[Shorewall-users] Ip aliasing

Alex Martin shorewall at rettc.com
Tue Dec 2 22:06:49 PST 2003


Hello,

Ok. I think you need to start over here. I am sure you spent time with the
documentation, but may have missed some stuff.

Mainly, I think you should investigate proxyarp more closely.

If you have a specific reason for not using proxyarp, let me know and I will
help sort out the configuration you have shown below. There are many errors in
your configs below for a port-forwarding type setup.

As I am saying, I would use proxy arp so that the hosts in the dmz have public
ips. This way you do not have to screw with port forwarding, as proxyarp will
make this transparent simply using ACCEPT rules. To use this, you assign a
public ip to each of the dmz hosts themselves, then using
/etc/shorewall/proxyarp, you instruct the firewall to forward traffic to the
proxyarp'ed addresses from its external public interface to the dmz interface.
Read this:
http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP
This is great, makes for MUCH simpler configuration.

I would start with a FRESH shorewall install, following the three interface
guide:
http://www.shorewall.net/three-interface.htm
And using the three interface sample files:
http://www.shorewall.net/pub/shorewall/Samples/samples-1.4.8/three-interfaces.tgz

Leave the default policy that this guide uses in place.

NOTE that the three interface guide is based on ONE public ip.

This means that you will need to modify /etc/shorewall/masq so that your dmz
interface is not masqueraded.

Also, you need to add the appropriate /etc/shorewall/proxyarp entries.

Also, using proxyarp, you DO NOT add ip aliases to the public firewall
interface. Shorewall takes care of this by proxying arp requests, again read
about proxyarp.

Then, using proxyarp, to accept port 25 to one dmz server, and say http traffic
to another dmz server, you use rules like:
ACCEPT    net    dmz:(dmz_server1_public_ip) tcp 25
ACCEPT    net    dmz:(dmz_server2_public_ip) tcp 80
No more confusing nat.

One more thing, I think that some of your rules are confused. For example, for
DNS service,
you allow tcp AND (probably) udp traffic on port 53.
For ssh, you only need to accept tcp port 22. Not udp 22 as well. Etc.
See http://www.shorewall.net/ports.htm

Again, let me know if proxyarp is not a viable solution for you, and I will help
you sort out the port forwarding setup.

If you want to continue with the port forwarding setup, take a look at this:
http://www.shorewall.net/CorpNetwork.htm
It has some examples for proper /etc/shorewall/nat entries, etc, that would
correct some errors you have made. Also has a proxyarp example. Also, it uses
one-to-one nat, with no DNAT rules, which is what you need to do if you use port
forwarding and not proxyarp.

Please let me know where you are at, as I would like to learn from your
progress.

Thanks,
Alex Martin
http://www.rettc.com



----- Original Message ----- 
From: "Marcelo Mujica" <mfmujic at eit.com.ar>
To: <shorewall-users at lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing


Hi, I`m running shorewall (# shorewall version 1.4.8) in a redhat 7.3. The
firewall does a port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port , from another public ip that  to another
server in the DMZ.
The primary is filtered like you can see in the rules file in this mail.
When I config the secondary ip over eth0, (eth0:0)the ip cannot be recognized
for shorewall, I can ping, and do anything from outside over this ip. The
message log don`t register any action.
I follow de intructions for this faq(
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I`cannot
forward the unique port that I need.
TO make the job, I do NAT over the secondary Ip, and when I modified the file
NAT , shorewall start to recognize the secondary Ip.
NAT work, but I need forward only one port , and I can`t.
In the rules file now I`comment the specific rule that I try.

Thanks for your help.

Marcelo


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
    inet 200.61.163.217/29 brd 200.61.163.223 scope global eth0
    inet 200.61.163.218/29 brd 200.61.163.223 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff

# ip route show
172.16.1.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 200.61.163.222 dev eth0

FILE ZONES
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks

FILE INTERFACES
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0    -
dmz     eth1    -       routeback


FILE NAT
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
200.61.163.218  eth0:0  172.16.1.11     yes     no



FILE MASQ
eth0    eth1

FILE RULES

# Acepto DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  dmz     $FW     udp     53      -
ACCEPT  dmz     $FW:200.61.163.217      icmp    -       -
ACCEPT  $FW     net     tcp     -       -


ACCEPT  dmz     $FW     tcp     22
ACCEPT  dmz     $FW     udp     22      -

#Forward puerto 143,993,110,995,81,135,80
ACCEPT  net     $FW:200.61.163.217      tcp    ,143,993,110,995,81,135,80    -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:200.61.163.217      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80      -

#Forward puerto 25
#ACCEPT  net     $FW:200.61.163.218      tcp     25     -
#DNAT    net     dmz:172.16.1.11 tcp     25      -      200.61.163.218
#ACCEPT  net     $FW:200.61.163.218      udp     25  -
#DNAT    net     dmz:172.16.1.11 udp     25     -

FILE POLICY
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz     net     ACCEPT  -
dmz     $FW     ACCEPT  -
$FW     net     ACCEPT  -
$FW     dmz     ACCEPT  -
net     all     REJECT  info
net     $FW     REJECT  info
all             all             REJECT          info
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users at lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm



More information about the Shorewall-users mailing list