On 09/25/2017 09:09 AM, Rommel Rodriguez Toirac wrote:
> Hello;
> I have configured a network with Shorewall as a firewall in bastion
> host mode and I want to configure a DMZ.
> This is a little overview of what I have done.
>
> I declared three zones in my network; my internal network is in the
> 192.168.41.0/24 IP range (the Shorewall firewall uses the IP 172.16.120.1
> to masquerade it) and my external network is in 172.16.120.0/24. The DMZ
> is in the 192.168.14.0/24 IP range.
>
> The email and web browsing services depend on a first-level network
> installed in another center (the central offices); I mean, there is a
> central email server for all incoming and outgoing email and a central
> proxy for web access. For that I have assigned IPs for my email and proxy
> servers that are authorized.
>
> My network serves a third-level network (municipal offices). Email (pop3
> and smtp), instant messaging, FTP and web are some of the services they
> use.
>
> This is what I have done so far to try the DMZ config.
>
> - Declared the zones and the interfaces. Four zones: for the internal
> network (loc), for the external network (net), for the DMZ network (dmz)
> and for the firewall itself (fw). The interfaces are assigned to the
> corresponding zones using the interface identifiers.
>
> fw    firewall
> net   ipv4
> loc   ipv4
> dmz   ipv4
>
> net   enp4s1   tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc   enp5s0   tcpflags,nosmurfs,routefilter,logmartians
> dmz   enp7s0   tcpflags,nosmurfs,routefilter,logmartians
>
> - Configure the policy. The simplest: allow the firewall access to every
> network; the internal network can access the external network and the
> DMZ; the DMZ can access the local (internal) network and the external
> one. Access from the external network is not allowed; this will be
> controlled by the firewall rules. If something is needed from the
> internal network or from the DMZ network to the firewall, it will be
> controlled by the firewall rules. In the last place, if something is
> missing, it will be rejected.
>
> fw    net   ACCEPT   info
> fw    dmz   ACCEPT   info
> fw    loc   ACCEPT   info
> loc   net   ACCEPT   info
> loc   dmz   ACCEPT   info
> dmz   loc   ACCEPT   info
> dmz   net   ACCEPT   info
> net   all   DROP     info
> all   all   REJECT   info
>
> - Rules. Here I declared the services needed by my users (in my internal
> network and in the municipal offices), for example access to the instant
> messaging service, to the email services, access to the DNS services and
> queries to the external DNS from my network.
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> DNS(DNAT):info       net   dmz:192.168.14.12
> FTP(DNAT):info       net   dmz:192.168.14.13
> Squid(DNAT):info     net   dmz:192.168.14.18
> DNAT:info            net   dmz:192.168.14.15   tcp   5222,5223,5269
> DNAT:info            net   dmz:192.168.14.8    tcp   pop3,pop3s,smtp,smtps
> DNAT:info            net   dmz:192.168.14.14   tcp   http,https
>
> DNS(ACCEPT)          loc   dmz:192.168.14.12   tcp
> DNS(ACCEPT)          loc   dmz:192.168.14.12   udp
> FTP(ACCEPT):info     loc   dmz:192.168.14.13
> Squid(ACCEPT):info   loc   dmz:192.168.14.18
> ACCEPT:info          loc   dmz:192.168.14.15   tcp   5222,5223,5269
> ACCEPT:info          loc   dmz:192.168.14.8    tcp   pop3,pop3s,smtp,smtps
> ACCEPT:info          loc   dmz:192.168.14.14   tcp   http,https
>
> DNS(ACCEPT)   dmz   net   tcp
> DNS(ACCEPT)   dmz   loc   tcp
> DNS(ACCEPT)   dmz   net   udp
> DNS(ACCEPT)   dmz   loc   udp
>
> NTP(ACCEPT):info     dmz   loc:192.168.41.16
> ACCEPT:info          dmz   loc:192.168.41.16   tcp   111,2049,20048,43810,52834
> ACCEPT:info          dmz   loc:192.168.41.16   udp   111,2049,20048,47934,54948
> SMB(ACCEPT):info     dmz   loc:192.168.41.16
>
> - As I mentioned earlier, my network has authorized IP addresses from
> which it can access the email service and proxy on the central servers;
> to make this possible I use snat. With snat I masquerade my network too.
>
> SNAT(172.16.120.8)   192.168.14.8      enp4s1   25,110
> SNAT(172.16.120.2)   192.168.14.18     enp4s1   3128
> SNAT(172.16.120.1)   192.168.41.0/24   enp4s1
>
> Using this config the firewall is not working fine. For example, the
> users in the municipal offices cannot access services in my network. I
> still cannot test access to the services in the central offices. Is this
> config well planned? Is it possible that, using this config, on the
> central offices' servers the packets sent from the email server of my
> network are identified with the IP 172.16.120.8 and those from the proxy
> with 172.16.120.2? Is that correct?
>
> Thanks for your attention and sorry for my horrible English.
>
Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.org/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
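As an added illustration (not part of the thread, and not Tom's or Shorewall's code): a small Python model of how Shorewall resolves the quoted policy and snat tables by first match, which makes it easy to see which zone pairs fall through to the final `all all REJECT` line and which DMZ traffic leaves enp4s1 with its private source address. It assumes tcp for the port-restricted snat entries, which the quoted lines do not state.

```python
import ipaddress

# Policy table as quoted in the post: (SOURCE, DEST, POLICY); order matters.
POLICY = [
    ("fw", "net", "ACCEPT"), ("fw", "dmz", "ACCEPT"), ("fw", "loc", "ACCEPT"),
    ("loc", "net", "ACCEPT"), ("loc", "dmz", "ACCEPT"),
    ("dmz", "loc", "ACCEPT"), ("dmz", "net", "ACCEPT"),
    ("net", "all", "DROP"), ("all", "all", "REJECT"),
]

# snat table as quoted: (new source, SOURCE match, out interface, proto, ports).
# The quoted lines give ports but no protocol; tcp is assumed here.
SNAT = [
    ("172.16.120.8", "192.168.14.8", "enp4s1", "tcp", {25, 110}),
    ("172.16.120.2", "192.168.14.18", "enp4s1", "tcp", {3128}),
    ("172.16.120.1", "192.168.41.0/24", "enp4s1", None, None),
]


def policy_for(src_zone, dst_zone):
    """First policy line whose SOURCE and DEST match wins ('all' matches any zone)."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None  # unreachable with a trailing 'all all' line


def snat_source(src_ip, out_if, proto=None, dport=None):
    """Address a packet leaves with: first matching snat entry, else the original."""
    ip = ipaddress.ip_address(src_ip)
    for new_src, match, iface, p, ports in SNAT:
        if iface != out_if or ip not in ipaddress.ip_network(match, strict=False):
            continue
        if p is not None and (proto != p or dport not in ports):
            continue
        return new_src
    return src_ip


def unhandled_pairs(zones=("fw", "net", "loc", "dmz")):
    """Zone pairs no explicit line covers, so they hit the final 'all all REJECT'."""
    return [(s, d) for s in zones for d in zones
            if s != d and policy_for(s, d) == "REJECT"]


if __name__ == "__main__":
    print("falls to REJECT:", unhandled_pairs())  # loc->fw and dmz->fw
    for ip, proto, port in [("192.168.14.8", "tcp", 25), ("192.168.14.8", "tcp", 443),
                            ("192.168.14.12", "udp", 53), ("192.168.41.20", "tcp", 80)]:
        print(ip, proto, port, "->", snat_source(ip, "enp4s1", proto, port))
```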
