Hello,
I have configured a network with Shorewall as the firewall in bastion host mode and I want to configure a DMZ.
 This is a short overview of what I have done.
 
 I declared three zones in my network: the 192.168.41.0/24 IP range is my internal network (the Shorewall firewall uses the 172.16.120.1 IP to masquerade it), 172.16.120.0/24 is my external network, and the DMZ is in the 192.168.14.0/24 IP range.
 
 The email and web browsing services depend on a first-level network installed at another center (the central offices); I mean, there is a central email server for all incoming and outgoing email and a central proxy for web access. For that I have an assigned, authorized IP for my email and proxy servers.
 
 My network serves a third-level network (municipal offices). Email (POP3 and SMTP), instant messaging, FTP and web are some of the services they use.

 This is my work so far to try the DMZ configuration.
 
 - Declared the zones and the interfaces. Four zones: for the internal network (loc), for the external network (net), for the DMZ network (dmz) and for the firewall itself (fw). The interfaces are assigned to the corresponding zones using the interface identifiers.
 
# /etc/shorewall/zones
#ZONE   TYPE
fw  firewall
net ipv4
loc ipv4
dmz ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net enp4s1  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc enp5s0  tcpflags,nosmurfs,routefilter,logmartians
dmz enp7s0  tcpflags,nosmurfs,routefilter,logmartians

 
 - Configure the policy. The simplest one: allow access from the firewall to every network; from the internal network, access to the external network and to the DMZ; from the DMZ, access to the local or internal network and to the external one. From the external network access is not allowed; this will be controlled by the firewall rules. If something is needed from the internal network or from the DMZ network to the firewall, it will be controlled by the firewall rules.
  In the last place, if something is missing it will be rejected.
 
# /etc/shorewall/policy
#SOURCE DEST POLICY  LOGLEVEL
fw  net ACCEPT  info
fw  dmz ACCEPT  info
fw  loc ACCEPT  info
loc net ACCEPT  info
loc dmz ACCEPT  info
dmz loc ACCEPT  info
dmz net ACCEPT  info
net all DROP    info
all all REJECT  info

 - Rules. Here I declared the services needed by my users (in my internal network and in the municipal offices), for example access to the instant messaging service, to the email services, to the DNS services, and lookups from my network to the external DNS.
 
# /etc/shorewall/rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#ACTION             SOURCE  DEST                PROTO DPORT
# Inbound from the external network, forwarded to the DMZ servers
DNS(DNAT):info     net  dmz:192.168.14.12
FTP(DNAT):info     net  dmz:192.168.14.13
Squid(DNAT):info    net     dmz:192.168.14.18
DNAT:info           net     dmz:192.168.14.15 tcp 5222,5223,5269
DNAT:info           net     dmz:192.168.14.8 tcp pop3,pop3s,smtp,smtps
DNAT:info           net     dmz:192.168.14.14 tcp http,https

# Internal network to the DMZ servers
DNS(ACCEPT)         loc     dmz:192.168.14.12 tcp
DNS(ACCEPT)         loc     dmz:192.168.14.12 udp
FTP(ACCEPT):info    loc     dmz:192.168.14.13
Squid(ACCEPT):info  loc     dmz:192.168.14.18
ACCEPT:info         loc     dmz:192.168.14.15 tcp 5222,5223,5269
ACCEPT:info         loc     dmz:192.168.14.8 tcp pop3,pop3s,smtp,smtps
ACCEPT:info         loc     dmz:192.168.14.14 tcp http,https

# DMZ DNS server resolving against external and internal DNS
DNS(ACCEPT)         dmz     net                 tcp
DNS(ACCEPT)         dmz     loc                 tcp
DNS(ACCEPT)         dmz     net                 udp
DNS(ACCEPT)         dmz     loc                 udp

# DMZ servers to the internal NTP/NFS/SMB host
NTP(ACCEPT):info    dmz     loc:192.168.41.16
ACCEPT:info         dmz     loc:192.168.41.16 tcp 111,2049,20048,43810,52834
ACCEPT:info         dmz     loc:192.168.41.16 udp 111,2049,20048,47934,54948
SMB(ACCEPT):info    dmz     loc:192.168.41.16

 - As I mentioned earlier, my network has authorized IP addresses from which it can access the email service and the proxy on the central servers; to make this possible I use SNAT.
  With SNAT I masquerade my network too.
  
# /etc/shorewall/snat
# The PROTO column comes before PORT; without it the port list would be read as a protocol.
#ACTION             SOURCE          DEST    PROTO PORT
SNAT(172.16.120.8)  192.168.14.8    enp4s1  tcp   25,110
SNAT(172.16.120.2)  192.168.14.18   enp4s1  tcp   3128
SNAT(172.16.120.1)  192.168.41.0/24 enp4s1
  
   
 Using this config the firewall is not working well. For example, the users in the municipal offices cannot access the services in my network. Access to the services in the central offices I still cannot test. Is this config well planned? Is it possible that, using this config, on the central office servers the packets sent from the email server of my network are identified with the IP 172.16.120.8 and the proxy's with 172.16.120.2? Is that correct?
 
  Thank you for your attention, and sorry for my horrible English.
    

Rommel Rodriguez Toirac
romme...@nauta.cu
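Added example, not part of Rommel's post or of the Shorewall project: a small Python model of the policy and snat entries quoted above. It answers the two questions a reviewer would ask of this configuration: which source address a packet from the DMZ carries out of enp4s1 (first matching snat entry wins, as in Shorewall), and whether the zone policy lets DMZ hosts open connections into loc without an explicit rule. It assumes the PROTO column of the first two snat entries is tcp.

```python
"""Constructed from the policy and snat entries in the post above; it models
only first-match semantics and the columns shown, not full Shorewall syntax."""
import ipaddress

# Policy entries copied from the post: (source zone, dest zone, policy)
POLICY = [("fw", "net", "ACCEPT"), ("fw", "dmz", "ACCEPT"), ("fw", "loc", "ACCEPT"),
          ("loc", "net", "ACCEPT"), ("loc", "dmz", "ACCEPT"), ("dmz", "loc", "ACCEPT"),
          ("dmz", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

# snat entries (PROTO assumed tcp): (new source, source, out iface, proto, dest ports)
SNAT = [("172.16.120.8", "192.168.14.8", "enp4s1", "tcp", {25, 110}),
        ("172.16.120.2", "192.168.14.18", "enp4s1", "tcp", {3128}),
        ("172.16.120.1", "192.168.41.0/24", "enp4s1", None, None)]


def snat_source(src_ip, proto, dport, iface="enp4s1"):
    """Source address the far end sees for a packet leaving iface.
    Returns the original address when no entry matches (no masquerading)."""
    ip = ipaddress.ip_address(src_ip)
    for new_src, source, out_if, p, ports in SNAT:
        if out_if != iface or ip not in ipaddress.ip_network(source, strict=False):
            continue
        if p is not None and (p != proto or dport not in ports):
            continue
        return new_src
    return src_ip


def policy_for(src_zone, dst_zone):
    """First matching policy entry; 'all' matches any zone."""
    for s, d, pol in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return pol
    return "REJECT"


def dmz_policy_findings():
    """Flag policies that let a DMZ host initiate connections to loc or fw.
    A DMZ should reach the LAN only through explicit rules, otherwise a
    compromised DMZ server has unrestricted access to internal hosts."""
    return [f"dmz -> {z} policy is {policy_for('dmz', z)}; use explicit rules instead"
            for z in ("loc", "fw") if policy_for("dmz", z) == "ACCEPT"]


if __name__ == "__main__":
    print(snat_source("192.168.14.8", "tcp", 25))    # email server -> central SMTP
    print(snat_source("192.168.14.12", "udp", 53))   # DMZ DNS -> external DNS
    print(dmz_policy_findings())
```

Note that a DMZ host on any port not listed (for example the DNS server resolving against the external network) leaves enp4s1 with its private 192.168.14.x address, because only 192.168.41.0/24 is masqueraded without port restriction.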
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users