[Shorewall-users] Ip aliasing

Alex Martin shorewall at rettc.com
Thu Dec 4 13:43:01 PST 2003

Ok. For starters,

/etc/shorewall/nat does not need an entry if you are only port forwarding. I
think you should look into one-to-one nat, to at least understand the difference
between this and port forwarding. See:

/etc/shorewall/masq is masquerading your eth1 interface, which you don't want to
do, unless you have hosts you want to masquerade other than just the two
addresses you are trying to port forward to. You have labeled this zone dmz, so
I by definition think that you have only these two hosts, but I could be wrong.

/etc/shorewall/rules: one thing is that you are accepting traffic to the
firewall before dnat'ing to the hosts you want to port forward to. This is not
necessary (unless you really want to provide access to all those services on
your firewall from the net). The dnat rule takes care of the firewall's
acceptance of traffic.
Also, the dnat rules need an entry in the 'original destination' column. This is
Last, look at this: http://www.shorewall.net/ports.htm
You have some extra udp allowances in some cases, and you probably want to add
udp allowances in other cases.

/etc/shorewall/policy: You added a bunch of stuff (probably to try to get things
to work). This is killing many log entries you would see normally. I would start
with a fresh copy of the policy file and leave it in its default state. In most
cases, the policy need not be changed from the default policy for whatever setup
guide you are following.

Have a go at this and tell me what you find out.

Alex Martin
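An added example, not code from either poster or from the Shorewall project: a small Python linter that applies the two rules-file checks from the reply above (a DNAT rule behind an aliased public address needs the ORIGINAL DEST column, and an ACCEPT to $FW for a port that is already DNATed is redundant) to a constructed Shorewall 1.4 rules fragment. The column layout is the 1.4 one; the addresses in the sample are placeholders.

```python
"""Lint a Shorewall 1.4 rules file for the two problems raised in the reply."""

# Column order of a Shorewall 1.4 /etc/shorewall/rules line.
COLS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed sample (placeholder addresses, not the poster's real ones):
# an smtp forward on the aliased public address without ORIGINAL DEST,
# a redundant ACCEPT to the firewall for that port, and one correct rule.
SAMPLE_RULES = """\
# Forward port 25 to the second DMZ server
ACCEPT  net  $FW            tcp  25  -
DNAT    net  dmz:10.1.1.3   tcp  25  -
DNAT    net  dmz:10.1.1.2   tcp  80  -  203.0.113.10
"""


def parse_rules(text):
    """Return one dict per active rule, missing columns filled with '-'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not fields:
            continue
        fields += ["-"] * (len(COLS) - len(fields))
        rule = dict(zip(COLS, fields))
        rule["line"] = lineno
        rules.append(rule)
    return rules


def lint(text, aliased_interface=True):
    """Return (line, message) findings; order follows the file."""
    rules = parse_rules(text)
    forwarded = {(r["proto"], r["dport"]) for r in rules if r["action"] == "DNAT"}
    findings = []
    for r in rules:
        if r["action"] == "DNAT":
            if ":" not in r["dest"] or r["dest"].endswith(":"):
                findings.append((r["line"], "DNAT DEST must be zone:server-address"))
            if aliased_interface and r["origdest"] == "-":
                findings.append((r["line"],
                                 "DNAT on an aliased interface needs ORIGINAL DEST"))
        elif (r["action"] == "ACCEPT" and r["source"] == "net"
              and r["dest"].startswith("$FW")
              and (r["proto"], r["dport"]) in forwarded):
            findings.append((r["line"],
                             "ACCEPT to $FW is redundant; the DNAT rule already accepts it"))
    return findings


if __name__ == "__main__":
    for line, msg in lint(SAMPLE_RULES):
        print(f"rules line {line}: {msg}")
```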

----- Original Message ----- 
From: "Marcelo Mujica" <mfmujic at eit.com.ar>
To: <shorewall-users at lists.shorewall.net>
Sent: Tuesday, December 02, 2003 7:39 PM
Subject: [Shorewall-users] Ip aliasing

Hi, I'm running shorewall (# shorewall version 1.4.8) on Red Hat 7.3. The
firewall does port forwarding to a DMZ server, from eth0.
Now I have to forward the smtp port from another public IP to another
server in the DMZ.
The primary is filtered as you can see in the rules file in this mail.
When I configure the secondary IP on eth0 (eth0:0), the IP is not recognized
by shorewall; I can ping and do anything from outside on this IP. The
message log doesn't register any action.
I followed the instructions in this FAQ
(http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html), but I cannot
forward the one port that I need.
To do the job, I do NAT on the secondary IP, and when I modified the NAT
file, shorewall started to recognize the secondary IP.
NAT works, but I need to forward only one port, and I can't.
In the rules file I have now commented out the specific rule that I tried.

Thanks for your help.


# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:c6 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
    inet brd scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:86:13:53 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:75:d6:f9:53 brd ff:ff:ff:ff:ff:ff

# ip route show dev eth1  scope link dev lo  scope link
default via dev eth0

net     Net             Internet
dmz     DMZ             Demilitarized zone
loc     Local           Local networks

net     eth0    -
dmz     eth1    -       routeback

#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
                eth0:0                          yes                     no

eth0    eth1


# Acepto DNS
ACCEPT  $FW     net     udp     53      -
ACCEPT  dmz     net     udp     53      -
ACCEPT  dmz     $FW     udp     53      -
ACCEPT  dmz     $FW:      icmp    -       -
ACCEPT  $FW     net     tcp     -       -

ACCEPT  dmz     $FW     tcp     22
ACCEPT  dmz     $FW     udp     22      -

#Forward puerto 143,993,110,995,81,135,80
ACCEPT  net     $FW:      tcp    ,143,993,110,995,81,135,80    -
DNAT    net     dmz: tcp     143,993,110,995,81,135,80    -
ACCEPT  net     $FW:      udp     143,993,110,995,81,135,80      -
DNAT    net     dmz: tcp     143,993,110,995,81,135,80      -

#Forward puerto 25
#ACCEPT  net     $FW:      tcp     25     -
#DNAT    net     dmz: tcp     25      -
#ACCEPT  net     $FW:      udp     25  -
#DNAT    net     dmz: udp     25     -

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz     net     ACCEPT  -
dmz     $FW     ACCEPT  -
$FW     net     ACCEPT  -
$FW     dmz     ACCEPT  -
net     all     REJECT  info
net     $FW     REJECT  info
all             all             REJECT          info