[Shorewall-users] DMZ with static NAT + port forwarding

Tom Eastep teastep at shorewall.net
Sat Jun 14 14:29:07 PDT 2003


On Fri, 2003-06-13 at 02:55, Gokul Poduval wrote:

>    I am trying to install shorewall to act as a firewall in a similar
> fashion to the three interface setup as mentioned in shorewall docs. The
> only problem is that I have two machines (say A and B), offering https
> service outside, and I want to put both of them in a DMZ
> (192.168.24.0/24). I have multiple IPs, therefore I was thinking of
> using port forwarding for A and static NAT for B. I do not want to use
> proxy ARP because then I would need to assign a public ip to B, while it
> resides in a 192.168.24.0/24 network.
>    I had initially installed Mandrake 9.1, but I have upgraded the
> shorewall version with the RPM on the sf.net, and I have also
> overwritten the /etc/shorewall/* files with three-interfacs.tgz. I am
> able to successfully setup port forwarding to access machine A, but I
> cannot access machine B at its public ip. One potential problem could be
> that machines in DMZ need masquerading, hence the DMZ is defined in masq
> file. But shorewall docs say that machines requiring static NAT should
> not be defined in masq. Could that be a problem ?

No -- you can use static NAT on some systems in a subnet and masquerade
the rest. See http://www.shorewall.net/shorewall_setup_guide.htm and
http://www.shorewall.net/myfiles.htm.

> (Please cc your answers to me, I haven't subscribed to the list yet)
> 
> Here are my configuration files (the ones I modified, the others are
> untouched)
> 
> zones
> -------
> net     Net             Internet
> loc     Local           Local Networks
> dmz     DMZ             Demilitarized Zone
> 
> interfaces
> ----------
> net     eth1            detect          routefilter,norfc1918,tcpflags
> loc     eth2            detect
> dmz     eth0            detect
> 
> masq
> ----
> eth1                    eth0            203.125.210.98
> eth1                    eth2            203.125.210.98
> 
> nat
> ---
> 203.125.210.99  eth1            192.168.24.16   yes        yes
> 

You probably want "no no" in the last two columns. If you want to access
the server by its external IP address from your local network, add this
rule:

DNAT-	loc	net:192.168.24.16	all	-	-	203.125.210.99

I think you'll be happier with the way that works.

> policy
> ------
> loc             net             ACCEPT
> fw              net             ACCEPT
> dmz             net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
> 
> rules
> -----
> ACCEPT          fw              net             tcp     53
> ACCEPT          fw              net             udp     53
> 
> ACCEPT          loc             fw              tcp     22
> ACCEPT          loc             dmz             tcp     22
> 
> ACCEPT          dmz             net             tcp     53
> ACCEPT          dmz             net             udp     53
> 
> ACCEPT          net             fw              icmp    8
> ACCEPT          loc             fw              icmp    8
> ACCEPT          dmz             fw              icmp    8
> ACCEPT          loc             dmz             icmp    8
> ACCEPT          dmz             loc             icmp    8
> ACCEPT          dmz             net             icmp    8
> ACCEPT          fw              loc             icmp    8
> ACCEPT          fw              dmz             icmp    8
> ACCEPT          net             dmz             icmp    8       
> ACCEPT          net             loc             icmp    8       
> 
> 
> #configure port forwarding for websrvr
> DNAT            net             dmz:192.168.24.8        tcp     80,443
> ACCEPT          loc             dmz:192.168.24.8        tcp     80,443
> 
> #allow https and imap to mail server
> ACCEPT          net             dmz:192.168.24.16       tcp     143,443

Do you also need port 25 open here or is it only IMAP[S] that this
server provides?

Is this a new server or was it previously parallel to the firewall? If
the latter, see the warning at
http://www.shorewall.net/shorewall_setup_guide.htm##NAT regarding ARP
cache problems.

Other than what I've mentioned, I don't see anything wrong with your
configuration.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
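An added example, not from this thread and not Shorewall's own code, modelling the two points made in the reply above: the static nat entry for 192.168.24.16 coexisting with the masq entry for the rest of the DMZ, and the DNAT- rule for reaching the server by its public address from loc. It is a simplified model of the nat table and assumes (as the reply implies, since both entries coexist) that the static SNAT rule is matched before the subnet-wide masquerade rule; the addresses and interface names are the ones quoted in the post.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Values taken from the quoted masq and nat files.
DMZ_NET = ip_network("192.168.24.0/24")
MASQ_ADDR = "203.125.210.98"                      # masq: eth1 eth0 203.125.210.98
STATIC_NAT = {"192.168.24.16": "203.125.210.99"}  # nat:  203.125.210.99 eth1 192.168.24.16
PUBLIC_TO_PRIVATE = {pub: priv for priv, pub in STATIC_NAT.items()}


def postrouting(src: str, out_iface: str) -> Optional[str]:
    """Source address a packet leaves eth1 with (None = left untranslated).

    Assumption: the per-host SNAT rule from the nat file is evaluated before
    the subnet rule from the masq file. First match wins, so the static-NAT
    host keeps its own public address while every other DMZ host shares .98.
    """
    if out_iface != "eth1":
        return None
    if src in STATIC_NAT:                 # rule 1: static SNAT for 192.168.24.16
        return STATIC_NAT[src]
    if ip_address(src) in DMZ_NET:        # rule 2: masq entry, SNAT to fixed .98
        return MASQ_ADDR
    return None


def prerouting(dst: str, in_iface: str, hairpin_rule: bool = False) -> Optional[str]:
    """Destination a packet is DNATed to on arrival (None = no translation).

    Traffic arriving on eth1 (net) for 203.125.210.99 is rewritten by the nat
    entry. Traffic from eth2 (loc) is only rewritten when the suggested
    'DNAT- loc ... 203.125.210.99' rule is present (hairpin_rule=True).
    """
    if dst not in PUBLIC_TO_PRIVATE:
        return None
    if in_iface == "eth1" or (in_iface == "eth2" and hairpin_rule):
        return PUBLIC_TO_PRIVATE[dst]
    return None


if __name__ == "__main__":
    for host in ("192.168.24.16", "192.168.24.8"):
        print(host, "leaves eth1 as", postrouting(host, "eth1"))
    print("loc -> .99 without DNAT-:", prerouting("203.125.210.99", "eth2"))
    print("loc -> .99 with DNAT-:   ", prerouting("203.125.210.99", "eth2", True))
```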
