From: Alexander W. <ale...@ad...> - 2005-06-26 10:43:30
On Sunday 26 June 2005 05:02, Derek Vincent wrote:
> On Friday 24 June 2005 20:57, Derek Vincent wrote:
> >>Hello all,
> >>
> >>I have shorewall setup with 3 SNAT entries for external IP addresses to
> >>a single internal IP address. I am wondering how to limit access based
> >>on the source IP address.
> >>ex.
> >> EXT IP 1 access only to port 25
> >> EXT IP 2 access only to port 443
> >> EXT IP 3 access only to port 80
> >>
> >>I have the SNAT setup correctly and I have 3 accept lines in the rules
> >>file (25,80,443) but I can hit all the services from all 3 external IP
> >>addresses (as expected).
> >>
> >>I thought about using DNAT instead of ACCEPT but I am not sure if you can
> >>or are supposed to mix the DNAT and SNAT.
> >
> >Hi Derek,
> >
> >I can only guess, because I don't really understand the way you
> > implemented the SNAT (MASQ?)/Accept combination.
> >
> >But I think the correct way would be DNAT. Something like this in the
> > rules file:
> >
> >DNAT net:$EXT_IP1 loc:$INT_IP:PORT PROTO PORTS ORIG_DEST
> >
> >e.g.:
> >DNAT net:212.185.120.194 dmz:192.168.40.2 tcp http,https - 194.231.186.177
> >
> >See the examples on top of the rules file and read FAQ30
> >http://www.shorewall.net/FAQ.htm#faq30
> >
> >HTH,
> >Alex
>
> Apologies, I am not using SNAT for this.
>
> What I have setup is just entries in the NAT table and the ACCEPTS in
> the rule file.
>
> snippet from NAT file:
> ## .132 == webmail.clockwork.ca
> 207.35.34.132 eth0:0 192.168.111.17 no no
> ## .134 == mail.clockwork.ca
> 207.35.34.134 eth0:2 192.168.111.17 no no
> ## .135 == exposed.clockwork.ca (www)
> 207.35.34.135 eth0:3 192.168.111.17 no no
>
> And the following are the ACCEPT entries from RULES:
> ACCEPT net loc:192.168.111.17 tcp 443 -
> ACCEPT net loc:192.168.111.17 tcp 25 -
> ACCEPT net loc:192.168.111.17 tcp 80 -
>
> So what I am looking for is a way to control access to specific ports
> based on the external NATed address.
Then your access rule should be something like this (Orig Destination column):

ACCEPT net loc:192.168.111.17 tcp 80 207.35.34.135

I haven't used one-to-one NAT by myself yet, so I'm not 100% sure.

Just a hint: I would have used proxy-arp instead of one-to-one NAT for this kind of setup.

HTH,
Alex
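An added example (not from this thread or from Shorewall) that models the exposure the thread is about: a small parser for the rules-file columns the thread's own lines use (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) and a check of which (external IP, port) pairs reach 192.168.111.17 under Derek's three ACCEPT lines versus the same lines with an ORIGINAL DEST column. The NAT map and rule texts are constructed from the thread; the DNAT-before-filter ordering and the "-" default for missing columns are assumptions of this model.

```python
"""Audit one-to-one NAT plus ACCEPT rules: which (external IP, port) pairs
reach the internal host? A model built for this example, not Shorewall code."""
from itertools import product

# Constructed from the thread's nat file: all three externals map to .17
NAT = {
    "207.35.34.132": "192.168.111.17",  # webmail, meant for 443 only
    "207.35.34.134": "192.168.111.17",  # mail, meant for 25 only
    "207.35.34.135": "192.168.111.17",  # www, meant for 80 only
}

def parse_rules(text):
    """Parse ACCEPT lines into (src_zone, dest, proto, dport, orig_dest)."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "ACCEPT":   # only ACCEPT is modelled here
            continue
        f += ["-"] * (7 - len(f))       # SPORT and ORIGDEST default to "-"
        rules.append((f[1], f[2], f[3], int(f[4]), f[6]))
    return rules

def allowed(rules, ext_ip, port, proto="tcp"):
    """Does a packet from 'net' to ext_ip:port reach the internal host?"""
    int_ip = NAT.get(ext_ip)            # one-to-one NAT rewrites DEST first
    if int_ip is None:
        return False
    for src, dest, rproto, dport, orig in rules:
        zone, _, addr = dest.partition(":")
        if (src == "net" and zone == "loc" and addr in ("", int_ip)
                and rproto == proto and dport == port
                and orig in ("-", ext_ip)):   # ORIGINAL DEST = pre-NAT address
            return True
    return False

def exposure(rules):
    """Set of (ext_ip, port) pairs the rule set lets through."""
    return {(ip, p) for ip, p in product(NAT, (25, 80, 443))
            if allowed(rules, ip, p)}

# Derek's three lines: no ORIGINAL DEST, so every external opens every port.
WEAK = """\
ACCEPT net loc:192.168.111.17 tcp 443 -
ACCEPT net loc:192.168.111.17 tcp 25 -
ACCEPT net loc:192.168.111.17 tcp 80 -
"""
# Alex's suggestion applied to all three: one port per external address.
FIXED = """\
ACCEPT net loc:192.168.111.17 tcp 443 - 207.35.34.132
ACCEPT net loc:192.168.111.17 tcp 25 - 207.35.34.134
ACCEPT net loc:192.168.111.17 tcp 80 - 207.35.34.135
"""
```

`exposure(parse_rules(WEAK))` yields all nine pairs, `exposure(parse_rules(FIXED))` only the three intended ones.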