What changes would I need to make if there is a 4th interface that is going to a DMZ?

Thanks
Gene
On Fri, 2004-11-19 at 15:00 -0600, Tuttle, Gene wrote:
> What changes would I need to make if there is a 4th interface that is going
> to a DMZ

It depends on how you have configured the DMZ.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2004-11-19 at 13:02 -0800, Tom Eastep wrote:
> On Fri, 2004-11-19 at 15:00 -0600, Tuttle, Gene wrote:
> > What changes would I need to make if there is a 4th interface that is going
> > to a DMZ
>
> It depends on how you have configured the DMZ.

If you masquerade your DMZ, you must add a record in /etc/shorewall/masq
to masquerade out of the second interface. If you are using one-to-one
NAT or Proxy ARP, then clearly servers in the DMZ will only be
accessible from one ISP or the other unless you assign each server two
IP addresses.

You must also pay close attention to the part of FAQ 32 contributed by
Martin Brown.

-Tom
eth0 is to isp1
eth1 is to isp2
eth2 is to dmz
eth3 is to loc

here is my masq file:

eth0 eth3
eth1 eth3
eth0 eth2
eth1 eth2

I also use Dnat; here is an example of the dnat entry

DNAT net dmz:192.168.45.1 tcp 80

Do I need more than one dnat? one for each isp?
if so what would that look like?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, November 19, 2004 3:18 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] FAQ 32

On Fri, 2004-11-19 at 13:02 -0800, Tom Eastep wrote:
> On Fri, 2004-11-19 at 15:00 -0600, Tuttle, Gene wrote:
> > What changes would I need to make if there is a 4th interface that is going
> > to a DMZ
>
> It depends on how you have configured the DMZ.

If you masquerade your DMZ, you must add a record in /etc/shorewall/masq
to masquerade out of the second interface. If you are using one-to-one
NAT or Proxy ARP, then clearly servers in the DMZ will only be
accessible from one ISP or the other unless you assign each server two
IP addresses.

You must also pay close attention to the part of FAQ 32 contributed by
Martin Brown.

-Tom

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 2004-11-19 at 15:53 -0600, Tuttle, Gene wrote:
> eth0 is to isp1
> eth1 is to isp2
> eth2 is to dmz
> eth3 is to loc
>
> here is my masq file:
>
> eth0 eth3
> eth1 eth3
> eth0 eth2
> eth1 eth2
>
> I also use Dnat here is an example of the dnat entry
>
> DNAT net dmz:192.168.45.1 tcp 80
>
> Do I need more than one dnat? one for each isp?

No.

-Tom
On Fri, 2004-11-19 at 16:53, Tuttle, Gene wrote:
> eth0 is to isp1
> eth1 is to isp2
> eth2 is to dmz
> eth3 is to loc
>
> here is my masq file:
>
> eth0 eth3
> eth1 eth3
> eth0 eth2
> eth1 eth2
>
> I also use Dnat here is an example of the dnat entry
>
> DNAT net dmz:192.168.45.1 tcp 80
>
> Do I need more than one dnat? one for each isp?
> if so what would that look like?
>
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, November 19, 2004 3:18 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] FAQ 32
>
> On Fri, 2004-11-19 at 13:02 -0800, Tom Eastep wrote:
> > On Fri, 2004-11-19 at 15:00 -0600, Tuttle, Gene wrote:
> > > What changes would I need to make if there is a 4th interface that is going
> > > to a DMZ
> >
> > It depends on how you have configured the DMZ.
>
> If you masquerade your DMZ, you must add a record in /etc/shorewall/masq
> to masquerade out of the second interface. If you are using one-to-one
> NAT or Proxy ARP, then clearly servers in the DMZ will only be
> accessible from one ISP or the other unless you assign each server two
> IP addresses.
>
> You must also pay close attention to the part of FAQ 32 contributed by
> Martin Brown.
>
> -Tom

I just read FAQ 32 because of a similar question.

I have a PS2 at my home and I wanted all traffic that goes towards the
PS2 to be allowed. Is it possible to add a similar rule?

DNAT net loc:192.168.1.10 ALL ALL

Since the PS2 is not running any services that can be exploited, I'm not
extreme regarding the security of this rule set.

Or am I looking at this the wrong way?
On Fri, 2004-11-19 at 17:13 -0500, Nick Sklav wrote:
> I just read FAQ 32 because of a similar question.
>
> I have a PS2 at my home and i wanted all traffic that goes towards the
> PS2 to be allowed. is it possible to add a similar rule.
>
> DNAT net loc:192.168.1.10 ALL ALL

Yes -- but "all" must be in lower case in the PROTO column and you
should just leave the DEST PORT(S) column empty.

-Tom
On Fri, 2004-11-19 at 17:34, Tom Eastep wrote:
> On Fri, 2004-11-19 at 17:13 -0500, Nick Sklav wrote:
> > I just read FAQ 32 because of a similar question.
> >
> > I have a PS2 at my home and i wanted all traffic that goes towards the
> > PS2 to be allowed. is it possible to add a similar rule.
> >
> > DNAT net loc:192.168.1.10 ALL ALL
>
> Yes -- but "all" must be in lower case in the PROTO column and you
> should just leave the DEST PORT(S) column empty.
>
> -Tom

I will also assume that the webserver and other associated services
that the firewall is directing will not be affected?
On Fri, 2004-11-19 at 17:34, Tom Eastep wrote:

Lest I forget: great job Tom, I would be reading the iptables howto if it
wasn't for shorewall's simplicity and well documented FAQ and associated
material.
On Fri, 2004-11-19 at 17:41 -0500, Nick Sklav wrote:
> On Fri, 2004-11-19 at 17:34, Tom Eastep wrote:
> > On Fri, 2004-11-19 at 17:13 -0500, Nick Sklav wrote:
> > > I just read FAQ 32 because of a similar question.
> > >
> > > I have a PS2 at my home and i wanted all traffic that goes towards the
> > > PS2 to be allowed. is it possible to add a similar rule.
> > >
> > > DNAT net loc:192.168.1.10 ALL ALL
> >
> > Yes -- but "all" must be in lower case in the PROTO column and you
> > should just leave the DEST PORT(S) column empty.
> >
> > -Tom
>
> I will also asssume that the webserver and other associated services
> that the firewall is directing will not be affected?

So long as you put the above rule last.

-Tom
On Fri, 2004-11-19 at 17:42, Tom Eastep wrote:
> On Fri, 2004-11-19 at 17:41 -0500, Nick Sklav wrote:
> > On Fri, 2004-11-19 at 17:34, Tom Eastep wrote:
> > > On Fri, 2004-11-19 at 17:13 -0500, Nick Sklav wrote:
> > > > I just read FAQ 32 because of a similar question.
> > > >
> > > > I have a PS2 at my home and i wanted all traffic that goes towards the
> > > > PS2 to be allowed. is it possible to add a similar rule.
> > > >
> > > > DNAT net loc:192.168.1.10 ALL ALL
> > >
> > > Yes -- but "all" must be in lower case in the PROTO column and you
> > > should just leave the DEST PORT(S) column empty.
> > >
> > > -Tom
> >
> > I will also asssume that the webserver and other associated services
> > that the firewall is directing will not be affected?
>
> So long as you put the above rule last.
>
> -Tom

Then I consider myself extremely lucky as the rule is last ;)
Thanks again Tom for your prompt reply.

Nick Sklavenitis
On Fri, 2004-11-19 at 17:45 -0500, Nick Sklav wrote:
> > > I will also asssume that the webserver and other associated services
> > > that the firewall is directing will not be affected?
> >
> > So long as you put the above rule last.
> >
> > -Tom
>
> Then i consider myself extremely lucky as the rule is last ;)
> Thanks again Tom for your prompt reply.

You're welcome.

One more thing; if you have any "ACCEPT net fw" rules, you will need to
change them to "ACCEPT+ net fw". Otherwise, the connections that you
want to go to your firewall will end up going to the PS2 instead.

-Tom
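The three cautions Tom gives Nick (a catch-all DNAT must be the last rule, its PROTO must be lower-case "all" with the DEST PORT(S) column left empty, and any "ACCEPT net fw" must become "ACCEPT+ net fw"), plus his earlier note to Gene that the masq file needs an entry for the second ISP interface, can all be checked mechanically before a "shorewall restart". The script below is an added example written for this thread; it is not Shorewall's own tooling and not anyone's real configuration here. The masq and rules files it writes are constructed for the demonstration, and it assumes the Shorewall 2.x rules-file column order ACTION, SOURCE, DEST, PROTO, DEST PORT(S).

```shell
#!/bin/sh
# Added example (not Shorewall's code, not config from this thread).
# Lints a Shorewall masq file and rules file for the points raised above:
#   - masq needs an entry for every (ISP interface, internal interface) pair
#   - a catch-all DNAT must use lower-case "all" in PROTO, leave DEST PORT(S)
#     empty, and be the last rule
#   - with a catch-all DNAT present, "ACCEPT net fw" must become "ACCEPT+ net fw"
# Assumed rules-file column layout (Shorewall 2.x):
#   ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)  SOURCE_PORT(S)  ORIGINAL_DEST
# Findings go to stderr; each function prints its finding count on stdout.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed masq file: eth0/eth1 are the ISP links, eth2/eth3 are internal.
# The eth1 -> eth2 pair is deliberately missing.
cat > "$WORK/masq" <<'EOF'
#INTERFACE  SUBNET
eth0        eth3
eth1        eth3
eth0        eth2
EOF

# Constructed rules file carrying the mistakes discussed in the thread.
cat > "$WORK/rules.bad" <<'EOF'
#ACTION  SOURCE  DEST              PROTO  DEST_PORT(S)
ACCEPT   net     fw                tcp    22
DNAT     net     loc:192.168.1.10  ALL    ALL
DNAT     net     dmz:192.168.45.1  tcp    80
ACCEPT   net     fw                tcp    25
EOF

# The same intent written the way Tom recommends.
cat > "$WORK/rules.good" <<'EOF'
#ACTION  SOURCE  DEST              PROTO  DEST_PORT(S)
ACCEPT+  net     fw                tcp    22
ACCEPT+  net     fw                tcp    25
DNAT     net     dmz:192.168.45.1  tcp    80
DNAT     net     loc:192.168.1.10  all
EOF

# check_masq FILE "ext ifaces" "int ifaces": count missing (ext, int) pairs.
check_masq() {
    file=$1; missing=0
    for e in $2; do
        for i in $3; do
            if ! awk -v e="$e" -v i="$i" \
                '$1 !~ /^#/ && $1 == e && $2 == i { found = 1 } END { exit !found }' "$file"; then
                echo "masq: no entry for $e $i" >&2
                missing=$((missing + 1))
            fi
        done
    done
    echo "$missing"
}

# check_rules FILE: count syntax/ordering problems around a catch-all DNAT.
check_rules() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    { n++; line[n] = $0; act[n] = $1; src[n] = $2; dst[n] = $3; proto[n] = $4; port[n] = $5 }
    END {
        catch = 0
        for (i = 1; i <= n; i++) {
            if (act[i] == "DNAT" && tolower(proto[i]) == "all") {
                catch = i
                if (proto[i] != "all") { print "rules: PROTO must be lower-case all: " line[i] > "/dev/stderr"; f++ }
                if (port[i] != "" && port[i] != "-") { print "rules: leave DEST PORT(S) empty: " line[i] > "/dev/stderr"; f++ }
                if (i != n) { print "rules: catch-all DNAT is not the last rule: " line[i] > "/dev/stderr"; f++ }
            }
        }
        if (catch)
            for (i = 1; i <= n; i++)
                if (act[i] == "ACCEPT" && src[i] == "net" && (dst[i] == "fw" || dst[i] == "$FW")) {
                    print "rules: use ACCEPT+ or the catch-all DNAT redirects this: " line[i] > "/dev/stderr"; f++
                }
        print f + 0
    }' "$1"
}

check_masq "$WORK/masq" "eth0 eth1" "eth2 eth3"   # prints 1
check_rules "$WORK/rules.bad"                      # prints 5
check_rules "$WORK/rules.good"                     # prints 0
```

The ACCEPT+ check only fires when a catch-all DNAT is present, which is exactly the condition under which a plain "ACCEPT net fw" would be silently redirected to the DNAT target; on a rules file without such a rule it stays quiet.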
I tried testing my setup today but it does not work

            -------------isp1----               -----------Network
           /                     \             /
   internet                       Linux/Shorewall
           \                     /             \
            -------------isp2-----              -----------DMZ

I can get out to the internet from the network.
I can ping from the Linux box to the internet using either network card,
ie:
    traceroute -i eth1 www.sears.com
    traceroute -i eth0 www.sears.com

I cannot however get from the internet to the DMZ or even to sendmail
running on the firewall.
I can telnet from Linux to the smtp port ... telnet <eth0 ipaddress> 25
and telnet <eth1 ipaddress> 25
I have 8 IP addresses from each isp. I cannot telnet from one of these
addresses to the linux/shorewall on port 25 even with shorewall stopped.
Can you help?

Here is my routing information; I changed the ip addresses to protect the
innocent.

export ATT=eth0
export ATT_IP=99.99.99.2
export ATT_NET=99.99.99.0
export ATT_GW=99.99.99.1

export QWEST=eth1
export QWEST_IP=88.88.88.92
export QWEST_NET=88.88.88.88
export QWEST_GW=88.88.88.94

export LAN=eth2
export LAN_IP=77.77.77.16
export LAN_NET=77.77.77.0
export LAN_GW=77.77.77.1

export DMZ=eth3
export DMZ_IP=66.66.66.253
export DMZ_NET=66.66.66.0
export DMZ_GW=66.66.66.253

ip route add $ATT_NET dev $ATT src $ATT_IP table T1
ip route add default via $ATT_GW table T1
ip route add $QWEST_NET dev $QWEST src $QWEST_IP table T2
ip route add default via $QWEST_GW table T2

ip route add $ATT_NET dev $ATT src $ATT_IP
ip route add $QWEST_NET dev $QWEST src $QWEST_IP

ip route add default via $ATT_GW

ip rule add from $ATT_IP table T1
ip rule add from $QWEST_IP table T2

ip route add $LAN_NET dev $LAN table T1
ip route add $QWEST_NET dev $QWEST table T1
ip route add 127.0.0.0/8 dev lo table T1

ip route add $LAN_NET dev $LAN table T2
ip route add $ATT_NET dev $ATT table T2
ip route add 127.0.0.0/8 dev lo table T2

ip route add default scope global nexthop via $ATT_GW dev $ATT weight 1 \
    nexthop via $QWEST_GW dev $QWEST weight 1

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, November 19, 2004 3:57 PM
To: Shorewall Users
Subject: RE: [Shorewall-users] FAQ 32

On Fri, 2004-11-19 at 15:53 -0600, Tuttle, Gene wrote:
> eth0 is to isp1
> eth1 is to isp2
> eth2 is to dmz
> eth3 is to loc
>
> here is my masq file:
>
> eth0 eth3
> eth1 eth3
> eth0 eth2
> eth1 eth2
>
> I also use Dnat here is an example of the dnat entry
>
> DNAT net dmz:192.168.45.1 tcp 80
>
> Do I need more than one dnat? one for each isp?

No.

-Tom
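A multi-ISP routing script of the shape posted above can be sanity-checked offline before the LARTC list (which Tom later points to) is asked for help. The script below is an added example written for this thread; it is not from FAQ 32, LARTC or Gene, and the routing script it lints is a constructed input modelled on the posted one, reusing its placeholder variable names and addresses. Two of its checks rest on plain iproute2 behaviour: an address without a prefix length given to "ip route add" installs a /32 host route for that single address rather than the subnet, and a per-ISP table selected by "ip rule add from ... table Tn" needs its own default route. The third check, that every per-ISP table carries a route to every inner network, is an assumption taken from the LARTC split-access recipe that FAQ 32 builds on.

```shell
#!/bin/sh
# Added example (not FAQ 32, LARTC or Gene's script). Lints a two-ISP
# policy-routing script of the shape quoted above for three slips:
#   1. a *_NET variable without a prefix length ("ip route add 99.99.99.0 dev
#      eth0" installs a /32 host route for that one address, not the subnet)
#   2. an ISP table selected by "ip rule add from ... table Tn" that has no
#      default route
#   3. an ISP table with no route to an inner network (assumption, from the
#      LARTC split-access recipe: every per-ISP table needs a route to every
#      local network, so traffic sourced from that ISP address can reach it)
# Findings go to stderr; each function prints its finding count on stdout.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input modelled on the quoted script, with placeholder addresses.
# Deliberate slips: ATT_NET has no prefix, T2 has no default route, and
# DMZ_NET is routed in neither ISP table.
cat > "$WORK/routes.sh" <<'EOF'
export ATT=eth0
export ATT_IP=99.99.99.2
export ATT_NET=99.99.99.0
export ATT_GW=99.99.99.1
export QWEST=eth1
export QWEST_IP=88.88.88.92
export QWEST_NET=88.88.88.88/29
export QWEST_GW=88.88.88.94
export LAN=eth2
export LAN_NET=77.77.77.0/24
export DMZ=eth3
export DMZ_NET=66.66.66.0/24
ip route add $ATT_NET dev $ATT src $ATT_IP table T1
ip route add default via $ATT_GW table T1
ip route add $QWEST_NET dev $QWEST src $QWEST_IP table T2
ip rule add from $ATT_IP table T1
ip rule add from $QWEST_IP table T2
ip route add $LAN_NET dev $LAN table T1
ip route add $LAN_NET dev $LAN table T2
EOF

# 1. "export X_NET=value" lines whose value carries no "/prefix".
nets_without_prefix() {
    awk -F'[= ]' '
    $1 == "export" && $2 ~ /_NET$/ && $3 !~ /\// {
        print "no prefix length on " $2 "=" $3 " (would be a /32 host route)" > "/dev/stderr"; n++ }
    END { print n + 0 }' "$1"
}

# 2. Tables named in "ip rule add ... table T" that have no
#    "ip route add default ... table T" line.
tables_without_default() {
    awk '
    $1 == "ip" && $2 == "rule" && $3 == "add" { for (i = 4; i <= NF; i++) if ($i == "table") tbl[$(i + 1)] = 1 }
    $1 == "ip" && $2 == "route" && $3 == "add" && $4 == "default" { for (i = 5; i <= NF; i++) if ($i == "table") def[$(i + 1)] = 1 }
    END { for (t in tbl) if (!(t in def)) { print "no default route in table " t > "/dev/stderr"; n++ } print n + 0 }' "$1"
}

# 3. For every ISP table, every inner network (a *_NET whose prefix is not an
#    ISP selected by an "ip rule add from $X_IP" line) must have a route.
tables_missing_inner() {
    awk '
    $1 == "export" { split($2, kv, "="); if (kv[1] ~ /_NET$/) { sub(/_NET$/, "", kv[1]); nets[kv[1]] = 1 } }
    $1 == "ip" && $2 == "rule" && $3 == "add" && $4 == "from" {
        p = $5; sub(/^\$/, "", p); sub(/_IP$/, "", p); isp[p] = 1
        for (i = 6; i <= NF; i++) if ($i == "table") tbl[$(i + 1)] = 1 }
    $1 == "ip" && $2 == "route" && $3 == "add" && $4 ~ /^\$.*_NET$/ {
        p = $4; sub(/^\$/, "", p); sub(/_NET$/, "", p)
        for (i = 5; i <= NF; i++) if ($i == "table") have[p, $(i + 1)] = 1 }
    END {
        for (p in nets) if (!(p in isp)) for (t in tbl) if (!((p, t) in have)) {
            print "table " t " has no route to $" p "_NET" > "/dev/stderr"; n++ }
        print n + 0 }' "$1"
}

nets_without_prefix "$WORK/routes.sh"     # prints 1  (ATT_NET)
tables_without_default "$WORK/routes.sh"  # prints 1  (T2)
tables_missing_inner "$WORK/routes.sh"    # prints 2  (DMZ_NET in T1 and T2)
```

Run it against the real script instead of the constructed one by replacing the heredoc with the script's path; any non-zero count is worth resolving before looking at the firewall rules, because a /32 "network" route or a table without a default path produces exactly the symptom of packets arriving on one ISP and never being answered.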
I have these rules for DNAT for this type of configuration

# first ISP
DNAT:info net loc:192.168.121.2:10006 tcp 443 - 200.7.11.5
# Second ISP to the same pc
DNAT:info net loc:192.168.121.2:10006 tcp 443 - 200.6.16.82

Tuttle, Gene wrote:
> I tried testing my set up today but it does not work
>
>             -------------isp1----               -----------Network
>            /                     \             /
>    internet                       Linux/Shorewall
>            \                     /             \
>             -------------isp2-----              -----------DMZ
>
> I can get out to the internet from the network
> I can ping from Linux box to the internet using either network cards
> ie: traceroute -i eth1 www.sears.com traceroute -i eth0 www.sears.com
>
> I cannot however get from the internet to DMZ or even to sendmail running on
> the firewall.
> I can telnet from Linux to the smtp port ... telnet <eth0 ipaddress> 25
> and telnet <eth1 ipaddress> 25
> I have 8 Ip addresses from each isp. I cannot telnet from one of these
> address to the linux/shorwall on port 25 even with shorewall stopped.
> can you help?
>
> here is my routing information I changed the ip address to protect the
> innocent
>
> export ATT=eth0
> export ATT_IP=99.99.99.2
> export ATT_NET=99.99.99.0
> export ATT_GW=99.99.99.1
>
> export QWEST=eth1
> export QWEST_IP=88.88.88.92
> export QWEST_NET=88.88.88.88
> export QWEST_GW=88.88.88.94
>
> export LAN=eth2
> export LAN_IP=77.77.77.16
> export LAN_NET=77.77.77.0
> export LAN_GW=77.77.77.1
>
> export DMZ=eth3
> export DMZ_IP=66.66.66.253
> export DMZ_NET=66.66.66.0
> export DMZ_GW=66.66.66.253
>
> ip route add $ATT_NET dev $ATT src $ATT_IP table T1
> ip route add default via $ATT_GW table T1
> ip route add $QWEST_NET dev $QWEST src $QWEST_IP table T2
> ip route add default via $QWEST_GW table T2
>
> ip route add $ATT_NET dev $ATT src $ATT_IP
> ip route add $QWEST_NET dev $QWEST src $QWEST_IP
>
> ip route add default via $ATT_GW
>
> ip rule add from $ATT_IP table T1
> ip rule add from $QWEST_IP table T2
>
> ip route add $LAN_NET dev $LAN table T1
> ip route add $QWEST_NET dev $QWEST table T1
> ip route add 127.0.0.0/8 dev lo table T1
>
> ip route add $LAN_NET dev $LAN table T2
> ip route add $ATT_NET dev $ATT table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> ip route add default scope global nexthop via $ATT_GW dev $ATT weight 1 \
>     nexthop via $QWEST_GW dev $QWEST weight 1
>
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, November 19, 2004 3:57 PM
> To: Shorewall Users
> Subject: RE: [Shorewall-users] FAQ 32
>
> On Fri, 2004-11-19 at 15:53 -0600, Tuttle, Gene wrote:
> > eth0 is to isp1
> > eth1 is to isp2
> > eth2 is to dmz
> > eth3 is to loc
> >
> > here is my masq file:
> >
> > eth0 eth3
> > eth1 eth3
> > eth0 eth2
> > eth1 eth2
> >
> > I also use Dnat here is an example of the dnat entry
> >
> > DNAT net dmz:192.168.45.1 tcp 80
> >
> > Do I need more than one dnat? one for each isp?
>
> No.
>
> -Tom
On Wed, 2004-11-24 at 11:18 -0600, Tuttle, Gene wrote:
> I have 8 Ip addresses from each isp. I cannot telnet from one of these
> address to the linux/shorwall on port 25 even with shorewall stopped.
> can you help?

I can't personally.

a) You have given us none of the information that we ask for to help
   solve connection problems.

b) In these cases, the devil is in the details and you have obfuscated
   the facts; it is my experience that, except in the most trivial of
   cases, if someone knows enough to accurately disguise his or her
   network information without losing the essence of the problem being
   reported then the person also knows enough to solve the problem in
   the first place.

c) FAQ 32 clearly asks that if there are problems or questions relating
   to the use of the routing information presented there then the
   appropriate source of help is the LARTC list. I don't believe that I
   can give very good support in this area without having set up and
   used one of these configurations myself and I can't justify paying
   for a second Internet connection for the sole purpose of being able
   to give better free help for a free product.

-Tom