I have a firewall box with four NIC cards. eth0 is connected to a fiber modem through which I connect to the ISP using pppoe and gets its static IP through dhcp, giving me ppp0; eth1 is my home network on 192.168.3/24; eth2 is my office network on 10.1.1/24; and eth3 is my dmz on 172.16.1/24.

I am running a dhcp server for the 192.168.3/24 and 10.1.1/24 networks. I am running dansguardian/squid for the 192.168.3/24 network and squid for the 10.1.1/24 network. Servers in the dmz have static IP addresses and are using proxyarp through shorewall. I also have a pptp vpn for outside access to the offic network.

Here is my interfaces file:

net     ppp0    -               norfc1918,blacklist
home    eth1    192.168.3.255   dhcp
offic   eth2    10.1.1.255      dhcp
dmz     eth3    172.16.1.255
offic   ppp+

The problem I am seeing is that when I enable the shorewall rules to redirect the port 80 traffic from the home and offic zones through dansguardian on port 8080 and squid on port 3128 respectively, I cannot reach the web servers on the machines in the dmz from the outside world.

The redirect rules are:

REDIRECT  home   8080  tcp  http
ACCEPT    home   fw    tcp  8080
ACCEPT    fw     fw    tcp  3128
# these rules are probably not needed
# as the policy for net to fw is DROP
DROP      net    fw    tcp  8080
DROP      net    fw    tcp  3128
REDIRECT  offic  3128  tcp  http
ACCEPT    offic  fw    tcp  3128

I have rules for the machines in the dmz to accept:

ACCEPT  net  dmz:166.70.103.226  tcp  ssh
ACCEPT  net  dmz:166.70.103.226  tcp  ftp,ftp-data
ACCEPT  net  dmz:166.70.103.226  tcp  http
ACCEPT  net  dmz:166.70.103.226  tcp  https
# allow ping/traceroute
Ping/ACCEPT   net  dmz:166.70.103.226
Trcrt/ACCEPT  net  dmz:166.70.103.226
ACCEPT  net  dmz:166.70.103.238  tcp  ssh
ACCEPT  net  dmz:166.70.103.238  tcp  ftp,ftp-data
ACCEPT  net  dmz:166.70.103.238  tcp  domain
ACCEPT  net  dmz:166.70.103.238  udp  domain
ACCEPT  net  dmz:166.70.103.238  tcp  http
ACCEPT  net  dmz:166.70.103.238  tcp  https
# allow ping/traceroute
Ping/ACCEPT   net  dmz:166.70.103.238
Trcrt/ACCEPT  net  dmz:166.70.103.238

Traffic to the dmz machines works fine on the other ports, and when I disable the redirects for the outgoing port 80 traffic on the home and offic zones, incoming port 80 to the dmz machines works fine.

Any help on what I am configuring wrong will be greatly appreciated.

--Richard

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
rpyne@shopsite.com wrote:
> I have a firewall box with four NIC cards, eth0 is connected to a
> fiber modem through which I connect to the ISP using pppoe and gets
> its static IP through dhcp, giving me ppp0, eth1 is my home network
> on 192.168.3/24, eth2 is my office network on 10.1.1/24, and eth3 is
> my dmz on 172.16.1/24
>
> I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
> networks. I am running dansguardian/squid for the 192.168.3/24
> network and squid for the 10.1.1/24 network. servers in the dmz have
> static IP addresses and are using proxyarp through shorewall. I also
> have a pptp vpn for outside access to the offic network.
>
> Here is my interfaces file:

Please see http://www.shorewall.net/support.htm#Guidelines. Only the most boneheaded mistakes can be caught by looking at your configuration files. For this one, we need the output of "shorewall dump" collected and sent as described in the aforementioned URL.

> The redirect rules are:
>
> REDIRECT  home  8080  tcp  http
> ACCEPT    home  fw    tcp  8080
> ACCEPT    fw    fw    tcp  3128

Shorewall always allows fw->fw traffic. Depending on the version of Shorewall you are running, a single fw->fw ACCEPT rule can cause all other fw->fw traffic to be rejected! Bottom line: fw->fw rules are a very bad idea.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
rpyne@shopsite.com wrote:
> I have a firewall box with four NIC cards, eth0 is connected to a
> fiber modem through which I connect to the ISP using pppoe and gets
> its static IP through dhcp, giving me ppp0, eth1 is my home network
> on 192.168.3/24, eth2 is my office network on 10.1.1/24, and eth3 is
> my dmz on 172.16.1/24
>
> I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
> networks. I am running dansguardian/squid for the 192.168.3/24
> network and squid for the 10.1.1/24 network. servers in the dmz have
> static IP addresses and are using proxyarp through shorewall. I also
> have a pptp vpn for outside access to the offic network.
>
> Here is my interfaces file:
>
> net     ppp0    -               norfc1918,blacklist
> home    eth1    192.168.3.255   dhcp
> offic   eth2    10.1.1.255      dhcp
> dmz     eth3    172.16.1.255
> offic   ppp+

In the 'boneheaded' category, here's one possibility:

You have 'net' defined as 'ppp0' and 'offic' defined to include 'ppp+'. Given that ppp0 is included in 'ppp+', the order of the zones in /etc/shorewall/zones is important in determining if the zones are disjoint or if net is a sub-zone of offic. You want 'net' first! Otherwise, your REDIRECT rule for offic will also redirect requests from the net.

-Tom
On 9 Jan 2008 at 11:01, Tom Eastep wrote:
> rpyne@shopsite.com wrote:
> > I have a firewall box with four NIC cards, eth0 is connected to a
> > fiber modem through which I connect to the ISP using pppoe and gets
> > its static IP through dhcp, giving me ppp0, eth1 is my home network
> > on 192.168.3/24, eth2 is my office network on 10.1.1/24, and eth3 is
> > my dmz on 172.16.1/24
> >
> > I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
> > networks. I am running dansguardian/squid for the 192.168.3/24
> > network and squid for the 10.1.1/24 network. servers in the dmz have
> > static IP addresses and are using proxyarp through shorewall. I also
> > have a pptp vpn for outside access to the offic network.
> >
> > Here is my interfaces file:
> >
> > net     ppp0    -               norfc1918,blacklist
> > home    eth1    192.168.3.255   dhcp
> > offic   eth2    10.1.1.255      dhcp
> > dmz     eth3    172.16.1.255
> > offic   ppp+
>
> In the 'boneheaded' category, here's one possibility:
>
> You have 'net' defined as 'ppp0' and 'offic' defined to include
> 'ppp+'. Given that ppp0 is included in 'ppp+', the order of the zones
> in /etc/shorewall/zones is important in determining if the zones are
> disjoint or if net is a sub-zone of offic. You want 'net' first!
> Otherwise, your REDIRECT rule for offic will also redirect requests
> from the net.

Thanks, Tom. My zone file contents are:

#ZONE   TYPE       OPTIONS    IN              OUT
#                             OPTIONS         OPTIONS
fw      firewall
net     ipv4
home    ipv4
offic   ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

--Richard
rpyne@shopsite.com wrote:
> On 9 Jan 2008 at 11:01, Tom Eastep wrote:
>
>> rpyne@shopsite.com wrote:
>>> I have a firewall box with four NIC cards, eth0 is connected to a
>>> fiber modem through which I connect to the ISP using pppoe and gets
>>> its static IP through dhcp, giving me ppp0, eth1 is my home network
>>> on 192.168.3/24, eth2 is my office network on 10.1.1/24, and eth3 is
>>> my dmz on 172.16.1/24
>>>
>>> I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
>>> networks. I am running dansguardian/squid for the 192.168.3/24
>>> network and squid for the 10.1.1/24 network. servers in the dmz have
>>> static IP addresses and are using proxyarp through shorewall. I also
>>> have a pptp vpn for outside access to the offic network.
>>>
>>> Here is my interfaces file:
>>>
>>> net     ppp0    -               norfc1918,blacklist
>>> home    eth1    192.168.3.255   dhcp
>>> offic   eth2    10.1.1.255      dhcp
>>> dmz     eth3    172.16.1.255
>>> offic   ppp+
>> In the 'boneheaded' category, here's one possibility:
>>
>> You have 'net' defined as 'ppp0' and 'offic' defined to include
>> 'ppp+'. Given that ppp0 is included in 'ppp+', the order of the zones
>> in /etc/shorewall/zones is important in determining if the zones are
>> disjoint or if net is a sub-zone of offic. You want 'net' first!
>> Otherwise, your REDIRECT rule for offic will also redirect requests
>> from the net.
>
> Thanks, Tom. My zone file contents are:
>
> #ZONE   TYPE       OPTIONS    IN              OUT
> #                             OPTIONS         OPTIONS
> fw      firewall
> net     ipv4
> home    ipv4
> offic   ipv4
> dmz     ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

That looks ok -- so we'll need the information I requested in my other post.
-Tom
On 9 Jan 2008 at 13:27, Tom Eastep wrote:
> rpyne@shopsite.com wrote:
> > On 9 Jan 2008 at 11:01, Tom Eastep wrote:
> >
> >> rpyne@shopsite.com wrote:
> >>> I have a firewall box with four NIC cards, eth0 is connected to a
> >>> fiber modem through which I connect to the ISP using pppoe and
> >>> gets its static IP through dhcp, giving me ppp0, eth1 is my home
> >>> network on 192.168.3/24, eth2 is my office network on 10.1.1/24,
> >>> and eth3 is my dmz on 172.16.1/24
> >>>
> >>> I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
> >>> networks. I am running dansguardian/squid for the 192.168.3/24
> >>> network and squid for the 10.1.1/24 network. servers in the dmz
> >>> have static IP addresses and are using proxyarp through shorewall.
> >>> I also have a pptp vpn for outside access to the offic network.
> >>>
> >>> Here is my interfaces file:
> >>>
> >>> net     ppp0    -               norfc1918,blacklist
> >>> home    eth1    192.168.3.255   dhcp
> >>> offic   eth2    10.1.1.255      dhcp
> >>> dmz     eth3    172.16.1.255
> >>> offic   ppp+
> >> In the 'boneheaded' category, here's one possibility:
> >>
> >> You have 'net' defined as 'ppp0' and 'offic' defined to include
> >> 'ppp+'. Given that ppp0 is included in 'ppp+', the order of the
> >> zones in /etc/shorewall/zones is important in determining if the
> >> zones are disjoint or if net is a sub-zone of offic. You want 'net'
> >> first! Otherwise, your REDIRECT rule for offic will also redirect
> >> requests from the net.
> >
> > Thanks, Tom. My zone file contents are:
> >
> > #ZONE   TYPE       OPTIONS    IN              OUT
> > #                             OPTIONS         OPTIONS
> > fw      firewall
> > net     ipv4
> > home    ipv4
> > offic   ipv4
> > dmz     ipv4
> > #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> That looks ok -- so we'll need the information I requested in my other
> post.
>
> -Tom

I sent that in another post, but I got a message that it was being held for the moderator because it was too big.

Thanks.
--Richard
rpyne@shopsite.com wrote:
> On 9 Jan 2008 at 13:27, Tom Eastep wrote:
>
>> rpyne@shopsite.com wrote:
>>> On 9 Jan 2008 at 11:01, Tom Eastep wrote:
>>>
>>>> rpyne@shopsite.com wrote:
>>>>> I have a firewall box with four NIC cards, eth0 is connected to a
>>>>> fiber modem through which I connect to the ISP using pppoe and
>>>>> gets its static IP through dhcp, giving me ppp0, eth1 is my home
>>>>> network on 192.168.3/24, eth2 is my office network on 10.1.1/24,
>>>>> and eth3 is my dmz on 172.16.1/24
>>>>>
>>>>> I am running a dhcp server for the 192.168.3/24 and 10.1.1/24
>>>>> networks. I am running dansguardian/squid for the 192.168.3/24
>>>>> network and squid for the 10.1.1/24 network. servers in the dmz
>>>>> have static IP addresses and are using proxyarp through shorewall.
>>>>> I also have a pptp vpn for outside access to the offic network.
>>>>>
>>>>> Here is my interfaces file:
>>>>>
>>>>> net     ppp0    -               norfc1918,blacklist
>>>>> home    eth1    192.168.3.255   dhcp
>>>>> offic   eth2    10.1.1.255      dhcp
>>>>> dmz     eth3    172.16.1.255
>>>>> offic   ppp+
>>>> In the 'boneheaded' category, here's one possibility:
>>>>
>>>> You have 'net' defined as 'ppp0' and 'offic' defined to include
>>>> 'ppp+'. Given that ppp0 is included in 'ppp+', the order of the
>>>> zones in /etc/shorewall/zones is important in determining if the
>>>> zones are disjoint or if net is a sub-zone of offic. You want 'net'
>>>> first! Otherwise, your REDIRECT rule for offic will also redirect
>>>> requests from the net.
>>> Thanks, Tom. My zone file contents are:
>>>
>>> #ZONE   TYPE       OPTIONS    IN              OUT
>>> #                             OPTIONS         OPTIONS
>>> fw      firewall
>>> net     ipv4
>>> home    ipv4
>>> offic   ipv4
>>> dmz     ipv4
>>> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>> That looks ok -- so we'll need the information I requested in my other
>> post.
>>
>> -Tom
>
> I sent that in another post, but I got a message that it was being
> held for the moderator because it was too big.

Did you compress it?
-Tom
Tom Eastep wrote:
> rpyne@shopsite.com wrote:
>> On 9 Jan 2008 at 13:27, Tom Eastep wrote:
>>> That looks ok -- so we'll need the information I requested in my other
>>> post.
>>>
>>> -Tom
>> I sent that in another post, but I got a message that it was being
>> held for the moderator because it was too big.
>
> Did you compress it?
>

Note that you can also send it to support@shorewall.net -- no size restrictions there.

-Tom
rpyne@shopsite.com wrote:
> On 9 Jan 2008 at 13:50, Tom Eastep wrote:
>
>> Tom Eastep wrote:
>>> rpyne@shopsite.com wrote:
>>>> On 9 Jan 2008 at 13:27, Tom Eastep wrote:
>>>>> That looks ok -- so we'll need the information I requested in my
>>>>> other post.
>>>>>
>>>>> -Tom
>>>> I sent that in another post, but I got a message that it was being
>>>> held for the moderator because it was too big.
>>> Did you compress it?
>>>
>> Note that you can also send it to support@shorewall.net -- no size
>> restrictions there.
>
> Since the list didn't like a zip file, here is the plain file.

Okay -- here is the problem:

NAT Table

Chain PREROUTING (policy ACCEPT 8 packets, 1606 bytes)
 pkts bytes target      prot opt in     out     source               destination
    1    48 home_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 offic_dnat  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    8   502 offic_dnat  all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0

Note that traffic from all PPP interfaces is being sent into the offic_dnat chain.

Chain offic_dnat (2 references)
 pkts bytes target      prot opt in     out     source               destination
    3   144 REDIRECT    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Which is redirecting TCP port 80 to the local port 3128.

How to fix this? You need to restrict the 'offic' zone to those IP addresses which you assign to PPP clients. I'll assume that you assign some portion of your offic net (10.1.1.0/24).

In /etc/shorewall/interfaces:

-       ppp+

In /etc/shorewall/hosts:

offic   ppp+:10.1.1.0/24

Now the 'offic' zone is restricted to those hosts interfacing through a PPP device and that have addresses in 10.1.1.0/24.

-Tom
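The two points Tom makes in the thread, that an interface pattern ending in '+' also matches ppp0 (so an 'offic' zone bound to ppp+ swallows Internet traffic), and that a hosts-file entry narrowing the zone to ppp+:10.1.1.0/24 stops the REDIRECT from catching packets destined for the DMZ, can be checked with a small model of the PREROUTING dispatch shown in the dump. The script below is an added example, not Shorewall's code or anything from the thread; it reproduces only iptables' trailing-'+' interface wildcard and the per-zone source-network restriction, with first-match dispatch into the <zone>_dnat chain. The Internet client address 198.51.100.7 (a documentation range) and the VPN client address 10.1.1.50 are constructed; the DMZ address and ports are the ones from the thread.

```python
"""Model of why a Shorewall zone bound to 'ppp+' intercepts Internet traffic
arriving on ppp0, and why restricting the zone via /etc/shorewall/hosts fixes it.

Added example; it is not Shorewall code. Only two behaviours are modelled:
iptables' trailing-'+' interface wildcard and the source-network restriction
a hosts-file entry adds to the generated PREROUTING dispatch.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables -i semantics: a trailing '+' turns the pattern into a prefix
    match, so 'ppp+' matches ppp0, ppp1, ... ; otherwise the name must be exact."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class ZoneEntry:
    """One zone binding: an interface pattern plus an optional source network.
    net=None models an interfaces-file entry (any source on that interface);
    a network models a hosts-file entry such as 'offic ppp+:10.1.1.0/24'."""
    zone: str
    iface: str
    net: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if not iface_matches(self.iface, pkt.in_iface):
            return False
        if self.net is None:
            return True
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.net)


def prerouting_zone(entries: List[ZoneEntry], pkt: Packet) -> Optional[str]:
    """First-match dispatch, as in the PREROUTING chain of the dump: the zone
    of the first matching entry names the <zone>_dnat chain the packet enters.
    'net' has no DNAT rules in the thread, so it has no chain here either."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.zone
    return None


# The REDIRECT rules from the thread: zone -> (matched dport, local port)
REDIRECTS = {"home": (80, 8080), "offic": (80, 3128)}


def nat_outcome(entries: List[ZoneEntry], pkt: Packet) -> str:
    """'REDIRECT:<port>' if a transparent-proxy rule catches the packet, else
    'PASS' (the packet goes on to routing, i.e. reaches the proxyarp'ed DMZ host)."""
    zone = prerouting_zone(entries, pkt)
    if zone in REDIRECTS and pkt.proto == "tcp":
        dport, local_port = REDIRECTS[zone]
        if pkt.dport == dport:
            return f"REDIRECT:{local_port}"
    return "PASS"


# Richard's original layout: 'offic' is bound to the bare wildcard ppp+.
BEFORE = [
    ZoneEntry("home", "eth1"),
    ZoneEntry("offic", "eth2"),
    ZoneEntry("offic", "ppp+"),
]

# Tom's fix: ppp+ stays in interfaces with no zone ('-'), and the hosts file
# limits 'offic' on ppp+ to the addresses handed out to VPN clients.
AFTER = [
    ZoneEntry("home", "eth1"),
    ZoneEntry("offic", "eth2"),
    ZoneEntry("offic", "ppp+", "10.1.1.0/24"),
]

# Constructed traffic. 198.51.100.7 stands in for an arbitrary Internet host
# and 10.1.1.50 for a PPTP client; 166.70.103.226 is the DMZ web server.
INTERNET_TO_DMZ = Packet("ppp0", "198.51.100.7", "166.70.103.226", 80)
VPN_CLIENT_WEB = Packet("ppp1", "10.1.1.50", "198.51.100.7", 80)
INTERNET_SSH = Packet("ppp0", "198.51.100.7", "166.70.103.226", 22)


if __name__ == "__main__":
    for label, entries in (("before", BEFORE), ("after", AFTER)):
        for pkt in (INTERNET_TO_DMZ, VPN_CLIENT_WEB, INTERNET_SSH):
            print(f"{label:6} in={pkt.in_iface} {pkt.src} -> {pkt.dst}:{pkt.dport}"
                  f"  zone={prerouting_zone(entries, pkt)}  {nat_outcome(entries, pkt)}")
```

Run as is, the "before" layout sends the Internet client's port 80 request to the DMZ into offic_dnat and REDIRECTs it to squid on 3128, which is exactly why the DMZ web servers vanished while ssh and the other ports kept working; with the hosts-file restriction the same packet matches no zone entry and passes through untouched, while a VPN client in 10.1.1.0/24 is still proxied.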