Shorewall with FTP and WEB Server Connection problem
Dear all,
I need your help, I am configuring shorewall with FTP and Web Server behind the shorewall box. The topology is:

Internet ======> Shorewall ====> Switch ====> FTP, WEBSERVER, PROXY =====> LAN

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2
eth1 = 192.x.x.2

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3
eth1 = 192.x.x.3

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3
eth1 = 192.x.x.4

But I have a problem with the connection to the FTP and Web servers.. But the internet connection is still running.. Here is my shorewall configuration..

/etc/shorewall/zones
Code:
########################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
net     ipv4
local   ipv4
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
Code:
########################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0
local   eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
Code:
########################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      all     ACCEPT
net     all     DROP
local   all     ACCEPT
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq
Code:
########################################################################
#INTERFACE      SOURCE  ADDRESS PROTO   PORT(S) IPSEC
eth0            eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
Code:
########################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
#                               PORT    PORT(S) DEST            LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT  local   fw      tcp     53
ACCEPT  local   fw      udp     53
ACCEPT  net     fw      tcp     53
ACCEPT  net     fw      udp     53
ACCEPT  local   fw      tcp     80
ACCEPT  net     fw      tcp     80
ACCEPT  local   fw      tcp     20
ACCEPT  local   fw      tcp     21
ACCEPT  local   fw      tcp     22
ACCEPT  net     fw      tcp     22
ACCEPT  fw      local   tcp     22
ACCEPT  local   fw      tcp     10000
ACCEPT  net     fw      tcp     10000
ACCEPT  net     fw      tcp     25,110,143
ACCEPT  fw      net     tcp     25,110,143
ACCEPT  local   fw      tcp     25,110,143
REJECT  local   net     tcp     25,110,143
#SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I don't know where the mistake is.. Could you help me please...

Thanks,
WISNU
Let me make sure I understand... connections from the external (internet) to the webserver are being dropped but outbound internet connections are working?
There are two options that come to mind... Try:
Code:
ACCEPT net local:xxx.xxx.xxx.xxx tcp 80

You may need to set a static NAT rule, since traffic is being MASQ'd through the two interfaces. This would be a Shorewall Manual question - that's one I don't know off the top of my head.

Or... possibly adjust the policy rule:
Code:
net all DROP

hope that helps
I've tried your method but it still doesn't work..

Is there any suggestion...??? Or do I have to use 1 more interface? Coz I have different public IPs (200.x.x.x and 60.x.x.x). Any idea???
Temporarily setting "net all ACCEPT" had no effect? What did you try as far as setting a static NAT rule to your webserver and FTP?

On the Shorewall box you have:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

Which interfaces are connected to the internet and/or private LAN? It looks like eth0 and eth1 are internet IPs, while your eth1:1 is connected to the private LAN. Is this correct? Shorewall doesn't recognize virtual interfaces, but you should still be able to segregate your traffic with the policies and rules.
Dear internalkernel,
Yes, no effect... I've tried like what u said.. on the rules:
Code:
ACCEPT net loc:60.x.x.x tcp 80

and the policy:
Code:
net all DROP

Did u see my topology?

Internet =====> Shorewall ====> Switch ====> FTP, WEBSERVER, PROXY =====> LAN

It means that the shorewall has no private IP, and the LAN doesn't connect directly to the shorewall.. the servers (FTP, WEB, PROXY) have a private IP to connect directly with the LAN and use a public IP to connect directly with the shorewall box..

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1 (public ip)
eth1 = 200.x.x.2 (public ip)
eth1:1 = 60.x.x.1 (public ip)

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2 (public ip)
eth1 = 192.x.x.2 (private ip/lan)

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3 (public ip)
eth1 = 192.x.x.3 (private ip/lan)

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3 (public ip)
eth1 = 192.x.x.4 (private ip/lan)

Any idea ??? Should I put 1 more interface on the shorewall box cause it has a different public IP on ethernet 1 (eth1:1)...???
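A way to see why the posted rules and policy never let an inbound connection reach the web or FTP server, as an added example that is not from this thread or from Shorewall itself: a stripped-down model of Shorewall's evaluation order (rules in file order, first match wins, otherwise the first matching policy) run over a constructed copy of the poster's rules and policy files. It ignores sections, interface-to-zone membership, NAT and masquerading, so it models only the rule lookup, not the routing or address-alias issues raised in the replies.

```python
# Constructed copy of the poster's /etc/shorewall/rules and policy entries (comments dropped).
RULES = """\
ACCEPT  local   fw      tcp     53
ACCEPT  local   fw      udp     53
ACCEPT  net     fw      tcp     53
ACCEPT  net     fw      udp     53
ACCEPT  local   fw      tcp     80
ACCEPT  net     fw      tcp     80
ACCEPT  local   fw      tcp     20
ACCEPT  local   fw      tcp     21
ACCEPT  local   fw      tcp     22
ACCEPT  net     fw      tcp     22
ACCEPT  fw      local   tcp     22
ACCEPT  local   fw      tcp     10000
ACCEPT  net     fw      tcp     10000
ACCEPT  net     fw      tcp     25,110,143
ACCEPT  fw      net     tcp     25,110,143
ACCEPT  local   fw      tcp     25,110,143
REJECT  local   net     tcp     25,110,143
"""
POLICY = """\
fw      all     ACCEPT
net     all     DROP
local   all     ACCEPT
"""

def parse(text):
    """Tokenise a Shorewall-style table, skipping comments and blank lines."""
    return [f for f in (ln.split("#", 1)[0].split() for ln in text.splitlines()) if f]

def zone_match(spec, zone, addr=None):
    """'all' matches any zone; a 'zone:addr' spec also requires that address."""
    z, _, a = spec.partition(":")
    return (z == "all" or z == zone) and (not a or a == addr)

def decide(src_zone, dst_zone, proto, port, dst_addr=None, rules=RULES, policy=POLICY):
    """Return (action, matched entry): first matching rule, else first matching policy."""
    for r in parse(rules):
        rproto = r[3] if len(r) > 3 else None
        ports = r[4].split(",") if len(r) > 4 else None
        if (zone_match(r[1], src_zone) and zone_match(r[2], dst_zone, dst_addr)
                and (rproto is None or rproto == proto)
                and (ports is None or str(port) in ports)):
            return r[0], " ".join(r)
    for p in parse(policy):
        if zone_match(p[0], src_zone) and zone_match(p[1], dst_zone):
            return p[2], "policy " + " ".join(p)
    return "DROP", "implicit"

if __name__ == "__main__":
    # Inbound web request to the server's public address: no net->local rule exists,
    # so it falls through to the "net all DROP" policy.
    print(decide("net", "local", "tcp", 80, "60.x.x.3"))  # -> ('DROP', 'policy net all DROP')
```

Every posted rule with `net` as its source has `fw` as its destination, so only traffic to the firewall itself is accepted from the internet; prepending the rule internalkernel suggested is what first makes `net -> local:60.x.x.3 tcp 80` match an ACCEPT in this model.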