wisnu dwi hidayat
2009-Jul-10 04:33 UTC
Shorewall with FTP and WEB Server Connection problem
Dear Master,

I need your help, I am configuring shorewall with FTP and WEB Server behind the shorewall box. The problem is that I can't connect to the FTP and WEB Server. But Internet connection from the Proxy Server so far so good through to the LAN.. Here is my topology below;

Internet======>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1 (public ip)
eth1 = 200.x.x.2 (public ip)
eth1:1 = 60.x.x.1 (public ip)

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2 (public ip)
eth1 = 192.x.x.2 (private ip/lan)

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3 (public ip)
eth1 = 192.x.x.3 (private ip/lan)

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3 (public ip)
eth1 = 192.x.x.4 (private ip/lan)

Here is my shorewall configuration..

/etc/shorewall/zones
########################################################################
#ZONE   TYPE      OPTIONS       IN              OUT
#                               OPTIONS         OPTIONS
net     ipv4
local   ipv4
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
########################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0
local   eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
########################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      all     ACCEPT
net     all     DROP
local   all     ACCEPT
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq
########################################################################
#INTERFACE      SOURCE  ADDRESS         PROTO   PORT(S) IPSEC
eth0            eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
########################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/  MARK
#                               PORT    PORT(S) DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED

ACCEPT  local   fw      tcp     53
ACCEPT  local   fw      udp     53
ACCEPT  net     fw      tcp     53
ACCEPT  net     fw      udp     53

ACCEPT  local   fw      tcp     80
ACCEPT  net     fw      tcp     80

ACCEPT  local   fw      tcp     20
ACCEPT  local   fw      tcp     21

ACCEPT  local   fw      tcp     22
ACCEPT  net     fw      tcp     22
ACCEPT  fw      local   tcp     22

ACCEPT  local   fw      tcp     10000
ACCEPT  net     fw      tcp     10000

ACCEPT  net     fw      tcp     25,110,143
ACCEPT  fw      net     tcp     25,110,143
ACCEPT  local   fw      tcp     25,110,143
REJECT  local   net     tcp     25,110,143
#SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I don't know what is wrong with my configuration.. Why can my Web Server and FTP not be accessed..?? Please give me advice; any suggestion and idea are welcome..

Regards,
Wisnu

------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time,
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize
details at: http://p.sf.net/sfu/Challenge
wisnu dwi hidayat wrote:
> Dear Master,
>
> I need your help, I am configuring shorewall with FTP and WEB Server
> behind the shorewall box. The problem is that I can't connect to the
> FTP and WEB Server. But Internet connection from the Proxy Server so
> far so good through to the LAN.. Here is my topology below;
>
> Internet======>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN
>
> Here is my shorewall configuration..

We prefer *not* to see your Shorewall configuration but rather the output
of "shorewall dump" collected as described at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
wisnu dwi hidayat wrote:
> /etc/shorewall/rules
> ########################################################################
> #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/  MARK
> #                               PORT    PORT(S) DEST      LIMIT  GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
>
> ACCEPT  local   fw      tcp     53
> ACCEPT  local   fw      udp     53
> ACCEPT  net     fw      tcp     53
> ACCEPT  net     fw      udp     53

You run a public DNS server on your firewall?

> ACCEPT  local   fw      tcp     80
> ACCEPT  net     fw      tcp     80

And an HTTP server?

> ACCEPT  local   fw      tcp     20

NO NO NO NO -- Please read http://www.shorewall.net/FTP.html

> ACCEPT  local   fw      tcp     21
>
> ACCEPT  local   fw      tcp     22
> ACCEPT  net     fw      tcp     22
> ACCEPT  fw      local   tcp     22
>
> ACCEPT  local   fw      tcp     10000
> ACCEPT  net     fw      tcp     10000
>
> ACCEPT  net     fw      tcp     25,110,143
> ACCEPT  fw      net     tcp     25,110,143
> ACCEPT  local   fw      tcp     25,110,143
> REJECT  local   net     tcp     25,110,143

You have no net->local ACCEPT rules so connections from the internet to
your server are not allowed.

You seem to be confused about how zones work. Your ftp server/web
server/Proxy is in the 'local' zone, not the 'fw' zone. Connections to
that server from the internet require rules of the form:

ACCEPT  net     local   ...

-Tom
Tom Eastep wrote:
> wisnu dwi hidayat wrote:
>> REJECT  local   net     tcp     25,110,143
>
> You have no net->local ACCEPT rules so connections from the internet to
> your server are not allowed.
>
> You seem to be confused about how zones work. Your ftp server/web
> server/Proxy is in the 'local' zone, not the 'fw' zone. Connections to
> that server from the internet require rules of the form:
>
> ACCEPT  net     local   ...

Example:

ACCEPT  net     local:60.x.x.2  tcp     21      #Allow FTP access from the
                                                #Internet

Rewritten to use the FTP macro:

FTP/ACCEPT      net     local:60.x.x.2

-Tom
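A small first-match evaluator, added here as an illustration and not part of the thread or of Shorewall itself, that replays Tom's point: in the poster's rules every net-sourced ACCEPT targets fw, so a connection from net to the FTP host in local falls through to the "net all DROP" policy until a net->local rule is added. The file excerpts are constructed from the thread (the 60.x.x.2 and 60.x.x.3 addresses are the post's placeholders), and the fall-through default for an unmatched zone pair is an assumption of this toy, not Shorewall behaviour.

```python
"""Constructed toy evaluator for Shorewall-style rules/policy files
(not Shorewall code): first matching rule wins, then the first policy."""

# Excerpt of the original poster's rules: every net-sourced rule targets fw.
ORIGINAL_RULES = """\
ACCEPT  local   fw      tcp     53
ACCEPT  net     fw      tcp     80
ACCEPT  net     fw      tcp     22
ACCEPT  net     fw      tcp     25,110,143
"""

POLICY = """\
fw      all     ACCEPT
net     all     DROP
local   all     ACCEPT
"""

# The fix Tom describes: explicit net->local rules for the servers' public IPs.
FIXED_RULES = ORIGINAL_RULES + """\
ACCEPT  net     local:60.x.x.2  tcp     21
ACCEPT  net     local:60.x.x.3  tcp     80
"""


def parse(text):
    """Split a rules/policy file into token lists, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def dest_matches(spec, zone, addr):
    """'local' matches the whole zone; 'local:60.x.x.2' only that host."""
    z, _, host = spec.partition(":")
    return z == zone and (not host or host == addr)


def verdict(rules, policy, src, dst, proto, port, dst_addr=None):
    """Verdict for a new connection src-zone -> dst-zone on proto/port."""
    for action, rsrc, rdst, rproto, rports in parse(rules):
        ports = {int(p) for p in rports.split(",")}
        if rsrc == src and dest_matches(rdst, dst, dst_addr) and rproto == proto and port in ports:
            return action
    for psrc, pdst, paction in (r[:3] for r in parse(policy)):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return paction
    return "DROP"  # assumption: toy default when no policy row matches
```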
wisnu dwi hidayat
2009-Jul-16 07:17 UTC
Re: Shorewall with FTP and WEB Server Connection problem
Dear Tom,

I already reconfigured the rules like your explanation..

Accept net local

But it still doesn't work.. or is it because my topology is not standardized with the shorewall network architecture.. ?? See;

The shorewall has 2 ethernet with public IP:
> eth0 = 200.x.x.1 (public ip)
> eth1 = 200.x.x.2 (public ip)
> eth1:1 = 60.x.x.1 (public ip)

I've given the eth1 as local not dmz, is it possible to give public ip as local..???

Regards,
Wisnu

________________________________
From: Tom Eastep <teastep@shorewall.net>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Friday, July 10, 2009 8:47:46 PM
Subject: Re: [Shorewall-users] Shorewall with FTP and WEB Server Connection problem
wisnu dwi hidayat wrote:
> Dear Tom,
>
> I already reconfigured the rules like your explanation..
>
> Accept net local
>
> But it still doesn't work.. or is it because my topology is not
> standardized with the shorewall network architecture.. ??

Until you submit a proper trouble report as described at
http://www.shorewall.net/support.htm#Guidelines, we won't be able to help
you. I asked you to do that in my first response to your initial post!

-Tom