Hi, I'm new here. I've enjoyed shorewall for quite some time, and have never had a problem. However, I find myself in a situation that I could not find the answer for in the documentation. So I'm hoping for help.

The setup:

    { NET }
        |
    150.228.X.X (net facing, external IP)
        |
    +++++++++++ (Company Firewall, forwards www and ftp to shorewall)
        |
    [172.30.12.150] (shorewall box, external)
    [172.30.13.150] (shorewall box, internal)
        |
    +++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
        |
    [192.168.0.8] (web / ftp server)

-=-=-=-

Essentially, I need everything that hits port 80 on the shorewall external interface to be forwarded to 192.168.0.8, masq'd with the shorewall internal ip address.

Currently, tcpdump on the shorewall internal interface shows:

    18:08:24.971441 IP 67.190.x.x.4923 > 192.168.0.8.http: S 1851698195:1851698195(0) win 5840 <mss 1380,sackOK,timestamp 1262400719 0,nop,wscale 2>

67.190.x.x being the ip address of the machine hitting it on the net.

The dmz firewall will not route 67.190.x.x traffic. It will only route traffic from the 172.30.13.x network - which is why I need it forwarded using the 172.30.13.150 address instead of the 67.190.x.x address.

I am able to telnet 192.168.0.8 80 from the shorewall firewall. So from there back, there's no problem. It just doesn't like the source 67.190 address.

Hope that makes sense...

Here is my current config (which still passes off the traffic as coming from the 67.190 address)

masq:

( this part is probably wrong.. same result with or without, though)

    #INTERFACE  SUBNET          ADDRESS         PROTO   PORT(S)   IPSEC
    eth0        172.30.13.0/24  172.30.12.150

Interfaces:

    #ZONE   INTERFACE   BROADCAST       OPTIONS
    ext     eth0        172.30.12.255
    int     eth1        172.30.13.255

Zones:

    #ZONE   TYPE        OPTIONS         IN              OUT
    #                                   OPTIONS         OPTIONS
    fw      firewall
    int     ipv4
    ext     ipv4

Policy:

    #SOURCE DEST    POLICY  LOG     LIMIT:BURST
    #                       LEVEL
    int     fw      ACCEPT  info
    ext     fw      DROP    info
    ext     int     DROP    info
    all     all     REJECT  info

Rules:

    #ACTION    SOURCE  DEST              PROTO   DEST    SOURCE    ORIGINAL  RATE    USER/
    #                                            PORT    PORT(S)   DEST      LIMIT   GROUP
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    Web/DNAT   ext     int:192.168.0.8
    FTP/DNAT   ext     int:192.168.0.8
    ACCEPT     fw      int:192.168.0.8   tcp     80
    ACCEPT     fw      int:192.168.0.8   tcp     443
    ACCEPT     fw      int:192.168.0.8   tcp     21
    ACCEPT     int     fw                tcp     22
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

If anyone can help, I would be most appreciative. Thanks for your time!

-Bill
On Monday 17 April 2006 16:35, kog@subfusion.net wrote:

> Hi,
>
> I'm new here. I've enjoyed shorewall for quite some time, and have never
> had a problem. However, I find myself in a situation that I could not
> find the answer for in the documentation. So I'm hoping for help.
>
> The setup:
>
> { NET }
>
> 150.228.X.X (net facing, external IP)
>
> +++++++++++ (Company Firewall, forwards www and ftp to shorewall)
>
> [172.30.12.150] (shorewall box, external)
> [172.30.13.150] (shorewall box, internal)
>
> +++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
>
> [192.168.0.8] (web / ftp server)
>
> -=-=-=-
>
> Essentially, I need everything that hits port 80 on the shorewall external
> interface to be forwarded to 192.168.0.8, masq'd with the shorewall
> internal ip address.
>
> Here is my current config (which still passes off the traffic as coming
> from the 67.190 address)
>
> masq:
>
> ( this part is probably wrong.. same result with or without, though)
>
> #INTERFACE  SUBNET          ADDRESS         PROTO   PORT(S)   IPSEC
> eth0        172.30.13.0/24  172.30.12.150
>

Yes -- you want:

    #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
    eth0        0.0.0.0/0   172.30.12.150   tcp     80

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
This worked! Actually, with a minor modification.. instead of:

    #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
    eth0        0.0.0.0/0   172.30.12.150   tcp     80

I used:

    #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
    eth1        0.0.0.0/0   172.30.13.150   tcp     80

Since I needed to pass traffic to the inside masqing it as the internal interface's IP. It now works perfectly.

Thank you very much!

-Bill

Tom Eastep writes:

> On Monday 17 April 2006 16:35, kog@subfusion.net wrote:
>> Hi,
>>
>> I'm new here. I've enjoyed shorewall for quite some time, and have never
>> had a problem. However, I find myself in a situation that I could not
>> find the answer for in the documentation. So I'm hoping for help.
>>
>> The setup:
>>
>> { NET }
>>
>> 150.228.X.X (net facing, external IP)
>>
>> +++++++++++ (Company Firewall, forwards www and ftp to shorewall)
>>
>> [172.30.12.150] (shorewall box, external)
>> [172.30.13.150] (shorewall box, internal)
>>
>> +++++++++++ (dmz firewall-forwards ftp and www to 192.168.0.4 & 8)
>>
>> [192.168.0.8] (web / ftp server)
>>
>> -=-=-=-
>>
>> Essentially, I need everything that hits port 80 on the shorewall external
>> interface to be forwarded to 192.168.0.8, masq'd with the shorewall
>> internal ip address.
>>
>> Here is my current config (which still passes off the traffic as coming
>> from the 67.190 address)
>>
>> masq:
>>
>> ( this part is probably wrong.. same result with or without, though)
>>
>> #INTERFACE  SUBNET          ADDRESS         PROTO   PORT(S)   IPSEC
>> eth0        172.30.13.0/24  172.30.12.150
>>
>
> Yes -- you want:
>
> #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
> eth0        0.0.0.0/0   172.30.12.150   tcp     80
>
> -Tom
> --
> Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,              \ http://shorewall.net
> Washington USA          \ teastep@shorewall.net
> PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 18 April 2006 15:20, kog@subfusion.net wrote:

> This worked! Actually, with a minor modification.. instead of:
>
> #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
> eth0        0.0.0.0/0   172.30.12.150   tcp     80
>
> I used:
>
> #INTERFACE  SUBNET      ADDRESS         PROTO   PORT(S)
> eth1        0.0.0.0/0   172.30.13.150   tcp     80
>
> Since I needed to pass traffic to the inside masqing it as the internal
> interface's IP. It now works perfectly.
>

Yes -- I assumed that you could identify the correct SNAT interface. On second look, I see from your interfaces file that eth1 is the local interface even though your proposed rule referred to eth0.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
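The exchange above turns on two details of the masq file: the INTERFACE column names the interface the packet *leaves* on (eth1 toward the DMZ firewall, not eth0 where it arrived), and the SUBNET column filters on the packet's *source*, which for an Internet client is never 172.30.13.0/24. The following is an added example, not code from the thread or from the Shorewall project: a small Python model of the DNAT-then-SNAT path that parses masq lines in the column layout quoted above and shows what the DMZ firewall would see for each of the three masq entries discussed (Bill's original, Tom's suggestion, and the eth1 variant Bill ended up using). The DNAT step, the routing table and the 67.190.0.1 client address are constructed assumptions standing in for the masked values in the thread; port ranges and other real Shorewall syntax are deliberately not modelled.

```python
"""
Added example (not from the thread or the Shorewall project): simulate the
DNAT -> route -> SNAT path so the effect of each masq line can be checked
without a live firewall.

Assumptions (constructed for this example, not Shorewall's own code):
  * DNAT is modelled as a fixed "tcp dport 80 -> 192.168.0.8" rewrite,
    standing in for the thread's "Web/DNAT ext int:192.168.0.8" rule.
  * Routing is a two-entry table: 192.168.0.0/24 via eth1, default via eth0.
  * masq lines use the column layout quoted in the thread:
        #INTERFACE SUBNET ADDRESS PROTO PORT(S)
    with '-' (or absence) meaning "any" for PROTO and PORT(S).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class MasqEntry:
    interface: str     # outgoing interface the SNAT applies on
    subnet: str        # source subnet the packet must come from
    address: str       # SNAT (masquerade) address
    proto: str = "-"   # '-' = any protocol
    ports: str = "-"   # '-' = any destination port; comma list otherwise


def parse_masq(text):
    """Parse masq-file lines; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"masq line needs INTERFACE SUBNET ADDRESS: {line!r}")
        entries.append(MasqEntry(*fields[:5]))   # extra columns (IPSEC) ignored
    return entries


def dnat(pkt):
    """Constructed stand-in for 'Web/DNAT ext int:192.168.0.8'."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        return replace(pkt, dst="192.168.0.8")
    return pkt


ROUTES = {"192.168.0.0/24": "eth1", "0.0.0.0/0": "eth0"}   # constructed table


def route(pkt):
    """Pick the outgoing interface by longest-prefix match."""
    dst = ip_address(pkt.dst)
    best = max((ip_network(n) for n in ROUTES if dst in ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def snat(pkt, out_if, entries):
    """Apply the first masq entry whose INTERFACE matches the outgoing
    interface, whose SUBNET contains the packet's *source*, and whose
    PROTO/PORT(S) (if given) match. Otherwise the source is left alone."""
    src = ip_address(pkt.src)
    for e in entries:
        if e.interface != out_if:
            continue
        if src not in ip_network(e.subnet):
            continue
        if e.proto != "-" and e.proto != pkt.proto:
            continue
        if e.ports != "-" and str(pkt.dport) not in e.ports.split(","):
            continue
        return replace(pkt, src=e.address)
    return pkt


def forward(pkt, masq_text):
    """DNAT on arrival, route, then SNAT on the way out. Returns the
    outgoing interface and the packet as the next hop would see it."""
    entries = parse_masq(masq_text)
    pkt = dnat(pkt)
    out_if = route(pkt)
    return out_if, snat(pkt, out_if, entries)


# Constructed stand-in for the masked 67.190.x.x client in the tcpdump line.
CLIENT = Packet(src="67.190.0.1", dst="172.30.12.150", proto="tcp", dport=80)

ORIGINAL = "eth0 172.30.13.0/24 172.30.12.150\n"          # Bill's first masq line
TOMS = "eth0 0.0.0.0/0 172.30.12.150 tcp 80\n"            # Tom's suggestion
FINAL = "eth1 0.0.0.0/0 172.30.13.150 tcp 80\n"           # what Bill used

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("tom", TOMS), ("final", FINAL)):
        out_if, p = forward(CLIENT, text)
        print(f"{label:9} -> out {out_if}: {p.src} -> {p.dst}:{p.dport}")
```

Running it shows the first two entries leaving the source as 67.190.0.1 on eth1 (the interface column never matches the exit interface), while the eth1 entry rewrites it to 172.30.13.150, which is the only source the DMZ firewall will route. Swapping the subnet back to 172.30.13.0/24 on the eth1 entry also leaves the source untouched, which is why a "local subnet" masq line written for outbound LAN traffic does nothing for forwarded Internet connections.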
On Tuesday 18 April 2006 18:47, Tom Eastep wrote:

>
> Yes -- I assumed that you could identify the correct SNAT interface. On
> second look, I see from your interfaces file that eth1 is the local
> interface even though your proposed rule referred to eth0.
>

And I add my apologies for the oversight.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key