Hi.

I'm migrating to shorewall(6) mgmt of my various firewalls.

Simple configs have been easy with the great docs.

I've got a slightly more convoluted config, and have gotten 'lost' in
config'ing a SNAT/DNAT/NAT + DMZ + Xen Host/Guest set up with Static
IP/29.  Having some challenges wrapping my head around the 'best'
Shorewall approach :-/

Here's a 1st shot at explaining what I have and what I need help with:

I've a static x.x.x.17/29 from my ISP.

My setup is:

        ADSL modem, bridge mode
                |
                |
        Box 1   |
              eth0
              Ext    x.x.x.17/24, Gateway x.x.x.1
                  firewall
                  split DNS -- listen on x.x.x.18 & 192.168.1.100
              Int    192.168.1.100/24
              eth1
                |
                |
              port 1
            GBit Switch
              port 2 --------------------- port 3 --------------------- port(s) 4-...
                |                            |                               |
          Box2                           Box 3                          Box(es) 4 ...
              eth0                           eth0                            eth0
              mail server,                   xen server                      @ ip == 192.168.1.4 ...
              listen on 192.168.1.125            Dom0, 192.168.1.200
                                                     DomU #1, 10.10.1.201,
                                                     www listen on 80 & 443

I need to ensure the following source/destination IP & port mapping for
inbound & outbound traffic:

        Svr MAIL:
                net --> x.x.x.19:{25,143,587} -->
                192.168.1.100:{25,143,587}
                192.168.1.100:{25,143,587} --> x.x.x.19:{25,143,587} -->
                net

        Svr DNS:
                net --> x.x.x.18:53 --> 192.168.1.100:53
                192.168.1.100:53 --> x.x.x.18:53 --> net

        Svr WWW:
                net --> x.x.x.20:{80,443} --> 10.10.1.201:{80,443}
                10.10.1.201:{80,443} --> x.x.x.20:{80,443} --> net


and
        enable ping access from net to  Svr{MAIL,DNS,WWW}
        enable ssh access from @ LAN Desktops 192.168.1.4 ... to
        Svr{MAIL,DNS,WWW}
        default/fallback outbound src ip map for all lan-originated
        traffic is x.x.x.17

Is getting this all working 'simply' an issue of NAT? no proxy arp
required?

IIUC, I wouldn't use a Shorewall DMZ zone for this config, would I?

With shorewall NAT setup, will the inbound/outbound routing -- between
the LAN segments AND enabling per-external-IP source mapping -- be
automatically generated?

Thanks,

DarylX
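The following is an added worked example of how the mapping list above translates into Shorewall 4.x IPv4 configuration files (the file layout current in 2013, with outbound source mapping in /etc/shorewall/masq); it is not the poster's configuration and not text from the Shorewall project. It assumes three things that Shorewall itself does not do for you: the public addresses x.x.x.18, x.x.x.19 and x.x.x.20 are configured on eth0 by the OS (DNAT rules in the rules file do not add them), Box 1 has a static route to 10.10.1.0/24 via 192.168.1.200 (Shorewall generates netfilter rules, not routes), and the Xen Dom0 forwards to the DomU. Since the post's diagram puts the mail listener on Box2 at 192.168.1.125 while the mapping list says 192.168.1.100 (the firewall's own inside address), the example uses the diagram's value; substitute the real one. DNS runs on the firewall itself, so it is ACCEPTed rather than DNATed. No proxy ARP is involved because the public addresses live on the firewall's eth0, and no separate dmz zone is needed for the traffic described, although putting the DomU in its own zone would let you limit what the web server can reach on the LAN if it is compromised.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# routeback on eth1: desktops reach 10.10.1.201 through the firewall, which
# sends the packet back out the interface it arrived on.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,nosmurfs,tcpflags
loc     eth1        detect      routeback,tcpflags

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     $FW     REJECT  info        # LAN -> firewall: only what rules permit
$FW     all     ACCEPT              # firewall's own traffic (DNS queries etc.)
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE              DEST                PROTO   DEST         SOURCE  ORIGINAL
#                                                               PORT(S)      PORT(S) DEST
# Inbound: public address -> internal server (DNAT). Mail server address is
# the diagram's 192.168.1.125 (assumption, see above).
DNAT            net                 loc:192.168.1.125   tcp     25,143,587   -       x.x.x.19
DNAT            net                 loc:10.10.1.201     tcp     80,443       -       x.x.x.20
# Ping to the public addresses of the DNATed servers (icmp type 8 = echo request)
DNAT            net                 loc:192.168.1.125   icmp    8            -       x.x.x.19
DNAT            net                 loc:10.10.1.201     icmp    8            -       x.x.x.20
# DNS and ping to the firewall itself; the split DNS listens only on
# x.x.x.18 and 192.168.1.100, so x.x.x.17 does not answer queries.
DNS(ACCEPT)     net                 $FW
Ping(ACCEPT)    net                 $FW
DNS(ACCEPT)     loc                 $FW
# SSH from the desktops to the servers. Desktop -> 192.168.1.125 stays on the
# same L2 segment and never traverses the firewall, so no rule is needed.
SSH(ACCEPT)     loc:192.168.1.4     $FW
SSH(ACCEPT)     loc:192.168.1.4     loc:10.10.1.201

# /etc/shorewall/masq
# Outbound source mapping. Entries are first-match, so the per-server
# addresses come before the x.x.x.17 fallback for everything else.
#INTERFACE  SOURCE                          ADDRESS
eth0        192.168.1.125                   x.x.x.19
eth0        10.10.1.201                     x.x.x.20
eth0        192.168.1.0/24,10.10.1.0/24     x.x.x.17
```

After `shorewall check` and `shorewall restart`, `shorewall show nat` lists the DNAT and SNAT entries in the order above, and `ip route` on Box 1 should show the 10.10.1.0/24 route via 192.168.1.200; without that route the DNAT to 10.10.1.201 compiles but the forwarded packets have nowhere to go.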

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
