Hi, I've used Shorewall as a classic firewall without any problem, but
now I must transfer my server from my office to another server farm, and I need
to use Shorewall to redirect web and email calls from the old address to the
new one.
I have a PC with one NIC; I've read the documentation but
nothing..
The config:
zone:
fuori ipv4
net ipv4
fw firewall
interfaces
net eth0 detect routeback
hosts
fuori eth0:2.2.2.0/24 routeback
Rules
SECTION NEW
DNAT:info net fuori:2.2.2.10 all - - 1.1.1.11
Policy:
fw net ACCEPT
net fw DROP info
fw fuori DROP info
fuori fw DROP info
net fuori DROP info
fuori net DROP info
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:10:A7:13:8B:3F
inet addr:1.1.1.254 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:172570 errors:0 dropped:0 overruns:0 frame:0
TX packets:7111 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11876546 (11.3 MiB) TX bytes:3215960 (3.0 MiB)
Interrupt:5 Base address:0xc000
eth0:1 Link encap:Ethernet HWaddr 00:10:A7:13:8B:3F
inet addr:1.1.1.11 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0xc000
Logwatch says:
Oct 23 07:48:52 net_dnat:DNAT:IN=eth0 OUT= SRC=20.20.20.20 DST=1.1.1.11
LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=46360 DF PROTO=TCP SPT=41873 DPT=80
WINDOW=5840 RES=0x00 SYN URGP=0
--
Roberto Tagliaferri
Responsabile Progettazione & Produzione
TosNet s.r.l. - Internet Service Provider
r.tagliaferri@tosnet.it
www.tosnet.it
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Roberto Tagliaferri wrote:
> Logwatch says:
>
> Oct 23 07:48:52 net_dnat:DNAT:IN=eth0 OUT= SRC=20.20.20.20 DST=1.1.1.11
> LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=46360 DF PROTO=TCP SPT=41873 DPT=80
> WINDOW=5840 RES=0x00 SYN URGP=0

So draw yourself a picture.

a) 20.20.20.20 connects to 1.1.1.11.
b) The connection is redirected to 2.2.2.10
c) 2.2.2.10 replies to the request
d) 20.20.20.20 receives the reply from 2.2.2.10

What do you suppose 20.20.20.20 does with that reply? It throws it away, of
course, because it has sent no requests to 2.2.2.10.

This is Shorewall FAQ 2 applied to the net zone rather than the loc zone. And
the same kludgy hack is required to make it work (you must make all redirected
requests look as if they came from 1.1.1.11 (or 1.1.1.254).

Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
do that.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
> do that.
>
> -Tom

I left the masq file empty :-(

Now it's ok:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth0:1 1.1.1.11

Thanks
--
Roberto Tagliaferri
Responsabile Progettazione & Produzione
TosNet s.r.l. - Internet Service Provider
r.tagliaferri@tosnet.it
www.tosnet.it
Roberto Tagliaferri wrote:
> Tom Eastep wrote:
>> Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
>> do that.
>>
>> -Tom
>>
> I left the masq file empty :-(
>
> Now it's ok:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth0 eth0:1 1.1.1.11

I very much doubt that the rule you show above does what you really want.

In your case, I would have something like:

eth0 !<local systems> 1.1.1.11

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Roberto Tagliaferri wrote:
>
>> Tom Eastep wrote:
>>
>>> Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
>>> do that.
>>>
>>> -Tom
>>>
>> I left the masq file empty :-(
>>
>> Now it's ok:
>>
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth0 eth0:1 1.1.1.11
>>
>
> I very much doubt that the rule you show above does what you really want.
>
> In your case, I would have something like:
>
> eth0 !<local systems> 1.1.1.11
>
> -Tom

:-) It's true...
Now (with !<local>) it works fine for external IPs, and with

eth0 <local systems> 1.1.1.11

it works for internal addresses; on the remote server the client is 1.1.1.11

Many many thanks
--
Roberto Tagliaferri
Responsabile Progettazione & Produzione
TosNet s.r.l. - Internet Service Provider
r.tagliaferri@tosnet.it
www.tosnet.it
Roberto Tagliaferri wrote:
> Tom Eastep wrote:
>> Roberto Tagliaferri wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
>>>> do that.
>>>>
>>>> -Tom
>>>>
>>> I left the masq file empty :-(
>>>
>>> Now it's ok:
>>>
>>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>>> eth0 eth0:1 1.1.1.11
>>>
>>
>> I very much doubt that the rule you show above does what you really want.
>>
>> In your case, I would have something like:
>>
>> eth0 !<local systems> 1.1.1.11
>>
>> -Tom
>>
> :-) It's true...
> Now (with !<local>) it works fine for external IPs, and with
>
> eth0 <local systems> 1.1.1.11
>
> it works for internal addresses; on the remote server the client is 1.1.1.11
>
> Many many thanks

Note that you could make your masq rules even tighter:

eth0:2.2.2.10 ....

That way, only traffic destined for 2.2.2.10 would have the source IP rewritten.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Roberto Tagliaferri wrote:
>
>> Tom Eastep wrote:
>>
>>> Roberto Tagliaferri wrote:
>>>
>>>> Tom Eastep wrote:
>>>>
>>>>> Without seeing your /etc/shorewall/masq file, I can't tell you the best way to
>>>>> do that.
>>>>>
>>>>> -Tom
>>>>>
>>>> I left the masq file empty :-(
>>>>
>>>> Now it's ok:
>>>>
>>>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>>>> eth0 eth0:1 1.1.1.11
>>>>
>>> I very much doubt that the rule you show above does what you really want.
>>>
>>> In your case, I would have something like:
>>>
>>> eth0 !<local systems> 1.1.1.11
>>>
>>> -Tom
>>>
>> :-) It's true...
>> Now (with !<local>) it works fine for external IPs, and with
>>
>> eth0 <local systems> 1.1.1.11
>>
>> it works for internal addresses; on the remote server the client is 1.1.1.11
>>
>> Many many thanks
>>
>
> Note that you could make your masq rules even tighter:
>
> eth0:2.2.2.10 ....
>
> That way, only traffic destined for 2.2.2.10 would have the source IP rewritten.
>
> -Tom

Yes, for every server that I move from my location to the new webfarm I add the
old IP as an alias on the "bridge" PC; when DNS has propagated, the traffic moves
from the old IP to the new one
--
Roberto Tagliaferri
Responsabile Progettazione & Produzione
TosNet s.r.l. - Internet Service Provider
r.tagliaferri@tosnet.it
www.tosnet.it
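The reply path Tom walks through in a) to d), and the effect of the masq rules discussed afterwards, as an added example that is not part of the list thread: a small Python model of the bridge box's DNAT, SNAT and connection tracking using the thread's own addresses (bridge at 1.1.1.254 with the old server IP 1.1.1.11 as an alias, moved server at 2.2.2.10, Internet client 20.20.20.20). The local client 1.1.1.50 and the unrelated destination 30.30.30.30 are constructed values; the three masq policies stand in for an empty masq file, Tom's `eth0 !<local systems> 1.1.1.11` line, and his tighter `eth0:2.2.2.10` variant. This models the packet flow only; it is neither Shorewall nor netfilter code.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

# Addresses from the thread. The bridge keeps the old server IP as eth0:1.
BRIDGE_ADDRS = {"1.1.1.254", "1.1.1.11"}
OLD_IP = "1.1.1.11"      # alias on the bridge, still what DNS resolves to
NEW_IP = "2.2.2.10"      # the server at the new farm
LOCAL_PREFIX = "1.1.1."  # stands in for the 1.1.1.0/24 "local systems" set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)


# masq policies: rewrite the source to OLD_IP when the predicate holds on the
# packet as it looks after DNAT (i.e. in POSTROUTING).
def masq_none(p: Packet) -> bool:           # empty /etc/shorewall/masq
    return False


def masq_not_local(p: Packet) -> bool:      # eth0 !<local systems> 1.1.1.11
    return not is_local(p.src)


def masq_to_new_server(p: Packet) -> bool:  # eth0:2.2.2.10 <any> 1.1.1.11
    return p.dst == NEW_IP


class Bridge:
    """DNAT old->new, optional SNAT, and a conntrack table for un-NATing replies."""

    def __init__(self, masq: Callable[[Packet], bool]) -> None:
        self.masq = masq
        # reply 4-tuple we expect back -> the packet as the client originally sent it
        self.table: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward(self, p: Packet) -> Packet:
        out = replace(p, dst=NEW_IP) if p.dst == OLD_IP else p  # PREROUTING DNAT
        if self.masq(out):
            out = replace(out, src=OLD_IP)                       # POSTROUTING SNAT
        self.table[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Map a reply that reached the bridge back to what the client expects."""
        orig = self.table.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None  # no conntrack entry: the bridge would drop it
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(seen: Packet) -> Packet:
    """2.2.2.10 answers whoever the request appeared to come from."""
    return Packet(src=seen.dst, dst=seen.src, sport=seen.dport, dport=seen.sport)


def simulate(masq: Callable[[Packet], bool], client_ip: str,
             sport: int = 41873, dport: int = 80) -> Tuple[bool, str]:
    """Return (client accepts the reply, source IP the moved server saw)."""
    bridge = Bridge(masq)
    request = Packet(client_ip, OLD_IP, sport, dport)
    seen = bridge.forward(request)
    reply = server_reply(seen)
    if reply.dst in BRIDGE_ADDRS:          # reply routes back through the bridge
        reply = bridge.reverse(reply)
        if reply is None:
            return False, seen.src
    # Otherwise the reply goes straight to the client; the client only accepts a
    # reply that matches the connection it opened, i.e. one from OLD_IP.
    expected = Packet(OLD_IP, client_ip, dport, sport)
    return reply == expected, seen.src


if __name__ == "__main__":
    for name, policy in [("no masq", masq_none),
                         ("!<local systems>", masq_not_local),
                         ("eth0:2.2.2.10", masq_to_new_server)]:
        for client in ("20.20.20.20", "1.1.1.50"):
            ok, src_seen = simulate(policy, client)
            print(f"{name:18} client {client:12} -> "
                  f"{'works' if ok else 'reply discarded':16} server saw {src_seen}")
```

The "no masq" row reproduces the log line in the thread: the SYN is DNATed, but the reply from 2.2.2.10 reaches 20.20.20.20 directly and is discarded. The `!<local systems>` row shows why Roberto needed a second masq line for internal hosts, and the `eth0:2.2.2.10` row shows that a destination-scoped rule leaves forwarded traffic to any other destination untouched.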