bluegrass
6th November 2006, 05:54
I have configured one of my servers to be used as the firewall and proxy at the same time for some of my client workstations. I have used Debian Sarge as my OS, Shorewall as my firewall, and Squid and SquidGuard for my proxy.
After configuring the server, and upon testing the internet access of my client workstations, it was successful. Now I am testing the access from the internet. I was trying to forward all HTTP access from the internet to one of my local servers, but it seems that I have misconfigured something or there are some other configurations that I should make, because the access cannot be successful.
The server has two interfaces:
eth0: 203.177.xx.xxx
eth1: 192.168.0.4
Here are the shorewall configuration files:
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect maclist
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net REJECT info
loc $FW REJECT info
loc all REJECT info
$FW net ACCEPT info
$FW loc REJECT info
$FW all REJECT info
net $FW REJECT info
net loc REJECT info
net all DROP info
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT net:203.177.xx.xxx/27 $FW tcp 22 #SSH
ACCEPT net:203.177.xx.xxx/27 $FW tcp 10000 #Webmin
ACCEPT net:203.177.xx.xxx/27 $FW udp 10000 #Webmin
ACCEPT net:203.177.xx.xxx/27 $FW icmp 8 #PING
#ACCEPT net $FW tcp 80
DNAT:info net loc:192.168.0.5 tcp 80
ACCEPT loc net tcp 80
ACCEPT $FW loc:192.168.0.5 tcp 80
ACCEPT $FW loc:192.168.0.5 tcp 22
ACCEPT $FW net tcp 80
ACCEPT loc:192.168.0.1/23 $FW tcp 22
I have checked whether NAT is enabled on my kernel and here are the results:
/etc/shorewall# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
/etc/shorewall# cat /proc/sys/net/ipv4/ip_forward
1
/etc/shorewall# cat /etc/network/options
ip_forward=yes
spoofprotect=yes
syncookies=no
When I try the connection from a PC that uses another public IP, and connect my browser to the server's public IP address, the expected web page is not displayed and a connection error is displayed instead.
Is/Are there any other configuration files I should configure?
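The following is an added example, not part of the post above and not Shorewall's own code. It reads the poster's /etc/shorewall/rules and /etc/shorewall/policy contents (embedded below as constructed sample text, comments trimmed) and evaluates a packet the way Shorewall does: the first matching line in SECTION NEW decides, and only if no rule matches does the first matching policy line apply. It is a deliberately simplified model: it ignores the ESTABLISHED/RELATED sections, source ports, the ORIGINAL DEST column and the maclist option, it treats a DNAT rule as matching any traffic addressed to the firewall itself, and the masked 203.177.xx.xxx/27 qualifier from the post is kept verbatim and can never match, so those rules fall through to policy. The test addresses 198.51.100.7 and 192.168.0.10 are constructed.

```python
"""Evaluate Shorewall 'rules' and 'policy' files the way the firewall does:
first matching rule in SECTION NEW wins, otherwise the first matching policy.
Added example; not part of the forum post and not Shorewall's own code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the post's /etc/shorewall/rules (comments trimmed).
RULES = """
SECTION NEW
ACCEPT net:203.177.xx.xxx/27 $FW tcp 22 #SSH
ACCEPT net:203.177.xx.xxx/27 $FW tcp 10000 #Webmin
ACCEPT net:203.177.xx.xxx/27 $FW udp 10000 #Webmin
ACCEPT net:203.177.xx.xxx/27 $FW icmp 8 #PING
#ACCEPT net $FW tcp 80
DNAT:info net loc:192.168.0.5 tcp 80
ACCEPT loc net tcp 80
ACCEPT $FW loc:192.168.0.5 tcp 80
ACCEPT $FW loc:192.168.0.5 tcp 22
ACCEPT $FW net tcp 80
ACCEPT loc:192.168.0.1/23 $FW tcp 22
"""

# Constructed from the post's /etc/shorewall/policy.
POLICY = """
loc net REJECT info
loc $FW REJECT info
loc all REJECT info
$FW net ACCEPT info
$FW loc REJECT info
$FW all REJECT info
net $FW REJECT info
net loc REJECT info
net all DROP info
all all REJECT info
"""


@dataclass
class Packet:
    """A new connection as seen by the firewall; zones are 'net', 'loc', '$FW'."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_ip: str = ""
    dst_ip: str = ""


def _fields(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("SECTION"):
            yield line.split()


def _zone_match(spec, zone, ip):
    """Match a 'zone[:address]' column against a packet zone and address.

    'all' matches every zone.  An address qualifier is matched as a network
    (Shorewall tolerates host bits set, hence strict=False).  An address that
    cannot be parsed (the post's masked 203.177.xx.xxx) never matches.
    """
    zspec, _, addr = spec.partition(":")
    if zspec != "all" and zspec != zone:
        return False
    if not addr:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False


def _rule_matches(cols, pkt):
    action, src, dst = cols[0], cols[1], cols[2]
    proto = cols[3] if len(cols) > 3 else "all"
    dport = cols[4] if len(cols) > 4 else "-"
    verb = action.split(":", 1)[0]          # strip a ':loglevel' suffix
    if proto not in ("all", "-") and proto != pkt.proto:
        return False
    if dport != "-" and str(pkt.dport) not in dport.split(","):
        return False
    if not _zone_match(src, pkt.src_zone, pkt.src_ip):
        return False
    if verb == "DNAT":
        # Simplification: with no ORIGINAL DEST column, a DNAT rule matches
        # traffic addressed to the firewall; DEST is the redirect target.
        return pkt.dst_zone == "$FW"
    return _zone_match(dst, pkt.dst_zone, pkt.dst_ip)


def evaluate(pkt, rules=RULES, policy=POLICY):
    """Return (verdict, origin). verdict is ACCEPT/REJECT/DROP or 'DNAT->ip';
    origin names the rule or policy line that decided."""
    for cols in _fields(rules):
        if _rule_matches(cols, pkt):
            verb = cols[0].split(":", 1)[0]
            if verb == "DNAT":
                return f"DNAT->{cols[2].partition(':')[2]}", "rule: " + " ".join(cols)
            return verb, "rule: " + " ".join(cols)
    for src, dst, verdict, *_ in _fields(policy):
        if src in ("all", pkt.src_zone) and dst in ("all", pkt.dst_zone):
            return verdict, f"policy: {src} {dst} {verdict}"
    return "DROP", "implicit"


if __name__ == "__main__":
    for p in (Packet("net", "$FW", "tcp", 80, "198.51.100.7"),
              Packet("net", "$FW", "tcp", 22, "198.51.100.7"),
              Packet("loc", "net", "tcp", 443, "192.168.0.10", "198.51.100.7")):
        print(p, "->", evaluate(p))
```

Under this model, an outside HTTP request to the firewall's public address hits the DNAT rule, and an outside SSH attempt falls through to the `net $FW REJECT` policy because the masked /27 qualifier cannot match. Since the rule set itself does redirect port 80, whatever still breaks the connection lies in things the rule files do not express and this evaluator does not model, such as the forwarded packet's return path from 192.168.0.5 back through the firewall.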