I have an access-IProm my isp that I configured my eth0 with.
And I also have an IP-range assigned from my ISP that will be used on my servers
connected to eth1. The IP-range is routed thru the access-IP.
This is how my configfiles look like. Internal everything seems to work but not
external.
/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
213.115.134.1 eth1 eth0 No
213.115.134.2 eth1 eth0 No
213.115.134.3 eth1 eth0 No
213.115.134.4 eth1 eth0 No
/etc/shorewall/interface
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918
dmz eth1 detect
/etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
fw net ACCEPT
fw dmz ACCEPT
net dmz REJECT info
net fw REJECT info
dmz fw ACCEPT
dmz net REJECT
/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
213.115.134.1 eth1 eth0 No
213.115.134.2 eth1 eth0 No
213.115.134.3 eth1 eth0 No
213.115.134.4 eth1 eth0 No
/etc/shorewall/rules
ACCEPT net dmz:213.115.134.4 tcp
smtp,domain,http,pop3,143,vnc,1000,47110
ACCEPT net dmz:213.115.134.1 tcp domain
ACCEPT net dmz:213.115.134.1 udp domain
ACCEPT net dmz:213.115.134.2 tcp domain
ACCEPT net dmz:213.115.134.2 udp domain
### ICMP Handling Rules ###
ACCEPT net dmz icmp 8
ACCEPT net fw icmp 8
ACCEPT dmz net icmp 8
/etc/shorewall/zones
#ZONE DISPLAY COMMENTS
net Net Internet
#loc Local Local networks
dmz DMZ Demilitarized zone
[root@ucsfw02 shorewall]# shorewall version
2.1.3
[root@ucsfw02 shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:22:39:02:1d brd ff:ff:ff:ff:ff:ff
inet 213.115.252.92/29 brd 213.115.252.95 scope global eth0
inet6 fe80::250:22ff:fe39:21d/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff39:21d/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:22:39:02:16 brd ff:ff:ff:ff:ff:ff
inet 213.115.134.30/27 brd 213.115.134.31 scope global eth1
inet6 fe80::250:22ff:fe39:216/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff39:216/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:22:c8:88:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.4.253/24 brd 192.168.4.255 scope global eth2
inet6 fe80::250:22ff:fec8:889d/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ffc8:889d/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root@ucsfw02 shorewall]# ip route show
213.115.134.1 dev eth1 scope link
213.115.134.2 dev eth1 scope link
213.115.134.3 dev eth1 scope link
213.115.134.4 dev eth1 scope link
213.115.252.88/29 dev eth0 scope link
213.115.134.0/27 dev eth1 scope link
192.168.4.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 213.115.252.92 dev eth0
=================================Joakim Hellström
Chief System Engineer
United Computer Systems Scandinavia AB
Klostergatan 56
S-582 23 Linköping, SWEDEN
Phone 1: +46 (0)13 13 97 92
Phone 2: +46 (0)13 13 96 00 (recep.)
Fax: +46 (0)13 13 97 35
GSM: +46 (0)708 13 97 35
URL: http://www.ucs.se <http://www.ucs.se/>
This e-mail is intended for the addressee(s) named above only. As this e-mail
may contain confidential or privileged information, if you are not the named
addressee(s) or the person responsible for delivering the message to the named
addressee(s), please telephone us immediately. The contents of this e-mail
should not be disclosed to any other person nor copies taken.
Hellström, Joakim wrote:> I have an access-IProm my isp that I configured my eth0 with. > > And I also have an IP-range assigned from my ISP that will be used on my servers connected to eth1. The IP-range is routed thru the access-IP. > > > > This is how my configfiles look like. Internal everything seems to work but not external.Have you verified that you don''t have a stale arp cache in the upstream router?> > > > /etc/shorewall/proxyarp > > #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT > > 213.115.134.1 eth1 eth0 No > > 213.115.134.2 eth1 eth0 No > > 213.115.134.3 eth1 eth0 No > > 213.115.134.4 eth1 eth0 No > > > > /etc/shorewall/interface > > #ZONE INTERFACE BROADCAST OPTIONS > > net eth0 detect norfc1918 > > dmz eth1 detect > > > > /etc/shorewall/masq > > #INTERFACE SUBNET ADDRESS PROTO PORT(S) > > eth0 eth1No! -- You don''t masquerade AND use Proxy ARP at the same time!!!! -Tom PS -- If you insist on running the development version of Shorewall, please post your questions on the development list. -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:>> >> /etc/shorewall/masq >> >> #INTERFACE SUBNET ADDRESS PROTO PORT(S) >> >> eth0 eth1 > > > No! -- You don''t masquerade AND use Proxy ARP at the same time!!!! >Actually, that''s not quite true. You *can* use Proxy ARP and Masquerade at the same time but you need to ensure that Masquerade doesn''t get applied to the Proxy ARP hosts. If your local network is 192.168.1.0/24, you would then have this in /etc/shorewall/masq: eth0 192.168.1.0/24 That way, you exclude your hosts in the local network that have public IP addresses. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hellström, Joakim wrote:> > /etc/shorewall/policy > > #SOURCE DEST POLICY LOG LIMIT:BURST > > fw net ACCEPT > > fw dmz ACCEPT > > > > net dmz REJECT info > > net fw REJECT info > > > > dmz fw ACCEPT > > dmz net REJECT > > > > > /etc/shorewall/rules > > ACCEPT net dmz:213.115.134.4 tcp smtp,domain,http,pop3,143,vnc,1000,47110Why is tcp DNS allowed to this host but not UDP DNS?> > > > ACCEPT net dmz:213.115.134.1 tcp domain > > ACCEPT net dmz:213.115.134.1 udp domain > > > > ACCEPT net dmz:213.115.134.2 tcp domain > > ACCEPT net dmz:213.115.134.2 udp domain > > > > ### ICMP Handling Rules ### > > ACCEPT net dmz icmp 8 > > ACCEPT net fw icmp 8 > > ACCEPT dmz net icmp 8 > > > > /etc/shorewall/zones > > #ZONE DISPLAY COMMENTS > > net Net Internet > > #loc Local Local networks > > dmz DMZ Demilitarized zoneIt also appears that your DMZ has no internet access for DNS lookup against domains for which you are not authoritative. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key