thr3ads.net - Shorewall users - Re: Shorewall-users Digest, Vol 31, Issue 48 [Jun 2005]

If this information is useful, please help other people find it:
Share via:

Derek Vincent

2005-Jun-26 03:02 UTC

Re: Shorewall-users Digest, Vol 31, Issue 48

On Friday 24 June 2005 20:57, Derek Vincent wrote:
>>Hello all,
>>
>>I have shorewall setup with 3 SNAT entries for external IP
address''s to
>>a single IP internal address. I am wondering how to limit access based
>>on the source IP address.
>>ex.
>> EXT IP 1 access only to port 25
>> EXT IP 2 access only to port 443
>> EXT IP 3 access only to port 80
>>
>>I have the SNAT setup correctly and I have 3 accept line in the rules
>>file (25,80,443) but I can hit all the services from all 3 external IP
>>address (as expected).
>>
>>I though about using DNAT instead of ACCEPT but I am not sure if you can
>>or are supposed to mix the DNAT and SNAT.
>>    
>>
>
>Hi Derek,
>
>I can only guess, because I don''t really understand the way you
implemented
>the SNAT (MASQ?)/Accept combination.
>
>But I think the correct way would be DNAT. Something like this in the rules 
>file:
>
>DNAT net:$EXT_IP1 loc:$INT_IP:PORT PROTO PORTS ORIG_DEST
>
>e.g.:
>DNAT net:212.185.120.194 dmz:192.168.40.2 tcp http,https -   194.231.186.177
>
>See the examples on top of the rules file and read FAQ30 
>http://www.shorewall.net/FAQ.htm#faq30
>
>HTH,
>Alex
>
>  
> 
Apologies, I am not using SNAT for this.

What I have setup is just entries in the NAT table and the ACCEPTS in 
the rule file.

snipit from NAT file:
## .132 == webmail.clockwork.ca
207.35.34.132   eth0:0          192.168.111.17  no                      no
## .134 == mail.clockwork.ca
207.35.34.134   eth0:2          192.168.111.17  no                      no
## .135 == exposed.clockwork.ca (www)
207.35.34.135   eth0:3          192.168.111.17  no                      no

And the following are the ACCEPT entries from RULES:
ACCEPT  net             loc:192.168.111.17      tcp     443     -
ACCEPT  net             loc:192.168.111.17      tcp     25      -
ACCEPT  net             loc:192.168.111.17      tcp     80      -

So what I am looking for is a way to control access to specific ports 
based on the external nated address.

 Cheers,
   Derek

Alexander Wilms

2005-Jun-26 10:43 UTC

head link

Re: Re: Shorewall-users Digest, Vol 31, Issue 48

On Sunday 26 June 2005 05:02, Derek Vincent wrote:> On Friday 24 June 2005 20:57, Derek Vincent wrote:
> >>Hello all,
> >>
> >>I have shorewall setup with 3 SNAT entries for external IP
address''s to
> >>a single IP internal address. I am wondering how to limit access
based
> >>on the source IP address.
> >>ex.
> >> EXT IP 1 access only to port 25
> >> EXT IP 2 access only to port 443
> >> EXT IP 3 access only to port 80
> >>
> >>I have the SNAT setup correctly and I have 3 accept line in the
rules
> >>file (25,80,443) but I can hit all the services from all 3 external
IP
> >>address (as expected).
> >>
> >>I though about using DNAT instead of ACCEPT but I am not sure if
you can
> >>or are supposed to mix the DNAT and SNAT.
> >
> >Hi Derek,
> >
> >I can only guess, because I don''t really understand the way
you
> > implemented the SNAT (MASQ?)/Accept combination.
> >
> >But I think the correct way would be DNAT. Something like this in the
> > rules file:
> >
> >DNAT net:$EXT_IP1 loc:$INT_IP:PORT PROTO PORTS ORIG_DEST
> >
> >e.g.:
> >DNAT net:212.185.120.194 dmz:192.168.40.2 tcp http,https -  
> > 194.231.186.177
> >
> >See the examples on top of the rules file and read FAQ30
> >http://www.shorewall.net/FAQ.htm#faq30
> >
> >HTH,
> >Alex
>
> Apologies, I am not using SNAT for this.
>
> What I have setup is just entries in the NAT table and the ACCEPTS in
> the rule file.
>
> snipit from NAT file:
> ## .132 == webmail.clockwork.ca
> 207.35.34.132   eth0:0          192.168.111.17  no                      no
> ## .134 == mail.clockwork.ca
> 207.35.34.134   eth0:2          192.168.111.17  no                      no
> ## .135 == exposed.clockwork.ca (www)
> 207.35.34.135   eth0:3          192.168.111.17  no                      no
>
> And the following are the ACCEPT entries from RULES:
> ACCEPT  net             loc:192.168.111.17      tcp     443     -
> ACCEPT  net             loc:192.168.111.17      tcp     25      -
> ACCEPT  net             loc:192.168.111.17      tcp     80      -
>
> So what I am looking for is a way to control access to specific ports
> based on the external nated address.
Then your access rule should be something like this (Orig Destination column):

ACCEPT  net             loc:192.168.111.17      tcp     80      207.35.34.135

I haven''t used one-to-one NAT by myself yet, so I''m not 100%
sure.

Just a hint:
I would have used proxy-arp instead of one-to-one NAT for this kind of setup.



HTH,
Alex

Possibly Parallel Threads

Search for more seemingly similar threads

Shorewall users - Jun 2005 - Re: Shorewall-users Digest, Vol 31, Issue 48

Re: Shorewall-users Digest, Vol 31, Issue 48

Re: Re: Shorewall-users Digest, Vol 31, Issue 48

Possibly Parallel Threads