[Shorewall-users] Ip aliasing

Alex Martin shorewall at rettc.com
Tue Dec 2 22:06:49 PST 2003


Ok. I think you need to start over here. I am sure you spent time with the
documentation, but may have missed some stuff.

Mainly, I think you should investigate proxyarp more closely.

If you have a specific reason for not using proxyarp, let me know and I will
help sort out the configuration you have shown below. There are many errors in
your configs below for a port-forwarding type setup.

As I am saying, I would use proxy arp so that the hosts in the dmz have public
ips. This way you do not have to screw with port forwarding, as proxyarp will
make this transparent simply using ACCEPT rules. To use this, you assign a
public ip to each of the dmz hosts themselves, then using
/etc/shorewall/proxyarp, you instruct the firewall to forward traffic to the
proxyarp'ed addresses from its external public interface to the dmz interface.
Read this:
This is great, makes for MUCH simpler configuration.

I would start with a FRESH shorewall install, following the three interface
And using the three interface sample files:

Leave the default policy that this guide uses in place.

NOTE that the three interface guide is based on ONE public ip.

This means that you will need to modify /etc/shorewall/masq so that your dmz
interface is not masqueraded.

Also, you need to add the appropriate /etc/shorewall/proxyarp entries.

Also, using proxyarp, you DO NOT add ip aliases to the public firewall
interface. Shorewall takes care of this by proxying arp requests, again read
about proxyarp.

Then, using proxyarp, to accept port 25 to one dmz server, and say http traffic
to another dmz server, you use rules like:
ACCEPT    net    dmz:(dmz_server1_public_ip) tcp 25
ACCEPT    net    dmz:(dmz_server2_public_ip) tcp 80
No more confusing nat.

One more thing, I think that some of your rules are confused. For example, for
DNS service, you allow tcp AND (probably) udp traffic on port 53.
For ssh, you only need to accept tcp port 22. Not udp 22 as well. Etc.
See http://www.shorewall.net/ports.htm

Again, let me know if proxyarp is not a viable solution for you, and I will help
you sort out the port forwarding setup.

If you want to continue with the port forwarding setup, take a look at this:
It has some examples for proper /etc/shorewall/nat entries, etc, that would
correct some errors you have made. Also has a proxyarp example. Also, it uses
one-to-one nat, with no DNAT rules, which is what you need to do if you use port
forwarding and not proxyarp.

Please let me know where you are at, as I would like to learn from your

Alex Martin
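As an added illustration (not part of Alex's message or the Shorewall project's own samples), here are the three file fragments his reply describes, in Shorewall 1.4 column layout. The 203.0.113.x addresses are constructed documentation addresses; eth0 (public) and eth1 (dmz) are taken from Marcelo's quoted config below, and eth2 as the local interface is an assumption.

```text
# /etc/shorewall/proxyarp
# Public addresses that belong to the dmz hosts themselves. The firewall
# answers ARP for them on eth0 (EXTERNAL) and, with HAVEROUTE=no, adds a
# host route to each address via eth1 (INTERFACE).
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE
# dmz_server1 (smtp)
203.0.113.10    eth1            eth0            no
# dmz_server2 (http)
203.0.113.11    eth1            eth0            no

# /etc/shorewall/masq
# Only the local network is masqueraded. The "eth0 eth1" line that the
# three-interface sample would have for the dmz is left out, so dmz
# traffic leaves eth0 with its real public source address.
#INTERFACE      SUBNET          ADDRESS
eth0            eth2

# /etc/shorewall/rules
# Plain ACCEPT rules to the proxyarp'ed hosts. No DNAT, no
# /etc/shorewall/nat entries and no eth0:0 alias are needed.
#ACTION SOURCE  DEST                    PROTO   DEST PORT(S)
ACCEPT  net     dmz:203.0.113.10        tcp     25
ACCEPT  net     dmz:203.0.113.11        tcp     80
```

The dmz hosts are then configured with those public addresses directly, as Alex says, using the firewall's eth1 address as their default gateway.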

----- Original Message ----- 
From: "Marcelo Mujica" <mfmujic at eit.com.ar>
To: <shorewall-users at lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing

Hi, I'm running shorewall (# shorewall version 1.4.8) on a redhat 7.3. The
firewall does a port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port, from another public ip, to another
server in the DMZ.
The primary is filtered like you can see in the rules file in this mail.
When I configure the secondary ip over eth0 (eth0:0), the ip cannot be recognized
by shorewall; I can ping, and do anything from outside over this ip. The
message log doesn't register any action.
I followed the instructions in this faq
(http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I cannot
forward the one port that I need.
To do the job, I do NAT over the secondary ip, and when I modified the NAT
file, shorewall started to recognize the secondary ip.
NAT works, but I need to forward only one port, and I can't.
In the rules file now I've commented the specific rule that I tried.

Thanks for your help.


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet brd scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff

# ip route show
 dev eth1  scope link
 dev lo  scope link
default via dev eth0

net     Net             Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks

net     eth0    -
dmz     eth1    -       routeback

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
                eth0:0                          yes                     no

eth0    eth1


# Accept DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  dmz     $FW     udp     53      -
ACCEPT  dmz     $FW:      icmp    -       -
ACCEPT  $FW     net     tcp     -       -

ACCEPT  dmz     $FW     tcp     22
ACCEPT  dmz     $FW     udp     22      -

#Forward ports 143,993,110,995,81,135,80
ACCEPT  net     $FW:      tcp    ,143,993,110,995,81,135,80    -
DNAT    net     dmz: tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz: tcp     143,993,110,995,81,135,80      -

#Forward port 25
#ACCEPT  net     $FW:      tcp     25     -
#DNAT    net     dmz: tcp     25      -
#ACCEPT  net     $FW:      udp     25  -
#DNAT    net     dmz: udp     25     -

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz     net     ACCEPT  -
dmz     $FW     ACCEPT  -
$FW     net     ACCEPT  -
$FW     dmz     ACCEPT  -
net     all     REJECT  info
net     $FW     REJECT  info
all             all             REJECT          info