Hello all,

I have been putting together a Shorewall firewall for a couple of days, but have hit a bit of a dead end.

I am using Shorewall 3.0.5.

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available

On to the question.

I have a zone set up for DMZ; by default any user (eth2) who comes into that zone gets their port 80 DNATed to the firewall's port 80, which dishes out a "logon to the network" style page.

This works.

Once the user logs on, it adds the IP address and MAC address to an IPSET list. This ipset is put into a dynamic zone called dyn. The two zones obviously overlap, so I followed the instructions on overlapping zones, ensuring order in the policy file (and also rules).

So I have

   dyn     net     ACCEPT
   dmz     net     DROP

in policy, and

   ACCEPT     dyn     net                  tcp     http,https,pop-3,smtp
   CONTINUE   dyn     net
   DNAT       dmz     fw:192.168.1.1       tcp     80
   DROP       dmz     all

in rules.

Everything works apart from port 80: once the IPSET entry gets created you can ping through and open up SMTP to an email server on the Internet, but once it is created, if you try to open a connection to a web server on the Internet the connection fails.

Note: before you add it to the IPSET, the port forward to the local IP address works nicely.

Any help would be appreciated.

Regards
Nick
Tom Eastep
2006-Mar-13 15:04 UTC
Re: Dynamic Zones and IPSET (with a DNAT for good measure!)
On Monday 13 March 2006 02:52, Nick Knight wrote:
> Hello all,
>
> I have been putting together a Shorewall firewall for a couple
> of days, but have hit a bit of a dead end.
>
> I am using Shorewall 3.0.5.
>
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Not available
>    Physdev Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Available
>    CONNMARK Target: Available
>    Connmark Match: Available
>    Raw Table: Available
>    CLASSIFY Target: Available
>
> On to the question.
>
> I have a zone set up for DMZ; by default any user (eth2) who comes
> into that zone gets their port 80 DNATed to the firewall's port 80, which
> dishes out a "logon to the network" style page.
>
> This works.
>
> Once the user logs on, it adds the IP address and MAC address to an IPSET
> list. This ipset is put into a dynamic zone called dyn. The two zones
> obviously overlap, so I followed the instructions on overlapping zones,
> ensuring order in the policy file (and also rules).
>
> So I have
>
>    dyn     net     ACCEPT
>    dmz     net     DROP
>
> in policy, and
>
>    ACCEPT     dyn     net                  tcp     http,https,pop-3,smtp
>    CONTINUE   dyn     net

Before the next rule, you need:

   DNAT-      dyn     all                  tcp     80

Otherwise, dmz->net traffic on port 80 continues to be redirected to the firewall.

>    DNAT       dmz     fw:192.168.1.1       tcp     80
>    DROP       dmz     all

That last rule is a policy! You should remove it and replace the second policy you show above with:

   dmz     all     DROP

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
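The ordering problem Tom describes is easier to see when the two rule sets are walked by hand. The following is an added example, not Shorewall code and not part of the original thread: it is a toy model of Shorewall's first-match evaluation for a host that belongs to two overlapping zones (dyn and dmz), with the nat (PREROUTING) pass before the filter pass. It embeds Nick's original rules and policy and Tom's corrected ones as constructed data. Assumptions are labelled in the code: a DNAT rule matches on source zone, protocol and port only (no ORIGINAL DEST); a DNAT- rule with no server address is treated as a nat-table ACCEPT that exempts the packet from later DNAT rules; a zone whose chain matches no rule and no policy falls through to the next zone the host belongs to; and the sub-zone (dyn) is checked before dmz, as overlapping zones are ordered in the zones file.

```python
# Toy model of Shorewall rule/policy ordering for overlapping zones.
# Added example, not Shorewall's own code. Each rule is a tuple:
#   (ACTION, SOURCE zone, DEST zone, PROTO, set of dest ports or None)
from dataclasses import dataclass, replace

@dataclass
class Packet:
    zones: tuple   # zones the source host is in, sub-zone first (dyn before dmz)
    dst: str       # destination zone before any DNAT ("net" or "fw")
    proto: str
    dport: int

WEB = {80, 443, 110, 25}   # http,https,pop-3,smtp

# Nick's rules: the dyn CONTINUE sends port-80 traffic on to the dmz rules,
# and the nat table has no exemption, so logged-in hosts are still redirected.
RULES_ORIGINAL = [
    ("ACCEPT",   "dyn", "net", "tcp", WEB),
    ("CONTINUE", "dyn", "net", "all", None),
    ("DNAT",     "dmz", "fw",  "tcp", {80}),   # captive-portal redirect
    ("DROP",     "dmz", "all", "all", None),   # really a policy (Tom's point)
]
POLICY_ORIGINAL = [("dyn", "net", "ACCEPT"), ("dmz", "net", "DROP")]

# Tom's fix: a DNAT- (nat-table ACCEPT, assumption) for dyn placed before the
# dmz DNAT, and the dmz DROP expressed as a policy rather than a rule.
RULES_FIXED = [
    ("ACCEPT",   "dyn", "net", "tcp", WEB),
    ("CONTINUE", "dyn", "net", "all", None),
    ("DNAT-",    "dyn", "all", "tcp", {80}),
    ("DNAT",     "dmz", "fw",  "tcp", {80}),
]
POLICY_FIXED = [("dyn", "net", "ACCEPT"), ("dmz", "all", "DROP")]

def _matches(rule, zone, pkt, check_dst):
    _, src, dst, proto, ports = rule
    if src != zone:
        return False
    if check_dst and dst not in (pkt.dst, "all"):
        return False
    if proto not in (pkt.proto, "all"):
        return False
    return ports is None or pkt.dport in ports

def nat_pass(rules, pkt):
    """First matching DNAT/DNAT- rule decides the post-nat destination zone."""
    for rule in rules:
        action, _, dst, _, _ = rule
        if action not in ("DNAT", "DNAT-"):
            continue
        for zone in pkt.zones:
            if _matches(rule, zone, pkt, check_dst=False):
                # DNAT redirects to its DEST zone; DNAT- with no server address
                # is modelled as a nat ACCEPT: keep the original destination.
                return dst if action == "DNAT" else pkt.dst
    return pkt.dst

def _zone_verdict(rules, policies, zone, pkt):
    """Verdict from one source zone's chain, or None to fall through."""
    for rule in rules:
        action = rule[0]
        if action == "DNAT-" or not _matches(rule, zone, pkt, check_dst=True):
            continue                      # DNAT- generates no filter rule
        if action == "CONTINUE":
            return None                   # hand over to the next zone
        return "ACCEPT" if action == "DNAT" else action  # DNAT accepts in filter
    for psrc, pdst, paction in policies:
        if psrc == zone and pdst in (pkt.dst, "all"):
            return None if paction == "CONTINUE" else paction
    return None                           # no rule, no policy: fall through

def evaluate(rules, policies, pkt):
    """Return (verdict, final destination zone) for one packet."""
    pkt = replace(pkt, dst=nat_pass(rules, pkt))
    for zone in pkt.zones:
        verdict = _zone_verdict(rules, policies, zone, pkt)
        if verdict is not None:
            return verdict, pkt.dst
    return "UNMATCHED", pkt.dst

def run(rules, policies):
    """Constructed scenarios: a logged-in host (in the ipset) and a new one."""
    logged_in = ("dyn", "dmz")
    new_user = ("dmz",)
    cases = {
        "logged_in_http": Packet(logged_in, "net", "tcp", 80),
        "logged_in_smtp": Packet(logged_in, "net", "tcp", 25),
        "new_user_http":  Packet(new_user, "net", "tcp", 80),
        "new_user_smtp":  Packet(new_user, "net", "tcp", 25),
    }
    return {name: evaluate(rules, policies, p) for name, p in cases.items()}

if __name__ == "__main__":
    for label, rules, pol in (("original", RULES_ORIGINAL, POLICY_ORIGINAL),
                              ("fixed", RULES_FIXED, POLICY_FIXED)):
        print(label, run(rules, pol))
```

With the original rules the logged-in host's port-80 connection comes back as ACCEPT to fw (it lands on the portal instead of the Internet, which is the failure Nick sees), while SMTP from the same host is accepted to net. With Tom's DNAT- in place, port 80 from a dyn host stays bound for net and is accepted by the dyn rule; a host not yet in the ipset is still redirected to the portal, and its other traffic is dropped by the dmz policy.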