Hi,

Thanks for the clarification.
After tinkering with rules/providers and changing to
"USE_DEFAULT_RT=Yes", I've got IP traffic routed.

Now some tricky stuff. DNS, Web, Mail and ftp are running on the DMZ host
192.168.1.2, while the Squid transparent proxy runs on the same PC as the
firewall. The internal loc zone is 192.168.0.xx.
I made these rules for www, pop3, imap and ftp ("all" because of the 2 ISP
connections):

DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp pop3
.... etc

BTW, is it possible to make rules like these:

DNAT all dmz:192.168.1.2 tcp www, ftp, pop3, imap, 53

Will this rule work for the transparent proxy (where 192.168.1.2 is the IP
of our web server running on the DMZ)?

REDIRECT loc 3128 tcp www - !192.168.1.2

How can I set Squid (running on the firewall) to use the DNS server running
on the DMZ, 192.168.1.2?

DNAT all dmz:192.168.1.2 tcp 53
DNAT all dmz:192.168.1.2 udp 53

Or the Squid option

dns_nameservers 192.168.1.2


PS. From the loc zone 192.168.0.xx, services like web and mail should be
accessible via normal domain names, e.g. www.domain.com,
mail.domain.com, etc.


On 04/29/2017 02:04 AM, Tom Eastep wrote:
> On 04/28/2017 01:40 PM, [email protected] wrote:
> > Hi !
>
> > I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:
> > - 2 x ISP
> > - DMZ (with DNS, Web, e-mail & ftp) on 192.168.1.2
> > - local net 192.168.0.xxx
> > - Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)
> > - Default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set,
> >   as suggested in the Shorewall manual.
>
> > Unfortunately, I made something wrong. Anyone can suggest a
> > correct version ?
>
> What doesn't work?
>
> > Many thanks in advance !
>
> > *** SHOREWALL.CONF ***
> > USE_DEFAULT_RT=No   # because /etc/sysconfig/network/ifroute-eth0 is not set.
>
> Why do you believe that should preclude using USE_DEFAULT_RT=Yes?
>
> > *** PROVIDERS ***
> > #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS          COPY
> > LTC    1       0x1   main       eth0       gw1.xx.xx.xx    track,balance=1  eth0,eth1
> > BTC    2       0x2   main       eth1       gw2.99.202.254  track,balance=5  eth0,eth1
>
> > gw1.. and gw2.. are the real IPs of the ISP gateways. LTC (eth0) is the
> > main ISP provider, BTC (eth1) the backup one.
>
> Then why don't you specify 'primary' for eth0 and 'fallback' for eth1?
>
>
> > *** INTERFACES ***
> > #ZONE  INTERFACE  OPTIONS
> > net    eth0       tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > net    eth1       tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > loc    eth2       tcpflags,nosmurfs,routefilter,logmartians
> > dmz    eth3       tcpflags,nosmurfs,routefilter,logmartians
>
> I would change 'routefilter,logmartians' to 'rpfilter' and set
> RPFILTER_LOG_LEVEL.
>
>
> > *** ZONES ***
> > #ZONE  TYPE
> > fw     firewall
> > net    ipv4
> > loc    ipv4
> > dmz    ipv4
>
> > *** SNAT ***
> > #ACTION     SOURCE          DEST
> > MASQUERADE  192.168.0.0/16  eth0
> > MASQUERADE  192.168.0.0/16  eth1
> > Should I add "MASQUERADE 192.168.1.0/16 eth0" for the DMZ?
>
> Yes.
>
>
> > *** POLICY ***
> > #SOURCE  DEST  POLICY  LOGLEVEL
> > net      net   DROP    info
> > loc      net   ACCEPT
> > dmz      net   ACCEPT
> > loc      dmz   ACCEPT
> > loc      $FW   ACCEPT
> > dmz      $FW   ACCEPT
> > $FW      net   ACCEPT
> > dmz      loc   ACCEPT
> > net      all   DROP    info
> > all      all   REJECT  $LOG_LEVEL
>
> > *** RULES ***
> > #ACTION        SOURCE  DEST  PROTO  DPORT
> > Invalid(DROP)  net     all   tcp
>
> None of the rules below do anything since they duplicate your policies
> (which are almost wide-open).
>
> > DNS(ACCEPT)    $FW     net
> > DNS(ACCEPT)    $FW     loc
> > DNS(ACCEPT)    dmz     net
> > Ping(DROP)     net     $FW
> > Ping(ACCEPT)   loc     $FW
> > Ping(ACCEPT)   dmz     $FW
> > Ping(ACCEPT)   loc     dmz
> > Ping(ACCEPT)   dmz     loc
> > Ping(ACCEPT)   dmz     net
>
> > # DNS/Web/Mail server running on DMZ 192.168.1.2
> > # Local PCs should see the DNS server IP as 192.168.0.1
> > # Is that correct?
>
> Why do you want to have them use 192.168.0.1 rather than 192.168.1.2?
>
> > DNAT all dmz:192.168.1.2 tcp 53
>
> > # I'm in doubt about this.
> > # Should I use this -> DNAT net dmz:192.168.1.2 tcp www
> > DNAT  all  dmz:192.168.1.2  tcp  www
> > DNAT  all  dmz:192.168.1.2  tcp  smtp
> > DNAT  all  dmz:192.168.1.2  tcp  pop3
> > DNAT  all  dmz:192.168.1.2  tcp  imap
> > DNAT  all  dmz:192.168.1.2  tcp  ftp
>
> > # From the net side our VoIP service provider should see Asterisk
> > # as running on the external real IP.
> > DNAT  net  loc:192.168.0.2  udp  4000:4999
> > DNAT  net  loc:192.168.0.2  udp  5060
> > Additionally, is it possible to route all Asterisk traffic to our VoIP
> > provider through eth0 (provider LTC) only?
>
> If you make eth0 'primary', that will happen automatically.
>
>
> > *** ROUTES *** Empty. I assume everything is set in "providers". Am I
> > wrong here?
>
>
> If these suggestions don't help, please send the output of 'shorewall
> dump' with your next report, collected as described at
> http://www.shorewall.net/support.htm#Guidelines
>
> -Tom

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
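The open questions in this thread (a port list in one DNAT rule, the REDIRECT exclusion for Squid, how Squid on the firewall reaches the DMZ resolver, and reaching the DMZ services from loc by their public names) fit in a single /etc/shorewall/rules fragment. The fragment below is an added example for readers of the archive; it is not Tom Eastep's answer and not configuration posted in the thread. It assumes that /etc/shorewall/params defines LTC_IP and BTC_IP as the firewall's own public addresses on eth0 and eth1 (the thread only gives the gateway addresses), that DETECT_DNAT_IPADDRS keeps its default of No in shorewall.conf, and that Squid is started with `http_port 3128 intercept`.

```shorewall
# /etc/shorewall/rules  (added example; assumes LTC_IP and BTC_IP are set in
# /etc/shorewall/params to the firewall's public addresses on eth0 and eth1)
#ACTION       SOURCE   DEST               PROTO   DEST                     SOURCE   ORIGDEST
#                                                 PORT(S)                  PORT(S)

# Squid on the firewall uses the DMZ resolver ("dns_nameservers 192.168.1.2"
# in squid.conf). The policy posted in the thread has no $FW -> dmz ACCEPT,
# so those queries would otherwise fall through to "all all REJECT".
DNS(ACCEPT)   $FW      dmz

# Transparent proxy for loc. REDIRECT and DNAT both generate nat PREROUTING
# entries in file order, so this comes first. Connections to the DMZ web
# server, whether by its DMZ address or by a public address, bypass Squid
# and are handled by the DNAT rule below instead.
REDIRECT      loc      3128               tcp     www                      -        !192.168.1.2,$LTC_IP,$BTC_IP

# Published DMZ services: one port list per protocol instead of one rule per
# port. ORIGDEST is given explicitly because, with DETECT_DNAT_IPADDRS=No,
# an empty ORIGDEST matches ANY destination address, so a plain
# "DNAT all dmz:192.168.1.2 tcp www" would also send loc's web traffic for
# the whole Internet to the DMZ server. SOURCE stays "all" (not "net") so
# that loc clients reach www.domain.com / mail.domain.com by public name;
# the reply from 192.168.1.2 to 192.168.0.x is routed back through the
# firewall, which reverses the DNAT, so no SNAT is needed for loc. A DMZ host
# connecting to its own public address is the hairpin case from the Shorewall
# FAQ and is not covered here. FTP through NAT also needs the FTP conntrack
# helper (see Shorewall's FTP document).
DNAT          all      dmz:192.168.1.2    tcp     www,smtp,pop3,imap,ftp   -        $LTC_IP,$BTC_IP
DNAT          all      dmz:192.168.1.2    tcp     53                       -        $LTC_IP,$BTC_IP
DNAT          all      dmz:192.168.1.2    udp     53                       -        $LTC_IP,$BTC_IP
```

Run `shorewall check` before `shorewall reload` to catch column mistakes; `shorewall dump` (as Tom asks for above) shows the generated nat chains, where the REDIRECT entry should appear above the DNAT entries in the loc dnat chain. The loc DNS question from the original post is deliberately left out: the DMZ resolver is directly reachable from loc under the posted `loc dmz ACCEPT` policy, so clients can simply be given 192.168.1.2 as their nameserver.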
