[Shorewall-users] Re: [leaf-user] 3 Bering problems
Thu, 4 Jul 2002 07:18:46 -0700 (PDT)
On Thu, 4 Jul 2002, Tom Eastep wrote:
> On Wed, 3 Jul 2002, Nachman Yaakov Ziskind wrote:
> > 1) Incoming connections to the servers are identified as coming from the
> > router, not the original IP address. This makes life difficult for several
> > reasons. How do I address this?
> The "rules" above do exactly that.
> On my web site and in my posts on mailing lists, I have consistently
> recommended that people use a DNS solution rather than an IP solution to
> the problem that you were trying to solve (basically the problem
> described in Shorewall FAQ #2). When I made that recommendation to you,
> you replied:
> "I have no clue what Bind 9 views is, or how to set it up. But I suspect
> it involves doing things through DNS. I further suspect it will be like
> pulling teeth with every w/s pointing to my ISP's DNS servers. I suppose I
> *could* just load a hosts file on every workstation. Ouch."
> Given your response, I made the recommendation that resulted in the rules
> that you have above. One of the features of that solution is that all
> redirected connections look to the server as if they were initiated by the
> firewall. That is absolutely necessary since the server MUST reply back
> through the firewall so that the firewall can "de-NAT" the reply packets.
> If having the connections appear to come from the firewall is a problem
> for you then you need to switch to a DNS solution.
After I had posted, I realized that there is another issue here that may
be what you are really complaining about. If your 'loc' zone is defined
entirely in terms of interfaces then you probably want to revise your
rules to read:
ACCEPT loc:10.1.1.0/24 loc:10.1.1.1 tcp smtp - 18.104.22.168:10.1.1.200
ACCEPT loc:10.1.1.0/24 loc:10.1.1.252 tcp www - 22.214.171.124:10.1.1.200
ACCEPT loc:10.1.1.0/24 loc:10.1.1.253 tcp www - 126.96.36.199:10.1.1.200
ACCEPT loc:10.1.1.0/24 loc:10.1.1.254 tcp www - 188.8.131.52:10.1.1.200
That will restrict the scope of SNAT to connections originating on the
local system. With the rules that you posted (and assuming that 'loc' is
defined in terms of one or more interfaces), connections originating from
outside your firewall will also appear to originate from the firewall.
Sorry that I was so dense on the first go-around. I will also change the
FAQ to make this point clear.
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
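As an added illustration (not part of the thread or of Shorewall itself), a small Python model of the NAT behaviour described above: why a redirected connection from a local client must appear to come from the firewall so the reply can be de-NATed, and why restricting the SOURCE column to 10.1.1.0/24 leaves connections from outside untouched. The firewall's loc-side address 10.1.1.254 and the outside client 203.0.113.5 are assumed/constructed values.

```python
import ipaddress

# Constructed model of the situation in the post: a client connects to one of
# the firewall's addresses, the rule DNATs it to the server and (optionally)
# SNATs it so that the server sees the firewall as the source.
LOC_NET = ipaddress.ip_network("10.1.1.0/24")
SERVER = ipaddress.ip_address("10.1.1.200")        # server from the rules above
FIREWALL_LOC = ipaddress.ip_address("10.1.1.254")  # assumed loc-side firewall address


def rule_applies(src, restrict_to_loc_net):
    """SOURCE column match. With restrict_to_loc_net=True the rule reads
    loc:10.1.1.0/24 (the revised rules); with False it reads plain 'loc',
    which matches any packet arriving on a loc interface, wherever it came from."""
    return (not restrict_to_loc_net) or ipaddress.ip_address(src) in LOC_NET


def source_seen_by_server(client, snat):
    """Address the server sees as the origin of the redirected connection."""
    return FIREWALL_LOC if snat else ipaddress.ip_address(client)


def reply_returns_via_firewall(client, snat):
    """Where the server sends its reply: a destination on its own subnet is
    reached directly (bypassing the firewall, so nothing can de-NAT the reply
    and the client discards it); anything else is routed to the default
    gateway, the firewall, which rewrites the reply back to what the client
    expects."""
    dst = source_seen_by_server(client, snat)
    return dst == FIREWALL_LOC or dst not in LOC_NET


if __name__ == "__main__":
    for client in ("10.1.1.5", "203.0.113.5"):
        for snat in (False, True):
            print(f"client {client:12} snat={snat!s:5} server sees "
                  f"{source_seen_by_server(client, snat)!s:12} "
                  f"reply de-NATed: {reply_returns_via_firewall(client, snat)}")
```

The outside client's reply already passes through the firewall without SNAT, which is why the narrowed SOURCE column costs nothing and lets the server log outside connections with their real addresses.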