Hello all, my first post so be gentle.... I was asked to restructure a few things here at work... after some consideration and no budget... I came up with this that I thought was good...

I have a Linux box named Megs. This box has 4 public IPs on it (one main and 3 aliases) on one NIC. I then have 2 (what I call front end servers, Peter & Lois), also with one NIC each, and one NFS server (Joe) with one NIC. What I do is, everyone's domain has the same entries like this..

    domain.com        xxx.xxx.xxx.148   used for web services
    domain.com's MX   xxx.xxx.xxx.147   for mail services

Now Megs has both those IPs, plus its own IP of xxx.xxx.xxx.146. My plan was this: have everything go to Megs and then redirect to the other servers (all on the same network, but not using 2 NICs or NAT, as it made it hard to fix remotely if something broke, and that is important here, being able to do everything remotely). So I use Shorewall on all servers and block everything except certain ports for certain machines (Peter, Lois, Joe).... i.e. only Peter will accept HTTP requests from Megs and nowhere else.... I figure this was not a bad setup for them at this time....

So now I have this sort of working, but I am using another program named rinetd to do the port redirections, and this works great for http, smtp, pop and imap. Now I figured Shorewall can do redirect too, however when it was set up I did not think of this at the time.... But now I ran into a problem: rinetd does not do ftp, so now I have to allow some users directly over to the NFS server for now...

So now my questions are...

Can Shorewall do the redirects using only one NIC on Megs? So I can get rid of rinetd?

Would I need to radically change my below configs to do this....

See below for my configs... I thank everyone for being patient with me.... Thanks again and have a great day!

Rules file

    #ACTION       SOURCE                                                DEST   PROTO   DEST PORT(S)
    # This is used so all on our local lan is accepted
    ACCEPT        net:xxx.xxx.xxx.145/28                                $FW
    # Reject Ping from the "bad" net zone..
    # and prevent your log from being flooded..
    # (ping is only accepted from our LAN and .163; everything else hits the net->$FW DROP policy)
    Ping/ACCEPT   net:xxx.xxx.xxx.145/28,xxx.xxx.xxx.163                $FW
    # Permit all ICMP traffic FROM the firewall TO the net zone
    ACCEPT        $FW                                                   net    icmp
    # For ssh connections
    ACCEPT        net:xxx.xxx.xxx.164,xxx.xxx.xxx.182,xxx.xxx.xxx.163,xxx.xxx.xxx.145/28,192.168.2.0/24   $FW   tcp   22
    # Mail connections
    ACCEPT        net                                                   $FW    tcp     25
    ACCEPT        net                                                   $FW    tcp     110
    ACCEPT        net                                                   $FW    tcp     143
    # DNS connections
    #ACCEPT       net                                                   $FW    udp     53
    # web connections
    ACCEPT        net                                                   $FW    tcp     80
    FTP/ACCEPT    net                                                   $FW

Policy file

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    $FW       net    ACCEPT
    net       $FW    DROP     info
    net       all    DROP     info
    # The FOLLOWING POLICY MUST BE LAST
    all       all    REJECT   info

Zones file

    #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
    fw      firewall
    net     ipv4

Interfaces file

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs

Rob Morin
Director of Technologies
Dido Internet Inc.
Montreal, Canada
http://www.dido.ca
514-990-4444

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Rob Morin wrote:
> So now my questions are...
>
> Can Shorewall do the redirects using only one NIC on Megs? So I can get
> rid of rinetd?

Yes -- see Shorewall FAQ 2 (replace 'loc' in that faq by 'net').

> Would I need to radically change my below configs to do this....

See Shorewall FAQ 2. But note that using the FAQ 2 hack will have the same limitation as rinetd; namely that the real servers' logs don't reflect the actual client IP address but rather make the redirected requests appear to originate on 'megs'.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Right, I see, so let's say for example, web stats will always seem like the client is Megs.... I guess bad if you want to know where hits are coming from.....

So how would one get around this, in any situation, mine or another setup?

Just wondering then...

Rob Morin
Director of Technologies
Dido Internet Inc.
Montreal, Canada
http://www.dido.ca
514-990-4444

Tom Eastep wrote:
> Rob Morin wrote:
>
>> So now my questions are...
>>
>> Can Shorewall do the redirects using only one NIC on Megs? So I can get
>> rid of rinetd?
>
> Yes -- see Shorewall FAQ 2 (replace 'loc' in that faq by 'net').
>
>> Would I need to radically change my below configs to do this....
>
> See Shorewall FAQ 2. But note that using the FAQ 2 hack will have the same
> limitation as rinetd; namely that the real servers' logs don't reflect the
> actual client IP address but rather make the redirected requests appear to
> originate on 'megs'.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Tue, Oct 30, 2007 at 11:45:19AM -0700, Tom Eastep wrote:
>> Would I need to radically change my below configs to do this....
>
> See Shorewall FAQ 2. But note that using the FAQ 2 hack will have the same
> limitation as rinetd; namely that the real servers' logs don't reflect the
> actual client IP address but rather make the redirected requests appear to
> originate on 'megs'.

And it's all completely unnecessary because you have enough public IP addresses to do this without any kind of NAT redirection. Just assign one address to each of the hosts, and route the traffic through the firewall. Life is always easier without NAT.
Rob Morin wrote:
> Right, I see, so let's say for example, web stats will always seem like the
> client is Megs.... I guess bad if you want to know where hits are coming
> from.....
>
> So how would one get around this, in any situation, mine or another setup?
>
> Just wondering then...

Do it right -- use a conventional two-interface firewall/gateway.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Oct 30, 2007 at 12:12:19PM -0700, Tom Eastep wrote:
> Rob Morin wrote:
>> Right, I see, so let's say for example, web stats will always seem like the
>> client is Megs.... I guess bad if you want to know where hits are coming
>> from.....
>>
>> So how would one get around this, in any situation, mine or another setup?
>>
>> Just wondering then...
>
> Do it right -- use a conventional two-interface firewall/gateway.

With enough public addresses for every host and suitable routing on the inbound path, you don't even need a two-interface host. Although it's still a good idea to use one, so that it's a proper firewall.
Andrew Suffield wrote:
> On Tue, Oct 30, 2007 at 12:12:19PM -0700, Tom Eastep wrote:
>> Rob Morin wrote:
>>> Right, I see, so let's say for example, web stats will always seem like the
>>> client is Megs.... I guess bad if you want to know where hits are coming
>>> from.....
>>>
>>> So how would one get around this, in any situation, mine or another setup?
>>>
>>> Just wondering then...
>> Do it right -- use a conventional two-interface firewall/gateway.
>
> With enough public addresses for every host and suitable routing on
> the inbound path, you don't even need a two-interface host. Although
> it's still a good idea to use one, so that it's a proper firewall.

And if inbound routing is through a single IP address, Proxy ARP is easy to use if a two-interface firewall is to be used.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Suffield wrote:
>> On Tue, Oct 30, 2007 at 12:12:19PM -0700, Tom Eastep wrote:
>>> Rob Morin wrote:
>>>> Right, I see, so let's say for example, web stats will always seem like the
>>>> client is Megs.... I guess bad if you want to know where hits are coming
>>>> from.....
>>>>
>>>> So how would one get around this, in any situation, mine or another setup?
>>>>
>>>> Just wondering then...
>>> Do it right -- use a conventional two-interface firewall/gateway.
>> With enough public addresses for every host and suitable routing on
>> the inbound path, you don't even need a two-interface host. Although
>> it's still a good idea to use one, so that it's a proper firewall.
>
> And if inbound routing is through a single IP address, Proxy ARP is easy
> to use if a two-interface firewall is to be used.

Make that:

And if inbound routing is _not_ through a single IP address, Proxy ARP is easy to use if a two-interface firewall is to be used.

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Yes, I agree, I'd rather not use NAT, but how do I configure Megs to redirect http traffic to another host on the same network with one NIC? Sorry, I am new to Shorewall...

However I also want to use either PEN, Pound or Balance for load balancing too, between the 2 front end servers...

Rob Morin
Director of Technologies
Dido Internet Inc.
Montreal, Canada
http://www.dido.ca
514-990-4444

Andrew Suffield wrote:
> On Tue, Oct 30, 2007 at 11:45:19AM -0700, Tom Eastep wrote:
>
>>> Would I need to radically change my below configs to do this....
>>
>> See Shorewall FAQ 2. But note that using the FAQ 2 hack will have the same
>> limitation as rinetd; namely that the real servers' logs don't reflect the
>> actual client IP address but rather make the redirected requests appear to
>> originate on 'megs'.
>
> And it's all completely unnecessary because you have enough public IP
> addresses to do this without any kind of NAT redirection. Just assign
> one address to each of the hosts, and route the traffic through the
> firewall. Life is always easier without NAT.
On Tue, Oct 30, 2007 at 03:34:49PM -0400, Rob Morin wrote:
> Yes, I agree, I'd rather not use NAT, but how do I configure Megs to
> redirect http traffic to another host on the same network with one NIC?

You don't. You use the internet like it was originally designed to be used, and route all traffic to that http server's public address to that server. No redirection involved, just normal routing.

You only need NAT or some other form of redirection when you don't have enough addresses, or need to remap port numbers, neither of which is the case here.

You simply have to remove all the aliased addresses, give each address to the host that is supposed to receive traffic to that address, and insert the relevant entries in the routing tables. You may also need to do something with proxy arp if the inbound routing is not sane.
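What Andrew and Tom describe, laid out as Shorewall files, as an added example that is not from the thread or from the Shorewall documentation. On a single shared segment Andrew's version needs nothing on Megs beyond dropping the alias addresses and giving .147 and .148 to the hosts that serve them. The block below shows the two-interface variant they both refer to: an assumed second NIC eth1 on Megs faces Peter, Lois and Joe, each keeping its public address, and Proxy ARP makes Megs answer for those addresses on eth0 so the upstream router needs no change. No NAT is involved, so the servers' logs show the real client address. The eth1 interface, the dmz zone name and the per-host assignments are assumptions for this example.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4

# /etc/shorewall/interfaces -- eth1 is an assumed second NIC on Megs
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs
dmz     eth1        detect      tcpflags,logmartians,nosmurfs

# /etc/shorewall/proxyarp -- Megs answers ARP on eth0 for these addresses and
# forwards them to eth1; HAVEROUTE=No lets Shorewall add the host routes itself.
# Peter keeps xxx.xxx.xxx.148 and Lois keeps xxx.xxx.xxx.147 on their own NIC,
# with Megs's eth0 address as their default gateway (assumed layout).
#ADDRESS           INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
xxx.xxx.xxx.148    eth1        eth0       No
xxx.xxx.xxx.147    eth1        eth0       No

# /etc/shorewall/policy -- nothing reaches the servers unless a rule allows it
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       all    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
dmz       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules -- plain routing, so the client address arrives unchanged
#ACTION   SOURCE   DEST                   PROTO   DEST PORT(S)
ACCEPT    net      dmz:xxx.xxx.xxx.148    tcp     80
ACCEPT    net      dmz:xxx.xxx.xxx.147    tcp     25,110,143
```

Because every inbound packet now carries its real source address, the per-host Shorewall rules Rob already runs on Peter and Lois would have to allow the service ports from net rather than from Megs only; Megs remains the single choke point because all of it still passes through eth0 to eth1.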
Rob Morin wrote:
> Yes, I agree, I'd rather not use NAT, but how do I configure Megs to
> redirect http traffic to another host on the same network with one NIC?

We've already told you how to do that. You follow Shorewall FAQ 2 but rather than use the 'loc' zone as described in the FAQ, you use the 'net' zone.

Summary:

a) Set the 'routeback' interface option on the one NIC in /etc/shorewall/interfaces.
b) Add the appropriate DNAT rules to redirect the traffic.
c) Add an entry to /etc/shorewall/masq that sets the source IP address on all outgoing traffic (on the one NIC) that doesn't originate from one of the firewall's IP addresses (Hint: Place !ip1,ip2,... in the SOURCE column. Hopefully you are using a recent enough Shorewall release that it isn't called the SUBNET column in your file).

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
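Tom's three steps written out for Rob's addressing, as an added example that is not from the thread or from the Shorewall FAQ. It keeps Megs's addresses from the first post (xxx.xxx.xxx.146, .147 and .148 on eth0) and assumes xxx.xxx.xxx.150 for Peter, .151 for Lois and .152 for Joe on the same segment; the column names are those of the newer Shorewall files Tom mentions (SOURCE, not SUBNET, in masq).

```text
# /etc/shorewall/interfaces -- step (a): routeback allows traffic that came in
# on eth0 to be sent back out eth0 to a server on the same segment
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routeback,norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs

# /etc/shorewall/rules -- step (b): DNAT each service address to the real host.
# Peter (.150), Lois (.151) and Joe (.152) are assumed addresses for this example.
#ACTION   SOURCE   DEST                   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
# web on .148 -> Peter
DNAT      net      net:xxx.xxx.xxx.150    tcp     80             -                xxx.xxx.xxx.148
# smtp/pop3/imap on .147 -> Lois
DNAT      net      net:xxx.xxx.xxx.151    tcp     25,110,143     -                xxx.xxx.xxx.147
# ftp on .148 -> Joe (what rinetd could not do); the data connection is only
# followed if the kernel FTP connection-tracking helper is loaded
DNAT      net      net:xxx.xxx.xxx.152    tcp     21             -                xxx.xxx.xxx.148

# /etc/shorewall/masq -- step (c): everything leaving eth0 that does not already
# come from one of Megs's own addresses gets Megs's address as its source, so the
# servers answer via Megs and the connection-tracking entry matches. This is
# exactly why Peter, Lois and Joe log every hit as coming from xxx.xxx.xxx.146.
#INTERFACE   SOURCE                                             ADDRESS
eth0         !xxx.xxx.xxx.146,xxx.xxx.xxx.147,xxx.xxx.xxx.148   xxx.xxx.xxx.146
```

With this in place the per-host rules Rob already runs on Peter, Lois and Joe (accept the service port from Megs only) keep working unchanged, since every redirected connection reaches them from xxx.xxx.xxx.146; the price, as Tom says, is that the real client address is only visible in Megs's own connection tracking and log, not on the servers.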
Hmmm........ I used HAProxy to forward HTTP requests to my backend servers... it also forwards the originating IP address, it took 10 mins to set up.... However I still have the dilemma of mail originating IPs: pop3, imap, smtp...

Thanks to all who replied.... Have a great day!

Rob Morin
Director of Technologies
Dido Internet Inc.
Montreal, Canada
http://www.dido.ca
514-990-4444

Tom Eastep wrote:
> Rob Morin wrote:
>
>> Yes, I agree, I'd rather not use NAT, but how do I configure Megs to
>> redirect http traffic to another host on the same network with one NIC?
>
> We've already told you how to do that. You follow Shorewall FAQ 2 but rather
> than use the 'loc' zone as described in the FAQ, you use the 'net' zone.
>
> Summary:
>
> a) Set the 'routeback' interface option on the one NIC in
> /etc/shorewall/interfaces.
> b) Add the appropriate DNAT rules to redirect the traffic.
> c) Add an entry to /etc/shorewall/masq that sets the source IP address on
> all outgoing traffic (on the one NIC) that doesn't originate from one of the
> firewall's IP addresses (Hint: Place !ip1,ip2,... in the SOURCE column.
> Hopefully you are using a recent enough Shorewall release that it isn't
> called the SUBNET column in your file).
>
> -Tom
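Rob's HAProxy approach in outline, as an added example that is not his configuration: HAProxy on Megs listens on the web address, balances Peter and Lois (assumed addresses xxx.xxx.xxx.150 and .151), and inserts the client address in an X-Forwarded-For header; an Apache LogFormat on the back ends records that header instead of Megs's address. The header is only trustworthy because Rob's Shorewall rules on Peter and Lois accept port 80 from Megs alone; HAProxy appends to any X-Forwarded-For a client sends, so the last address in the header is the one HAProxy actually saw. The keyword syntax is that of current HAProxy releases.

```text
# /etc/haproxy/haproxy.cfg on Megs (example; back-end addresses are assumed)
global
    daemon
    maxconn 1024

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    option  forwardfor            # append the client address as X-Forwarded-For

frontend web
    bind xxx.xxx.xxx.148:80       # the address everyone's domain.com points at
    default_backend front_ends

backend front_ends
    balance roundrobin
    server peter xxx.xxx.xxx.150:80 check
    server lois  xxx.xxx.xxx.151:80 check

# Apache on Peter and Lois: log the forwarded address instead of Megs's.
# %{X-Forwarded-For}i logs the whole header, so a value injected by the client
# shows up as "injected, real-client"; the last entry is the one to trust.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
CustomLog /var/log/apache2/access.log proxied
```

This only helps for HTTP: SMTP, POP3 and IMAP carry no equivalent header, so a TCP-level proxy on Megs still presents xxx.xxx.xxx.146 to the mail server, which is the part of Rob's dilemma the thread leaves open.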