[Shorewall-users] Ip aliasing

Alex Martin shorewall at rettc.com
Thu Dec 4 13:43:01 PST 2003


Ok. For starters,

/etc/shorewall/nat does not need an entry if you are only port forwarding. I
think you should look into one-to-one nat, to at least understand the difference
between this and port forwarding. See:
http://www.shorewall.net/Documentation.htm#NAT

/etc/shorewall/masq is masquerading your eth1 interface, which you don't want to
do, unless you have hosts you want to masquerade other than just the two
addresses you are trying to port forward to. You have labeled this zone dmz, so
I by definition think that you have only these two hosts, but I could be wrong.

/etc/shorewall/rules: one thing is that you are accepting traffic to the
firewall before dnat'ing to the hosts you want to port forward to. This is not
necessary (unless you really want to provide access to all those services on
your firewall from the net). The dnat rule takes care of the firewall's
acceptance of traffic.
Also, the dnat rules need an entry in the 'original destination' column. This is
important!
Last, look at this: http://www.shorewall.net/ports.htm
You have some extra upd allowances in some cases, and you probably want to add
udp allowances in other cases.

/etc/shorewall/policy: You added a bunch of stuff (probably to try to get things
to work). This is killing many log entries you would see normally. I would start
with a fresh copy of the policy file and leave it in its default state. In most
cases, the policy need not be changed from the default policy for whatever setup
guide you are following.

Have a go at this and tell me what you find out.

Alex Martin
http://www.rettc.com


----- Original Message ----- 
From: "Marcelo Mujica" <mfmujic at eit.com.ar>
To: <shorewall-users at lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing


Hi, I`m running shorewall (# shorewall version 1.4.8) in a redhat 7.3. The
firewall does a port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port , from another public ip that  to another
server in the DMZ.
The primary is filtered like you can see in the rules file in this mail.
When I config the secondary ip over eth0, (eth0:0)the ip cannot be recognized
for shorewall, I can ping, and do anything from outside over this ip. The
message log don`t register any action.
I follow de intructions for this faq(
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I`cannot
forward the unique port that I need.
TO make the job, I do NAT over the secondary Ip, and when I modified the file
NAT , shorewall start to recognize the secondary Ip.
NAT work, but I need forward only one port , and I can`t.
In the rules file now I`comment the specific rule that I try.

Thanks for your help.

Marcelo


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
    inet 200.61.163.217/29 brd 200.61.163.223 scope global eth0
    inet 200.61.163.218/29 brd 200.61.163.223 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff

# ip route show
172.16.1.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 200.61.163.222 dev eth0

FILE ZONES
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks

FILE INTERFACES
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0    -
dmz     eth1    -       routeback


FILE NAT
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
200.61.163.218  eth0:0  172.16.1.11     yes     no



FILE MASQ
eth0    eth1

FILE RULES

# Acepto DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  dmz     $FW     udp     53      -
ACCEPT  dmz     $FW:200.61.163.217      icmp    -       -
ACCEPT  $FW     net     tcp     -       -


ACCEPT  dmz     $FW     tcp     22
ACCEPT  dmz     $FW     udp     22      -

#Forward puerto 143,993,110,995,81,135,80
ACCEPT  net     $FW:200.61.163.217      tcp    ,143,993,110,995,81,135,80    -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:200.61.163.217      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz:172.16.1.15 tcp     143,993,110,995,81,135,80      -

#Forward puerto 25
#ACCEPT  net     $FW:200.61.163.218      tcp     25     -
#DNAT    net     dmz:172.16.1.11 tcp     25      -      200.61.163.218
#ACCEPT  net     $FW:200.61.163.218      udp     25  -
#DNAT    net     dmz:172.16.1.11 udp     25     -

FILE POLICY
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz     net     ACCEPT  -
dmz     $FW     ACCEPT  -
$FW     net     ACCEPT  -
$FW     dmz     ACCEPT  -
net     all     REJECT  info
net     $FW     REJECT  info
all             all             REJECT          info
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users at lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm



More information about the Shorewall-users mailing list