Garby Trash wrote:
> Dear Friends:
>
> I am very new to shorewall stuff. I am trying to create (obviously for
> the first time) a home datacenter with a setup like below:
>
>
>                         +--------+
>                         |  ADSL  |
>                         |  Modem |
>                         +---+----+
>                             |
>                    eth0: 81.216.202.218
>                      +------+--------+
>                      | OpenVZ box w  |____DMZ connected
>                      | HN as firewall|    |with xover
>                      +-and VPSes ----+    |cable
>   LOC                      |              | eth2: 192.168.1.254
>   eth1: 192.168.0.254      |          +---+-----+
>       +------...........   |          |         |
>                                       |local router+gw 192.168.1.250
>       +--+---+                        +---------+
>                                       192.168.2.254
>                                            |
>                                        |___|_______+
>                                        |          |
>                                        |          |
>                                    +---+-+    +---+---+
>                                    |     |    |       |
>                                    +-----+    +-------+
>                                            192.168.2.0/24
>
>
> I want to make the 192.168.1.250 (a trixbox voip server) as well as
> other webservers in the firewall+router cum OpenVZ box with several
> virtual servers in the DMZ zone accessible to the world and vice
> versa.
Given that you have only one IP address, the webserver solution has nothing to do with Shorewall. You need to run an HTTP proxy on the Shorewall box that can route requests based on host name. Apache can offer this type of service and I believe that Squid can also.

> I did everything I could in the rules and policy. When I port
> forwarded dmz:192.168.1.250 in rules, the rest in DMZ including $FW
> itself became unavailable.

That's expected. Each connection to a particular (protocol,port) pair can either be sent to exactly one place, or it can be spread among several destinations in round-robin or random fashion (Shorewall only supports round-robin). Using an IP-only solution like Netfilter/Shorewall, those are your only choices. So if you forward connections for (tcp,80) to 192.168.1.250, all HTTP connections will go there.

> On the other hand the voip server could
> connect to the remote voip terminator, but could not pass through the
> audio. I tried to separately port forward the necessary ports (namely
> udp 5060-5088 for sip, udp 8000-20000 for rtp and 4569 for iax and tcp
> 25 and 110 for smtp and pop respectively). But none worked.

"It didn't work" isn't a problem report. We need to see the information asked for in http://www.shorewall.net/support.htm#Guidelines. But before you send that, you may want to spend a little time with http://www.shorewall.net/troubleshoot.htm. Also, for the VOIP issue, I suggest that you look in the mailing list archives -- I believe that Paul Gear posted definitive instructions a while back.

> I shall be obliged if any of the shorewall gurus could help me how to
> host several servers (voip and webserver with VPSes inside).

Again -- using an IP-only solution, all of your webservers would need to have the same content, since you can't determine in advance which server is going to handle a given connection (unless you use non-standard port numbers to access some of your servers).
You might also take a look at the port-forwarding troubleshooting tips in Shorewall FAQs 1a and 1b.

I very much suspect that you are the first Shorewall user to even attempt to use OpenVZ. Seems like virtualization products are multiplying like rabbits these days. Anyone else used this with Shorewall? I notice that the installation instructions specifically instruct the user to disable the RedHat/Fedora firewall on the HN.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
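The following is an added illustration of the two points made in the reply above; it is not part of Tom's message or of the Shorewall project's documentation. It shows a `rules` excerpt that terminates HTTP on the firewall host so a name-based Apache reverse proxy can pick the backend by Host header, while the VoIP and mail ports, which can only go to one destination per (protocol,port) pair, are DNATed to the trixbox. The zone names net/dmz/loc, the VPS addresses 192.168.1.10 and 192.168.1.11, the hostnames under example.com, and the exact RTP range are assumptions made for the example; the 192.168.1.250 trixbox address and the SIP/RTP/IAX/SMTP/POP ports come from the original post.

```text
# /etc/shorewall/rules  (excerpt; added example, not from the original post)
# Zones net, dmz, loc and the firewall zone ($FW) are assumed to be
# defined in /etc/shorewall/zones and /etc/shorewall/interfaces.
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)

# HTTP: accept tcp/80 on the firewall itself and let Apache choose the
# backend VPS by Host header. A DNAT of tcp/80 to one VPS would instead
# send every HTTP connection from the net to that single VPS.
ACCEPT    net      $FW                  tcp     80

# The proxy running on $FW must be allowed to reach the VPSes in dmz.
ACCEPT    $FW      dmz                  tcp     80

# VoIP: each (proto,port) pair can only be forwarded to one host, so
# these go to the trixbox. Shorewall port ranges are written low:high.
# SIP signalling
DNAT      net      dmz:192.168.1.250    udp     5060:5088
# RTP media (range assumed for this example; match your Asterisk rtp.conf)
DNAT      net      dmz:192.168.1.250    udp     8000:20000
# IAX2
DNAT      net      dmz:192.168.1.250    udp     4569

# Mail: likewise only one host can receive tcp/25 and tcp/110 from net.
DNAT      net      dmz:192.168.1.250    tcp     25,110


# /etc/httpd/conf.d/proxy.conf  (Apache 2.2 on the HN; mod_proxy and
# mod_proxy_http must be loaded). Hostnames and backend addresses are
# made up for this example.
NameVirtualHost *:80

# Never run the HN as a forward proxy reachable from the net; only
# reverse-proxy the named virtual hosts below.
ProxyRequests Off

<VirtualHost *:80>
    ServerName        www.example.com
    ProxyPreserveHost On
    ProxyPass         / http://192.168.1.10/
    ProxyPassReverse  / http://192.168.1.10/
</VirtualHost>

<VirtualHost *:80>
    ServerName        wiki.example.com
    ProxyPreserveHost On
    ProxyPass         / http://192.168.1.11/
    ProxyPassReverse  / http://192.168.1.11/
</VirtualHost>
```

Run `shorewall check` before `shorewall restart` to catch syntax errors such as a `-` port range. Note that forwarding the SIP and RTP ports correctly is not sufficient on its own: an Asterisk-based box behind NAT also has to advertise the public address (`externip` and `localnet` in its SIP configuration, `sip_nat.conf` on trixbox), otherwise it puts 192.168.1.250 into its SDP and the remote end sends audio to an unroutable address, which is the usual cause of calls that connect but carry no audio.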
