Hello! I'm trying to build some configuration with some troubles, maybe it's simple.

My network has a machine acting as a firewall / proxy server between internal and external zones. Then, my machine has two interfaces, eth0 connected to Internet with a static IP address, and eth1, connected to the internal network, with a static IP address too. Let's assume that external IP is 200.200.200.200. Internal IP addresses are (really) 192.9.201.0 based.

I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and dansguardian to restrict access to some pages. The proxy port I'm using is 8008.

The problem I have is that some machines need to use some internet based services, and then need to access directly the internet without using the proxy. Let's assume that the IP address of one of these machines is 192.9.201.100. All other machines in the 192.9.201.0 network are going to access the web via the squid/squidguard/dansguardian system.

Well... I don't really understand how to configure my shorewall to let this!!! I'm copying my shorewall configuration files, located under /etc/shorewall. Please, can anybody help me with this, or guide me on the right direction? I'm really confused!!!

Following, my config files:

a) /etc/shorewall/zones:

fw      firewall
lan     ipv4
wan     ipv4
vpn     ipv4
dmz     ipv4
wifi    ipv4

b) /etc/shorewall/interfaces:

wan     eth0    detect
lan     eth1    detect
vpn     ppp+    detect

c) /etc/shorewall/policy:

all     vpn     ACCEPT  info
vpn     all     ACCEPT  info
lan     all     ACCEPT  info
dmz     all     ACCEPT  info
fw      all     ACCEPT  info
wan     all     DROP    info
wifi    all     ACCEPT  info
all     all     ACCEPT  info

d) /etc/shorewall/nat: (empty)

e) /etc/shorewall/masq:

eth0:0.0.0.0/0  192.9.201.0/0

f) /etc/shorewall/rules:

ACCEPT fw wan tcp 53 - - # dns_queries
ACCEPT fw wan udp 53 - - # dns_queries
ACCEPT dmz wan udp 53 - - # dns_queries
ACCEPT lan wan udp 53 - - # dns_queries
ACCEPT wifi wan udp 53 - - # dns_queries
REJECT wan fw tcp 113 - - # ident_port
ACCEPT lan fw tcp 22 - - # ssh_port
ACCEPT lan fw tcp 8443 - - # mnf_web_admin_port
ACCEPT fw lan icmp 8 - - # ping
ACCEPT lan fw icmp 8 - - # ping
ACCEPT lan dmz icmp 8 - - # ping
ACCEPT dmz lan icmp 8 - - # ping
ACCEPT dmz fw icmp 8 - - # ping
ACCEPT fw dmz icmp 8 - - # ping
ACCEPT:info lan wan tcp pop3 - - # receive_mail
ACCEPT:info lan wan tcp smtp - - # send_mail
ACCEPT lan wan tcp http - - # web_surfing
ACCEPT lan wan tcp https - - # secure_web_surfing
ACCEPT:info lan wan tcp ssh - - # ssh
ACCEPT lan wan tcp ftp - - # ftp
ACCEPT lan wan tcp nntp - - # news
ACCEPT fw wan udp ntp - - # time_synchronisation
ACCEPT lan wan tcp imap - - # internet_mail
ACCEPT lan wan tcp 53 - - # dns_queries2
ACCEPT lan fw udp 53 - - # caching_dns_server
ACCEPT lan wan tcp 5050 - - # MSN
ACCEPT lan wan tcp 1863 - - # MSN_Messenger
ACCEPT lan wan tcp 443 - - # 443
ACCEPT lan wan icmp 8 - - # ping
ACCEPT wan lan tcp 8443 - - # Service 1
ACCEPT lan wan tcp 1755 - - # Out service 1
ACCEPT wan fw tcp 8443 - - # Service 1 - b
ACCEPT wan fw tcp 22 - - # sshExterno
ACCEPT wan lan tcp 1723 - - # PopTop
ACCEPT lan wan tcp 1723 - - # PopTop2
ACCEPT lan wan gre - - - # PopTop3
ACCEPT wan lan gre - - - # PopTop4
ACCEPT wan lan udp 1701 - - # PopTop5
ACCEPT lan wan udp 1701 - - # PopTop6
ACCEPT wan lan tcp 22 - - # sshInterno
ACCEPT lan wan tcp 22 - - # sshInterno2
ACCEPT lan wan tcp 93 - - # Osecac
DNAT wan lan:192.9.201.90:2000 tcp 2000 - - # IntService
DNAT wan lan:192.9.201.90:81 tcp 81 - - # IntService
DNAT wan lan:192.9.201.1:80 tcp 800 - - # IntService
DNAT wan lan:192.9.201.115:82 tcp 82 - - # IntService
DNAT wan lan:192.9.201.115:8800 tcp 8800 - - # IntService
ACCEPT lan wan tcp 8118 - - # ExtService
REDIRECT lan 8008 tcp www - all # proxy_server
ACCEPT lan fw tcp 8008 - - # proxy_server
ACCEPT fw wan tcp www - - # proxy_server
ACCEPT lan wan tcp 264 - - 264
ACCEPT lan wan udp 500 - - # VPN
ACCEPT lan wan udp 2746 - - # VPN
ACCEPT lan:192.9.201.163 wan tcp 9999 - -
ACCEPT lan:192.9.201.212 wan tcp 9999 - -
ACCEPT lan:192.9.201.213 wan tcp 9999 - -
ACCEPT lan:192.9.201.43 wan tcp 9999 - -
ACCEPT lan fw tcp 8444 - - # proxy_server
DNAT wan lan:192.9.201.115:3000 tcp 3000 - - # IntService
DNAT wan lan:192.9.201.115:3001 tcp 3001 - - # IntService
DNAT wan lan:192.9.201.115:3002 tcp 3002 - - # IntService
DNAT wan lan:192.9.201.115:3003 tcp 3003 - - # IntService
DNAT wan lan:192.9.201.115:3004 tcp 3004 - - # IntService
DNAT wan lan:192.9.201.115:3005 tcp 3005 - - # IntService
DNAT wan lan:192.9.201.115:3006 tcp 3006 - - # IntService
DNAT wan lan:192.9.201.115:3007 tcp 3007 - - # IntService
DNAT wan lan:192.9.201.115:3008 tcp 3008 - - # IntService
DNAT wan lan:192.9.201.115:3009 tcp 3009 - - # IntService
DNAT wan lan:192.9.201.115:3010 tcp 3010 - - # IntService
ACCEPT wan fw udp 5000 - - # TestOpenVPN

Thanks a lot in advance for your attention, and happy new year for everybody!!!

HeCSa.
------------------------------------------------------------------------------
On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
> Hello!
> I'm trying to build some configuration with some troubles, maybe it's
> simple.
<SNIP>
> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS.
> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and
> dansguardian to restrict access to some pages.
<SNIP>
> Well...I don't really understand how to configure my shorewall to let
> this!!!

First, start by reading this page:

http://www.shorewall.net/Shorewall_Squid_Usage.html

Also, have a look at NONAT in the shorewall-rules man page, as it seems you will need that.

> I'm copying my shorewall configuration files, located under

Please don't do that. We don't have time to go through your configuration files. Especially since they do not tell the whole story. Please read the information at the above link. If, after that, you cannot make it work the way you think it should work, then please ask your question in accordance with the guidelines located here:

http://www.shorewall.net/support.htm

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
------------------------------------------------------------------------------
Roberto:

The problem was the line with the "REDIRECT". If I comment this line, and then add a line with "ACCEPT" for 192.9.201.100, all works as desired.

Thanks for your lines. I discovered the "dump" command, never used in the past by me.

Best regards,
HeCSa.

Roberto C. Sánchez wrote:
> On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
>> Hello!
>> I'm trying to build some configuration with some troubles, maybe it's
>> simple.
> <SNIP>
>> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS.
>> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and
>> dansguardian to restrict access to some pages.
> <SNIP>
>> Well...I don't really understand how to configure my shorewall to let
>> this!!!
>
> First, start by reading this page:
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html
>
> Also, have a look at NONAT in the shorewall-rules man page, as it seems
> you will need that.
>
>> I'm copying my shorewall configuration files, located under
>
> Please don't do that. We don't have time to go through your
> configuration files. Especially since they do not tell the whole story.
> Please read the information at the above link. If, after that, you
> cannot make it work the way you think it should work, then please ask
> your question in accordance with the guidelines located here:
>
> http://www.shorewall.net/support.htm
>
> Regards,
>
> -Roberto
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
HeCSa wrote:
> Roberto:
> The problem was the line with the "REDIRECT".
> If I comment this line, and then add a line with "ACCEPT" for
> 192.9.201.100, all works as desired.
> Thanks for your lines. I discovered the "dump" command, never used
> in the past by me.

Roberto was trying to tell you to insert this BEFORE the REDIRECT rule:

NONAT loc:192.9.201.100 net

If you only have a few hosts that need this exception, you can also make the SOURCE of your REDIRECT rule:

loc:!192.9.201.100,...
------------------------------------------------------------------------------
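The reply above hinges on rule order: NONAT and REDIRECT both act in the nat table, so the exception only takes effect if it is matched first, and an ACCEPT rule (a filter-table action) never prevents a redirect at all, which is why the original poster's workaround only worked once the REDIRECT line was commented out. The following script is an added example, not code from this thread or from the Shorewall project. It is a small first-match simulator over the nat-table columns of a rules file, using the original poster's zone names (lan for the internal network, wan for the Internet, whereas the reply above uses Shorewall's default loc/net) and four constructed rule snippets modelled on the thread; it does not reproduce Shorewall's full rule compiler.

```python
"""First-match simulator for the nat-table rules in a Shorewall rules file.

Added example, not code from this thread or from the Shorewall project.
Assumptions: the original poster's zone names (lan = internal, wan =
Internet); only the nat-table actions NONAT, REDIRECT and DNAT are
modelled, evaluated top to bottom with the first match winning; filter
actions (ACCEPT, DROP, REJECT) are skipped because they do not decide
whether a packet is redirected to the proxy.
"""
import ipaddress

NAT_ACTIONS = {"NONAT", "REDIRECT", "DNAT"}
PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # names used in the thread


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO DPORT [SPORT [ORIG_DEST]]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        cols = line.split()
        if len(cols) < 3:
            continue
        rules.append({
            "action": cols[0].split(":", 1)[0],  # 'ACCEPT:info' -> 'ACCEPT'
            "source": cols[1],
            "dest": cols[2],
            "proto": cols[3].lower() if len(cols) > 3 else "-",
            "dport": cols[4] if len(cols) > 4 else "-",
        })
    return rules


def source_matches(spec, zone, ip):
    """SOURCE column: 'zone', 'zone:host,host' or 'zone:!host,host'."""
    szone, _, hosts = spec.partition(":")
    if szone not in (zone, "all"):
        return False
    if not hosts:
        return True
    negate = hosts.startswith("!")          # '!' excludes the listed hosts
    addr = ipaddress.ip_address(ip)
    listed = any(addr in ipaddress.ip_network(h, strict=False)
                 for h in hosts.lstrip("!").split(","))
    return listed != negate


def port_matches(spec, port):
    """DPORT column: '-', a number, a service name, or a comma list."""
    if spec == "-":
        return True
    return any((p.isdigit() and int(p) == port) or PORT_NAMES.get(p) == port
               for p in spec.split(","))


def nat_verdict(rules, zone, ip, proto="tcp", port=80):
    """Return 'NONAT', 'REDIRECT', 'DNAT' or None for the first nat rule hit."""
    for r in rules:
        if r["action"] not in NAT_ACTIONS:
            continue                        # filter-table rule, no nat effect
        if (source_matches(r["source"], zone, ip)
                and r["proto"] in ("-", proto)
                and port_matches(r["dport"], port)):
            return r["action"]
    return None


# Constructed rule snippets modelled on the thread (not the full rules file).
ORIGINAL = """
ACCEPT    lan   wan   tcp   http  -          # web_surfing (filter table)
REDIRECT  lan   8008  tcp   www   -    all   # proxy_server
ACCEPT    lan   fw    tcp   8008  -          # proxy_server
"""
NONAT_FIRST = """
NONAT     lan:192.9.201.100   wan            # exception placed BEFORE REDIRECT
REDIRECT  lan   8008  tcp   www   -    all   # proxy_server
"""
NONAT_LAST = """
REDIRECT  lan   8008  tcp   www   -    all   # proxy_server
NONAT     lan:192.9.201.100   wan            # too late: REDIRECT already matched
"""
EXCLUDED = """
REDIRECT  lan:!192.9.201.100  8008  tcp  www  -  all   # proxy_server
"""


def verdicts(text, hosts=("192.9.201.100", "192.9.201.50")):
    """Map each host to the nat action its outbound port-80 traffic hits first."""
    rules = parse_rules(text)
    return {h: nat_verdict(rules, "lan", h) for h in hosts}


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL), ("NONAT first", NONAT_FIRST),
                       ("NONAT last", NONAT_LAST), ("excluded", EXCLUDED)]:
        print(f"{name:12s} {verdicts(text)}")
```

A verdict of NONAT, or of None in the exclusion variant, means the host's web traffic leaves the nat chain untouched and goes out directly under the existing masq and ACCEPT entries; REDIRECT means it lands on the squid/dansguardian port. The NONAT_LAST variant shows the pitfall the reply warns about: the exception host is still redirected because the REDIRECT line matched first. Since the bypassed host skips the content filter entirely, keeping the exception list to named hosts (as in the `!` form) rather than a wider range is the safer configuration.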
Excellent! It's working now as I was trying! Thanks a lot, and best regards.

HeCSa.

Shorewall Guy wrote:
> HeCSa wrote:
>> Roberto:
>> The problem was the line with the "REDIRECT".
>> If I comment this line, and then add a line with "ACCEPT" for
>> 192.9.201.100, all works as desired.
>> Thanks for your lines. I discovered the "dump" command, never used
>> in the past by me.
>
> Roberto was trying to tell you to insert this BEFORE the REDIRECT rule:
>
> NONAT loc:192.9.201.100 net
>
> If you only have a few hosts that need this exception, you can also make
> the SOURCE of your REDIRECT rule:
>
> loc:!192.9.201.100,...
------------------------------------------------------------------------------