Hello all, my first post so be gentle.... I was asked to restructure a few things here at work... after some consideration and no budget... I came up with this that I thought was good...

I have a Linux box named Megs. This box has 4 public IPs on it (one main and 3 aliases) and on one NIC. I then have 2 (what I call front end servers, Peter & Lois), also with one NIC, and one NFS server (Joe) with one NIC. What I do is, everyone's domain has the same entries like this:

    domain.com        xxx.xxx.xxx.148   used for web services
    domain.com's MX   xxx.xxx.xxx.147   for mail services

Now Megs has both those IPs, plus its own IP of xxx.xxx.xxx.146. My plan was this: have everything go to Megs and then redirect to other servers (all on the same network, but not using 2 NICs or NAT, as it made it hard to fix remotely if something broke, and that is important here, being able to do everything remotely). So I use Shorewall on all servers and block everything except certain ports for certain machines (Peter, Lois, Joe).... i.e. only Peter will accept http requests from Megs and nowhere else.... I figure this was not a bad set up for them at this time....

So now I have this sort of working, but I am using another program named rinetd to do the port redirections, and this works great for http, smtp, pop and imap. Now I figured Shorewall can do redirect too, however when it was set up I did not think of this at the time.... But now I ran into a problem: rinetd does not do ftp, so now I have to allow some users directly over to the NFS server for now...

So now my questions are... Can Shorewall do the redirects using only one NIC on Megs? So I can get rid of rinetd? Would I need to radically change my below configs to do this.... See below for my configs... I thank everyone for being patient with me.... Thanks again and have a great day!

Rules file

    # This is used so all on our local lan is accepted
    ACCEPT      net:xxx.xxx.xxx.145/28                                                          $FW
    # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
    Ping/ACCEPT net:xxx.xxx.xxx.145/28,xxx.xxx.xxx.163                                         $FW
    # Permit all ICMP traffic FROM the firewall TO the net zone
    ACCEPT      $FW                                                                             net     icmp
    # For ssh connections
    ACCEPT      net:xxx.xxx.xxx.164,xxx.xxx.xxx.182,xxx.xxx.xxx.163,xxx.xxx.xxx.145/28,192.168.2.0/24   $FW     tcp     22
    # Mail connections
    ACCEPT      net                                                                             $FW     tcp     25
    ACCEPT      net                                                                             $FW     tcp     110
    ACCEPT      net                                                                             $FW     tcp     143
    # DNS connections
    #ACCEPT     net                                                                             $FW     udp     53
    # web connections
    ACCEPT      net                                                                             $FW     tcp     80
    FTP/ACCEPT  net                                                                             $FW

Policy file

    #SOURCE     DEST        POLICY      LOG LEVEL       LIMIT:BURST
    $FW         net         ACCEPT
    net         $FW         DROP        info
    net         all         DROP        info
    # The FOLLOWING POLICY MUST BE LAST
    all         all         REJECT      info

Zones file

    #ZONE       TYPE        OPTIONS     IN              OUT
    #                                   OPTIONS         OPTIONS
    fw          firewall
    net         ipv4

Interfaces file

    #ZONE       INTERFACE   BROADCAST   OPTIONS
    net         eth0        detect      norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs

-- 
Rob Morin
Director of Technologies
Dido Internet Inc.
Montreal, Canada
http://www.dido.ca
514-990-4444

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
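The single-NIC redirect the post asks about can be expressed with Shorewall DNAT rules instead of rinetd. What follows is an added example, not configuration from the post above and not taken from the Shorewall project's documentation. It assumes the Shorewall 3.x/4.x file layout (rules, interfaces and masq files; in later releases the masq file was replaced by snat), assumes placeholder backend addresses for Peter (.150), Lois (.151) and Joe (.152) that the post does not give, and reuses the addresses the post does give (.146 for Megs itself, .147 for mail, .148 for web). Two points matter here that rinetd hid from you: first, because Peter, Lois and Joe sit on the same subnet as Megs, a DNAT'd packet leaves eth0 again toward a host in the same zone, so the interface needs the routeback option and the reply traffic must be pulled back through Megs with an SNAT (masq) entry, otherwise the backend answers the client directly and the connection never completes; second, FTP negotiates its data connections inside the control channel, which a plain TCP forwarder like rinetd cannot follow but the kernel's FTP connection-tracking/NAT helper (nf_conntrack_ftp and nf_nat_ftp, or ip_conntrack_ftp and ip_nat_ftp on older kernels) can, so that helper must be loaded on Megs for the FTP redirect to work.

```conf
# /etc/shorewall/interfaces
# 'routeback' added because the translated packet leaves eth0 again
# (net -> net); the other options are the ones already in use.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routeback,norfc1918,routefilter,dhcp,tcpflags,logmartians,nosmurfs

# /etc/shorewall/rules
# Backend addresses are PLACEHOLDERS chosen for this example:
#   Peter = xxx.xxx.xxx.150   Lois = xxx.xxx.xxx.151   Joe (NFS/FTP) = xxx.xxx.xxx.152
#ACTION  SOURCE  DEST                  PROTO  DEST        SOURCE   ORIGINAL
#                                             PORT        PORT(S)  DEST
# Web: connections that arrive for .148:80 are handed to Peter
DNAT     net     net:xxx.xxx.xxx.150   tcp    80          -        xxx.xxx.xxx.148
# Mail: connections that arrive for the MX address .147 go to Lois
DNAT     net     net:xxx.xxx.xxx.151   tcp    25,110,143  -        xxx.xxx.xxx.147
# FTP: control channel to Joe; the kernel FTP helper tracks the data
# connections that rinetd could not handle. Log each translated
# connection so the real client address survives on Megs.
DNAT:info net    net:xxx.xxx.xxx.152   tcp    21          -        xxx.xxx.xxx.148

# /etc/shorewall/masq
# Hairpin: the backends share Megs' subnet, so rewrite the source of
# forwarded traffic to Megs' own address (.146), but only for traffic
# whose destination is one of the three backends.
#INTERFACE                                              SOURCE      ADDRESS
eth0:xxx.xxx.xxx.150,xxx.xxx.xxx.151,xxx.xxx.xxx.152    0.0.0.0/0   xxx.xxx.xxx.146
```

Once these are in place and rinetd is stopped, the `ACCEPT net $FW tcp 25/110/143/80` and `FTP/ACCEPT net $FW` rules from the post can be dropped: with DNAT, nothing on Megs needs to accept those ports on its own sockets, and leaving them open would expose whatever happens to listen there on .146 and .147 as well. On the backends, the matching Shorewall rule should then admit the service only from the SNAT address, for example `ACCEPT net:xxx.xxx.xxx.146 $FW tcp 80` on Peter, which is the same "only from Megs" posture described in the post. The price of the hairpin SNAT is that Peter, Lois and Joe will log every client as .146; if per-client source addresses are needed for incident work, keep the log level on the DNAT rules (as shown for FTP) or log at Megs by other means, because the backend logs will no longer carry them.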