Hi,
I'm new here. I've enjoyed shorewall for quite some time, and have never
had a problem. However, I find myself in a situation that I could not
find the answer for in the documentation. So I'm hoping for help.
The setup:
{ NET }
|
150.228.X.X (net facing, external IP)
|
|
+++++++++++ (Company Firewall, forwards www and ftp to shorewall)
|
|
[172.30.12.150] (shorewall box, external)
[172.30.13.150] (shorewall box, internal)
|
|
+++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
|
|
[192.168.0.8] (web / ftp server)
-=-=-=-
Essentially, I need everything that hits port 80 on the shorewall external
interface to be forwarded to 192.168.0.8, masq'd with the shorewall
internal ip address.
Currently,
tcpdump on the shorewall internal interface shows:
18:08:24.971441 IP 67.190.x.x.4923 > 192.168.0.8.http: S
1851698195:1851698195(0) win 5840 <mss 1380,sackOK,timestamp 1262400719
0,nop,wscale 2>
67.190.x.x being the ip address of the machine hitting it on the net.
The dmz firewall will not route 67.190.x.x traffic. It will only route
traffic from the 172.30.13.x network - which is why I need it forwarded
using the 172.30.13.150 address instead of the 67.190.x.x address.
I am able to telnet 192.168.0.8 80 , from the shorewall firewall. So from
there back, there's no problem. It just doesn't like the source 67.190
address.
Hope that makes sense...
Here is my current config (which still passes off the traffic as coming
from the 67.190 address)
masq:
( this part is probably wrong.. same result with or without, though)
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 172.30.13.0/24 172.30.12.150
Interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
ext eth0 172.30.12.255
int eth1 172.30.13.255
Zones:
#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
fw firewall
int ipv4
ext ipv4
Policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
int fw ACCEPT info
ext fw DROP info
ext int DROP info
all all REJECT info
Rules:
#ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT(S) ORIGINAL DEST RATE LIMIT USER/GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Web/DNAT ext int:192.168.0.8
FTP/DNAT ext int:192.168.0.8
ACCEPT fw int:192.168.0.8 tcp 80
ACCEPT fw int:192.168.0.8 tcp 443
ACCEPT fw int:192.168.0.8 tcp 21
ACCEPT int fw tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
If anyone can help, I would be most appreciative. Thanks for your time!
-Bill
On Monday 17 April 2006 16:35, kog@subfusion.net wrote:
> Hi,
>
> I'm new here. I've enjoyed shorewall for quite some time, and have never
> had a problem. However, I find myself in a situation that I could not
> find the answer for in the documentation. So I'm hoping for help.
>
> The setup:
>
> { NET }
>
> 150.228.X.X (net facing, external IP)
>
>
> +++++++++++ (Company Firewall, forwards www and ftp to shorewall)
>
>
> [172.30.12.150] (shorewall box, external)
> [172.30.13.150] (shorewall box, internal)
>
>
> +++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
>
>
> [192.168.0.8] (web / ftp server)
>
>
> -=-=-=-
>
> Essentially, I need everything that hits port 80 on the shorewall external
> interface to be forwarded to 192.168.0.8, masq'd with the shorewall
> internal ip address.
>
>
> Here is my current config (which still passes off the traffic as coming
> from the 67.190 address)
>
> masq:
>
> ( this part is probably wrong.. same result with or without, though)
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth0 172.30.13.0/24 172.30.12.150
>

Yes -- you want:

#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 0.0.0.0/0 172.30.12.150 tcp 80

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
This worked! Actually, with a minor modification.. instead of:

#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 0.0.0.0/0 172.30.12.150 tcp 80

I used:

#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth1 0.0.0.0/0 172.30.13.150 tcp 80

Since I needed to pass traffic to the inside masqing it as the internal
interface's IP. It now works perfectly.

Thank you very much!

-Bill

Tom Eastep writes:
> On Monday 17 April 2006 16:35, kog@subfusion.net wrote:
>> Hi,
>>
>> I'm new here. I've enjoyed shorewall for quite some time, and have never
>> had a problem. However, I find myself in a situation that I could not
>> find the answer for in the documentation. So I'm hoping for help.
>>
>> The setup:
>>
>> { NET }
>>
>> 150.228.X.X (net facing, external IP)
>>
>>
>> +++++++++++ (Company Firewall, forwards www and ftp to shorewall)
>>
>>
>> [172.30.12.150] (shorewall box, external)
>> [172.30.13.150] (shorewall box, internal)
>>
>>
>> +++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
>>
>>
>> [192.168.0.8] (web / ftp server)
>>
>>
>> -=-=-=-
>>
>> Essentially, I need everything that hits port 80 on the shorewall external
>> interface to be forwarded to 192.168.0.8, masq'd with the shorewall
>> internal ip address.
>>
>>
>> Here is my current config (which still passes off the traffic as coming
>> from the 67.190 address)
>>
>> masq:
>>
>> ( this part is probably wrong.. same result with or without, though)
>>
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth0 172.30.13.0/24 172.30.12.150
>>
>
> Yes -- you want:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S)
> eth0 0.0.0.0/0 172.30.12.150 tcp 80
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 18 April 2006 15:20, kog@subfusion.net wrote:
> This worked! Actually, with a minor modification.. instead of:
>
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S)
> eth0 0.0.0.0/0 172.30.12.150 tcp 80
>
> I used:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S)
> eth1 0.0.0.0/0 172.30.13.150 tcp 80
>
> Since I needed to pass traffic to the inside masqing it as the internal
> interface's IP. It now works perfectly.
>

Yes -- I assumed that you could identify the correct SNAT interface. On
second look, I see from your interfaces file that eth1 is the local
interface even though your proposed rule referred to eth0.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
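The exchange above turns on one detail: a masq entry is matched against the interface a packet leaves on, after DNAT and routing have already happened, so an entry on eth0 never sees traffic that has been DNATed to 192.168.0.8 and routed out eth1. The following Python model is an added example, not code from the thread or from Shorewall itself. It walks the thread's packet through DNAT, a route lookup and the masq table and shows why the original entry and the proposed eth0 entry leave the client address untouched while the eth1 entry rewrites it. The routing table is an assumption reconstructed from the diagram, 203.0.113.7 is a constructed client address standing in for the anonymised 67.190.x.x, and the matching logic is a simplified model of the masq file's columns (INTERFACE = outgoing interface, SUBNET = source addresses to rewrite, ADDRESS = new source, optional PROTO and PORT(S)).

```python
"""Toy model of the forwarding path on the Shorewall box in the thread:
DNAT on arrival (Web/DNAT ext int:192.168.0.8), a route lookup that picks
the outgoing interface, then the masq (SNAT) table, whose INTERFACE column
is matched against that outgoing interface. Constructed example, not
Shorewall code; addresses other than the thread's own are made up."""
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class MasqRule:
    interface: str                  # packet must be LEAVING on this interface
    subnet: ipaddress.IPv4Network   # SUBNET column: source addresses to rewrite
    address: str                    # ADDRESS column: new source address
    proto: Optional[str]            # PROTO column, optional
    ports: FrozenSet[int]           # PORT(S) column, optional destination ports


# Assumed routing table (constructed from the thread's diagram):
# 192.168.0.x is reached through the DMZ firewall on the eth1 side.
ROUTES = {
    "192.168.0.0/24": "eth1",
    "172.30.13.0/24": "eth1",
    "172.30.12.0/24": "eth0",
    "0.0.0.0/0": "eth0",
}
# (proto, dport, new destination): the Web/DNAT rule from the thread.
DNAT_RULES = [("tcp", 80, "192.168.0.8")]

# The three masq entries that appear in the thread, verbatim.
ORIGINAL_MASQ = "#INTERFACE SUBNET ADDRESS PROTO PORT(S)\neth0 172.30.13.0/24 172.30.12.150\n"
PROPOSED_MASQ = "#INTERFACE SUBNET ADDRESS PROTO PORT(S)\neth0 0.0.0.0/0 172.30.12.150 tcp 80\n"
FINAL_MASQ = "#INTERFACE SUBNET ADDRESS PROTO PORT(S)\neth1 0.0.0.0/0 172.30.13.150 tcp 80\n"


def parse_masq(text: str) -> List[MasqRule]:
    """Parse lines shaped like the masq file: INTERFACE SUBNET ADDRESS [PROTO [PORT(S)]]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        proto = f[3] if len(f) > 3 else None
        ports = frozenset(int(p) for p in f[4].split(",")) if len(f) > 4 else frozenset()
        rules.append(MasqRule(f[0], ipaddress.ip_network(f[1]), f[2], proto, ports))
    return rules


def dnat(pkt: Packet, rules) -> Packet:
    """Rewrite the destination for matching (proto, port) pairs; first match wins."""
    for proto, port, new_dst in rules:
        if pkt.proto == proto and pkt.dport == port:
            return replace(pkt, dst=new_dst)
    return pkt


def route(dst: str, routes) -> str:
    """Longest-prefix match of the (already DNATed) destination address."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(c) for c in routes]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return routes[str(best)]


def masq(pkt: Packet, out_iface: str, rules: List[MasqRule]) -> Packet:
    """Apply the first masq entry whose interface, subnet, proto and port all match."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if r.interface != out_iface or src not in r.subnet:
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.ports and pkt.dport not in r.ports:
            continue
        return replace(pkt, src=r.address)
    return pkt      # no entry matched: the source address passes through unchanged


def forward(pkt: Packet, masq_text: str) -> Tuple[str, Packet]:
    """DNAT -> route -> masq, returning the outgoing interface and the final packet."""
    pkt = dnat(pkt, DNAT_RULES)
    out = route(pkt.dst, ROUTES)
    return out, masq(pkt, out, parse_masq(masq_text))


if __name__ == "__main__":
    # 203.0.113.7 is a constructed client address standing in for 67.190.x.x.
    client = Packet("203.0.113.7", "172.30.12.150", "tcp", 80)
    for label, text in [("original", ORIGINAL_MASQ), ("proposed", PROPOSED_MASQ), ("final", FINAL_MASQ)]:
        out, p = forward(client, text)
        print(f"{label:9s} out={out} src={p.src} dst={p.dst}")
```

Running it shows the packet leaving on eth1 with the source still 203.0.113.7 under the first two masq tables and rewritten to 172.30.13.150 under the third. One consequence worth keeping in mind once the eth1 entry is in place: the web server at 192.168.0.8 now sees every client as 172.30.13.150, so its access logs no longer record the real client address and any per-client rate limiting or blocking there stops being meaningful; logging on the shorewall box (the `info` levels already set in the policy file) becomes the place where the original address is still visible.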
On Tuesday 18 April 2006 18:47, Tom Eastep wrote:
>
> Yes -- I assumed that you could identify the correct SNAT interface. On
> second look, I see from your interfaces file that eth1 is the local
> interface even though your proposed rule referred to eth0.
>

And I add my apologies for the oversight.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key