On 09/25/2017 09:09 AM, Rommel Rodriguez Toirac wrote:
> Hello;
> I have configured a network with shorewall as the firewall in bastion host
> mode and I want to configure a DMZ.
> This is a little overview of what I have done.
>
> I declared three zones in my network; the 192.168.41.0/24 IP range
> is my internal network (the shorewall firewall uses the 172.16.120.1 IP
> to masquerade it) and 172.16.120.0/24 is my external one. The DMZ is in
> the 192.168.14.0/24 IP range.
>
> The email and web browsing services depend on a first-level network
> that is installed in another center (central offices); I mean, there is a
> central email server for all incoming and outgoing email and a central proxy for
> access to the web. For that I have assigned IPs for my email and proxy
> servers that are authorized.
>
> My network serves a third-level network (municipal offices). email
> (pop3me of the services
> used from them.
>
> This is my workaround to try the DMZ config.
>
> - Declared the zones and the interfaces. Four zones: for the internal
> network (loc), for the external network (net), for the DMZ network (dmz)
> and for the firewall itself (fw). The interfaces are assigned to the
> corresponding zones using the interface identifiers.
>
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
>
> net enp4s1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc enp5s0 tcpflags,nosmurfs,routefilter,logmartians
> dmz enp7s0 tcpflags,nosmurfs,routefilter,logmartians
>
>
> - Configure the policy. The most simple: allow the firewall access
> to every network; the internal network can access the external
> network and the DMZ; the DMZ can access the local or internal
> network and the external one. Access from the external network is not
> allowed; this will be controlled by the firewall rules. If something
> is needed from the internal network or from the DMZ network to the
> firewall, it will be controlled by the firewall rules.
> In the last place, if something is missing it will be rejected.
>
> fw net ACCEPT info
> fw dmz ACCEPT info
> fw loc ACCEPT info
> loc net ACCEPT info
> loc dmz ACCEPT info
> dmz loc ACCEPT info
> dmz net ACCEPT info
The above policies make all of the ACCEPT rules in your rules file
unnecessary.
> net all DROP info
> all all REJECT info
>
> - Rules. Here I declared the services needed by my users (in my internal
> network and in the municipal offices), for example access to the
> instant messaging service, to the email services, access to the DNS
> services and queries to the external DNS from my network.
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> DNS(DNAT):info    net   dmz:192.168.14.12
> FTP(DNAT):info    net   dmz:192.168.14.13
> Squid(DNAT):info  net   dmz:192.168.14.18
> DNAT:info         net   dmz:192.168.14.15   tcp   5222,5223,5269
> DNAT:info         net   dmz:192.168.14.8    tcp   pop3,pop3s,smtp,smtps
> DNAT:info         net   dmz:192.168.14.14   tcp   http,https
>
> DNS(ACCEPT)        loc   dmz:192.168.14.12   tcp
> DNS(ACCEPT)        loc   dmz:192.168.14.12   udp
> FTP(ACCEPT):info   loc   dmz:192.168.14.13
> Squid(ACCEPT):info loc   dmz:192.168.14.18
> ACCEPT:info        loc   dmz:192.168.14.15   tcp   5222,5223,5269
> ACCEPT:info        loc   dmz:192.168.14.8    tcp   pop3,pop3s,smtp,smtps
> ACCEPT:info        loc   dmz:192.168.14.14   tcp   http,https
>
> DNS(ACCEPT) dmz net tcp
> DNS(ACCEPT) dmz loc tcp
> DNS(ACCEPT) dmz net udp
> DNS(ACCEPT) dmz loc udp
>
> NTP(ACCEPT):info   dmz   loc:192.168.41.16
> ACCEPT:info        dmz   loc:192.168.41.16   tcp   111,2049,20048,43810,52834
> ACCEPT:info        dmz   loc:192.168.41.16   udp   111,2049,20048,47934,54948
> SMB(ACCEPT):info   dmz   loc:192.168.41.16
>
> - As I mentioned earlier, my network has an authorized IP address from
> which it can access the email service and proxy on the central servers;
> to make this possible I use SNAT.
> With SNAT I masquerade my network too.
>
> SNAT(172.16.120.8) 192.168.14.8 enp4s1 25,110
> SNAT(172.16.120.2) 192.168.14.18 enp4s1 3128
> SNAT(172.16.120.1) 192.168.41.0/24 enp4s1
According to the dump you sent, the firewall does not have addresses
172.16.120.8 or 172.16.120.2. You must add those addresses to interface
enp4s1 if you want those SNAT rules to work.
>
>
> Using this config the firewall is not working fine. For example, the
> users in the municipal offices cannot access the services in my network.
Which zone are the 'municipal offices' in?
> I still cannot test the access to the services in the central offices.
> Is this config well planned? Is it possible that, using this config, on the
> central offices' servers the packets sent from the email server of my network
> are identified with the IP 172.16.120.8 and the proxy's with 172.16.120.2? Is
> that correct?
See my comment above.
-Tom
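The two points raised in the reply (ACCEPT rules that an ACCEPT policy already covers, and SNAT source addresses that are not configured on the outgoing interface) can be checked mechanically before running the firewall. The script below is an added example, not part of this thread or of Shorewall; it runs over constructed, cut-down copies of the policy, rules and snat files from the message and over constructed `ip -o -4 addr` output.

```python
import re
from ipaddress import ip_interface

# Constructed, cut-down copies of the thread's policy/rules/snat files (not the originals)
POLICY = """
fw  net ACCEPT info
loc dmz ACCEPT info
dmz loc ACCEPT info
net all DROP   info
all all REJECT info
"""
RULES = """
?SECTION NEW
DNS(DNAT):info   net  dmz:192.168.14.12
DNS(ACCEPT)      loc  dmz:192.168.14.12   tcp
NTP(ACCEPT):info dmz  loc:192.168.41.16
"""
SNAT = """
SNAT(172.16.120.8) 192.168.14.8    enp4s1 25,110
SNAT(172.16.120.1) 192.168.41.0/24 enp4s1
"""
# Constructed 'ip -o -4 addr' output: enp4s1 carries only 172.16.120.1
IP_ADDR = """
2: enp4s1 inet 172.16.120.1/24 brd 172.16.120.255 scope global enp4s1
3: enp5s0 inet 192.168.41.1/24 brd 192.168.41.255 scope global enp5s0
"""

def _rows(text):
    # whitespace-split the non-empty, non-comment lines of a Shorewall-style file
    return [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def redundant_accept_rules(rules_text, policy_text):
    """ACCEPT rules already covered by an ACCEPT policy for their zone pair ('all' matches any)."""
    accept = {(r[0], r[1]) for r in _rows(policy_text) if r[2].upper() == 'ACCEPT'}
    found = []
    for r in _rows(rules_text):
        if r[0].startswith('?'):                               # ?SECTION line, not a rule
            continue
        action = r[0].split(':')[0].rstrip(')').split('(')[-1]  # DNS(ACCEPT):info -> ACCEPT
        src, dst = r[1].split(':')[0], r[2].split(':')[0]       # drop host/port qualifiers
        if action == 'ACCEPT' and any(s in (src, 'all') and d in (dst, 'all') for s, d in accept):
            found.append(' '.join(r))
    return found

def missing_snat_addresses(snat_text, ip_addr_text):
    """SNAT(ADDR) entries whose ADDR is not configured on the interface they name."""
    have = {}
    for r in _rows(ip_addr_text):                      # fields: idx, iface, 'inet', addr/prefix, ...
        have.setdefault(r[1], set()).add(str(ip_interface(r[3]).ip))
    pairs = [(re.match(r'SNAT\(([\d.]+)\)$', r[0]), r[2]) for r in _rows(snat_text)]
    return [(m.group(1), i) for m, i in pairs if m and m.group(1) not in have.get(i, set())]
```

On the sample data the first function reports both ACCEPT rules as redundant and the second reports 172.16.120.8 missing from enp4s1, matching the two comments in the reply.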