Hello all;
Here I send some configs and traces of my shorewall firewall.
I have made some workarounds, so maybe this is a little different from the one that I sent in the shorewall-dump.tar.gz; but the problem is still present.
This is the situation.
Our networks are private.
(municipal networks use provincial network services)
Some networks that are outside of my office network use some services in it; for example, my smtp service is used as a gateway for the email service in these offices, they use mailboxes accessed with the pop3 service, they use the FTP server and use the jabber service that we serve.
(municipal offices have their own DNS and Domain)
Our municipal offices have their own DNS services and their Domain, managed with Windows 2008 Active Directory, so the resolution of their PC names and IP numbers is done locally for them.
(IP addresses and PC names unknown)
In the municipal offices, the DNS service has a Forwarder configured, so that all PC names or IP numbers unknown to them are sent to my bind server. The Forwarder IP number is the IP of the net (or internet) interface in my shorewall config [172.16.120.1]. This is with the intention of configuring all services in the municipal networks using DNS names and not IP numbers. For example, to access my FTP server, use ftp.gtm.onat.gob.cu and not a number.
(bind with views in my DMZ)
In the DMZ (provincial network) I have configured a DNS service with bind using views, listening to the requests of the municipal networks.

When I point to ftp.gtm.onat.gob.cu from some PC in a municipal network, nothing happens, and shorewall does not log the event either. When I point to 172.16.120.1 the connection is established with no problems. Nothing that I try to access with PC or alias names of my network succeeds; everything must be done with IP addresses.
Nevertheless, I made a test with nslookup from a PC in a municipal network and this is the answer:

###nslookup from gtm08
C:\Users\Administrador>nslookup
Servidor predeterminado:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

> gtmem
Servidor:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

Respuesta no autoritativa:
Nombre:  gtmem.gtm.onat.gob.cu
Address:  192.168.14.4

> mail.gtm.onat.gob.cu
Servidor:  gtm08.cai.gtm.onat.gob.cu
Address:  172.16.123.11

Respuesta no autoritativa:
Nombre:  gtmem.gtm.onat.gob.cu
Address:  192.168.14.4
Aliases:  mail.gtm.onat.gob.cu


What did I do wrong? Where is my mistake? Shorewall or bind or Windows 2008 DNS config? Why is it impossible to use PC names or aliases to access services from outside my network?



###rules
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

DNAT:info net dmz:192.168.14.6 tcp 53
DNAT:info net dmz:192.168.14.6 udp 53
ACCEPT:info dmz net udp 53
ACCEPT:info dmz net tcp 53
ACCEPT:info loc dmz tcp 53
ACCEPT:info loc dmz udp 53
ACCEPT:info $FW dmz udp 53
ACCEPT:info $FW dmz tcp 53
ACCEPT:info $FW loc udp 53
ACCEPT:info $FW loc tcp 53
ACCEPT:info $FW net udp 53
ACCEPT:info $FW net tcp 53
DNAT:info net dmz:192.168.14.7 tcp 21,20
DNAT:info net dmz:192.168.14.7 udp 21,20
ACCEPT:info dmz net tcp 21,20
ACCEPT:info dmz net udp 21,20
ACCEPT:info loc dmz tcp 21,20
ACCEPT:info loc dmz udp 21,20
DNAT:info net dmz:192.168.14.5 tcp 3128
ACCEPT:info dmz net tcp 3128
ACCEPT:info loc dmz tcp 3128
DNAT:info net dmz:192.168.14.3 tcp 5222,5223,5269
ACCEPT:info dmz net tcp 5222,5223,5269
ACCEPT:info loc dmz tcp 5222,5223,5269
DNAT:info net dmz:192.168.14.4 tcp 25,110,143,465,993,995
ACCEPT:info dmz net tcp 25,110,143,465,993,995
ACCEPT:info loc dmz tcp 25,110,143,465,993,995
DNAT:info net dmz:192.168.14.8 tcp 80,443
ACCEPT:info dmz net tcp 80,443
ACCEPT:info loc dmz tcp 80,443
SMB(ACCEPT):info loc dmz tcp
NTP(ACCEPT):info dmz loc:192.168.41.16
ACCEPT:info dmz loc:192.168.41.16 tcp 111,2049,20048,43810,52834
ACCEPT:info dmz loc:192.168.41.16 udp 111,2049,20048,47934,54948
SMB(ACCEPT):info dmz loc:192.168.41.16
NTP(ACCEPT) $FW loc:192.168.41.16
Ping(ACCEPT) dmz $FW,loc,net
Ping(ACCEPT) $FW loc,dmz,net
Ping(ACCEPT) loc:192.168.41.6 $FW,dmz,loc
SSH(ACCEPT) loc:192.168.41.6 dmz
SSH(ACCEPT) loc:192.168.41.6 fw
ACCEPT loc:192.168.41.6 dmz:192.168.14.2,192.168.14.9 tcp 8006
  
###zones
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4

###interfaces
#ZONE INTERFACE OPTIONS
net enp4s1 tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc enp5s0 tcpflags,nosmurfs,routefilter,logmartians
dmz enp7s0 tcpflags,nosmurfs,routefilter,logmartians

###policy
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
loc net ACCEPT info
net all DROP info
all all REJECT info

###snat
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
SNAT(172.16.120.1) 192.168.14.0/24 enp4s1
SNAT(172.16.120.1) 192.168.41.0/24 enp4s1

###shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=info
ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/v

Rommel Rodriguez Toirac
[email protected]

On Oct. 27, 2017 10:55 AM, Rommel Rodriguez Toirac <[email protected]> wrote:


On Oct. 26, 2017 7:10 PM, Bill Shirley <[email protected]> wrote:

You don't have any name servers for gob.cu:
; <<>> DiG 9.10.3-P4-RedHat-9.10.3-9.P4.fc22 <<>> gob.cu ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gob.cu.                IN    NS

;; AUTHORITY SECTION:
cu.            3600    IN    SOA    ns.ceniai.net.cu. cu-tech.ceniai.inf.cu. 2017102605 3600 1800 1209600 3600

;; Query time: 154 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 26 19:56:46 EDT 2017
;; MSG SIZE  rcvd: 104

The query above should answer with name servers, like the one below:
; <<>> DiG 9.10.3-P4-RedHat-9.10.3-9.P4.fc22 <<>> example.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57752
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.            IN    NS

;; ANSWER SECTION:
example.com.        86400    IN    NS b.iana-servers.net.
example.com.        86400    IN    NS a.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net.    109216    IN    A    199.43.135.53
b.iana-servers.net.    109216    IN    A    199.43.133.53
a.iana-servers.net.    109216    IN    AAAA 2001:500:8f::53
b.iana-servers.net.    109216    IN    AAAA 2001:500:8d::53

;; Query time: 43 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 26 20:04:54 EDT 2017
;; MSG SIZE  rcvd: 176
See the ANSWER SECTION.

Your DNS is not set up.

Hope this helps,
Bill

On 10/:03 PM, Rommel Rodriguez Toirac wrote:
> Hello all;
> I finally tested the config of my firewall using it as a DMZ but have some problems.
> For example, in the DMZ I have a DNS server; access to it is allowed from the internal network or loc zone and from
> outside or net zone; in the DMZ are also the FTP, jabber, web and email servers. It happens that from outside or net zone I cannot
> access any of these servers using the name, IP or alias of the server.
> In my municipal networks, in the DNS servers, I added a server forwarder; this was the IP of my external interfaces. This is
> for all requests that cannot be found in their network to be sent to me.
> From a municipal network, when I try to access the email server of my network pointing to the alias (mail.gtm.gob.cu) it never
> connects. This happened with all requests made to a name, or alias. If I use the IP address of the server everything works fine.
> I know this is a problem of DNS, but I configured the DNS to allow access from the outside network and from the inside network
> using views.
> Attached I send the shorewall dump.
> I try to be sure that it is not a problem of shorewall denying access to the DMZ zone where the DNS server and all other
> servers are.
> Thanks for the attention and forgive my bad English.
>
>


Our network is separated into three (3) levels: national level, provincial level and municipal level. All of them are considered private networks and domains. For example, my network is administered here by me, and the networks of my municipalities are administered in their own places. That is why you don't have answers.
My problem is that my network provides services to our municipal networks and they access these services just by IP address; if I configure access by name, it is impossible.
I don't know if now it is a little more clear.
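The nslookup output in the thread shows the municipal client being handed 192.168.14.4, the DMZ address of the mail host, while the rules file only forwards net-zone traffic that arrives at the firewall's net address 172.16.120.1. The following added example (not code from the thread or from Shorewall) audits resolver answers against the DNAT lines: any name that resolves, for a net-zone client, to a DNAT target instead of the firewall address is flagged. The rule subset and the mail answer are taken from the thread; the ftp answer is a constructed, hypothetical correct one.

```python
import ipaddress
import re

# Constructed from the thread: the net-side firewall address (the forwarder the
# municipal DNS servers point at), the DMZ network, and the DNAT lines of the
# rules file. A net-zone client must reach the firewall address for DNAT to apply.
FIREWALL_NET_ADDR = ipaddress.ip_address("172.16.120.1")
DMZ_NET = ipaddress.ip_network("192.168.14.0/24")
RULES = """
DNAT:info net dmz:192.168.14.6 tcp 53
DNAT:info net dmz:192.168.14.7 tcp 21,20
DNAT:info net dmz:192.168.14.3 tcp 5222,5223,5269
DNAT:info net dmz:192.168.14.4 tcp 25,110,143,465,993,995
DNAT:info net dmz:192.168.14.8 tcp 80,443
"""
DNAT_RE = re.compile(r"^DNAT\S*\s+net\s+dmz:(\S+)\s+(tcp|udp)\s+(\S+)")

def dnat_targets(rules: str) -> dict:
    """Map each DMZ host address to the (proto, port) pairs DNATed to it from net."""
    targets = {}
    for line in rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        host, proto, ports = m.groups()
        targets.setdefault(host, set()).update(
            (proto, int(p)) for p in ports.split(","))
    return targets

def check_answer(name: str, answer: str, targets: dict) -> str:
    """Judge an A record as served to a client sitting in the net zone."""
    ip = ipaddress.ip_address(answer)
    if ip == FIREWALL_NET_ADDR:
        return "ok"  # client hits the firewall; DNAT carries it into the DMZ
    if answer in targets:
        ports = sorted(p for _, p in targets[answer])
        return (f"leak: {name} -> {answer} is the DNAT target for ports {ports}; "
                f"net-zone clients must be given {FIREWALL_NET_ADDR} instead")
    if ip in DMZ_NET:
        return f"leak: {name} -> {answer} is a DMZ address with no DNAT rule"
    return f"unexpected: {name} -> {answer} is neither the firewall nor the DMZ"

# Constructed: the mail answer is what nslookup from gtm08 returned in the
# thread; the ftp answer is a hypothetical correct one for comparison.
OBSERVED = {"mail.gtm.onat.gob.cu": "192.168.14.4",
            "ftp.gtm.onat.gob.cu": "172.16.120.1"}

def audit(observed: dict = OBSERVED, rules: str = RULES) -> dict:
    targets = dnat_targets(rules)
    return {n: check_answer(n, a, targets) for n, a in observed.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(name, verdict)
```

The same check can be run against live answers by replacing OBSERVED with the A records a resolver in the municipal view returns; the view served to net-zone clients should hand out the firewall address for every DNATed service.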


Attachment: named.tgz
Description: GNU Unix tar archive

Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
