07-02-2009, 11:47 PM | #1
LQ Newbie | Registered: Jul 2009 | Posts: 3
Shorewall with FTP and WEB Server Connection problem
Dear all,
I need your help. I am configuring Shorewall with an FTP server and a web server behind the Shorewall box. The topology is
Internet======>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN
The Shorewall box has 2 Ethernet interfaces with public IPs:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1
The FTP server has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 60.x.x.2
eth1 = 192.x.x.2
The web server has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 60.x.x.3
eth1 = 192.x.x.3
The proxy has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 202.x.x.3
eth1 = 192.x.x.4
But I have a problem with connections to the FTP and web servers, while the Internet connection is still working.
Here is my Shorewall configuration:
/etc/shorewall/zones
Code:
###############################################################################
#ZONE     TYPE        OPTIONS     IN OPTIONS     OUT OPTIONS
net       ipv4
local     ipv4
fw        firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces
Code:
###############################################################################
#ZONE     INTERFACE   BROADCAST   OPTIONS
net       eth0
local     eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy
Code:
###############################################################################
#SOURCE   DEST        POLICY      LOG LEVEL      LIMIT:BURST
fw        all         ACCEPT
net       all         DROP
local     all         ACCEPT
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/masq
Code:
###############################################################################
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC
eth0         eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
Code:
###############################################################################
#ACTION   SOURCE   DEST    PROTO   DEST       SOURCE    ORIGINAL   RATE    USER/   MARK
#                                  PORT(S)    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
# DNS to the firewall from both zones
ACCEPT    local    fw      tcp     53
ACCEPT    local    fw      udp     53
ACCEPT    net      fw      tcp     53
ACCEPT    net      fw      udp     53
# HTTP to the firewall itself
ACCEPT    local    fw      tcp     80
ACCEPT    net      fw      tcp     80
# FTP data and control to the firewall itself, local side only
ACCEPT    local    fw      tcp     20
ACCEPT    local    fw      tcp     21
# SSH
ACCEPT    local    fw      tcp     22
ACCEPT    net      fw      tcp     22
ACCEPT    fw       local   tcp     22
ACCEPT    local    fw      tcp     10000
ACCEPT    net      fw      tcp     10000
# SMTP, POP3, IMAP
ACCEPT    net      fw      tcp     25,110,143
ACCEPT    fw       net     tcp     25,110,143
ACCEPT    local    fw      tcp     25,110,143
REJECT    local    net     tcp     25,110,143
#SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
I don't know where the mistake is. Could you help me please?
Thanks,
WISNU
07-03-2009, 06:04 PM | #2
LQ Newbie | Registered: Jun 2009 | Location: /dev/null | Distribution: Jaunty 9.04 | Posts: 15
Let me make sure I understand... connections from the outside (Internet) to the web server are being dropped, but outbound Internet connections are working?
There are two options that come to mind...
Try:
Code:
ACCEPT net local:xxx.xxx.xxx.xxx tcp 80
where xxx.xxx.xxx.xxx is the IP address of your server.
You may need to set a static NAT rule, since traffic is being MASQed through the two interfaces. This would be a Shorewall manual question; that's one I don't know off the top of my head.
Or... possibly adjust the policy rule:
You may want to set it to ACCEPT for testing purposes, just to find out whether that rule is blocking or not. If ACCEPT works and the first suggestion doesn't help, then I would try setting a static NAT rule to the server in question.
Hope that helps.
07-06-2009, 05:24 AM | #3
LQ Newbie | Registered: Jul 2009 | Posts: 3 | Original Poster
I've tried your method but it still doesn't work.
Is there any suggestion?
Or do I have to use one more interface? Because I have different public IPs (200.x.x.x and 60.x.x.x).
Any idea?
07-06-2009, 10:59 AM | #4
LQ Newbie | Registered: Jun 2009 | Location: /dev/null | Distribution: Jaunty 9.04 | Posts: 15
Temporarily setting "net all ACCEPT" had no effect? What did you try as far as setting a static NAT rule to your web server and FTP server?
On the Shorewall box you have:
eth0 = 200.x.x.1
eth1 = 200.x.x.2
eth1:1 = 60.x.x.1
Which interfaces are connected to the Internet and/or the private LAN? It looks like eth0 and eth1 are Internet IPs, while your eth1:1 is connected to the private LAN. Is this correct?
Shorewall doesn't recognize virtual interfaces, but you should still be able to segregate your traffic with the policies and rules.
07-07-2009, 05:39 AM | #5
LQ Newbie | Registered: Jul 2009 | Posts: 3 | Original Poster
Dear internalkernel,
Yes, no effect...
I've tried what you said.
In the rules:
Code:
ACCEPT net loc:60.x.x.x tcp 80
and in the policy:
Code:
net all drop
Did you see my topology?
Internet=====>Shorewall====>Switch====>FTP,WEBSERVER,PROXY=====>LAN
It means that the Shorewall box has no private IP, and the LAN doesn't connect directly to the Shorewall box. The servers (FTP, web, proxy) have private IPs to connect directly with the LAN and use public IPs to connect directly with the Shorewall box.
The Shorewall box has 2 Ethernet interfaces with public IPs:
eth0 = 200.x.x.1 (public IP)
eth1 = 200.x.x.2 (public IP)
eth1:1 = 60.x.x.1 (public IP)
The FTP server has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 60.x.x.2 (public IP)
eth1 = 192.x.x.2 (private IP/LAN)
The web server has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 60.x.x.3 (public IP)
eth1 = 192.x.x.3 (private IP/LAN)
The proxy has 2 Ethernet interfaces, one with a public IP and one with a private IP:
eth0 = 202.x.x.3 (public IP)
eth1 = 192.x.x.4 (private IP/LAN)
Any idea? Should I put one more interface in the Shorewall box, since it has a different public IP on eth1 (eth1:1)?
Last edited by wisnuhidayat; 07-07-2009 at 05:42 AM.
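Editor's note, with an added example that is not code from any poster or from the Shorewall project. Shorewall evaluates a new connection against the rules file first and, when nothing there matches, against the first matching line of the policy file. Replaying the policy and rules posted in #1 shows why the symptom in this thread is exactly what that configuration produces: every rule with `net` as SOURCE has `fw` as DEST, so a connection from the Internet to a host in the `local` zone matches no rule and falls through to `net all DROP`, while traffic originating from `local` is covered by `local all ACCEPT` and keeps working. Adding rules of the shape suggested in #2 (`ACCEPT net local:<server> tcp 80`) changes the outcome. The model also shows what happens to the rule written in #5 with `loc:` as the zone: the posted zones file defines `local`, not `loc`, and Shorewall refuses to compile a rule that names an undefined zone. Addresses are stand-ins from the documentation ranges (198.51.100.0/24 for the 60.x.x.x segment behind eth1:1, 203.0.113.0/24 for the Internet); zone membership, the server addresses and the two added rules are assumptions of this example.

```python
"""First-match evaluation of Shorewall policy/rules for one NEW connection.

Added example for this thread, not the posters' or the Shorewall project's code.
Only the columns the posted files use are modelled (ACTION SOURCE DEST PROTO
DEST-PORT).  Addresses are constructed stand-ins from the documentation ranges:
198.51.100.0/24 plays the 60.x.x.x segment behind eth1:1, 203.0.113.0/24 the Internet."""
import ipaddress

# Assumed zone membership, checked in order: firewall addresses, local segment, then 'net'.
ZONE_MEMBERS = [
    ("fw", ["203.0.113.1/32", "198.51.100.1/32"]),  # eth0 and eth1:1 of the box
    ("local", ["198.51.100.0/24"]),                 # FTP / web / proxy public side
    ("net", ["0.0.0.0/0"]),
]

# Constructed copy of the /etc/shorewall/policy posted in #1.
POLICY_POSTED = """
fw    all   ACCEPT
net   all   DROP
local all   ACCEPT
"""

# Constructed copy of the /etc/shorewall/rules posted in #1, comments dropped.
RULES_POSTED = """
ACCEPT local fw    tcp 53
ACCEPT local fw    udp 53
ACCEPT net   fw    tcp 53
ACCEPT net   fw    udp 53
ACCEPT local fw    tcp 80
ACCEPT net   fw    tcp 80
ACCEPT local fw    tcp 20
ACCEPT local fw    tcp 21
ACCEPT local fw    tcp 22
ACCEPT net   fw    tcp 22
ACCEPT fw    local tcp 22
ACCEPT local fw    tcp 10000
ACCEPT net   fw    tcp 10000
ACCEPT net   fw    tcp 25,110,143
ACCEPT fw    net   tcp 25,110,143
ACCEPT local fw    tcp 25,110,143
REJECT local net   tcp 25,110,143
"""

# Assumed fix: the posted rules never let 'net' reach 'local', so 'net all DROP' wins.
RULES_FIXED = RULES_POSTED + """
ACCEPT net local:198.51.100.2 tcp 21
ACCEPT net local:198.51.100.3 tcp 80
"""

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next(zone for zone, nets in ZONE_MEMBERS
                if any(ip in ipaddress.ip_network(n) for n in nets))

def _parse_table(text, width):
    """Rows of a Shorewall table; comments stripped, absent columns padded with '-'."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(cols + ["-"] * width)[:width] for cols in rows if cols]

def _endpoint(field):
    """'zone' or 'zone:host' -> (zone, host); an undefined zone raises, as 'shorewall check' does."""
    zone, _, host = field.partition(":")
    if zone != "all" and zone not in dict(ZONE_MEMBERS):
        raise ValueError(f"unknown zone {zone!r}")
    return zone, host or None

def _matches(field, zone, addr):
    spec_zone, host = _endpoint(field)
    return spec_zone in ("all", zone) and (host is None or
        ipaddress.ip_address(addr) in ipaddress.ip_network(host, strict=False))

def evaluate(policy_text, rules_text, src, dst, proto, dport):
    """Action taken for a NEW src->dst connection: rules first, then policy."""
    szone, dzone = zone_of(src), zone_of(dst)
    for action, s, d, p, ports in _parse_table(rules_text, 5):
        if (_matches(s, szone, src) and _matches(d, dzone, dst)
                and p in ("-", proto) and (ports == "-" or str(dport) in ports.split(","))):
            return action
    for s, d, action in _parse_table(policy_text, 3):
        if s in ("all", szone) and d in ("all", dzone):
            return action
    raise ValueError("no policy matched; Shorewall needs a catch-all entry")

def compiles(rules_text):
    """True when every zone named in the rules is defined."""
    try:
        [_endpoint(f) for _, s, d, _, _ in _parse_table(rules_text, 5) for f in (s, d)]
    except ValueError:
        return False
    return True

def demo():
    web = ("203.0.113.50", "198.51.100.3", "tcp", 80)   # Internet -> web server, constructed
    return {
        "web_posted": evaluate(POLICY_POSTED, RULES_POSTED, *web),  # DROP
        "web_fixed": evaluate(POLICY_POSTED, RULES_FIXED, *web),    # ACCEPT
        "loc_typo_compiles": compiles("ACCEPT net loc:198.51.100.3 tcp 80"),  # False
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it with `python3` to print the three results. The model covers only new connections (Shorewall lets ESTABLISHED and RELATED traffic through before the rules are consulted) and says nothing about NAT or routing: the posted `masq` entry `eth0 eth1` rewrites the source address of every connection leaving eth0 that arrived on eth1, including ones the 60.x.x.x servers open themselves, and the upstream router must deliver the 60.x.x.x block to 200.x.x.1 before any rule on the box can matter. Opening tcp 21 is also only the control channel for FTP; passive data connections depend on the kernel's FTP connection-tracking helper being loaded.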