Re: [Vserver] Shorewall problems

From: Dusan Vejnovic <Dusan.Vejnovic_at_mors.si>
Date: Mon 20 Nov 2006 - 18:08:07 GMT
Message-id: <7662874246.7424676628@mors.si>

The shorewall doc says that SNAT is done with a masquerading rule, like:
- masq
eth1 eth0 89.x.x.x

Dusan

----- Original Message -----
From: Herbert Poetzl <herbert@13thfloor.at>
Date: Monday, November 20, 2006 6:47 pm
Subject: Re: [Vserver] Shorewall problems

> On Fri, Nov 17, 2006 at 12:25:20PM +0100, Dusan Vejnovic wrote:
> > Hi!!!
> > I have two NICs, one for internal and one for external use. For
> > firewall I use shorewall. I set up vserver for web server. And my
> > problem: I can access my web server from my internal network. But
> > when I connect from outside there is no response from the web vserver.
>
> well, I know zilch about shorewall, but I do not see
> any SNAT rule in that list below, but if you want
> the guest to answer with a public ip (which is not
> assigned to the guest) then you need to SNAT the
> private ip on outgoing packets ...
>
> > Please help!!!
>
> anyway, a tcpdump -vvnei eth1 port 80
>
> should give some useful hints when you try to connect
> from outside
>
> HTH,
> Herbert
>
> > ----------------------------------------------------
> > My configuration of shorewall.
> > eth0: internal network (loc, dmz)
> > eth1: external network (net)
> >
> > - interfaces
> > - eth0
> > net eth1 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
> > - zones
> > fw firewall
> > net ipv4
> > loc ipv4
> > dmz ipv4
> >
> > - policy
> > loc net ACCEPT
> > loc dmz ACCEPT
> > loc $FW REJECT info
> > loc all REJECT info
> > $FW net ACCEPT
> > $FW dmz REJECT info
> > $FW loc REJECT info
> > $FW all REJECT info
> > dmz net ACCEPT
> > dmz $FW REJECT info
> > dmz loc REJECT info
> > dmz all REJECT info
> > net dmz DROP info
> > net $FW DROP info
> > net loc DROP info
> > net all DROP info
> > all all REJECT info
> >
> > - masq
> > eth1 eth0 89.x.x.x
> >
> > - hosts
> > loc eth0:192.168.0.1-192.168.0.19,192.168.0.100-192.168.0.150 routeback,tcpflags
> > dmz eth0:192.168.0.20-192.168.0.99,192.168.0.151-192.168.0.253 routeback,tcpflags
> >
> > - rules
> > ACCEPT $FW net tcp 53
> > ACCEPT $FW net udp 53
> > ACCEPT net $FW tcp 53
> > ACCEPT net $FW udp 53
> > ACCEPT loc $FW tcp 53
> > ACCEPT loc $FW udp 53
> > ACCEPT dmz net tcp 53
> > ACCEPT dmz net udp 53
> > ACCEPT dmz $FW tcp 53
> > ACCEPT dmz $FW udp 53
> > ACCEPT loc $FW tcp 22
> > ACCEPT loc $FW udp 22
> > ACCEPT loc dmz tcp 22
> > ACCEPT loc dmz udp 22
> > DNAT loc dmz:192.168.0.35 tcp 80 - 89.x.x.x
> > DNAT loc dmz:192.168.0.35 udp 80 - 89.x.x.x
> > DNAT loc dmz:192.168.0.35 tcp 443 - 89.x.x.x
> > DNAT loc dmz:192.168.0.35 udp 443 - 89.x.x.x
> > DNAT net dmz:192.168.0.35 tcp 80
> > DNAT net dmz:192.168.0.35 udp 80
> > DNAT net dmz:192.168.0.35 tcp 443
> > DNAT net dmz:192.168.0.35 udp 443
> > REDIRECT loc 3128 tcp 80 - !192.168.0.35
> > REDIRECT loc 3128 udp 80 - !192.168.0.35
> >
> > _______________________________________________
> > Vserver mailing list
> > Vserver@list.linux-vserver.org
> > http://list.linux-vserver.org/mailman/listinfo/vserver
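As an added example (not code from this thread or from shorewall), a small Python checker over the hosts, masq and rules fragments quoted above: it confirms that each DNAT target address actually falls inside the host ranges of the zone named in the rule, and that a masq entry covers the interface that zone lives on. The fragments are reconstructed here as constructed input, the poster's `89.x.x.x` placeholder is kept as-is, and one deliberately wrong DNAT line is added to show the check firing.

```python
import ipaddress

# Constructed from the shorewall fragments quoted in the thread above.
HOSTS = """
loc eth0:192.168.0.1-192.168.0.19,192.168.0.100-192.168.0.150 routeback,tcpflags
dmz eth0:192.168.0.20-192.168.0.99,192.168.0.151-192.168.0.253 routeback,tcpflags
"""
MASQ = "eth1 eth0 89.x.x.x\n"  # INTERFACE SOURCE ADDRESS, placeholder address kept
RULES = """
DNAT net dmz:192.168.0.35 tcp 80
DNAT net dmz:192.168.0.35 tcp 443
DNAT net loc:192.168.0.35 tcp 8080
"""  # the last line is a constructed mistake: .35 is not in loc's ranges

def parse_hosts(text):
    """Map zone -> (interface, [(first, last), ...]) from a shorewall hosts file."""
    zones = {}
    for line in text.strip().splitlines():
        zone, spec = line.split()[:2]
        iface, ranges = spec.split(":", 1)
        pairs = []
        for r in ranges.split(","):
            lo, hi = r.split("-")
            pairs.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        zones[zone] = (iface, pairs)
    return zones

def parse_masq(text):
    """List of (outbound interface, source interface/network, snat address)."""
    return [tuple(line.split()[:3]) for line in text.strip().splitlines()]

def check_dnat(rules, hosts, masq):
    """Return a list of problems for every DNAT rule whose DEST is zone:ip."""
    problems = []
    masq_sources = {src for _, src, _ in masq}
    for line in rules.strip().splitlines():
        action, _src, dest, _proto, _port = line.split()[:5]
        if action != "DNAT" or ":" not in dest:
            continue
        zone, addr = dest.split(":", 1)
        ip = ipaddress.ip_address(addr)
        iface, ranges = hosts[zone]
        if not any(lo <= ip <= hi for lo, hi in ranges):
            problems.append(f"{line}: {ip} is not in zone {zone}'s host ranges")
        if iface not in masq_sources:
            problems.append(f"{line}: no masq entry covers traffic from {iface}")
    return problems

if __name__ == "__main__":
    for p in check_dnat(RULES, parse_hosts(HOSTS), parse_masq(MASQ)):
        print(p)
```

With the fragments as quoted, only the constructed `loc:192.168.0.35` line is reported; dropping the masq entry additionally flags every DNAT target on eth0.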

Received on Mon Nov 20 18:10:40 2006

Generated on Mon 20 Nov 2006 - 18:10:47 GMT by hypermail 2.1.8