Dear Mr. Tom and all,
 
I am using Shorewall 1.3.14a.
My config is:
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
   Host 203.77.202.84 connected to eth1 added to ARP on eth0
   Host 203.77.202.85 connected to eth1 added to ARP on eth0
   Host 203.77.202.82 connected to eth1 added to ARP on eth0
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT loc fw tcp 21" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT net fw tcp smtp" added.
   Rule "ACCEPT net fw tcp 110" added.
   Rule "ACCEPT fw net tcp smtp" added.
   Rule "ACCEPT net loc:203.77.202.84 tcp 103" added.
   Rule "ACCEPT net loc:203.77.202.84 tcp 80" added.
   Rule "ACCEPT net loc:203.77.202.82 tcp 80" added.
   Rule "DROP net loc:203.77.202.84 tcp 25" added.
   Rule "DROP net loc:203.77.202.84 tcp smtp" added.
   Rule "ACCEPT net loc:203.77.202.85 tcp 5900" added.
   Rule "ACCEPT net loc:203.77.202.85 udp 5060" added.
   Rule "ACCEPT net loc:203.77.202.85 udp 5061" added.
   Rule "REJECT loc net:209.25.164.137 tcp 80" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy DROP for net to loc using chain net2all
   Policy ACCEPT for loc to fw using chain loc2fw
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 203.77.202.86
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
Policy:
loc             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
loc             fw              ACCEPT

ProxyARP:
203.77.202.84   eth1            eth0            No
203.77.202.85   eth1            eth0            No
203.77.202.82   eth1            eth0            No

I configured a webserver behind the firewall which has two IPs:
Local IP: 192.168.0.25 and real IP: 203.77.202.84
I can access 203.77.202.84 from outside my network, but I cannot access it within
my network using the real IP; I have to use 192.168.0.25. I want to use the real IP
from my network to access it. So tell me where to change the settings. Please help
me. I searched the archive but could not find an exact match.
 
My setup is:

eth0 connects directly to the Internet; eth1 is connected to a switch, and the other systems,
including the ones with the real IP/local IP, are connected to the same switch.
 
 
Thanks in Advance
Amit
 
		
---------------------------------
Do you Yahoo!?
Vote for the stars of Yahoo!''s next ad campaign!
Amit Patel wrote:
> Dear Mr. Tom and all,

Please do NOT copy me directly on Shorewall problem reports.

> I configured a webserver behind the firewall which has two IPs:
> Local IP: 192.168.0.25 and real IP: 203.77.202.84
> I can access 203.77.202.84 from outside my network, but I cannot access it
> within my network using the real IP; I have to use 192.168.0.25. I want to
> use the real IP from my network to access it. So tell me where to change
> the settings. Please help me. I searched the archive but could not find an
> exact match.

Although the setup is slightly different, the solution is given in FAQ #2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> Amit Patel wrote:
>> Dear Mr. Tom and all,
>
> Please do NOT copy me directly on Shorewall problem reports.
>
>> I configured a webserver behind the firewall which has two IPs:
>> Local IP: 192.168.0.25 and real IP: 203.77.202.84
>> I can access 203.77.202.84 from outside my network, but I cannot access
>> it within my network using the real IP; I have to use 192.168.0.25. I
>> want to use the real IP from my network to access it. So tell me where to
>> change the settings. Please help me. I searched the archive but could not
>> find an exact match.
>
> Although the setup is slightly different, the solution is given in FAQ #2.

Now that I've had my morning coffee, here's a better answer -- try specifying 'routeback' on your internal interface (eth1) in /etc/shorewall/interfaces and see if that doesn't do the job. If you still have problems, set 'newnotsyn' on that interface as well.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Respected Mr. Tom,

I applied the option in interfaces and got an error :(

1. Validating interfaces file...
   Warning: Invalid option (routeback) in record "loc eth1 192.168.0.255 routeback"

2. Validating interfaces file...
   Warning: Invalid option (newnotsyn) in record "loc eth1 192.168.0.255 newnotsyn"

Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Amit Patel wrote:
>>> Dear Mr. Tom and all,
>>
>> Please do NOT copy me directly on Shorewall problem reports.
>>
>>> I configured a webserver behind the firewall which has two IPs:
>>> Local IP: 192.168.0.25 and real IP: 203.77.202.84
>>> I can access 203.77.202.84 from outside my network, but I cannot access
>>> it within my network using the real IP; I have to use 192.168.0.25. I
>>> want to use the real IP from my network to access it. So tell me where
>>> to change the settings. Please help me. I searched the archive but could
>>> not find an exact match.
>>
>> Although the setup is slightly different, the solution is given in FAQ #2.
>
> Now that I've had my morning coffee, here's a better answer -- try
> specifying 'routeback' on your internal interface (eth1) in
> /etc/shorewall/interfaces and see if that doesn't do the job. If you still
> have problems, set 'newnotsyn' on that interface as well.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
Amit Patel wrote:
> Respected Mr. Tom,
>
> I applied the option in interfaces and got an error :(
>
> 1. Validating interfaces file...
>    Warning: Invalid option (routeback) in record "loc eth1 192.168.0.255 routeback"
>
> 2. Validating interfaces file...
>    Warning: Invalid option (newnotsyn) in record "loc eth1 192.168.0.255 newnotsyn"

Sorry -- I just noticed that you are running 1.3. Support for Shorewall 1.3 ended with the release of Shorewall 2.0 (March 14 of this year) so you are pretty much on your own. You will probably have to set the 'multi' option for eth1 and add a loc->loc rule for the traffic that you want to pass to the server but that's about all I remember about how this would work under 1.3.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Amit Patel wrote:
> Respected Sir,
>
> Thank you very much for your prompt reply. I applied the rules as below:
>
> Interfaces:
> net eth0 203.77.202.87
> loc eth1 192.168.0.255 multi
>
> Rules:
> ACCEPT loc loc:203.77.202.84 tcp 80
>
> and got this error:
>
> Jul 20 20:15:06 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.55 DST=203.77.202.84 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41143 DF PROTO=TCP SPT=2584 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>
> Now what to do??

Upgrade to a supported release and we'll try to help you.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
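The kernel log line Amit posted is the whole diagnosis of this thread: the packet came in on eth1 and netfilter wants to send it back out on eth1 (IN=eth1 OUT=eth1), which is exactly the "routeback" situation Tom describes, and it was rejected by the catch-all all2all chain because no loc->loc rule matched. The following parser is an added example, not part of the mailing-list thread or of Shorewall itself. It splits a Shorewall-prefixed netfilter log line into chain, action, key/value fields and bare flags, and marks entries whose IN and OUT interfaces are the same so they can be triaged separately from ordinary drops. The first sample line is copied from Amit's message; the second is constructed for the example and uses a documentation address as the source.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Shorewall 1.3 prefixes netfilter log messages with "Shorewall:<chain>:<action>:"
# (visible in the line Amit posted: "Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 ...").
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
# netfilter's own KEY=VALUE pairs; OUT= may legitimately be empty for INPUT traffic.
_KV = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")

# Sample log lines: the first is from the thread, the second is constructed for this example.
SAMPLE_LINES = [
    "Jul 20 20:15:06 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 "
    "SRC=192.168.0.55 DST=203.77.202.84 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41143 DF "
    "PROTO=TCP SPT=2584 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    # constructed: an inbound probe from the net zone dropped by the net2all policy chain
    "Jul 20 20:16:11 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=203.77.202.86 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]


@dataclass
class LogEntry:
    chain: str
    action: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)

    @property
    def hairpin(self) -> bool:
        # True when the packet entered and would leave on the same interface,
        # i.e. the "routeback" case this thread is about.
        ingress = self.fields.get("IN", "")
        return ingress != "" and ingress == self.fields.get("OUT", "")

    def explain(self) -> str:
        flow = (f"{self.fields.get('PROTO', '?')} {self.fields.get('SRC', '?')}:"
                f"{self.fields.get('SPT', '?')} -> {self.fields.get('DST', '?')}:"
                f"{self.fields.get('DPT', '?')}")
        if self.hairpin:
            # Traffic re-entering the zone it came from: needs the interface's
            # routeback option (or, on 1.3, 'multi' plus an explicit loc->loc rule)
            # and a rule/policy that permits it, per Tom's replies above.
            return (f"{self.action} in {self.chain}: {flow} re-enters {self.fields['IN']} "
                    f"(same-interface hairpin); check the interface routeback/multi option "
                    f"and the intra-zone rule for this destination")
        return f"{self.action} in {self.chain}: {flow} via IN={self.fields.get('IN', '')!r} OUT={self.fields.get('OUT', '')!r}"


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a Shorewall-prefixed netfilter log line, else None."""
    m = _PREFIX.search(line)
    if not m:
        return None  # not a Shorewall log line (e.g. sshd, cron)
    rest = line[m.end():]
    fields = {k: v for k, v in _KV.findall(rest)}
    # Bare tokens without '=' (DF, SYN, ACK, ...) are netfilter's flag markers.
    flags = {tok for tok in rest.split() if "=" not in tok}
    return LogEntry(m.group("chain"), m.group("action"), fields, flags)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count entries per (chain, action) and collect the hairpin ones for triage."""
    by_chain_action: Counter = Counter()
    hairpins: List[LogEntry] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        by_chain_action[(entry.chain, entry.action)] += 1
        if entry.hairpin:
            hairpins.append(entry)
    return {"by_chain_action": dict(by_chain_action), "hairpin": hairpins}


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_line(raw)
        if parsed:
            print(parsed.explain())
    print(summarize(SAMPLE_LINES)["by_chain_action"])
```

Run over a real /var/log/messages the summary separates the intra-zone rejects (which point at the interface option and a missing loc->loc rule) from the ordinary net2all drops, so the two are not mistaken for each other when reading the log.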