On 09/25/2017 09:09 AM, Rommel Rodriguez Toirac wrote:
> Hello;
> I have configured a network with Shorewall as a firewall in bastion host
> mode and I want to configure a DMZ.
> This is a brief view of what I have done.
>
> I declared three zones in my network; the 192.168.41.0/24 IP range is
> my internal network (the Shorewall firewall uses the 172.16.120.1 IP
> to masquerade it) and 172.16.120.0/24 is my external one. The DMZ is in
> the 192.168.14.0/24 IP range.
>
> The email and web browsing services depend on a first-level network
> installed in another center (central offices); I mean, there is a
> central email server for all inbound and outbound email and a central
> proxy for web access. For that I have an assigned IP for my email and
> proxy servers that is authorized.
>
> My network serves a third-level network (municipal offices). Email
> (POP3 and SMTP), instant messaging, FTP and web are some of the services
> they use.
>
> This is my workaround to try the DMZ config.
>
> - Declared the zones and the interfaces. Four zones: for the internal
> network (loc), for the external network (net), for the DMZ network (dmz)
> and for the firewall itself (fw). The interfaces are assigned to the
> corresponding zones using the interface identifiers.
>
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
>
> net enp4s1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc enp5s0 tcpflags,nosmurfs,routefilter,logmartians
> dmz enp7s0 tcpflags,nosmurfs,routefilter,logmartians
>
>
> - Configure the policy. The simplest one: allow access from the firewall
> to every network; from the internal network, access to the external
> network and to the DMZ; from the DMZ, access to the local or internal
> network and to the external one. From the external network access is not
> allowed; this will be controlled by the firewall rules. If something
> is needed from the internal network or from the DMZ network to the
> firewall, it will be controlled by the firewall rules.
> In the last place, if something is missing it will be rejected.
>
> fw net ACCEPT info
> fw dmz ACCEPT info
> fw loc ACCEPT info
> loc net ACCEPT info
> loc dmz ACCEPT info
> dmz loc ACCEPT info
> dmz net ACCEPT info
> net all DROP info
> all all REJECT info
>
> - Rules. Here I declared the services needed by my users (in my internal
> network and in the municipal offices), for example access to the
> instant messaging service, to the email services, to the DNS
> services, and consulting the external DNS from my network.
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> DNS(DNAT):info net dmz:192.168.14.12
> FTP(DNAT):info net dmz:192.168.14.13
> Squid(DNAT):info net dmz:192.168.14.18
> DNAT:info net dmz:192.168.14.15 tcp 5222,5223,5269
> DNAT:info net dmz:192.168.14.8 tcp pop3,pop3s,smtp,smtps
> DNAT:info net dmz:192.168.14.14 tcp http,https
>
> DNS(ACCEPT) loc dmz:192.168.14.12 tcp
> DNS(ACCEPT) loc dmz:192.168.14.12 udp
> FTP(ACCEPT):info loc dmz:192.168.14.13
> Squid(ACCEPT):info loc dmz:192.168.14.18
> ACCEPT:info loc dmz:192.168.14.15 tcp 5222,5223,5269
> ACCEPT:info loc dmz:192.168.14.8 tcp pop3,pop3s,smtp,smtps
> ACCEPT:info loc dmz:192.168.14.14 tcp http,https
>
> DNS(ACCEPT) dmz net tcp
> DNS(ACCEPT) dmz loc tcp
> DNS(ACCEPT) dmz net udp
> DNS(ACCEPT) dmz loc udp
>
> NTP(ACCEPT):info dmz loc:192.168.41.16
> ACCEPT:info dmz loc:192.168.41.16 tcp 111,2049,20048,43810,52834
> ACCEPT:info dmz loc:192.168.41.16 udp 111,2049,20048,47934,54948
> SMB(ACCEPT):info dmz loc:192.168.41.16
>
> - As I mentioned earlier, my network has an authorized IP address from
> which it can access the email service and the proxy in the central
> servers; to make this possible I use SNAT.
> With SNAT I masquerade my network too.
>
> SNAT(172.16.120.8) 192.168.14.8 enp4s1 25,110
> SNAT(172.16.120.2) 192.168.14.18 enp4s1 3128
> SNAT(172.16.120.1) 192.168.41.0/24 enp4s1
>
>
> Using this config the firewall is not working fine. For example, the
> users in the municipal offices cannot access services in my network.
> I still cannot test the access to the services in the central offices.
> Is this config well planned? Is it possible that, using this config, the
> central offices' server sees the packets sent from the email server of my
> network identified with the IP 172.16.120.8 and the proxy's with
> 172.16.120.2? Is that correct?
>
> Thanks for your attention and sorry for my horrible English.
>
>
Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.org/support.htm#Guidelines.
Thanks,
-Tom
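As an added illustration (not part of this thread and not Shorewall code), the following Python model evaluates the quoted policy and a subset of the quoted rules the way Shorewall does: first matching rule in the NEW section wins, otherwise the first matching policy entry. Running it shows that the `dmz loc ACCEPT` policy lets any DMZ host reach any internal host on any port, so the rules restricting DMZ hosts to 192.168.41.16 never come into play. The macro expansions and service port names are assumed from the stock Shorewall macros.

```python
"""Model of the quoted Shorewall policy/rules (added here, not Shorewall code):
first matching NEW-section rule wins, else the first matching policy entry."""
MACROS = {"DNS": {("tcp", 53), ("udp", 53)}, "FTP": {("tcp", 21)},      # assumed
          "Squid": {("tcp", 3128)}, "NTP": {("udp", 123)},              # expansions
          "SMB": {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}}
PORTS = {"pop3": 110, "pop3s": 995, "smtp": 25, "smtps": 465, "http": 80, "https": 443}
# Policy entries exactly as in the post: (SOURCE, DEST, POLICY), evaluated in order.
POLICY = [("fw", "net", "ACCEPT"), ("fw", "dmz", "ACCEPT"), ("fw", "loc", "ACCEPT"),
          ("loc", "net", "ACCEPT"), ("loc", "dmz", "ACCEPT"), ("dmz", "loc", "ACCEPT"),
          ("dmz", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]
# A subset of the post's rules, with the columns separated as Shorewall expects.
RULES_TEXT = """
DNS(DNAT):info    net   dmz:192.168.14.12
DNAT:info         net   dmz:192.168.14.8   tcp  pop3,pop3s,smtp,smtps
DNS(ACCEPT)       loc   dmz:192.168.14.12  tcp
ACCEPT:info       loc   dmz:192.168.14.15  tcp  5222,5223,5269
NTP(ACCEPT):info  dmz   loc:192.168.41.16
SMB(ACCEPT):info  dmz   loc:192.168.41.16
"""

def parse_rule(line):
    """Return (action, src_zone, dst_zone, dst_host, {(proto, port)} or None)."""
    f = line.split()
    action = f[0].split(":")[0]                      # strip the ':info' log level
    macro = None
    if action.endswith(")"):                         # MACRO(ACTION) form
        macro, action = action[:-1].split("(")
    dst_zone, _, dst_host = f[2].partition(":")
    if macro:                                        # optional PROTO column narrows the macro
        ports = {pp for pp in MACROS[macro] if len(f) < 4 or pp[0] == f[3]}
    elif len(f) >= 5:
        ports = {(f[3], PORTS[p] if p in PORTS else int(p)) for p in f[4].split(",")}
    else:
        ports = None                                 # any protocol and port
    return action, f[1], dst_zone, dst_host or None, ports

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

def verdict(src, dst_zone, dst_host, proto, port, rules=RULES, policy=POLICY):
    """Disposition of a NEW connection from zone src to dst_host in dst_zone."""
    for action, rsrc, rdst, rhost, ports in rules:
        if (rsrc == src and rdst == dst_zone and rhost in (None, dst_host)
                and (ports is None or (proto, port) in ports)):
            return action
    for psrc, pdst, action in policy:
        if psrc in (src, "all") and pdst in (dst_zone, "all"):
            return action
    return "REJECT"                                  # Shorewall's implicit default
```

Calling `verdict("dmz", "loc", "192.168.41.20", "tcp", 22)` returns ACCEPT from the policy alone, whereas `verdict("net", "dmz", "192.168.14.12", "tcp", 22)` falls through to the `net all DROP` policy as intended.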
--
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
