Shorewall with FTP and WEB Server Connection problem

wisnuhidayat · 07-02-2009, 11:47 PM

Dear all,

I need your help, I am configuring shorewall with FTP and Web Server behind the shorewall box. The topolgy is

Internet======>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2
eth1 = 192.x.x.2

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3
eth1 = 192.x.x.3

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3
eth1 = 192.x.x.4

But I have problem with connection to FTP and WebServer.. But the internet connection still running..
Here are my shorewall configuration..

/etc/shorewall/zones
########################################################################

#ZONE TYPE OPTIONS IN OUT

# OPTIONS OPTIONS

net ipv4

local ipv4

fw firewall

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
########################################################################

#ZONE INTERFACE BROADCAST OPTIONS

net eth0

local eth1

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
########################################################################

#SOURCE DEST POLICY LOG LIMIT:BURST

# LEVEL

fw all ACCEPT

net all DROP

local all ACCEPT

#LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq
########################################################################

#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC

eth0 eth1

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules
########################################################################

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK

# PORT PORT(S) DEST LIMIT GROUP

#SECTION ESTABLISHED

#SECTION RELATED

ACCEPT local fw tcp 53
ACCEPT local fw udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53

ACCEPT local fw tcp 80
ACCEPT net fw tcp 80

ACCEPT local fw tcp 20

ACCEPT local fw tcp 21

ACCEPT local fw tcp 22
ACCEPT net fw tcp 22
ACCEPT fw local tcp 22

ACCEPT local fw tcp 10000
ACCEPT net fw tcp 10000

ACCEPT net fw tcp 25,110,143
ACCEPT fw net tcp 25,110,143
ACCEPT local fw tcp 25,110,143
REJECT local net tcp 25,110,143

#SECTION NEW

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I don't know where is the wrong.. Could you help me please...

Thanks,
WISNU

internalkernel · 07-03-2009, 06:04 PM

Let me make sure I understand... connections from the external (internet) to the webserver are being dropped but outbound internet connections are working?

There are two options that come to mind...

Try:

Code:

ACCEPT	net       local:xxx.xxx.xxx.xxx	tcp	80

Where xxx is the ip address of your server.

You may need to set a static NAT rule, since traffic is being MASQ through the two interfaces. This would a Shorewall Manual question - that's one I don't know off the top of my head.

Or... possible adjust the policy rule:

Code:

net all DROP

You may want to set it to ACCEPT for testing purposes, just to find out if that rule is blocking or not. If ACCEPT works, and the first suggestion doesn't help... then I would try setting a static NAT rule to the server in question.

hope that helps

wisnuhidayat · 07-06-2009, 05:24 AM

I've tried your methode but still doesn't work..

Is there any suggestion...???

Or Do I have to use 1 more interface ? Coz I have different public ip (200.x.x.x and 60.x.x.x.x)

Any idea???

internalkernel · 07-06-2009, 10:59 AM

Temporarily setting "net all ACCEPT" had no affect? What did you try as far as setting a static NAT rule to your webserver and FTP?

On the Shorewall box you have:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1

Which interfaces are connected to the internet and/or private LAN? It looks like eth0 and eth1 are internet IPs, while your eth1:1 is connected to the private LAN. Is this correct?

Shorewall doesn't recognize virtual interfaces, but you should still be able to segregate your traffic with the policies and rules.

wisnuhidayat · 07-07-2009, 05:39 AM

Dear internalkernel,

Yes, no affect...
I've tried like what u said..

on the rules;
ACCEPT net loc:60.x.x.x tcp 80

and the policy;
net all drop

Did u see my topology?

Internet=====>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN

It is mean that the shorewall has no private IP, and the lan doesn't connect directly to shorewall.. the server (FTP,WEB,PROXY) has Private IP to connect directly with LAN and using public IP to connect directly with shorewall box..

The shorewall has 2 ethernet with public IP:
eth0 = 200.x.x.1 (public ip)
eth1 = 200.x.x.2 (public ip)
eth1:1 = 60.x.x.1 (public ip)

The FTP has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.2 (public ip)
eth1 = 192.x.x.2 (private ip/lan)

The WEBServer has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 60.x.x.3 (public ip)
eth1 = 192.x.x.3 (private ip/lan)

The PROXY has 2 ethernet with 1 public ip and 1 more private ip;
eth0 = 202.x.x.3 (public ip)
eth1 = 192.x.x.4 (private ip/lan)

Any idea ??? Should i put 1 more interface for the shorewall box cause it has different public ip on ethernet 1(1:1)...???