[Shorewall-users] Portforwarding didn't work

Tom Eastep teastep@shorewall.net
Wed, 23 Jan 2002 13:31:32 -0800


On Wednesday 23 January 2002 10:09 am, stefan.buchwald@twt-gmbh.de wrote:
> Hi
>
> We are still configuring Shorewall and it is nearly done, but there is a
> problem.
> We are trying to connect from a computer on the Internet to a database in our
> local net. We used the example with SAM from the documentation and
> configured the computer as DMZ.
>
> Here is the configuration
> zones:
> dmz     DMZ             Demilitarized zone
> net     Net             Internet
> loc     Local           Local networks
>
> interfaces:
> loc     eth1            193.100.201.255
> -       eth0            62.159.230.95   noping
>
> hosts
> dmz             eth0:62.159.230.82
> net             eth0:0.0.0.0/0
>
> policy:
> #CLIENT         SERVER          POLICY          LOG LEVEL
> loc             net             ACCEPT
> loc             dmz             ACCEPT
> dmz             all             CONTINUE
> net             all             DROP            info
> all             all             REJECT          info
>
> rules:
> #Squid
> ACCEPT          loc       fw                    tcp     8080    -       all
> ACCEPT          fw        net                   tcp     www,443
> ACCEPT          fw        dmz                   tcp     www,443
> ACCEPT          fw        loc:193.100.201.116   udp     53      -       all
> #Sendmail
> ACCEPT          net       fw                    tcp     smtp
> ACCEPT          fw        loc:193.100.201.2     tcp     smtp
> #DB
> ACCEPT          dmz       loc:193.100.201.111   tcp     1521,1526 -     all
> #ACCEPT         dmz       loc:193.100.201.61    tcp     ssh     -       all
>
> On the firewall run a squid and a sendmail, and they work.
>
> But with the rules for DB there is no way to connect to the DB.
> Without the rule for the DB there is an error in the logfile (all2all:REJECT)
> and that's OK. But with the rule activated there is nothing in the log.
> Is this a problem with the configuration of the firewall or is this a Linux
> problem?

Are you using NAT or Masquerading in this setup?

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
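To see why the symptom changes when the DB rule is toggled, here is an added example (my own code, not Shorewall's and not part of the thread above): a simplified first-match simulator over the rules and policies quoted in the message. It assumes Shorewall's ordering (rules are consulted before policies, CONTINUE falls through to the next matching policy) and that a matched rule with no log level logs nothing; the tables are transcribed from the quoted configuration, and the connection tuples are constructed test inputs.

```python
# Constructed from the quoted rules file: (action, source, dest, proto, ports).
# "zone:ip" narrows a zone to one host, as in the quoted loc:193.100.201.111.
RULES = [
    ("ACCEPT", "loc", "fw", "tcp", {8080}),
    ("ACCEPT", "fw", "net", "tcp", {80, 443}),
    ("ACCEPT", "fw", "dmz", "tcp", {80, 443}),
    ("ACCEPT", "fw", "loc:193.100.201.116", "udp", {53}),
    ("ACCEPT", "net", "fw", "tcp", {25}),
    ("ACCEPT", "fw", "loc:193.100.201.2", "tcp", {25}),
    ("ACCEPT", "dmz", "loc:193.100.201.111", "tcp", {1521, 1526}),
]

# Constructed from the quoted policy file: (client, server, policy, log level).
POLICIES = [
    ("loc", "net", "ACCEPT", None),
    ("loc", "dmz", "ACCEPT", None),
    ("dmz", "all", "CONTINUE", None),
    ("net", "all", "DROP", "info"),
    ("all", "all", "REJECT", "info"),
]


def _matches(spec, zone, ip):
    """spec is 'all', 'zone' or 'zone:ip'; ip may be None for the source side."""
    if ":" in spec:
        z, host = spec.split(":", 1)
        return z == zone and host == ip
    return spec in ("all", zone)


def evaluate(src_zone, dst_zone, dst_ip, proto, port, rules=RULES):
    """Return (disposition, log_tag); log_tag is None when nothing is logged."""
    for action, s, d, p, ports in rules:
        if (_matches(s, src_zone, None) and _matches(d, dst_zone, dst_ip)
                and p == proto and port in ports):
            return action, None  # rules in this thread carry no log level
    for client, server, policy, level in POLICIES:
        if client in ("all", src_zone) and server in ("all", dst_zone):
            if policy == "CONTINUE":
                continue  # simplification: defer to the next matching policy
            # Shorewall logs policy hits as <client>2<server>:<POLICY>
            return policy, (f"{client}2{server}:{policy}" if level else None)
    return "REJECT", None


if __name__ == "__main__":
    print("DB rule on :", evaluate("dmz", "loc", "193.100.201.111", "tcp", 1521))
    print("DB rule off:", evaluate("dmz", "loc", "193.100.201.111", "tcp", 1521,
                                   rules=RULES[:-1]))
```

With the DB rule present the dmz to loc connection is accepted and nothing is logged, exactly as reported, so the remaining failure is not a filter decision; that is why the question about NAT or masquerading is the right next step.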