[Shorewall-users] Two Newbie Questions. One About Virtual Addresses And The Other About IP-Chains

Tom Eastep teastep@shorewall.net
Sat, 19 Jan 2002 18:06:01 -0800


Francesca,

On Saturday 19 January 2002 05:07 pm, Francesca C Smith wrote:

> I am new to using Shorewall and well am impressed. Ok here are the
> questions. I run a hosting server running Red-Hat 7.2 with all latest
> patches installed. Iptables version 1.2.4, Kernel 2.4.9-13. I start up
> shorewall with the following configuration params file configuration.

I don't see an attachment -- You mention later though that you are workin=
g=20
off of the one-interface sample.

> I run
> one virtual host on this machine to serve up name based Apache Web Site=
s.
> The address's are 216.25.199.137 for eth0 and 216.25.199.138 for eth0:0=
=2E

While it wasn't previously stated, the samples all assume a single intern=
et=20
IP address. I've updated the web site to make that assumption explicit.

> I
> require all the following ports to be accessible on eth0 from outside. =
I
> only need 80,443 and 3306 for eth0:0 accessible from outside. From insi=
de
> only 20,21,22,53,123 need to access the local subnet 216.25.199/24.

You refer to "outside" and "inside" -- what exactly do these terms mean t=
o=20
you?

> Inside
> hosts on sub-net 216.25.199/24 only require 20,21,22 access to this hos=
t.

So does the firewall have more that one interface?

> Im thinking I need local zones for the internal sub-net with 216.25.199=
=2E138
> being excepted.

This is beginning to sound like my setup -- have you looked at=20
http://www.shorewall.net/myfiles.htm?

> Im thinking I need a dmz zone for 216.25.199.138. And all
> eth0 needs is a better thought out port access config than the simple o=
ne
> below. (Ftp Less UDP access Etc Etc). All I am asking is am I thinking =
in
> the right direction here.?? I can toy with and learn the best config ju=
st
> need a starting point. I have looked all over the archives and really d=
on't
> see much on iptables and virtual hosts. I am working off the sample one
> interface templates provided at the shorewall web site.

I think you need to abandon use of the sample configs -- I would also lik=
e to=20
know how many interfaces you have (or are thinking of having) on your=20
firewall. If you are doing this with only one interface, then you are=20
restricted to two zones: net (or whatever you choose to call the internet=
)=20
and fw. You can still differentiate between your external IP addresses bu=
t=20
you must do so entirely inside the rules file.=20

-Tom
--=20
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net