Discussion:
[Shorewall-users] need help, can't find examples like this
Robert Grizilo
2017-01-30 20:16:50 UTC
My setup:

+-------------------------------------------+
|                                           |
|       5.6.7.8 (some remote server)        |
|                                           |
|                 INTERNET                  |
|                                           |
|  eth0 (1.2.3.4/24)   eth0:0 (1.2.3.5/24)  |
|                                           |
+-----------------+-------------------------+
                  |
                  |
         +--------+--------+
         |    SHOREWALL    |
         +--+---+---+------+
            |   |   |
            |   |   +- eth1 ofc - 192.168.10.1/24
            |   |
            |   +- eth2 vip - 10.0.0.194/30 <----------------> 10.0.0.193/30
            |
            +- eth3 hom - 192.168.0.1/24

:interfaces
net  eth0  detect
ofc  eth1  detect
vip  eth2  detect
hom  eth3  detect

:zones
fw   firewall
net  ipv4
ofc  ipv4
vip  ipv4
hom  ipv4

:masq
eth0  eth1
eth0  eth3

:policy
fw   all  ACCEPT
ofc  all  ACCEPT
hom  fw   ACCEPT
hom  net  ACCEPT

net  all  DROP    info
all  all  REJECT  info

:rules
ACCEPT  net  fw:1.2.3.4  tcp  22  -  -  3/min:9

I need:

on 1.2.3.5 incoming only from 5.6.7.8 is allowed
all proto coming from 5.6.7.8 to 1.2.3.5 snat as 10.0.0.194 and send it to
10.0.0.193
all proto coming from 10.0.0.193 to 10.0.0.194 snat as 1.2.3.5 and send it to
5.6.7.8

(and if possible, when restarting shorewall, don't break active connections between
them)

Thanks!

I've searched a lot, but (probably) don't know how to ask.
Tom Eastep
2017-01-31 00:01:39 UTC
Post by Robert Grizilo
on 1.2.3.5 incoming only from 5.6.7.8 is allowed
all proto coming from 5.6.7.8 to 1.2.3.5 snat as 10.0.0.194 and send it to
10.0.0.193
/etc/shorewall/rules:

DNAT net:5.6.7.8 xxx:10.0.0.193 - - 1.2.3.5
DROP:yyy net fw:1.2.3.5

xxx is the zone that 10.0.0.193 is in and yyy is whatever log level
you choose to log other traffic to 1.2.3.5 at.

/etc/shorewall/masq:

eth?:10.0.0.193 5.6.7.8 10.0.0.194

Where eth? is the interface to 10.0.0.193.
Post by Robert Grizilo
all proto coming from 10.0.0.193 to 10.0.0.194 snat as 1.2.3.5
and send it to 5.6.7.8
/etc/shorewall/rules:

DNAT xxx:10.0.0.193 net:5.6.7.8 - - 10.0.0.194

/etc/shorewall/masq:

eth0:5.6.7.8 10.0.0.193 1.2.3.5
Post by Robert Grizilo
(and if possible, when restarting shorewall, don't break active
connections between them)
Shouldn't be an issue.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Robert Grizilo
2017-01-31 08:27:41 UTC
Tom Eastep
2017-01-31 16:04:44 UTC
Post by Robert Grizilo
Tom Eastep, thanks a lot, sorry to bother you but... I have an error and
ERROR: SOURCE/DEST PORT(S) not allowed without PROTO /etc/shorewall/rules
If I change "- -" with "tcp all" or "udp all" or "icmp all" the
result is the same.
My bad -- you need three dashes rather than two.

-Tom
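The error in this exchange is a column shift: the rules file is positional, so with only two dashes the ORIGDEST value 1.2.3.5 lands in the SPORT column, and the compiler rightly objects that a port was given without a PROTO. The script below is an added example (my code, not Shorewall's own compiler) that models the leading columns of /etc/shorewall/rules and /etc/shorewall/masq as documented in their manpages, reproduces that error on the first attempt from the thread, and shows Tom's corrected rules and masq entries from earlier in the thread parsing cleanly. The zone name xxx is Tom's placeholder for whichever zone 10.0.0.193 is in, eth2 is assumed as the interface to that host, and the "looks like an address" hint is a heuristic of my own, not a Shorewall message.

```python
"""Column checker for Shorewall /etc/shorewall/rules and /etc/shorewall/masq.

Added example, not Shorewall's own code.  It models only the first columns
of each file (the ones used in this thread) and reproduces the compiler
error "SOURCE/DEST PORT(S) not allowed without PROTO", so the difference
between "- -" and "- - -" in a DNAT rule is visible.
"""
import ipaddress

# First eight columns of the rules file (Shorewall 4.x/5.x layout).
RULES_COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO",
                 "DPORT", "SPORT", "ORIGDEST", "RATE")
# First three columns of the masq file; INTERFACE may carry ":DEST".
MASQ_COLUMNS = ("INTERFACE", "SOURCE", "ADDRESS")

# Constructed sample files.  The rules mirror Tom's corrected answer
# (three dashes before ORIGDEST); "xxx" is the zone 10.0.0.193 lives in.
RULES_OK = """
# ACTION   SOURCE          DEST            PROTO DPORT SPORT ORIGDEST    RATE
ACCEPT     net             fw:1.2.3.4      tcp   22    -     -           3/min:9
DNAT       net:5.6.7.8     xxx:10.0.0.193  -     -     -     1.2.3.5
DROP:info  net             fw:1.2.3.5
DNAT       xxx:10.0.0.193  net:5.6.7.8     -     -     -     10.0.0.194
"""
# The first attempt from the thread: one dash too few.
RULES_BROKEN = "DNAT net:5.6.7.8 xxx:10.0.0.193 - - 1.2.3.5\n"

# eth2 is assumed to be the interface facing 10.0.0.193.
MASQ = """
# INTERFACE:DEST   SOURCE       ADDRESS
eth2:10.0.0.193    5.6.7.8      10.0.0.194
eth0:5.6.7.8       10.0.0.193   1.2.3.5
"""


def config_lines(text):
    """Yield (line_no, line) for non-empty, non-comment, non-directive lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("?"):   # '?FORMAT 2' etc. are directives
            yield no, line


def parse_columns(line, names):
    """Map whitespace-separated fields onto column names; missing ones become '-'."""
    row = dict.fromkeys(names, "-")
    row.update(zip(names, line.split()))
    return row


def looks_like_address(value):
    """True for a bare IPv4/IPv6 address or network such as '1.2.3.5'."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_rule(line):
    """Return the error strings for one rules line (empty list when it is fine)."""
    row = parse_columns(line, RULES_COLUMNS)
    errors = []
    if row["PROTO"] == "-" and (row["DPORT"] != "-" or row["SPORT"] != "-"):
        errors.append("SOURCE/DEST PORT(S) not allowed without PROTO")
        # Heuristic (mine, not Shorewall's): an address sitting in a port
        # column means the line is short one '-' and the value was meant
        # for ORIGDEST, which is column 7.
        for col in ("DPORT", "SPORT"):
            if looks_like_address(row[col]):
                errors.append(f"{col}={row[col]} is an address; "
                              "ORIGDEST is column 7, add a '-'")
    return errors


def check_rules_file(text):
    """Return {line_no: [errors]} for every faulty line in a rules file."""
    return {no: errs for no, line in config_lines(text) if (errs := check_rule(line))}


def parse_masq(line):
    """Split a masq line into outgoing interface, destination filter, source and SNAT address."""
    row = parse_columns(line, MASQ_COLUMNS)
    iface, _, dest = row["INTERFACE"].partition(":")
    return {"INTERFACE": iface, "DEST": dest or "-",
            "SOURCE": row["SOURCE"], "ADDRESS": row["ADDRESS"]}


if __name__ == "__main__":
    print("corrected rules:", check_rules_file(RULES_OK) or "no errors")
    print("first attempt:  ", check_rules_file(RULES_BROKEN))
    for _, entry in config_lines(MASQ):
        print(parse_masq(entry))
```

The check is deliberately narrower than Shorewall's compiler, which remains the authority on what a line means; the point is that positional files need a placeholder in every column up to the last one you fill, and that a DNAT rule's original destination (here the alias address 1.2.3.5, or 10.0.0.194 for the return path) lives in column 7, after PROTO, DPORT and SPORT.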
Robert Grizilo
2017-02-01 13:15:49 UTC
Post by Tom Eastep
My bad -- you need three dashes rather than two.
Thanks again, I really appreciate it.

Robert Grizilo,
Rijeka,
Croatia
