if this can be done within Shorewall.... anyone???

I (basically) only want to allow port 80 traffic coming from 172.16.15.x (my servers) into my network (reject the rest).
Try this page... http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

On Thursday 03 June 2004 02:41 pm, shakim@optusnet.com.au wrote:
> I have a scenario I hope someone can help me out with...
>
> I have a range of public IP addresses, 203.xxx.59.106-114.
> I have 4 internet servers that need to communicate with internal
> servers/clients on 172.16.x.x/24 using port 80. These are
> Windows 2000 servers (no software firewall solution).
>
> I have a 2-NIC Shorewall device at present and, as you know, I can
> only NAT port 80 to one internal server.
>
> My immediate solution is to have 2 NICs in each Win2k server.
> External NICs 203.xxx.59.106,7,8,9. Internal NICs in a private subnet
> 192.168.1.0/24. And of course a 3rd NIC in the Shorewall box.
> I'm not sure if this can be done within Shorewall.... anyone???
>
> I (basically) only want to allow port 80 traffic coming from
> 172.16.15.x (my servers) into my network (reject the rest).
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
shakim@optusnet.com.au wrote:
> I'm not sure if this can be done within Shorewall.... anyone???
>
> I (basically) only want to allow port 80 traffic coming from
> 172.16.15.x (my servers) into my network (reject the rest).

I've read your report several times and I'm still lost as to what problem you are describing.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> I'm not sure if this can be done within Shorewall.... anyone???

I would just use Proxy ARP in Shorewall, and filter to those endpoints. Or do a NAT between public/private IP. Take your pick; both setups work fine.
On Thu, 2004-06-03 at 21:38, Tom Eastep wrote:
> shakim@optusnet.com.au wrote:
> >
> > I'm not sure if this can be done within Shorewall.... anyone???
> >
> > I (basically) only want to allow port 80 traffic coming from
> > 172.16.15.x (my servers) into my network (reject the rest).
> >

Hi Tom

I think he means he only wants to allow traffic coming into his network on port 80 (http). If that is the case, the rule is the following.

Add the following in the /etc/shorewall/rules file:

ACCEPT net fw tcp 80

and remove most of the other rules you might have. Also, this is pretty simple and it's in the FAQ. And by default I believe Shorewall rejects anything else not in the file.

I think that answers your question.

Nick Sklav
Nick Sklav wrote:
>
> Hi Tom
>
> I think he means he only wants to allow traffic coming into his network
> on port 80 (http). If that is the case, the rule is the following.
>
> Add the following in the /etc/shorewall/rules file:
>
> ACCEPT net fw tcp 80
>

Nick,

You recommend opening TCP port 80 from the net to the firewall; J2 says that the original poster should consider Proxy ARP and John Anderson recommends aliased interfaces. Given this diversity of opinion, I stand by my assessment that the original post didn't define a problem clearly enough for any of us to solve it.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
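For reference, here is what the two approaches J2 mentions (Proxy ARP, or one-to-one NAT) look like as Shorewall configuration, combined with a rule that admits only TCP port 80 from the Internet, as Nick suggests. This is an added illustration, not configuration posted by anyone in the thread, and it assumes a 3-NIC Shorewall 2.x box with eth0 facing the Internet, eth1 the 172.16.x.x LAN and eth2 the four servers, the zone names net/loc/dmz, and the poster's own redacted address form 203.xxx.59.106 (the "xxx" octet is left as the poster wrote it). Under Proxy ARP the servers keep their public addresses on the eth2 side and need no second NIC; under NAT they use the 192.168.1.x addresses the poster planned.

```text
# /etc/shorewall/zones  (assumed layout; columns for Shorewall 2.x)
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Internal 172.16.x.x servers/clients
dmz     DMZ         The four web servers

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy  -- deny by default, log what is dropped
#SOURCE DEST        POLICY      LOG LEVEL
loc     net         ACCEPT
net     all         DROP        info
all     all         REJECT      info

# --- Option A: Proxy ARP (servers keep 203.xxx.59.106-109 on eth2) ---
# /etc/shorewall/proxyarp
#ADDRESS            INTERFACE   EXTERNAL    HAVEROUTE
203.xxx.59.106      eth2        eth0        No
203.xxx.59.107      eth2        eth0        No
203.xxx.59.108      eth2        eth0        No
203.xxx.59.109      eth2        eth0        No

# /etc/shorewall/rules  -- only TCP/80 from the Internet reaches each server
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  net     dmz:203.xxx.59.106      tcp     80
ACCEPT  net     dmz:203.xxx.59.107      tcp     80
ACCEPT  net     dmz:203.xxx.59.108      tcp     80
ACCEPT  net     dmz:203.xxx.59.109      tcp     80

# --- Option B: one-to-one NAT (servers use 192.168.1.106-109 on eth2) ---
# /etc/shorewall/nat  -- public address on eth0 mapped to a private server
#EXTERNAL           INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.xxx.59.106      eth0        192.168.1.106   no              no
203.xxx.59.107      eth0        192.168.1.107   no              no
203.xxx.59.108      eth0        192.168.1.108   no              no
203.xxx.59.109      eth0        192.168.1.109   no              no

# /etc/shorewall/rules  -- NAT is applied before filtering, so the rule
# names the private address as the destination
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  net     dmz:192.168.1.106       tcp     80
ACCEPT  net     dmz:192.168.1.107       tcp     80
ACCEPT  net     dmz:192.168.1.108       tcp     80
ACCEPT  net     dmz:192.168.1.109       tcp     80
```

Use one option or the other, not both. Because the policy file drops everything from net that no rule accepts, anything other than TCP/80 to those four addresses is discarded and logged, which is the "reject the rest" part of the original request. Note that the rules above say nothing about the poster's 172.16.15.x hosts: as Tom points out, the thread never makes clear whether those are meant as sources or destinations, so that part is left undefined here.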