James Robertson
2009-Oct-30 05:47 UTC
3 Interface Config, DNAT but all private networks - assistance
Hi,

I'm struggling to get a configuration for shorewall working. The network is as follows:

Server 2003 Web Server with 2 interfaces
- Eth0 connected to the internet directly with a real IP and firewalled by a Cisco.
- Eth1 with address 10.3.3.3/24 connected to eth1 on the Debian Lenny Linux Shorewall Box

Server 2003 SQL Server with 2 interfaces
- Eth0 connected to the LAN with IP address 192.168.1.8/24
- Eth1 with IP 172.16.1.8/24 connected to eth2 on the Debian Lenny Linux Shorewall Box

Debian Lenny Linux shorewall box with 3 interfaces
- Eth0 with IP 192.168.1.14/24 connected to the LAN
- Eth1 with IP 10.3.3.2/24 connected to the Web server
- Eth2 with IP 172.16.1.2/24 connected to the SQL Server

The purpose being to isolate the Web Server in a DMZ, away from the SQL Server and the LAN. I would like to use NAT to hide the address of the SQL server from the Web Server in the DMZ and allow port 1433 amongst others to connect from the Web Server to the SQL Server.

My shorewall dump is attached and the configs are as follows:

=====masq:
eth1 eth0 10.3.3.2
eth1 eth2 10.3.3.2

==========policy:
fw lan ACCEPT info
fw dmz ACCEPT info
fw sql ACCEPT info
lan fw ACCEPT
lan dmz DROP info
lan sql DROP info
dmz all DROP info
sql all DROP info
all all REJECT info

==========rules:
SECTION NEW
DNAT dmz sql:172.16.1.8 tcp 1433 - 10.3.3.2

========interfaces:
lan eth0 detect
dmz eth1 detect
sql eth2 detect

====zones:
fw firewall
lan ipv4
dmz ipv4
sql ipv4
====

Thanks
Tom Eastep
2009-Oct-30 21:23 UTC
Re: 3 Interface Config, DNAT but all private networks - assistance
James Robertson wrote:
> Hi,
>
> I'm struggling to get a configuration for shorewall working.
>
> The network is as follows:
>
> My shorewall dump is attached and the configs are as follows:

So exactly what are we supposed to be looking for in this dump? Without knowing exactly what connection you tried to make during the time that the dump was being captured, I don't have a clue where to start.

In the absence of that information, I can only suggest that you consult the DNAT (port forwarding) troubleshooting tips in FAQs 1a and 1b. And if you submit another report, please give us a hint about what you tried and what you saw between the time when you reset the netfilter counters (either via 'shorewall start', 'shorewall restart', or 'shorewall clear') and when you took the dump.

And please also look at http://www.shorewall.net/Notices.html#Shell-EOL; it might save you some grief when, in the future, you upgrade from Lenny to Squeeze.

Thanks,
-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
James Robertson
2009-Nov-06 04:38 UTC
Re: 3 Interface Config, DNAT but all private networks - assistance
> In the absence of that information, I can only suggest that you
> consult the DNAT (port forwarding) troubleshooting tips in FAQs 1a and
> 1b. And if you submit another report, please give us a hint about
> what you tried and what you saw between the time when you reset the
> netfilter counters (either via 'shorewall start', 'shorewall restart', or 'shorewall
> clear') and when you took the dump.
> And please also look at http://www.shorewall.net/Notices.html#Shell-EOL;
> it might save you some grief when, in the future, you upgrade from
> Lenny to Squeeze.

Worked out the issue. Needed a persistent route on the SQL Server to get the traffic back to 10.3.3.3 via 172.16.1.2.

Thanks
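Why the persistent route was the missing piece, as an added model that is not from the thread: the masq entries only rewrite sources on packets leaving eth1, so the DNATed connection reaches the SQL server with the web server's real source 10.3.3.3, and the SQL server must route its replies back through 172.16.1.2 for conntrack on the Shorewall box to match them. The SQL server's default gateway (192.168.1.1) and its interface names are assumptions, not stated in the posts.

```python
import ipaddress

# Constructed model of the thread's topology (not the original posters' code).
WEB_SERVER = "10.3.3.3"                          # DMZ web server, eth1
DNAT_RULE = ("10.3.3.2", 1433, "172.16.1.8")     # DNAT dmz sql:172.16.1.8 tcp 1433 - 10.3.3.2
SQL_DEFAULT_GW = "192.168.1.1"                   # assumed LAN gateway, not given in the thread
FIREWALL_SQL_SIDE = "172.16.1.2"                 # Shorewall box eth2


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, iface); returns (gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def sql_server_routes(persistent_route):
    """The SQL server's table, with or without the route James added."""
    routes = [
        ("192.168.1.0/24", None, "eth0"),          # on-link LAN
        ("172.16.1.0/24", None, "eth1"),           # on-link to Shorewall eth2
        ("0.0.0.0/0", SQL_DEFAULT_GW, "eth0"),     # default via the (assumed) LAN gateway
    ]
    if persistent_route:
        routes.append(("10.3.3.0/24", FIREWALL_SQL_SIDE, "eth1"))
    return routes


def model_connection(persistent_route):
    """Web server -> 10.3.3.2:1433, DNATed to the SQL server; then the SQL server's reply path."""
    orig_dst, port, real_dst = DNAT_RULE
    # masq: 'eth1 eth0 ...' and 'eth1 eth2 ...' only SNAT packets leaving eth1.
    # This packet leaves eth2, so the SQL server sees the original source address.
    src_seen_by_sql = WEB_SERVER
    gw, iface = lookup(sql_server_routes(persistent_route), src_seen_by_sql)
    # Replies only reverse the DNAT if they re-enter the firewall on eth2 (via 172.16.1.2).
    symmetric = gw == FIREWALL_SQL_SIDE and iface == "eth1"
    return {"dnat_to": real_dst, "port": port, "reply_next_hop": gw,
            "reply_iface": iface, "symmetric": symmetric}


if __name__ == "__main__":
    for flag in (False, True):
        print("persistent route" if flag else "no route", model_connection(flag))
```

Without the route the reply leaves via the LAN default gateway, never re-enters the firewall on eth2, and the connection stalls; with it, the reply path mirrors the request.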