Garby Trash
2006-Dec-04 07:21 UTC
Single IP, multiple servers, servers in DMZ not behaving properly
Dear Friends:
I am very new to shorewall stuff. I am trying to create (obviously for
the first time) a home datacenter with a setup like below:
+--------+
| ADSL |
| Modem |
+---+----+
|
eth0: 81.216.202.218
+------+--------+
| OpenVZ box w |____DMZ connected
| HN as firewall| |with xover
+-and VPSes --+ |cable
LOC | eth2: 192.168.1.254
eth1: 192.168.0.254 | +-----+---+
+------.............. | |
|local router+gw 192.168.1.250
+--+---+ +---------+
192.168.2.254
|
|___|_______+
| |
| |
| |
+-----+ +---+---+
| | | |
+-----+ +-------+
192.168.2.0/24
I want to make the 192.168.1.250 (a trixbox voip server) as well as
other webservers in the firewall+router cum OpenVZ box with several
virtual servers in the DMZ zone accessible to the world and vice
versa.
I did everything I could in the rules and policy. When I port
forwarded dmz:192.168.1.250 in rules, the rest in DMZ including $FW
itself became unavailable. On the other hand the voip server could
connect to the remote voip terminator, but could not pass through the
audio. I tried to separately port forward the necessary ports (namely
udp 5060-5088 for sip, udp 8000-20000 for rtp and 4569 for iax and tcp
25 and 110 for smtp and pop respectively). But none worked.
I shall be obliged if any of the shorewall gurus could help me with how to
host several servers (voip and webserver with VPSes inside).
Kindly guide me. Please let me inform you that these are CentOS 4.4-based
machines with Shorewall 3.0.7; the output of some of the commands
is below:
# ip addr show
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:8b:90:16:21 brd ff:ff:ff:ff:ff:ff
inet 81.216.202.218/27 brd 81.216.202.223 scope global eth0
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:4c:39:25:2c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
8: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:f0:c1:52 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth2
1: venet0: <BROADCAST,POINTOPOINT,NOARP,UP> mtu 1500 qdisc noqueue
link/void
# ip route show
81.216.202.192/27 dev eth0 proto kernel scope link src 81.216.202.218
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.254
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254
169.254.0.0/16 dev eth2 scope link
default via 81.216.202.193 dev eth0
Kindly let me know if I need to furnish any more information to get my
home network running. Thank you.
With best regards,
GT
Tom Eastep
2006-Dec-04 15:38 UTC
Re: Single IP, multiple servers, servers in DMZ not behaving properly
Garby Trash wrote:
> Dear Friends:
>
> I am very new to shorewall stuff. I am trying to create (obviously for
> the first time) a home datacenter with a setup like below:
>
> [diagram snipped]
>
> I want to make the 192.168.1.250 (a trixbox voip server) as well as
> other webservers in the firewall+router cum OpenVZ box with several
> virtual servers in the DMZ zone accessible to the world and vice
> versa.

Given that you have only one IP address, the webserver solution has nothing to do with Shorewall. You need to run an HTTP proxy on the Shorewall box that can route requests based on host name. Apache can offer this type of service and I believe that Squid can also.

> I did everything I could in the rules and policy. When I port
> forwarded dmz:192.168.1.250 in rules, the rest in DMZ including $FW
> itself became unavailable.

That's expected. Each connection to a particular (protocol,port) pair can either be sent to exactly one place or it can be spread among several destinations in round-robin or random fashion (Shorewall only supports round-robin). Using an IP-only solution like Netfilter/Shorewall, those are your only choices. So if you forward connections for (tcp,80) to 192.168.1.250, all HTTP connections will go there.

> On the other hand the voip server could
> connect to the remote voip terminator, but could not pass through the
> audio. I tried to separately port forward the necessary ports (namely
> udp 5060-5088 for sip, udp 8000-20000 for rtp and 4569 for iax and tcp
> 25 and 110 for smtp and pop respectively. But none worked.

"It didn't work" isn't a problem report. We need to see the information asked for in http://www.shorewall.net/support.htm#Guidelines. But before you send that, you may want to spend a little time with http://www.shorewall.net/troubleshoot.htm.

Also for the VOIP issue, I suggest that you look in the mailing list archives -- I believe that Paul Gear posted definitive instructions a while back.

> I shall be obliged if any of the shorewall gurus could help me how to
> host several servers (voip and webserver with VPSes inside).

Again -- using an IP-only solution, all of your webservers would need to have the same content since you can't determine in advance which server is going to handle a given connection (unless you use non-standard port numbers to access some of your servers).

You might also take a look at the port-forwarding troubleshooting tips in Shorewall FAQs 1a and 1b.

I very much suspect that you are the first Shorewall user to even attempt to use OpenVZ. Seems like virtualization products are multiplying like rabbits these days. Anyone else used this with Shorewall? I notice that the installation instructions specifically instruct the user to disable the RedHat/Fedora firewall on the HN.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
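To make Tom's point concrete, here is an added Shorewall 3.x /etc/shorewall/rules fragment (written for this page, not taken from the thread or from the Shorewall project). It assumes the zones are named net, loc and dmz (the post only shows dmz and $FW) and that a name-based reverse proxy such as Apache runs on the firewall host itself; the VoIP ports are the ones the original post lists, and IAX2 is carried over UDP.

```text
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
#
# VoIP: each (protocol,port) pair below can be forwarded to exactly ONE host,
# so these all go to the trixbox and nothing else behind the single public
# address can be reached on them from the outside.
DNAT      net      dmz:192.168.1.250    udp     5060:5088
DNAT      net      dmz:192.168.1.250    udp     8000:20000
DNAT      net      dmz:192.168.1.250    udp     4569
DNAT      net      dmz:192.168.1.250    tcp     25,110
#
# Web: tcp/80 is deliberately NOT DNATed into the DMZ. It terminates on the
# firewall, where the name-based proxy chooses a backend from the Host header.
ACCEPT    net      $FW                  tcp     80
#
# The proxy on the firewall must itself be allowed to reach the DMZ web servers
# (the VPSes); nothing else from the net zone reaches them directly.
ACCEPT    $FW      dmz                  tcp     80
```

Every other inbound port stays governed by the net->dmz and net->$FW policies, which is why a catch-all DNAT for 192.168.1.250 made $FW and the rest of the DMZ unreachable on those ports.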
Tom Eastep
2006-Dec-04 19:24 UTC
Re: Single IP, multiple servers, servers in DMZ not behaving properly
Tom Eastep wrote:
> Garby Trash wrote:
>
>> On the other hand the voip server could
>> connect to the remote voip terminator, but could not pass through the
>> audio. I tried to separately port forward the necessary ports (namely
>> udp 5060-5088 for sip, udp 8000-20000 for rtp and 4569 for iax and tcp
>> 25 and 110 for smtp and pop respectively. But none worked.
>
> "It didn't work" isn't a problem report. We need to see the information asked
> for in http://www.shorewall.net/support.htm#Guidelines. But before you send
> that, you may want to spend a little time with
> http://www.shorewall.net/troubleshoot.htm.
>
> Also for the VOIP issue, I suggest that you look in the mailing list archives --
> I believe that Paul Gear posted definitive instructions a while back.

Paul's post covered SIP only and was posted on 7/17/2006 (the current SF mailing list archives issues won't prevent you from finding it).

If Shorewall is blocking any requests, then they should be showing up in your log.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
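Tom's last sentence is the practical check: blocked packets appear in the kernel log with a `Shorewall:<chain>:<disposition>:` prefix. The script below is an added example (not part of the thread or of Shorewall) that parses such lines and summarises what was dropped on the way to a given DMZ host; the log lines are constructed, using the addresses from the original post and RFC 5737 documentation addresses for the remote peers.

```python
import re
from collections import Counter

# Shorewall 3.x prefixes each netfilter log line with "Shorewall:<chain>:<disposition>:"
# followed by the kernel's IN= OUT= SRC= DST= PROTO= SPT= DPT= fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<action>\w+):(?P<fields>.*)$")

# Constructed sample: hosts from the post, remote peers from RFC 5737 documentation space.
SAMPLE_LOG = """\
Dec  4 07:10:01 hn kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.1.250 LEN=328 TOS=0x00 TTL=54 PROTO=UDP SPT=5060 DPT=5060 LEN=308
Dec  4 07:10:02 hn kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=54 PROTO=UDP SPT=16384 DPT=10010 LEN=180
Dec  4 07:10:03 hn kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=81.216.202.218 LEN=60 TOS=0x00 TTL=49 PROTO=TCP SPT=44122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 07:10:04 hn kernel: Shorewall:net2dmz:DROP:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=54 PROTO=UDP SPT=16384 DPT=10010 LEN=180
Dec  4 07:10:05 hn kernel: eth0: link up
"""

def parse_line(line):
    """Return chain, disposition and packet fields of a Shorewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "dport": int(kv["DPT"]) if "DPT" in kv else None}

def summarise(log_text):
    """Count DROP/REJECT hits per (chain, disposition, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] in ("DROP", "REJECT"):
            counts[(rec["chain"], rec["action"], rec["proto"], rec["dport"])] += 1
    return counts

def blocked_to_host(log_text, host):
    """Sorted (proto, dport) pairs the firewall blocked on the way to one host."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return sorted({(r["proto"], r["dport"]) for r in recs
                   if r and r["dst"] == host and r["action"] in ("DROP", "REJECT")})

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items()):
        print(key, n)
    print(blocked_to_host(SAMPLE_LOG, "192.168.1.250"))
```

Run it against /var/log/messages (or wherever syslog puts kernel messages) to see which SIP/RTP ports are still being dropped instead of guessing which rule is missing.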