LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-03-2009, 12:47 AM   #1
wisnuhidayat
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Rep: Reputation: 0
Smile Shorewall with FTP and WEB Server Connection problem


Dear all,

I need your help, I am configuring shorewall with FTP and Web Server behind the shorewall box. The topolgy is

Internet======>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2
eth1 = 192.x.x.2

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3
eth1 = 192.x.x.3

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3
eth1 = 192.x.x.4


But I have problem with connection to FTP and WebServer.. But the internet connection still running..
Here are my shorewall configuration..

/etc/shorewall/zones
########################################################################

#ZONE TYPE OPTIONS IN OUT

# OPTIONS OPTIONS

net ipv4

local ipv4

fw firewall

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
########################################################################

#ZONE INTERFACE BROADCAST OPTIONS

net eth0

local eth1

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
########################################################################

#SOURCE DEST POLICY LOG LIMIT:BURST

# LEVEL

fw all ACCEPT

net all DROP

local all ACCEPT

#LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq
########################################################################

#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC

eth0 eth1

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
########################################################################

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK

# PORT PORT(S) DEST LIMIT GROUP

#SECTION ESTABLISHED

#SECTION RELATED


ACCEPT local fw tcp 53
ACCEPT local fw udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53

ACCEPT local fw tcp 80
ACCEPT net fw tcp 80

ACCEPT local fw tcp 20

ACCEPT local fw tcp 21

ACCEPT local fw tcp 22
ACCEPT net fw tcp 22
ACCEPT fw local tcp 22

ACCEPT local fw tcp 10000
ACCEPT net fw tcp 10000

ACCEPT net fw tcp 25,110,143
ACCEPT fw net tcp 25,110,143
ACCEPT local fw tcp 25,110,143
REJECT local net tcp 25,110,143

#SECTION NEW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


I don't know where is the wrong.. Could you help me please...


Thanks,
WISNU
 
Old 07-03-2009, 07:04 PM   #2
internalkernel
LQ Newbie
 
Registered: Jun 2009
Location: /dev/null
Distribution: Jaunty 9.04
Posts: 15

Rep: Reputation: 0
Let me make sure I understand... connections from the external (internet) to the webserver are being dropped but outbound internet connections are working?

There are two options that come to mind...

Try:
Code:
ACCEPT	net       local:xxx.xxx.xxx.xxx	tcp	80
Where xxx is the ip address of your server.

You may need to set a static NAT rule, since traffic is being MASQ through the two interfaces. This would a Shorewall Manual question - that's one I don't know off the top of my head.

Or... possible adjust the policy rule:
Code:
net all DROP
You may want to set it to ACCEPT for testing purposes, just to find out if that rule is blocking or not. If ACCEPT works, and the first suggestion doesn't help... then I would try setting a static NAT rule to the server in question.

hope that helps
 
Old 07-06-2009, 06:24 AM   #3
wisnuhidayat
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
I've tried your methode but still doesn't work..

Is there any suggestion...???

Or Do I have to use 1 more interface ? Coz I have different public ip (200.x.x.x and 60.x.x.x.x)

Any idea???
 
Old 07-06-2009, 11:59 AM   #4
internalkernel
LQ Newbie
 
Registered: Jun 2009
Location: /dev/null
Distribution: Jaunty 9.04
Posts: 15

Rep: Reputation: 0
Temporarily setting "net all ACCEPT" had no affect? What did you try as far as setting a static NAT rule to your webserver and FTP?

On the Shorewall box you have:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

Which interfaces are connected to the internet and/or private LAN? It looks like eth0 and eth1 are internet IPs, while your eth1:1 is connected to the private LAN. Is this correct?

Shorewall doesn't recognize virtual interfaces, but you should still be able to segregate your traffic with the policies and rules.
 
Old 07-07-2009, 06:39 AM   #5
wisnuhidayat
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Shorewall with FTP and WEB Server Connection problem

Dear internalkernel,

Yes, no affect...
I've tried like what u said..

on the rules;
ACCEPT net loc:60.x.x.x tcp 80

and the policy;
net all drop

Did u see my topology?

Internet=====>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN

It is mean that the shorewall has no private IP, and the lan doesn't connect directly to shorewall.. the server (FTP,WEB,PROXY) has Private IP to connect directly with LAN and using public IP to connect directly with shorewall box..

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1 (public ip)
eth1 = 200.x.x.2 (public ip)
eth1:1 = 60.x.x.1 (public ip)

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2 (public ip)
eth1 = 192.x.x.2 (private ip/lan)

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3 (public ip)
eth1 = 192.x.x.3 (private ip/lan)

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3 (public ip)
eth1 = 192.x.x.4 (private ip/lan)

Any idea ??? Should i put 1 more interface for the shorewall box cause it has different public ip on ethernet 1(1:1)...???

Last edited by wisnuhidayat; 07-07-2009 at 06:42 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ftp(through web site access to ftp server) kelper Linux - Software 4 07-03-2015 06:14 PM
iptables rules for web server email server,ftp and ssh,please help lightwing Linux - Networking 1 03-25-2009 09:58 PM
How to monitor web server, FTP server, Mail server and database server vodka33us Programming 1 06-16-2008 05:20 AM
Shorewall and Internal FTP Server Problem jonwatson Linux - Server 2 12-22-2006 04:33 PM
Setup a linux server, DNS, WEB, FTP, and Mail Server Help watermelon_lee Linux - Networking 1 08-26-2003 04:09 AM


All times are GMT -5. The time now is 03:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration