[Shorewall-users] Q: Shorewall 5 + 2 x ISP + DMZ Setup
a***@starlett.lv
2017-04-28 20:40:59 UTC
Hi !

I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:
2 x ISP
DMZ (with DNS, Web e-mail & ftp) on 192.168.1.2
local net 192.168.0.xxx
Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)
Default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set
as suggested in Shorewall manual.

Unfortunately, I made something wrong. Anyone can suggest a correct
version ?
Many thanks in advance !

*** SHOREWALL.CONF ***
USE_DEFAULT_RT=No
# because /etc/sysconfig/network/ifroute-eth0 is not set.

*** PROVIDERS ***
LTC 1 0x1 main eth0 gw1.xx.xx.xx track,balance=1 eth0,eth1
BTC 2 0x2 main eth1 gw2.99.202.254 track,balance=5 eth0,eth1

gw1.. and gw2 are real IPs of ISP gateways.
LTC (eth0) is main ISP provider, BTC (eth1) backup one.

*** INTERFACES ***
net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
net eth1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth2 tcpflags,nosmurfs,routefilter,logmartians
dmz eth3 tcpflags,nosmurfs,routefilter,logmartians

*** ZONES ***
fw firewall
net ipv4
loc ipv4
dmz ipv4

*** SNAT ***
MASQUERADE 192.168.0.0/16 eth0
MASQUERADE 192.168.0.0/16 eth1
Should I add "MASQUERADE 192.168.1.0/16 eth0" for DMZ ?

*** POLICY ***
net net DROP info
loc net ACCEPT
dmz net ACCEPT
loc dmz ACCEPT
loc $FW ACCEPT
dmz $FW ACCEPT
$FW net ACCEPT
dmz loc ACCEPT
net all DROP info
all all REJECT $LOG_LEVEL

*** RULES ***
Invalid(DROP) net all tcp
DNS(ACCEPT) $FW net
DNS(ACCEPT) $FW loc
DNS(ACCEPT) dmz net
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net

# DNS/Web/Mail server running on DMZ 192.168.1.2
# Local PCs should see DNS server IP as 192.168.0.1
# Is that correct ?
DNAT all dmz:192.168.1.2 tcp 53

# I'm in doubt about this.
# Should I use this -> DNAT net dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp smtp
DNAT all dmz:192.168.1.2 tcp pop3
DNAT all dmz:192.168.1.2 tcp imap
DNAT all dmz:192.168.1.2 tcp ftp

# From the net side our VoIP service provider should see Asterisk as
running on external real IP.
DNAT net loc:192.168.0.2 udp 4000:4999
DNAT net loc:192.168.0.2 udp 5060
Additionally, is it possible to route all Asterisk traffic to our VoIP
provider through eth0 (provider LTC) only ?

*** ROUTES ***
Empty. I assume everything set in "providers". I am wrong here?
Tom Eastep
2017-04-28 23:04:53 UTC
Post by a***@starlett.lv
Hi !
I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:
2 x ISP
DMZ (with DNS, Web e-mail & ftp) on 192.168.1.2
local net 192.168.0.xxx
Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)
Default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set
as suggested in Shorewall manual.
Unfortunately, I made something wrong. Anyone can suggest a correct
version ?
What doesn't work?
Post by a***@starlett.lv
Many thanks in advance !
*** SHOREWALL.CONF ***
USE_DEFAULT_RT=No
# because /etc/sysconfig/network/ifroute-eth0 is not set.
Why do you believe that should preclude using USE_DEFAULT_RT=Yes
Post by a***@starlett.lv
*** PROVIDERS ***
LTC 1 0x1 main eth0 gw1.xx.xx.xx track,balance=1 eth0,eth1
BTC 2 0x2 main eth1 gw2.99.202.254 track,balance=5 eth0,eth1
gw1.. and gw2 are real IPs of ISP gateways.
LTC (eth0) is main ISP provider, BTC (eth1) backup one.
Then why don't you specify 'primary' for eth0 and 'fallback' for eth1?
Post by a***@starlett.lv
*** INTERFACES ***
net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
net eth1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth2 tcpflags,nosmurfs,routefilter,logmartians
dmz eth3 tcpflags,nosmurfs,routefilter,logmartians
I would change 'routefilter,logmartians' to 'rpfilter' and set
RPFILTER_LOG_LEVEL.
Post by a***@starlett.lv
*** ZONES ***
fw firewall
net ipv4
loc ipv4
dmz ipv4
*** SNAT ***
MASQUERADE 192.168.0.0/16 eth0
MASQUERADE 192.168.0.0/16 eth1
Should I add "MASQUERADE 192.168.1.0/16 eth0" for DMZ ?
Yes.
Post by a***@starlett.lv
*** POLICY ***
net net DROP info
loc net ACCEPT
dmz net ACCEPT
loc dmz ACCEPT
loc $FW ACCEPT
dmz $FW ACCEPT
$FW net ACCEPT
dmz loc ACCEPT
net all DROP info
all all REJECT $LOG_LEVEL
*** RULES ***
Invalid(DROP) net all tcp
None of the rules below do anything since they duplicate your policies
(which are almost wide-open).
Post by a***@starlett.lv
DNS(ACCEPT) $FW net
DNS(ACCEPT) $FW loc
DNS(ACCEPT) dmz net
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
# DNS/Web/Mail server running on DMZ 192.168.1.2
# Local PCs should see DNS server IP as 192.168.0.1
# Is that correct ?
Why do you want to have them use 192.168.0.1 rather than 192.168.1.2?
Post by a***@starlett.lv
DNAT all dmz:192.168.1.2 tcp 53
# I'm in doubt about this.
# Should I use this -> DNAT net dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp smtp
DNAT all dmz:192.168.1.2 tcp pop3
DNAT all dmz:192.168.1.2 tcp imap
DNAT all dmz:192.168.1.2 tcp ftp
# From the net side our VoIP service provider should see Asterisk as
running on external real IP.
DNAT net loc:192.168.0.2 udp 4000:4999
DNAT net loc:192.168.0.2 udp 5060
Additionally, is it possible to route all Asterisk traffic to our VoIP
provider through eth0 (provider LTC) only ?
If you make eth0 'primary', that will happen automatically.
Post by a***@starlett.lv
*** ROUTES ***
Empty. I assume everything set in "providers". I am wrong here?
If these suggestions don't help, please send the output of 'shorewall
dump' with your next report, collected as described at
http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
a***@starlett.lv
2017-04-30 10:36:47 UTC
Hi,

Thanks for clarification.
After tinkering with rules/providers and changing to
"USE_DEFAULT_RT=Yes" I've got IP traffic routed.

Now some tricky stuff. DNS, Web, Mail and ftp are running on DMZ
192.168.1.2, while Squid transparent proxy on the same PC as firewall.
Internal loc zone is 192.168.0.xx.
I made these rules for www, pop3, imap and ftp ("all" because of 2 ISP
connections)

DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp pop3
.... etc

BTW, is it possible to make rules like these:
DNAT all dmz:192.168.1.2 tcp www, ftp, pop3, imap, 53

Will this rule work for transparent proxy (where 192.168.1.2 - IP of our
web server running on DMZ.) ?

REDIRECT loc 3128 tcp www - !192.168.1.2

How I can set Squid (running on firewall) to use DNS server running on
DMZ 192.168.1.2 ?

DNAT all dmz:192.168.1.2 tcp 53
DNAT all dmz:192.168.1.2 udp 53

Or Squid option

dns_nameservers 192.168.1.2

PS. From loc zone 192.168.0.xx services like web, mail should be
accessible via normal domain names, e.g. www.domain.com,
mail.domain.com, etc.
Post by Tom Eastep
Post by a***@starlett.lv
Hi !
I installed Shorewall 5.1.3.2 on OpenSuSE Leap 42.2, configured for:
2 x ISP
DMZ (with DNS, Web e-mail & ftp) on 192.168.1.2
local net 192.168.0.xxx
Asterisk VoIP box on local net 192.168.0.5 (right now can't be moved to DMZ)
Default route on Linux (/etc/sysconfig/network/ifroute-eth0) is not set
as suggested in Shorewall manual.
Unfortunately, I made something wrong. Anyone can suggest a correct
version ?
What doesn't work?
Post by a***@starlett.lv
Many thanks in advance !
*** SHOREWALL.CONF ***
USE_DEFAULT_RT=No
# because /etc/sysconfig/network/ifroute-eth0 is not set.
Why do you believe that should preclude using USE_DEFAULT_RT=Yes
Post by a***@starlett.lv
*** PROVIDERS ***
LTC 1 0x1 main eth0 gw1.xx.xx.xx track,balance=1 eth0,eth1
BTC 2 0x2 main eth1 gw2.99.202.254 track,balance=5 eth0,eth1
gw1.. and gw2 are real IPs of ISP gateways.
LTC (eth0) is main ISP provider, BTC (eth1) backup one.
Then why don't you specify 'primary' for eth0 and 'fallback' for eth1?
Post by a***@starlett.lv
*** INTERFACES ***
net eth0 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
net eth1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth2 tcpflags,nosmurfs,routefilter,logmartians
dmz eth3 tcpflags,nosmurfs,routefilter,logmartians
I would change 'routefilter,logmartians' to 'rpfilter' and set
RPFILTER_LOG_LEVEL.
Post by a***@starlett.lv
*** ZONES ***
fw firewall
net ipv4
loc ipv4
dmz ipv4
*** SNAT ***
MASQUERADE 192.168.0.0/16 eth0
MASQUERADE 192.168.0.0/16 eth1
Should I add "MASQUERADE 192.168.1.0/16 eth0" for DMZ ?
Yes.
Post by a***@starlett.lv
*** POLICY ***
net net DROP info
loc net ACCEPT
dmz net ACCEPT
loc dmz ACCEPT
loc $FW ACCEPT
dmz $FW ACCEPT
$FW net ACCEPT
dmz loc ACCEPT
net all DROP info
all all REJECT $LOG_LEVEL
*** RULES ***
Invalid(DROP) net all tcp
None of the rules below do anything since they duplicate your policies
(which are almost wide-open).
Post by a***@starlett.lv
DNS(ACCEPT) $FW net
DNS(ACCEPT) $FW loc
DNS(ACCEPT) dmz net
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
# DNS/Web/Mail server running on DMZ 192.168.1.2
# Local PCs should see DNS server IP as 192.168.0.1
# Is that correct ?
Why do you want to have them use 192.168.0.1 rather than 192.168.1.2?
Post by a***@starlett.lv
DNAT all dmz:192.168.1.2 tcp 53
# I'm in doubt about this.
# Should I use this -> DNAT net dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp smtp
DNAT all dmz:192.168.1.2 tcp pop3
DNAT all dmz:192.168.1.2 tcp imap
DNAT all dmz:192.168.1.2 tcp ftp
# From the net side our VoIP service provider should see Asterisk as
running on external real IP.
DNAT net loc:192.168.0.2 udp 4000:4999
DNAT net loc:192.168.0.2 udp 5060
Additionally, is it possible to route all Asterisk traffic to our VoIP
provider through eth0 (provider LTC) only ?
If you make eth0 'primary', that will happen automatically.
Post by a***@starlett.lv
*** ROUTES ***
Empty. I assume everything set in "providers". I am wrong here?
If these suggestions don't help, please send the output of 'shorewall
dump' with your next report, collected as described at
http://www.shorewall.net/support.htm#Guidelines
-Tom
Tom Eastep
2017-05-01 18:27:11 UTC
Post by a***@starlett.lv
Hi,
Thanks for clarification.
After tinkering with rules/providers and changing to
"USE_DEFAULT_RT=Yes" I've got IP traffic routed.
Now some tricky stuff. DNS, Web, Mail and ftp are running on DMZ
192.168.1.2, while Squid transparent proxy on the same PC as firewall.
Internal loc zone is 192.168.0.xx.
I made these rules for www, pop3, imap and ftp ("all" because of 2
ISP connections)
DNAT all dmz:192.168.1.2 tcp www
DNAT all dmz:192.168.1.2 tcp pop3
.... etc
BTW, is it possible to make rules like these:
DNAT all dmz:192.168.1.2 tcp www, ftp, pop3, imap, 53
Yes:

DNAT all dmz:192.168.1.2 tcp www,ftp,pop3,imap,53

Post by a***@starlett.lv
Will this rule work for transparent proxy (where 192.168.1.2 - IP of
our web server running on DMZ.) ?
REDIRECT loc 3128 tcp www - !192.168.1.2
Yes
Post by a***@starlett.lv
How I can set Squid (running on firewall) to use DNS server running on
DMZ 192.168.1.2 ?
DNAT all dmz:192.168.1.2 tcp 53
DNAT all dmz:192.168.1.2 udp 53
Or Squid option
dns_nameservers 192.168.1.2
That is the best way.
Post by a***@starlett.lv
PS. From loc zone 192.168.0.xx services like web, mail should be
accessible via normal domain names, e.g. www.domain.com,
mail.domain.com, etc.
They will be if you use the DNAT rules you show above.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________