Anderson Watanabe
2009-Mar-13 09:27 UTC
Re: Policies, Rules and Configurations - Partial Success
Hello!!!!

Well, finally I found my mistake... (I think so...)

I changed the "eth2" interface connected to the PPPoE modem to the "ppp0"
interface, assigned by the PPPoE connection. Now, my external interface is
"ppp0".

By the way, I'm using Squid 3.0 for my proxy service.

The rules for Squid are:

#/etc/shorewall/rules
.....
REDIRECT   adm   3128   tcp   80
REDIRECT   tlm   3128   tcp   80
ACCEPT     $FW   net    tcp   80,443
.........

The rules above I used long ago, but now they do not seem to work. How best
to configure the permission for the proxy service, knowing that the port in
use is 3128?

Best Regards,
Watanabe

----- Original Message -----
From: "Anderson Watanabe" <wataankaol@gmail.com>
To: "Shorewall List" <shorewall-users@lists.sourceforge.net>
Sent: Friday, March 13, 2009 3:49 PM
Subject: Policies, Rules and Configurations - No Success (#/etc/shorewall/policy)

> Hello,
>
> I forgot to put my #/etc/shorewall/policy file:
>
> # /etc/shorewall/policy
> ###############################################################################
> #SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
> #                         LEVEL   BURST    MASK
> #
> adm       net    DROP     info
> tlm       net    DROP     info
> #
> net       adm    DROP     info
> net       tlm    DROP     info
> #
> $FW       $FW    ACCEPT
> $FW       net    ACCEPT
> adm       tlm    ACCEPT
> #
> all       all    REJECT   info
> #
> #LAST LINE -- DO NOT REMOVE
>
> Thanks.
> Watanabe
>
> ----- Original Message -----
> From: "Anderson Watanabe" <wataankaol@gmail.com>
> To: "Shorewall List" <shorewall-users@lists.sourceforge.net>
> Sent: Friday, March 13, 2009 3:10 PM
> Subject: Policies, Rules and Configurations - No Success
>
>> Hello,
>>
>> I'm running Shorewall 4.2.6 with all patches.
>>
>> My policy is all traffic blocked and just allow some services. I'm trying
>> to set it up, but without success. I'm searching, but don't see my mistake.
>>
>> My configuration is:
>>
>> eth0 - internal interface (192.168.0.5/24)
>> eth1 - internal interface (192.168.20.5/24)
>> eth2 - external interface (220.x.y.234/24) connected to the ISP's modem
>>
>> Internal DNS = 192.168.0.200
>>
>> I use PPPoE connected on eth2, my IP on ppp0 is 220.x.y.235, and my PPPoE
>> interface (ppp0) receives the same (fixed) IP address (220.x.y.233).
>>
>> # /etc/shorewall/params
>> TLM=eth0
>> ADM=eth1
>> EXT=eth2
>> DNS=192.168.0.200
>>
>> # route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 118.23.99.136   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
>> 220.x.y.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
>> 192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
>>
>> My files:
>>
>> # /etc/shorewall/zones
>> ###############################################################################
>> #ZONE   TYPE       OPTIONS   IN        OUT
>> #                            OPTIONS   OPTIONS
>> fw      firewall
>> net     ipv4
>> tlm     ipv4
>> adm     ipv4
>>
>> # /etc/shorewall/interfaces
>> ###############################################################################
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> tlm     $TLM        detect      routefilter,tcpflags,dhcp,routeback
>> adm     $ADM        detect      routefilter,tcpflags,dhcp,routeback
>> net     $EXT        detect      tcpflags,routefilter,blacklist,nosmurfs
>>
>> # /etc/shorewall/masq
>> ###############################################################################
>> #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
>> $EXT         $TLM
>> $EXT         $ADM
>>
>> # /etc/shorewall/rules
>> ####################################################################################################################################################
>> #ACTION       SOURCE     DEST       PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
>> #                                           PORT      PORT(S)   DEST       LIMIT   GROUP
>> REDIRECT      adm        3128       tcp     80
>> REDIRECT      tlm        3128       tcp     80
>> ACCEPT        $FW        net        tcp     80,443
>> Ping/ACCEPT   adm        $FW
>> Ping/ACCEPT   tlm        $FW
>> Ping/ACCEPT   $FW        adm
>> Ping/ACCEPT   $FW        tlm
>> Ping/ACCEPT   adm        net
>> Ping/ACCEPT   $FW        net
>> DNS/ACCEPT    adm:$DNS   net
>> DNS/ACCEPT    $FW        net
>> DNS/ACCEPT    tlm        adm:$DNS
>>
>> # /etc/shorewall/rfc1918
>> ###############################################################################
>> #SUBNETS          TARGET
>> 192.168.0.0/24    RETURN    # ADM Network
>> 192.168.20.0/24   RETURN    # TLM Network
>> 172.16.0.0/12     logdrop   # RFC 1918
>> 192.168.0.0/16    logdrop   # RFC 1918
>> 10.0.0.0/8        logdrop   # RFC 1918
>>
>> What am I doing wrong? Can someone help me?
>>
>> Best Regards,
>> Watanabe

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
Anderson Watanabe wrote:
> Hello!!!!
>
> Well,
>
> Finally I found my mistake... (I think so...)
>
> I changed the "eth2" interface connected to the PPPoE modem to the "ppp0"
> interface, assigned by the PPPoE connection.
> Now, my external interface is "ppp0".
>
> By the way, I'm using Squid 3.0 for my proxy service.
>
> The rules for Squid are:
> #/etc/shorewall/rules
> .....
> REDIRECT   adm   3128   tcp   80
> REDIRECT   tlm   3128   tcp   80
> ACCEPT     $FW   net    tcp   80,443
> .........
>
> The rules above I used long ago, but now they do not seem to work. How best
> to configure the permission for the proxy service, knowing that the port in
> use is 3128?

Those rules are correct. In almost EVERY case where a Shorewall user has
reported a problem with transparent proxy, the problem was in the Squid
configuration and not in the Shorewall configuration.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Eduardo Ferreira
2009-Mar-13 17:11 UTC
Re: Policies, Rules and Configurations - Partial Success
> Those rules are correct. In almost EVERY case where a Shorewall user has
> reported a problem with transparent proxy, the problem was in the Squid
> configuration and not in the Shorewall configuration.
>
> -Tom

If I recall correctly, there was an update to Squid that changed the way you
declare transparency. In the old way, you used a set of directive lines. Now,
you just add the clause transparent to your http_port directive:

OLD WAY:
# transparent proxy
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on

NOW:
http_port xx.xx.xx.x:3128 transparent
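Tom's point above (the firewall rules are fine, look at Squid) and Eduardo's (the old httpd_accel_* directives no longer declare interception) can be checked mechanically. The script below is an added example written for this page; it is not Shorewall's or Squid's own tooling and neither poster supplied it. It parses a Shorewall rules file and a squid.conf, and reports every REDIRECT target port that Squid is not listening on in interception mode. The two sample files embedded in it are constructed for the example (192.0.2.1 is a documentation address, not anyone's host); Squid 3.0 spells the flag `transparent`, Squid 3.1 and later spell it `intercept`, and the checker accepts either.

```python
"""Cross-check Shorewall REDIRECT rules against squid.conf http_port lines.

Added example for this thread, not Shorewall's or Squid's own tooling.
A port that Shorewall redirects to but that Squid serves as a plain
forward-proxy port fails with "Invalid URL": intercepted requests carry
an origin-form request line (GET /path) with no scheme or host, which
only an interception-mode listener knows how to reconstruct.
"""
import re

# --- constructed sample inputs (not copied from any real host) -------------
SHOREWALL_RULES = """\
#ACTION   SOURCE   DEST   PROTO   DEST
#                                PORT(S)
REDIRECT  adm      3128   tcp     80
REDIRECT  tlm      3128   tcp     80
ACCEPT    $FW      net    tcp     80,443
"""

# Pre-2.6 style: the httpd_accel_* directives were removed in Squid 2.6,
# so here port 3128 is an ordinary forward-proxy port.
SQUID_CONF_OLD = """\
http_port 3128
#httpd_accel_host virtual
#httpd_accel_port 80
"""

# Squid 3.0 syntax; Squid 3.1 and later spell the flag 'intercept'.
SQUID_CONF_NEW = """\
http_port 192.0.2.1:3128 transparent
"""

_COMMENT = re.compile(r"\s*#")


def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not _COMMENT.match(line):
            yield line.split()


def _port_of(token):
    """'3128', '192.0.2.1:3128' and '[::1]:3128' all yield 3128; non-ports yield None."""
    last = token.rsplit(":", 1)[-1]
    return int(last) if last.isdigit() else None


def redirect_ports(rules_text):
    """Firewall ports targeted by REDIRECT rules (the DEST column; the action may carry :loglevel)."""
    ports = set()
    for f in _fields(rules_text):
        if len(f) >= 3 and f[0].split(":")[0].upper() == "REDIRECT":
            port = _port_of(f[2])
            if port is not None:
                ports.add(port)
    return ports


def squid_ports(squid_text):
    """Map each http_port number to True if it is in interception mode, else False."""
    listen = {}
    for f in _fields(squid_text):
        if len(f) >= 2 and f[0] == "http_port":
            port = _port_of(f[1])
            if port is not None:
                flags = {x.lower() for x in f[2:]}
                listen[port] = bool(flags & {"transparent", "intercept"})
    return listen


def check(rules_text, squid_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    listen = squid_ports(squid_text)
    for port in sorted(redirect_ports(rules_text)):
        if port not in listen:
            problems.append(f"REDIRECT to {port} but squid has no http_port {port}")
        elif not listen[port]:
            problems.append(f"http_port {port} lacks 'transparent'/'intercept'")
    return problems


if __name__ == "__main__":
    for name, conf in (("old", SQUID_CONF_OLD), ("new", SQUID_CONF_NEW)):
        print(name, check(SHOREWALL_RULES, conf) or ["ok"])
```

On a real box, feed `check()` the contents of /etc/shorewall/rules and /etc/squid/squid.conf instead of the embedded samples. Two caveats: the REDIRECT rules on this page only catch port 80, so HTTPS is never intercepted, and an interception port should be bound to a LAN-facing address as Eduardo's line does, not left listening on the public interface.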
Anderson Watanabe
2009-Mar-14 08:37 UTC
Policies, Rules and Configurations - Almost Finalized
Hello List,

Many services are running okay. Now, I need to create a rule to allow some
IPs to use Skype. By default, my policy blocks all traffic from the internal
networks to the internet. But I only have success connecting to Skype if I
allow all traffic for these IPs. How can I create this rule?

Best Regards,
Watanabe

--------------------------------------------------------------------------------------------------------------------

# /etc/shorewall/policy
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
#
adm       net    DROP     info
tlm       net    DROP     info
#
net       adm    DROP     info
net       tlm    DROP     info
#
$FW       $FW    ACCEPT
$FW       net    ACCEPT
adm       tlm    ACCEPT
#
all       all    REJECT   info
#
#LAST LINE -- DO NOT REMOVE

# /etc/shorewall/params
TLM=eth0
ADM=eth1
EXT=eth2
DNS=192.168.0.200

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
118.23.99.136   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
220.x.y.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

# /etc/shorewall/zones
###############################################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
tlm     ipv4
adm     ipv4

# /etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
tlm     $TLM        detect      routefilter,tcpflags,dhcp,routeback
adm     $ADM        detect      routefilter,tcpflags,dhcp,routeback
net     ppp0        detect      tcpflags,routefilter,blacklist,nosmurfs

# /etc/shorewall/masq
###############################################################################
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
ppp0         $TLM
ppp0         $ADM

# /etc/shorewall/rules
####################################################################################################################################################
#ACTION       SOURCE     DEST       PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                           PORT      PORT(S)   DEST       LIMIT   GROUP
REDIRECT      adm        3128       tcp     80
REDIRECT      tlm        3128       tcp     80
ACCEPT        $FW        net        tcp     80,443
Ping/ACCEPT   adm        $FW
Ping/ACCEPT   tlm        $FW
Ping/ACCEPT   $FW        adm
Ping/ACCEPT   $FW        tlm
Ping/ACCEPT   adm        net
Ping/ACCEPT   $FW        net
DNS/ACCEPT    adm:$DNS   net
DNS/ACCEPT    $FW        net
DNS/ACCEPT    tlm        adm:$DNS

# /etc/shorewall/rfc1918
###############################################################################
#SUBNETS          TARGET
192.168.0.0/24    RETURN    # ADM Network
192.168.20.0/24   RETURN    # TLM Network
172.16.0.0/12     logdrop   # RFC 1918
192.168.0.0/16    logdrop   # RFC 1918
10.0.0.0/8        logdrop   # RFC 1918
Roberto C. Sánchez
2009-Mar-14 12:25 UTC
Re: Policies, Rules and Configurations - Almost Finalized
On Sat, Mar 14, 2009 at 05:37:42PM +0900, Anderson Watanabe wrote:
>
> By default, my policy blocks all traffic from the internal networks to the
> internet. But I only have success connecting to Skype if I allow all
> traffic for these IPs.
>

First off, blocking outbound traffic is considered an "advanced"
configuration. You should get everything working first without blocking
outbound traffic.

Second, please stop posting your configuration files. This page explains how
to properly request support:

http://www.shorewall.net/support.htm

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com