Hi. I'm setting up a web farm test lab. I have a number of machines in the test lab on a dmz zone on network 10.20.30.0. The test lab firewall has two NICs. One (eth0) has two ip addresses, eth0 10.161.101.40 and eth0:0 10.161.10.49. The other one, eth1, is on a private network, 10.20.30.0.

I want to use DNAT to allow test engineers to ssh into the machines in the web farm. I have included the following rules. Pound is running and listening on port 80 and 443 of the firewall.

    #SECTION NEW
    ACCEPT      net    $FW                   tcp   22
    Ping/ACCEPT net    $FW:10.161.101.40
    Ping/ACCEPT net    $FW:10.161.101.49
    ACCEPT      net    $FW:10.161.101.40     tcp   80
    ACCEPT      net    $FW:10.161.101.40     tcp   443
    ACCEPT      net    $FW:10.161.101.49     tcp   80
    ACCEPT      dmz    $FW                   tcp   8970
    ACCEPT      dmz    $FW                   tcp   8971
    ACCEPT      $FW    dmz
    DNAT        net    dmz:10.20.30.21:22    tcp   22
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

My problem is with the DNAT entry. If I enable it, when someone uses ssh to log into the firewall (the first rule), somehow the request is forwarded to the dmz:10.20.30.21 machine. If I comment out the DNAT rule, logging into the firewall using ssh works.

Any help would be appreciated.

Rob Hicks

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Rob Hicks wrote:
> Hi.

Hi,

> The test lab firewall has two NICs. One (eth0) has two ip addresses,
> eth0 10.161.101.40 and eth0:0 10.161.10.49. The other one, eth1, is
> on a private network, 10.20.30.0.
>
> I want to use DNAT to allow test engineers to ssh into the machines in
> the web farm.
[...]
> ACCEPT net $FW tcp 22
> DNAT net dmz:10.20.30.21:22 tcp 22
>
> My problem is with the DNAT entry. If I enable it, when someone uses ssh
> to log into the firewall (the first rule), somehow the request is
> forwarded to the dmz:10.20.30.21 machine. If I comment out the DNAT
> rule, logging into the firewall using ssh works.

The firewall has two external ip addresses, so if you don't want to use non-standard ssh ports you can only address two ssh servers: one on each ip address.

In neither of the two ssh rules above is the column "ORIGINAL DEST" specified, so they will both handle ssh connections to both your external addresses. Shorewall honors the last rule by default.

You can choose one of these two solutions instead:

1) Let your users use the firewall machine as a "jump host".

2) DNAT non-standard ports for ssh connections to the dmz machines like this:

    DNAT net loc:10.20.30.21:22 tcp 30021
    DNAT net loc:10.20.30.22:22 tcp 30022
    ... and so on.

Each solution has its pros and cons, so you will have to decide for yourself what to do.

Good luck!
/Martin
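To make the "ORIGINAL DEST" point concrete, here is an added example rules fragment (not from either poster's configuration) that combines both of Martin's suggestions. It assumes the Shorewall rules file column order ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST, keeps Rob's dmz zone name, uses the second external address as it appears in Rob's rules (10.161.101.49), and the host 10.20.30.23 is a constructed placeholder for "... and so on":

```text
#ACTION   SOURCE   DEST                 PROTO   DEST    SOURCE   ORIGINAL
#                                               PORT    PORT     DEST
# The firewall's own sshd: only reachable on the first external address.
ACCEPT    net      $FW:10.161.101.40    tcp     22
# Standard-port ssh on the second external address goes to the first
# dmz host. The ORIGINAL DEST column pins the DNAT to 10.161.101.49, so
# it no longer captures connections aimed at 10.161.101.40.
DNAT      net      dmz:10.20.30.21:22   tcp     22      -        10.161.101.49
# Further dmz hosts on non-standard ports (Martin's option 2), also pinned
# to the second address. 10.20.30.23 is a made-up host for illustration.
DNAT      net      dmz:10.20.30.22:22   tcp     30022   -        10.161.101.49
DNAT      net      dmz:10.20.30.23:22   tcp     30023   -        10.161.101.49
```

The point of the extra column is that DNAT is applied in the nat table before the filter rules are consulted, so without it every ssh connection to either address is rewritten to the dmz host regardless of where the ACCEPT rule sits; naming the original destination is what lets one address keep serving the firewall itself. After changing the file, "shorewall check" and then "shorewall restart" confirm the syntax and apply the rules.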
Thanks Martin!

-----Original Message-----
From: Martin Leben [mailto:ml060223@leben.nu]
Sent: Wednesday, October 01, 2008 2:54 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT Issue

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users