I have the following network configuration and requirements, and have been
able to get my Gentoo system up and running, with shorewall in place to act
as a router. What I have been unable to do is get shorewall to handle the
separate subnet which I use for some servers.

I have my ADSL connection. It has a static IP of 165.xx.xx.71. I have also
been allocated a network block of xxx.xxx.xxx.40-48 (6 usable IPs).

My gateway PC has 2 NICs. Eth0 is used for pppoe connectivity and eth1 is
the internal network interface.

I don't use a DMZ for my servers, they operate on my local network as
192.168.0.2 and 192.168.0.5.

192.168.0.2 is assigned xxx.xxx.xxx.41 and is a windows server that I
require some standard port forwarding/translation to, for email, web etc.

192.168.0.5 is assigned xxx.xxx.xxx.42 and is a linux server that I require
web traffic forwarded to (80/443).

At present, I have had to return to my Cisco router to manage the network as
I have been unable to get the above SNAT/DNAT operations to work. I am very
new at shorewall, but have spent the best part of 2 days with this, and
could really use a hand.

I have just updated from the 3.4.8 build that is in a gentoo package to the
tarball source install of 4.2.1.

I presently don't have any operating configuration running as I was getting
nowhere with it.

Any suggestions on configuring this setup would be most appreciated.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Fri, Nov 07, 2008 at 08:38:55AM +1100, Marcus Limosani wrote:
>
> I have my ADSL connection. It has a static IP of 165.xx.xx.71. I
> have also been allocated a network block of xxx.xxx.xxx.40-48 (6 usable
> IPs)
>
It would help to know if 165.228.58.71 and xxx.xxx.xxx.40-48 are in the
same subnet and use the same gateway (I assume yes).
>
> My gateway PC has 2 NICs. Eth0 is used for pppoe connectivity and eth1
> is the internal network interface.
>
> I don't use a DMZ for my servers, they operate on my local network as
> 192.168.0.2 and 192.168.0.5
>
That is a very dangerous setup.
> 192.168.0.2 is assigned xxx.xxx.xxx.41 and is a windows server that I
> require some standard port forwarding/translation to, for email, web
> etc
>
> 192.168.0.5 is assigned xxx.xxx.xxx.42 and is a linux server that I
> require web traffic forwarded to (80/443)
>
How are you mapping the 192.168.0.x <-> xxx.xxx.xxx.4y addresses to each
other? We need to see the output of 'shorewall dump' in order to help you
better.

Using a DMZ and proxyarp is the way I prefer to do this sort of thing.
However, you do not provide enough details to be able to suggest anything
more specific.

What you want to do is very simple. You should be able to start with a
two-interface example configuration (included with Shorewall), get that
working, and then add proxyarp for your other addresses that you want to
map to servers on the local network.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> What you want to do is very simple. You should be able to start with a
> two-interface example configuration (included with Shorewall), get that
> working, and then add proxyarp for your other addresses that you want to
> map to servers on the local network.

If the ISP is routing xxx.xxx.xxx.40-48 via 165.xx.xx.71, then Marcus
doesn't even need to use Proxy ARP.

-Tom
--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
This is the case, the addresses are being routed by the ISP, and no they
aren't part of the same subnet.

The subnet allocated is 203.35.162.40/29

The firewall has been showing the traffic in the logs, but always shows as
ACCEPT:REJECT

________________________________
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Fri 7/11/2008 9:54 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Firewall Configuration
Marcus Limosani wrote:
> This is the case, the addresses are being routed by the ISP, and no they
> aren't part of the same subnet
>
> The subnet allocated is 203.35.162.40/29
>
> The firewall has been showing the traffic in the logs, but always shows
> as ACCEPT:REJECT

Marcus,

When analyzing firewall issues, attention to details is critical -- it
follows that without details of a) how you configured your firewall (output
of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines); b) what tests you tried;
and c) what the results were, we can't give you any concrete advice.

-Tom
--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
As of right now, there is nothing configured in shorewall at all, I am
using my old cisco router as I couldn't get things operating under
shorewall and couldn't be without the routing of the extra subnet.

Right now, I am unsure as to how to begin to implement the zones /
interfaces / default policies and firewall rules to suit my configuration.

The DMZ is the biggest 'concern' I have, I don't have the ability of
running the two servers on a separate interface as they also host
internally required services. The windows server is a domain controller. I
am not sure though if the DMZ can be implemented in the configuration I
have.

Unfortunately, I won't be able to do any huge amount with this until Sunday
as I am going interstate (again why the system is running the Cisco unit
until I can spend more time in front of it again).

My configuration can't be unique, it's just escaping me :)

My previous firewall (Slackware / IPTables) died, which is why I'm now
looking at a system I can set up and manage myself.

Thanks again for your quick responses and advice

________________________________
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Fri 7/11/2008 10:45 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Firewall Configuration
Marcus Limosani wrote:
>
> Thanks again for your quick responses and advice

My first advice is to please reconfigure your email client so that it folds
each line at 72-78 columns. Each of your paragraphs is one long line which
makes quoting very painful.

Next, be sure you have Shorewall-perl installed and uninstall
Shorewall-shell if you have it.

Next, start with the two-interface sample config (see
http://www.shorewall.net/two-interface.htm) with ppp0 as the external
interface and eth1 as the internal. Follow the instructions you find at
that URL. TEST IT -- be sure that all of your local systems can access the
internet. Your servers won't yet be visible on the net.

Next add two lines to /etc/shorewall/nat:

#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
203.35.162.41   ppp0            192.168.0.2
203.35.162.42   ppp0            192.168.0.5

In /etc/shorewall/rules:

#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     loc:192.168.0.2     tcp     80,25,...
ACCEPT  net     loc:192.168.0.5     tcp     80,443

Plus whatever other rules you need and restart Shorewall. That's it.

Now -- if it doesn't work, collect what I asked for in my last message or
we will be back at this same point again.

-Tom
--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
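The nat/rules pairing described in Tom's message is easy to get wrong in a
way Shorewall will not complain about: a public address mistyped so that it
falls outside the block the ISP actually routes to ppp0, or an ACCEPT rule
pointing at a LAN host that has no public address in nat and is therefore
unreachable from the net anyway. The script below is an added example, not
part of the thread and not Shorewall's own tooling. It parses the two files
and checks them against the addresses from the thread (203.35.162.40/29
routed to ppp0); the 192.168.0.0/24 LAN prefix, the sample file contents and
the deliberately wrong lines in them are constructed for the example.

```python
"""
Sanity-check a Shorewall nat table and rules file against the address
blocks a site actually owns, before restarting the firewall.

Added example, not from the mailing-list thread and not Shorewall's own
code. It assumes the addresses from the thread: the ISP routes
203.35.162.40/29 to the ppp0 link, and the LAN behind eth1 is taken to be
192.168.0.0/24 (an assumption). The sample file contents below are
constructed; one nat line and one rules line are deliberately wrong to
show the checks firing.
"""
import ipaddress

PUBLIC_BLOCK = ipaddress.ip_network("203.35.162.40/29")  # ISP-routed block (from the thread)
LAN_BLOCK = ipaddress.ip_network("192.168.0.0/24")       # assumed LAN prefix behind eth1
EXT_IFACE = "ppp0"

# Constructed sample of /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ...).
# The second mapping has a transposed octet, the kind of slip a restart will
# accept silently.
SAMPLE_NAT = """\
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
203.35.162.41   ppp0            192.168.0.2
203.25.162.42   ppp0            192.168.0.5     # constructed typo: not in our block
"""

# Constructed sample of /etc/shorewall/rules; the last rule targets a host
# that has no nat entry, so nothing from the net can ever reach it.
SAMPLE_RULES = """\
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     loc:192.168.0.2     tcp     80,25
ACCEPT  net     loc:192.168.0.5     tcp     80,443
ACCEPT  net     loc:192.168.0.9     tcp     22      # constructed: no nat entry
"""


def parse_columns(text):
    """Yield (line_no, fields) for non-blank, non-comment lines; trailing comments stripped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield no, line.split()


def check_nat(nat_text):
    """Return (internal -> external mapping, list of problem strings) for a nat file."""
    mapping, problems = {}, []
    for no, f in parse_columns(nat_text):
        if len(f) < 3:
            problems.append(f"nat line {no}: expected EXTERNAL INTERFACE INTERNAL, got {f}")
            continue
        ext, iface, internal = f[0], f[1], f[2]
        try:
            ext_ip, int_ip = ipaddress.ip_address(ext), ipaddress.ip_address(internal)
        except ValueError as e:
            problems.append(f"nat line {no}: {e}")
            continue
        if ext_ip not in PUBLIC_BLOCK:
            problems.append(f"nat line {no}: {ext} is outside {PUBLIC_BLOCK}")
        elif ext_ip in (PUBLIC_BLOCK.network_address, PUBLIC_BLOCK.broadcast_address):
            problems.append(f"nat line {no}: {ext} is the network/broadcast address")
        if iface != EXT_IFACE:
            problems.append(f"nat line {no}: interface {iface} is not {EXT_IFACE}")
        if int_ip not in LAN_BLOCK:
            problems.append(f"nat line {no}: {internal} is outside {LAN_BLOCK}")
        if int_ip in mapping:
            problems.append(f"nat line {no}: {internal} already mapped to {mapping[int_ip]}")
        mapping[int_ip] = ext_ip
    return mapping, problems


def check_rules(rules_text, mapping):
    """Flag ACCEPT net -> loc:HOST rules whose host has no public address in nat."""
    problems = []
    for no, f in parse_columns(rules_text):
        if len(f) < 3 or f[0] != "ACCEPT" or f[1] != "net" or not f[2].startswith("loc:"):
            continue
        try:
            host = ipaddress.ip_address(f[2][len("loc:"):])
        except ValueError:
            continue  # loc:subnet or loc:+ipset forms are not checked here
        if host not in mapping:
            problems.append(f"rules line {no}: {host} has no public address in nat")
    return problems


def audit(nat_text=SAMPLE_NAT, rules_text=SAMPLE_RULES):
    """Run both checks; an empty list means the two files are consistent."""
    mapping, problems = check_nat(nat_text)
    problems += check_rules(rules_text, mapping)
    return problems


if __name__ == "__main__":
    for p in audit():
        print(p)
```

Run it against the real files by reading /etc/shorewall/nat and
/etc/shorewall/rules into the two arguments of audit(); an empty result is
the point at which "shorewall restart" and a test from outside are worth the
time.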
The outlook client doesn't seem to wordwrap too well. I will be more mindful
of line lengths when I post :)

I am trying to manage shorewall via the webmin interface which indicates
that it needs shorewall-shell, and I also have the perl version installed,
will this actually affect its operation?

When I get home on Sunday, I will implement as per your suggestions and
post results.

Thanks for your time and responses

________________________________
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Fri 7/11/2008 11:33 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Firewall Configuration