Rule for Shorewall
Roman Mraz
roman.mraz at lim.cz
Thursday November 10 14:05:49 CET 2011
Hi,
I've somehow got tangled up in the shorewall rules and need some advice.
I have the topology and configuration below. My problem is creating a rule
so that from server X in VLAN 2 I can also send mail as if it came from
outside, i.e. keep sending it to the address mail.firma.cz.
From VLAN 1 and 3 it works, see the rules below, but from VLAN 2 I get this
message in the log:
Nov 7 05:14:41 oak vmunix: [2178681.317061] Shorewall:dmz2all:REJECT:IN=vlan2 OUT= MAC=00:0c:f2:a7:93:05:00:50:56:7e:5b:68:08:00 SRC=192.168.2.20 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6076 DF PROTO=TCP SPT=36758 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Can anyone advise how to do this?
Thanks
Roman Mraz
Topology:
==========

                                  =====192.168.1.x====
                                  |   10       20     |
                                  |  ----     ----    |
                                  | | A  |   | B  |   |
                                / |  ----     ----    |
                               /  =======VLAN 1=======
                              /
                             /    =====192.168.2.x=====
1.2.3.4      -----          /     |   10        20     |
ISP ---------| FW |--------|------|  ------    ----    |
             -----          \     | | MAIL |  | X  |   |
                             \    |  ------    ----    |
                              \   =======VLAN 2=======
                               \
                                \ ========192.168.3.x=========
                                  |   10       20       30     |
                                  |  ----     ----     ----    |
                                  | | C  |   | D  |   | E  |   |
                                  |  ----     ----     ----    |
                                  ===========VLAN 3===========
/etc/shorewall/interfaces
net eth1 detect tcpflags,routefilter,norfc1918,nosmurfs,logmartians
loc vlan1 detect tcpflags,detectnets,nosmurfs,dhcp
dmz vlan2 detect tcpflags,detectnets,nosmurfs
guest vlan3 detect tcpflags,detectnets,nosmurfs,dhcp
/etc/shorewall/params
MAIL_SRV_OUT=1.2.3.4
MAIL_SRV=192.168.2.10
/etc/shorewall/masq
eth1 vlan1
eth1 vlan2
eth1 vlan3
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
dmz ipv4
guest ipv4
/etc/shorewall/policy
loc net ACCEPT
loc all REJECT info
guest net ACCEPT
guest all REJECT info
$FW net ACCEPT
$FW all REJECT info
dmz net ACCEPT
dmz all REJECT info
net all DROP info
all all REJECT info
/etc/shorewall/rules
SECTION NEW
.....
DNAT loc dmz:$MAIL_SRV tcp imap,smtp,ssmtp,imaps - $MAIL_SRV_OUT
DNAT guest dmz:$MAIL_SRV tcp smtp,ssmtp,imaps - $MAIL_SRV_OUT
.....
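As an added example (not part of the original post), a small Python triage helper that parses the quoted Shorewall log line into its fields and looks the rejecting chain up in the policy table from the post. Shorewall names a zone-pair chain `<src>2<dst>`, so `dmz2all` is the dmz-to-all policy chain, which the policy file lists as REJECT. The log line and policy text are copied from the post; the function names are my own.

```python
import re

# Log line quoted in the post, joined onto a single line.
SAMPLE_LOG = (
    "Nov 7 05:14:41 oak vmunix: [2178681.317061] Shorewall:dmz2all:REJECT:IN=vlan2 OUT= "
    "MAC=00:0c:f2:a7:93:05:00:50:56:7e:5b:68:08:00 SRC=192.168.2.20 DST=1.2.3.4 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=6076 DF PROTO=TCP SPT=36758 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# /etc/shorewall/policy as posted; order matters, first match wins.
POLICY = """\
loc net ACCEPT
loc all REJECT info
guest net ACCEPT
guest all REJECT info
$FW net ACCEPT
$FW all REJECT info
dmz net ACCEPT
dmz all REJECT info
net all DROP info
all all REJECT info
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<rest>.*)")

def parse_shorewall_log(line):
    """Return chain, disposition and the netfilter fields as a dict (bare flags like DF/SYN -> True)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields

def chain_zones(chain):
    """Split a zone-pair chain name '<src>2<dst>' (assumes zone names contain no digit 2)."""
    src, sep, dst = chain.partition("2")
    return (src, dst) if sep else (None, None)

def policy_for(src, dst, policy_text=POLICY):
    """First policy entry whose SOURCE and DEST columns cover src -> dst ('all' is a wildcard)."""
    for entry in policy_text.splitlines():
        parts = entry.split()
        if len(parts) >= 3 and parts[0] in (src, "all") and parts[1] in (dst, "all"):
            return parts[2]
    return None

def explain(line):
    """Summarise which zone pair and which policy entry produced the logged verdict."""
    f = parse_shorewall_log(line)
    src_zone, dst_zone = chain_zones(f["chain"])
    return {"src_zone": src_zone, "dst_zone": dst_zone, "disposition": f["disposition"],
            "in_iface": f["IN"], "src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"],
            "dport": f["DPT"], "policy": policy_for(src_zone, dst_zone)}
```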