[Shorewall-users] Two Newbie Questions. One About Virtual Addresses And The Other About IP-Chains

Francesca C Smith SysAdmin@ladylinux.com
Sat, 19 Jan 2002 20:07:58 -0500


Hiya,

I am new to using Shorewall and well am impressed. Ok, here are the questions. I run a hosting server running Red-Hat 7.2 with all latest patches installed. Iptables version 1.2.4, Kernel 2.4.9-13. I start up shorewall with the following params file configuration. I run one virtual host on this machine to serve up name based Apache Web Sites. The addresses are 216.25.199.137 for eth0 and 216.25.199.138 for eth0:0. I require all the following ports to be accessible on eth0 from outside. I only need 80, 443 and 3306 for eth0:0 accessible from outside. From inside only 20, 21, 22, 53, 123 need to access the local subnet 216.25.199/24. Inside hosts on sub-net 216.25.199/24 only require 20, 21, 22 access to this host. I'm thinking I need local zones for the internal sub-net with 216.25.199.138 being excepted. I'm thinking I need a dmz zone for 216.25.199.138. And all eth0 needs is a better thought out port access config than the simple one below. (Ftp less UDP access etc etc). All I am asking is am I thinking in the right direction here?? I can toy with and learn the best config, just need a starting point. I have looked all over the archives and really don't see much on iptables and virtual hosts. I am working off the sample one interface templates provided at the shorewall web site.

NET_IF=eth0
NET_BCAST=detect
NET_OPTIONS=noping,norfc1918
TCP_PORTS=20,21,22,25,53,80,110,123,443,3306,10000,10001
UDP_PORTS=20,21,22,25,53,80,110,123,443,3306,10000,10001

On another point .. Ip-Chains can be shut off I figure, or does it even do anything but take up CPU cycles with ip-tables and netfilter??

Thank You,

Francesca C Smith
SysAdmin
Lady Linux Hosting And Consulting

sysadmin@ladylinux.com
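Added example, not from the post or from the Shorewall project, showing how the per-address policy described above looks as raw iptables rules for the INPUT chain: eth0:0 is only a second address on eth0, so netfilter separates the two port sets by destination address (`-d`), not by alias name. The addresses and port lists are the ones stated in the post; the script only prints the commands unless the IPT variable is pointed at a real iptables binary.

```shell
#!/bin/sh
# Added example (not the poster's or Shorewall's own config): the stated
# access policy as iptables INPUT rules. Set IPT=/sbin/iptables to apply;
# by default the commands are only echoed so the script can be reviewed.
IPT="${IPT:-echo iptables}"

FW_MAIN=216.25.199.137        # eth0 address from the post
FW_VIRT=216.25.199.138        # eth0:0 address from the post
LOCAL_NET=216.25.199.0/24     # the post's "216.25.199/24"

build_rules() {
    # Default deny; loopback and replies to existing connections are fine.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inside hosts on 216.25.199/24 get FTP and SSH on the main address only,
    # then are dropped before the wider rules below can apply to them.
    for p in 20 21 22; do
        $IPT -A INPUT -i eth0 -s "$LOCAL_NET" -d "$FW_MAIN" -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -i eth0 -s "$LOCAL_NET" -j DROP

    # Main address: the post's TCP_PORTS list, open to everyone else.
    for p in 20 21 22 25 53 80 110 123 443 3306 10000 10001; do
        $IPT -A INPUT -i eth0 -d "$FW_MAIN" -p tcp --dport "$p" -j ACCEPT
    done
    # Only DNS and NTP are UDP services; the other entries in the post's
    # UDP_PORTS list are TCP-only, so nothing else is opened over UDP.
    for p in 53 123; do
        $IPT -A INPUT -i eth0 -d "$FW_MAIN" -p udp --dport "$p" -j ACCEPT
    done

    # Virtual address: web and MySQL only, as the post requires.
    for p in 80 443 3306; do
        $IPT -A INPUT -i eth0 -d "$FW_VIRT" -p tcp --dport "$p" -j ACCEPT
    done
}

build_rules
```

Run it once with the default to read the generated rule list, then with `IPT=/sbin/iptables` to load it.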


