[Shorewall-users] DMZ with static NAT + port forwarding

Tom Eastep teastep at shorewall.net
Sat Jun 14 14:29:07 PDT 2003

On Fri, 2003-06-13 at 02:55, Gokul Poduval wrote:

>    I am trying to install shorewall to act as a firewall in a similar
> fashion to the three interface setup as mentioned in shorewall docs. The
> only problem is that I have two machines (say A and B), offering https
> service outside, and I want to put both of them in a DMZ
> (I have multiple IPs, therefore I was thinking of
> using port forwarding for A and static NAT for B). I do not want to use
> proxy ARP because then I would need to assign a public ip to B, while it
> resides in a network.
>    I had initially installed Mandrake 9.1, but I have upgraded the
> shorewall version with the RPM on the sf.net, and I have also
> overwritten the /etc/shorewall/* files with three-interfaces.tgz. I am
> able to successfully setup port forwarding to access machine A, but I
> cannot access machine B at its public ip. One potential problem could be
> that machines in DMZ need masquerading, hence the DMZ is defined in masq
> file. But shorewall docs say that machines requiring static NAT should
> not be defined in masq. Could that be a problem ?

No -- you can use static NAT on some systems in a subnet and masquerade
the rest. See http://www.shorewall.net/shorewall_setup_guide.htm and

> (Please cc your answers to me, I haven't subscribed to the list yet)
> Here are my configuration files (the ones I modified, the others are
> untouched)
> zones
> -------
> net     Net             Internet
> loc     Local           Local Networks
> dmz     DMZ             Demilitarized Zone
> interfaces
> ----------
> net     eth1            detect          routefilter,norfc1918,tcpflags
> loc     eth2            detect
> dmz     eth0            detect
> masq
> ----
> eth1                    eth0  
> eth1                    eth2  
> nat
> ---
>  eth1     yes        yes

You probably want "no no" in the last two columns. If you want to access
the server by its external IP address from your local network, add this

DNAT-	loc	net:	all	-	-

I think you'll be happier with the way that works.

> policy
> ------
> loc             net             ACCEPT
> fw              net             ACCEPT
> dmz             net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
> rules
> -----
> ACCEPT          fw              net             tcp     53
> ACCEPT          fw              net             udp     53
> ACCEPT          loc             fw              tcp     22
> ACCEPT          loc             dmz             tcp     22
> ACCEPT          dmz             net             tcp     53
> ACCEPT          dmz             net             udp     53
> ACCEPT          net             fw              icmp    8
> ACCEPT          loc             fw              icmp    8
> ACCEPT          dmz             fw              icmp    8
> ACCEPT          loc             dmz             icmp    8
> ACCEPT          dmz             loc             icmp    8
> ACCEPT          dmz             net             icmp    8
> ACCEPT          fw              loc             icmp    8
> ACCEPT          fw              dmz             icmp    8
> ACCEPT          net             dmz             icmp    8       
> ACCEPT          net             loc             icmp    8       
> #configure port forwarding for websrvr
> DNAT            net             dmz:        tcp     80,443
> ACCEPT          loc             dmz:        tcp     80,443
> #allow https and imap to mail server
> ACCEPT          net             dmz:       tcp     143,443

Do you also need port 25 open here or is it only IMAP[S] that this
server provides?

Is this a new server or was it previously parallel to the firewall? If
the latter, see the warning at
http://www.shorewall.net/shorewall_setup_guide.htm#NAT regarding ARP
cache problems.

Other than what I've mentioned, I don't see anything wrong with your

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
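The layout Tom is describing (static NAT for one DMZ host, masquerading for everything else on the same subnet, "no no" in the nat file), written out as an added example; this is not from the original post or from the Shorewall project. The addresses (203.0.113.x public, 192.168.3.x DMZ), the assignment of A = web server and B = mail server, and the Shorewall 1.4 column layouts are assumptions.

```text
# /etc/shorewall/interfaces  (as in the post)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      routefilter,norfc1918,tcpflags
loc     eth2        detect
dmz     eth0        detect

# /etc/shorewall/masq
# The whole DMZ (eth0) and LAN (eth2) are masqueraded behind eth1.
# A host that also has an entry in /etc/shorewall/nat keeps its one-to-one
# mapping; the masq entry only catches traffic static NAT does not cover,
# so listing eth0 here is not the problem.
#INTERFACE   SUBNET   ADDRESS
eth1         eth0
eth1         eth2

# /etc/shorewall/nat
# One-to-one NAT for machine B only (assumed: public 203.0.113.11,
# DMZ 192.168.3.11). "no no" in the last two columns: the translation is
# applied only to packets arriving on eth1, not from the loc/dmz interfaces
# and not to the firewall's own traffic. Reaching B by its public address
# from the LAN is then done with the DNAT- rule Tom gives above, not by
# setting ALL INTERFACES to yes.
#EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
203.0.113.11     eth1        192.168.3.11    no               no

# /etc/shorewall/rules
# Machine A (assumed DMZ 192.168.3.10) is reached by port forwarding on the
# firewall's own eth1 address; machine B needs only ACCEPT, because the nat
# entry has already rewritten the destination before the rules are checked.
#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)
DNAT      net      dmz:192.168.3.10    tcp     80,443
ACCEPT    loc      dmz:192.168.3.10    tcp     80,443
ACCEPT    net      dmz:192.168.3.11    tcp     143,443
```

After `shorewall restart`, `iptables -t nat -L -n -v` should list a DNAT for 203.0.113.11 in PREROUTING and the matching SNAT in POSTROUTING, ahead of the MASQUERADE rules for eth0 and eth2. Shorewall also adds the public address as an alias on eth1 (the ADD_IP_ALIASES setting in shorewall.conf), which is why a server that previously held that address itself can leave stale ARP entries upstream, as the warning Tom points to describes.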
