From: Gary B. <inh...@gm...> - 2005-04-19 13:26:03
s/fw/$FW

On 4/19/05, Marc Schillinger <m.s...@po...> wrote:
>
>
> Hi,
>
> I'm trying to enable ssh (when that works, I want to add: pop3s, smtp, web) from
> the internet to the firewall, but it does not work.
> I managed to DNAT ftp to a host in the loc network (192.168.0.50) successfully,
> but I don't know why SSH does not:
>
> Does not work for me:
> ACCEPT net fw tcp 22
>
> Works from the loc network:
> ACCEPT loc fw tcp 22
>
> I have also tried (no success):
> AllowSSH net fw
>
> I have set up the "two interface example" with modifications:
> eth1 is the interface connected to adsl (ppp0) and eth0 the interface
> connected to the LAN.
>
> (I tried the connections from the internet (job) + I used web services that
> check a firewall for open ports:
> http://probe.hackerwatch.org/probe/probe.asp or
> https://grc.com/x/ne.dll?bh0bkyd2)
>
> Please help me, I'm desperate!
>
> My shorewall config files (I posted only the files that have something set):
>
> INTERFACES:
> ----------------------------------------------------------------------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           dhcp,norfc1918,tcpflags
> loc     eth0        detect      tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> MASQ:
> ----------------------------------------------------------------------------
> #INTERFACE   SUBNET   ADDRESS
> eth1         eth0     213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> MODULES:
> ----------------------------------------------------------------------------
> #
>
> loadmodule ip_tables
> loadmodule iptable_filter
> loadmodule ip_conntrack
> loadmodule ip_conntrack_ftp
> loadmodule ip_conntrack_tftp
> loadmodule ip_conntrack_irc
> loadmodule iptable_nat
> loadmodule ip_nat_ftp
> loadmodule ip_nat_tftp
> loadmodule ip_nat_irc
>
> NAT:
> ----------------------------------------------------------------------------
> #EXTERNAL         INTERFACE   INTERNAL       ALL          LOCAL
> #                                            INTERFACES
> #213.155.200.43   ppp0        192.168.0.50   yes          yes
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> POLICY:
> ----------------------------------------------------------------------------
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw        net    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> ROUTESTOPPED:
> ----------------------------------------------------------------------------
> #INTERFACE   HOST(S)
> eth0         -
> #eth1        IP POINTERCOM
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> RULES:
> ----------------------------------------------------------------------------
> ACCEPT     fw    net                tcp    53
> ACCEPT     fw    net                udp    53
> AllowDNS   loc   fw
> AllowDNS   fw    net
> # Allow Ping To And From Firewall
> #
> ACCEPT     loc   fw                 icmp   8
> ACCEPT     net   fw                 icmp   8
> ACCEPT     fw    loc                icmp
> ACCEPT     fw    net                icmp
> #
> # Accept SSH connections from the local + internet network for administration
> #
> ACCEPT     loc   fw                 tcp    22
> ACCEPT     net   fw                 tcp    22
> #
> #
> # Accept WEBMIN connections from the local network to the firewall
> #
> ACCEPT     loc   fw                 tcp    10000
> #
> # ACCEPT FTP TO loc LAN PC
> DNAT       net   loc:192.168.0.50   tcp    21    21
> #
> # INCOMING
> #AllowPing   net   fw
> #AllowSSH    net   fw
> #AllowSSH    loc   fw
> #AllowDNS    net   fw
> #AllowFTP    net   fw
> #AllowWeb    net   fw
> #AllowSMTP   net   fw
> #AllowPOP3   net   fw
> #AllowIMAP   net   fw
> #REDIRECT    net   22   tcp   22
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> SHOREWALL.CONF:
> ----------------------------------------------------------------------------
> LOGFILE=/var/log/firewall
> LOGFORMAT="Shorewall:%s:%s:"
> LOGRATE=
> LOGBURST=
> BLACKLIST_LOGLEVEL=
> LOGNEWNOTSYN=info
> MACLIST_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=info
> RFC1918_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/sh
> SUBSYSLOCK=/var/lock/subsys/shorewall
> STATEDIR=/var/lib/shorewall
> MODULESDIR=
> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> RESTOREFILE=
> FW=fw
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> TC_ENABLED=No
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=No
> CLAMPMSS=yes
> ROUTE_FILTER=Yes
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> NEWNOTSYN=Yes
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> MODULE_SUFFIX=
> DISABLE_IPV6=No
> BRIDGING=No
> DYNAMIC_ZONES=No
> PKTTYPE=Yes
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
> #LAST LINE -- DO NOT REMOVE
>
> START:
> ----------------------------------------------------------------------------
> run_iptables -I INPUT   -i eth0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
> run_iptables -I FORWARD -i eth0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
> run_iptables -I FORWARD -o eth0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
> run_iptables -I OUTPUT  -o eth0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
> run_iptables -I INPUT   -i ppp0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
> run_iptables -I FORWARD -i ppp0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
> run_iptables -I FORWARD -o ppp0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
> run_iptables -I OUTPUT  -o ppp0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
>
> TOS:
> ----------------------------------------------------------------------------
> #SOURCE   DEST   PROTOCOL   SOURCE PORTS   DEST PORTS   TOS
> all       all    tcp        -              ssh          16
> all       all    tcp        ssh            -            16
> all       all    tcp        -              ftp          16
> all       all    tcp        ftp            -            16
> all       all    tcp        ftp-data       -            8
> all       all    tcp        -              ftp-data     8
> #LAST LINE -- Add your entries above -- DO NOT REMOVE
>
> ZONES:
> ----------------------------------------------------------------------------
> #ZONE   DISPLAY   COMMENTS
> net     Net       Internet
> loc     Local     Local Networks
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> Thanks for any help,
> Marc
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Sho...@li...
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
>
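The thread turns on how Shorewall decides what to do with a connection: the rules file is consulted first (first match wins), and only if no rule matches does the first matching policy apply, with `$FW` standing for the zone named by `FW=` in shorewall.conf. The script below is an added example, not code from the thread or from Shorewall itself; it is a simplified model of that ordering that lets you audit a rules/policy pair offline. The embedded config is a trimmed copy of the files posted above; the `MACROS` table is a hypothetical expansion of a few `Allow*` macros, and only numeric ports are handled.

```python
"""Simplified Shorewall rule/policy evaluator (added example, not Shorewall's own code).

Model: rules are tried top to bottom and the first match decides; otherwise
the first matching policy line decides.  Zones may carry a host suffix
("loc:192.168.0.50"); only the zone part is matched here.
"""

# Trimmed copies of the files from the thread above.
SHOREWALL_CONF = "FW=fw\n"

POLICY = """\
#SOURCE DEST POLICY LOG
loc     net  ACCEPT
fw      net  ACCEPT
net     all  DROP   info
all     all  REJECT info
"""

RULES = """\
#ACTION   SOURCE DEST              PROTO PORT
ACCEPT    fw     net               tcp   53
ACCEPT    fw     net               udp   53
AllowDNS  loc    $FW
ACCEPT    loc    fw                icmp  8
ACCEPT    net    fw                icmp  8
ACCEPT    loc    fw                tcp   22
ACCEPT    net    fw                tcp   22
ACCEPT    loc    fw                tcp   10000
DNAT      net    loc:192.168.0.50  tcp   21  21
"""

# Hypothetical expansion table for a few Shorewall "Allow*" macros (assumption).
MACROS = {
    "AllowSSH": [("tcp", "22")],
    "AllowDNS": [("udp", "53"), ("tcp", "53")],
    "AllowPing": [("icmp", "8")],
}


def parse_conf(text):
    """Parse KEY=VALUE lines of shorewall.conf into a dict (quotes stripped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def _fields(text, fw_zone):
    """Yield the whitespace-separated fields of each non-comment line, with $FW expanded."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield [field.replace("$FW", fw_zone) for field in line.split()]


def parse_rules(text, fw_zone):
    """Return (action, src, dst, proto, port) tuples; macros expand to ACCEPT rules."""
    rules = []
    for fields in _fields(text, fw_zone):
        action, src, dst = fields[0], fields[1], fields[2]
        proto = fields[3] if len(fields) > 3 else "-"
        port = fields[4] if len(fields) > 4 else "-"
        if action in MACROS:
            rules.extend(("ACCEPT", src, dst, p, prt) for p, prt in MACROS[action])
        else:
            rules.append((action, src, dst, proto, port))
    return rules


def parse_policy(text, fw_zone):
    """Return (src, dst, policy) tuples in file order."""
    return [(f[0], f[1], f[2]) for f in _fields(text, fw_zone)]


def _match_zone(pattern, zone):
    # "all" matches any zone; strip a host qualifier such as "loc:192.168.0.50".
    return pattern.split(":", 1)[0] in ("all", zone)


def _match_port(pattern, port):
    # "-" means any port; otherwise the column may be a comma-separated list.
    return pattern == "-" or str(port) in pattern.split(",")


def evaluate(rules, policies, src, dst, proto, port):
    """Return (verdict, 'rule'|'policy'|'default') for one connection attempt."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (_match_zone(rsrc, src) and _match_zone(rdst, dst)
                and rproto in ("-", proto) and _match_port(rport, port)):
            return action, "rule"
    for psrc, pdst, policy in policies:
        if _match_zone(psrc, src) and _match_zone(pdst, dst):
            return policy, "policy"
    return "REJECT", "default"


def audit(checks):
    """Evaluate each (src, dst, proto, port) tuple against the embedded config."""
    fw_zone = parse_conf(SHOREWALL_CONF).get("FW", "fw")
    rules = parse_rules(RULES, fw_zone)
    policies = parse_policy(POLICY, fw_zone)
    return {check: evaluate(rules, policies, *check) for check in checks}


if __name__ == "__main__":
    checks = [("net", "fw", "tcp", 22), ("net", "fw", "tcp", 10000),
              ("loc", "fw", "udp", 53), ("net", "loc", "tcp", 21),
              ("fw", "net", "tcp", 80), ("loc", "fw", "tcp", 23)]
    for (src, dst, proto, port), (verdict, via) in audit(checks).items():
        print(f"{src:>4} -> {dst:<4} {proto}/{port:<5} {verdict} ({via})")
```

Run as-is it reports that `net -> fw tcp/22` is accepted by an explicit rule, so with these files the SSH block is not coming from the rules/policy logic, while `net -> fw tcp/10000` falls through to the `net all DROP` policy. Replacing the embedded strings with the real `/etc/shorewall` files gives a quick first check of what a policy set exposes before touching the box.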