On 04/28/2017 01:40 PM, [email protected] wrote:
> Hi!
>
> I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:
> 2 x ISP
> DMZ (with DNS, Web, e-mail & ftp) on 192.168.1.2
> local net 192.168.0.xxx
> Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)
> Default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set as suggested in the Shorewall manual.
>
> Unfortunately, I made something wrong. Can anyone suggest a correct version?

What doesn't work?

> Many thanks in advance!
>
> *** SHOREWALL.CONF ***
> USE_DEFAULT_RT=No   # because /etc/sysconfig/network/ifroute-eth0 is not set.

Why do you believe that should preclude using USE_DEFAULT_RT=Yes?

>
> *** PROVIDERS ***
> LTC  1  0x1  main  eth0  gw1.xx.xx.xx    track,balance=1  eth0,eth1
> BTC  2  0x2  main  eth1  gw2.99.202.254  track,balance=5  eth0,eth1
>
> gw1.. and gw2 are real IPs of ISP gateways. LTC (eth0) is the main ISP provider, BTC (eth1) the backup one.

Then why don't you specify 'primary' for eth0 and 'fallback' for eth1?

>
> *** INTERFACES ***
> net  eth0  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> net  eth1  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc  eth2  tcpflags,nosmurfs,routefilter,logmartians
> dmz  eth3  tcpflags,nosmurfs,routefilter,logmartians

I would change 'routefilter,logmartians' to 'rpfilter' and set RPFILTER_LOG_LEVEL.

>
> *** ZONES ***
> fw   firewall
> net  ipv4
> loc  ipv4
> dmz  ipv4
>
> *** SNAT ***
> MASQUERADE  192.168.0.0/16  eth0
> MASQUERADE  192.168.0.0/16  eth1
> Should I add "MASQUERADE 192.168.1.0/16 eth0" for DMZ?

Yes.

>
> *** POLICY ***
> net  net  DROP    info
> loc  net  ACCEPT
> dmz  net  ACCEPT
> loc  dmz  ACCEPT
> loc  $FW  ACCEPT
> dmz  $FW  ACCEPT
> $FW  net  ACCEPT
> dmz  loc  ACCEPT
> net  all  DROP    info
> all  all  REJECT  $LOG_LEVEL
>
> *** RULES ***
> Invalid(DROP)  net  all  tcp

None of the rules below do anything since they duplicate your policies (which are almost wide-open).

> DNS(ACCEPT)   $FW  net
> DNS(ACCEPT)   $FW  loc
> DNS(ACCEPT)   dmz  net
> Ping(DROP)    net  $FW
> Ping(ACCEPT)  loc  $FW
> Ping(ACCEPT)  dmz  $FW
> Ping(ACCEPT)  loc  dmz
> Ping(ACCEPT)  dmz  loc
> Ping(ACCEPT)  dmz  net
>
> # DNS/Web/Mail server running on DMZ 192.168.1.2
> # Local PCs should see DNS server IP as 192.168.0.1
> # Is that correct?

Why do you want to have them use 192.168.0.1 rather than 192.168.1.2?

> DNAT  all  dmz:192.168.1.2  tcp  53
>
> # I'm in doubt about this.
> # Should I use this -> DNAT net dmz:192.168.1.2 tcp www
> DNAT  all  dmz:192.168.1.2  tcp  www
> DNAT  all  dmz:192.168.1.2  tcp  smtp
> DNAT  all  dmz:192.168.1.2  tcp  pop3
> DNAT  all  dmz:192.168.1.2  tcp  imap
> DNAT  all  dmz:192.168.1.2  tcp  ftp
>
> # From the net side our VoIP service provider should see Asterisk as running on the external real IP.
> DNAT  net  loc:192.168.0.2  udp  4000:4999
> DNAT  net  loc:192.168.0.2  udp  5060
> Additionally, is it possible to route all Asterisk traffic to our VoIP provider through eth0 (provider LTC) only?

If you make eth0 'primary', that will happen automatically.

>
> *** ROUTES ***
> Empty. I assume everything is set in "providers". Am I wrong here?
>

If these suggestions don't help, please send the output of 'shorewall dump' with your next report, collected as described at http://www.shorewall.net/support.htm#Guidelines

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.net    \________________________________________________
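The following puts Tom's suggestions together as a set of Shorewall 5 configuration fragments for the setup described in the thread, with the poster's original line shown commented out above each corrected one. This is an added example, not from the original thread or the Shorewall project. Interface names and gateway addresses are the poster's (the gateway values are left as written in the post); the two /24 subnets in the snat file and the choice of `net` as the DNAT source zone are assumptions.

```text
# ---- /etc/shorewall/shorewall.conf (only the settings that change) ----
# Shorewall installs the default route itself when USE_DEFAULT_RT=Yes, so a
# missing /etc/sysconfig/network/ifroute-eth0 is not a reason to keep it at No.
#USE_DEFAULT_RT=No
USE_DEFAULT_RT=Yes
# Packets failing the rpfilter check are logged at this level (assumed: info).
RPFILTER_LOG_LEVEL=info

# ---- /etc/shorewall/providers ----
# Before: balance=1 / balance=5 shares outbound connections 1:5 across both
# links, so nothing pins outbound VoIP to LTC.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS          COPY
#LTC   1       0x1   main       eth0       gw1.xx.xx.xx    track,balance=1  eth0,eth1
#BTC   2       0x2   main       eth1       gw2.99.202.254  track,balance=5  eth0,eth1
# After: LTC is the only default route while it is up; BTC is used only when
# LTC's link goes down. All new outbound traffic, VoIP included, leaves via eth0.
LTC    1       0x1   main       eth0       gw1.xx.xx.xx    track,primary    eth0,eth1
BTC    2       0x2   main       eth1       gw2.99.202.254  track,fallback   eth0,eth1

# ---- /etc/shorewall/interfaces ----
# Before: routefilter,logmartians (kernel rp_filter sysctl, which does not
# understand the per-provider routing tables).
#ZONE  INTERFACE  OPTIONS
#net   eth0       tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
#net   eth1       tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
#loc   eth2       tcpflags,nosmurfs,routefilter,logmartians
#dmz   eth3       tcpflags,nosmurfs,routefilter,logmartians
# After: rpfilter, the netfilter reverse-path match Shorewall recommends on
# multi-ISP setups; rejected packets are logged at RPFILTER_LOG_LEVEL.
net    eth0       tcpflags,nosmurfs,rpfilter,sourceroute=0
net    eth1       tcpflags,nosmurfs,rpfilter,sourceroute=0
loc    eth2       tcpflags,nosmurfs,rpfilter
dmz    eth3       tcpflags,nosmurfs,rpfilter

# ---- /etc/shorewall/snat ----
# The poster's 192.168.0.0/16 already covers both subnets (192.168.1.0/16 is
# the same range). Listing the loc and dmz /24s separately (assumed subnet
# sizes) makes it explicit that DMZ traffic is masqueraded on both uplinks.
#ACTION      SOURCE          DEST
MASQUERADE   192.168.0.0/24  eth0
MASQUERADE   192.168.0.0/24  eth1
MASQUERADE   192.168.1.0/24  eth0
MASQUERADE   192.168.1.0/24  eth1

# ---- /etc/shorewall/rules ----
# The DNS(ACCEPT)/Ping(ACCEPT) rules between loc, dmz and $FW duplicate the
# ACCEPT policies, and Ping(DROP) net $FW duplicates the net->all DROP policy,
# so only the DNAT entries remain. Source zone 'net' (assumed) is enough:
# loc and dmz reach 192.168.1.2 directly under the loc dmz ACCEPT policy.
#ACTION  SOURCE  DEST              PROTO  DPORT
DNAT     net     dmz:192.168.1.2   tcp    www
DNAT     net     dmz:192.168.1.2   tcp    smtp
DNAT     net     dmz:192.168.1.2   tcp    pop3
DNAT     net     dmz:192.168.1.2   tcp    imap
DNAT     net     dmz:192.168.1.2   tcp    ftp
# Asterisk: the post's DNAT lines say 192.168.0.2 while its description says
# 192.168.0.5; the DNAT value is kept here, so confirm which one is right.
DNAT     net     loc:192.168.0.2   udp    4000:4999
DNAT     net     loc:192.168.0.2   udp    5060

# ---- /etc/shorewall/routes ----
# Left empty: with primary/fallback in providers there is nothing to add.
```

After editing, `shorewall check` validates the files without touching the running ruleset, and `shorewall dump` (as Tom asks for) shows the resulting routing tables and rules, which is where a wrong provider option or a missing masquerade line becomes visible.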
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
