Hi! I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:

- 2 x ISP
- DMZ (with DNS, web, e-mail & ftp) on 192.168.1.2
- local net 192.168.0.xxx
- Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)

The default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set, as suggested in the Shorewall manual.
Unfortunately, I made something wrong. Can anyone suggest a correct version? Many thanks in advance!

*** SHOREWALL.CONF ***

USE_DEFAULT_RT=No    # because /etc/sysconfig/network/ifroute-eth0 is not set.

*** PROVIDERS ***

LTC  1  0x1  main  eth0  gw1.xx.xx.xx     track,balance=1  eth0,eth1
BTC  2  0x2  main  eth1  gw2.99.202.254   track,balance=5  eth0,eth1

gw1.. and gw2.. are the real IPs of the ISP gateways. LTC (eth0) is the main ISP provider, BTC (eth1) the backup one.

*** INTERFACES ***

net  eth0  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
net  eth1  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc  eth2  tcpflags,nosmurfs,routefilter,logmartians
dmz  eth3  tcpflags,nosmurfs,routefilter,logmartians

*** ZONES ***

fw   firewall
net  ipv4
loc  ipv4
dmz  ipv4

*** SNAT ***

MASQUERADE  192.168.0.0/16  eth0
MASQUERADE  192.168.0.0/16  eth1

Should I add "MASQUERADE 192.168.1.0/16 eth0" for the DMZ?

*** POLICY ***

net   net   DROP    info
loc   net   ACCEPT
dmz   net   ACCEPT
loc   dmz   ACCEPT
loc   $FW   ACCEPT
dmz   $FW   ACCEPT
$FW   net   ACCEPT
dmz   loc   ACCEPT
net   all   DROP    info
all   all   REJECT  $LOG_LEVEL

*** RULES ***

Invalid(DROP)  net   all   tcp
DNS(ACCEPT)    $FW   net
DNS(ACCEPT)    $FW   loc
DNS(ACCEPT)    dmz   net
Ping(DROP)     net   $FW
Ping(ACCEPT)   loc   $FW
Ping(ACCEPT)   dmz   $FW
Ping(ACCEPT)   loc   dmz
Ping(ACCEPT)   dmz   loc
Ping(ACCEPT)   dmz   net

# DNS/Web/Mail server running on DMZ 192.168.1.2
# Local PCs should see DNS server IP as 192.168.0.1
# Is that correct?
DNAT  all  dmz:192.168.1.2  tcp  53

# I'm in doubt about this.
# Should I use this -> DNAT net dmz:192.168.1.2 tcp www
DNAT  all  dmz:192.168.1.2  tcp  www
DNAT  all  dmz:192.168.1.2  tcp  smtp
DNAT  all  dmz:192.168.1.2  tcp  pop3
DNAT  all  dmz:192.168.1.2  tcp  imap
DNAT  all  dmz:192.168.1.2  tcp  ftp

# From the net side our VoIP service provider should see Asterisk as running on the external real IP.
DNAT  net  loc:192.168.0.2  udp  4000:4999
DNAT  net  loc:192.168.0.2  udp  5060

Additionally, is it possible to route all Asterisk traffic to our VoIP provider through eth0 (provider LTC) only?

*** ROUTES ***

Empty.
I assume everything is set in "providers". Am I wrong here?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
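An added example, not part of the original post, for the last question above (sending the Asterisk box's outbound traffic through the LTC provider only). Shorewall selects a provider per source and/or destination through /etc/shorewall/rtrules, which the post does not mention. The entry assumes the provider name LTC and the Asterisk address 192.168.0.5 from the post; DEST is left as "-" (any destination) because the VoIP provider's address is not on the page, and it can be narrowed to that address once known.

```text
#SOURCE        DEST    PROVIDER   PRIORITY
192.168.0.5    -       LTC        1000
```

Priority 1000 places the rule before Shorewall's own mark-based provider rules. Since both providers use DUPLICATE=main, table LTC also carries the local-network routes, so Asterisk's traffic to loc and dmz is unaffected; only its outbound connections to the Internet are forced via eth0, where the existing MASQUERADE on eth0 rewrites the source to LTC's address, which is what the VoIP provider should see. Because both providers have the track option, replies to the inbound DNAT'd SIP and RTP traffic still leave through the interface they arrived on, whichever ISP that was. After `shorewall check` and a restart, `ip rule show` should list `from 192.168.0.5 lookup LTC` at priority 1000 and `ip route show table LTC` a default route via gw1. On the SNAT question in the post: 192.168.1.0/16 is the same network as 192.168.0.0/16 (the /16 mask clears the third octet), so the two MASQUERADE lines already cover the DMZ and no extra entry is needed; to restrict masquerading to the exact subnets, 192.168.0.0/24 and 192.168.1.0/24 would be the precise sources.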
