Cannot ping devices across interfaces on a Shorewall single-IP, three-interface firewall on Debian Wheezy

Overview

I am currently building a three-interface software firewall with Shorewall 4.5.5.3 on Debian Wheezy, and I am having some difficulties with the loc (eth2) and dmz (eth1) interfaces. The fw (eth0) interface seems to work fine, but I cannot ping the PCs in the loc or dmz zones. There may be something wrong with the /etc/network/interfaces settings in the networking section.

The fw interface runs on DHCP through the ISP, and I configured the loc and dmz interfaces, and the PCs in those zones, with static IPs. The configuration I am trying to use is the three-interface, single-IP configuration; the reference document is "Three-Interface Firewall" on the Shorewall website. I don't know how to handle the gateway on the eth1 or eth2 interfaces, and the Shorewall documentation does not explain this. I assume it would be the same gateway as eth0, but I don't know how to do that since eth0 is on DHCP.

Networking

/etc/network/interfaces on the fw node:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

    # Secondary network interface for dmz
    auto eth1
    iface eth1 inet static
    address 10.10.1.1/24
    netmask 255.255.255.0

    # Tertiary network interface for loc
    auto eth2
    iface eth2 inet static
    address 10.10.2.1/24
    netmask 255.255.255.0

/etc/network/interfaces for the dmz:

    # dmz network interface
    auto eth0
    iface eth0 inet static
    address 10.10.1.2/24
    netmask 255.255.255.0
    gateway 10.10.1.1

Starting with the dmz: is there something wrong with my network interface settings?

This is what happens when I restart networking:

    Listening on LPF/eth0/HEX:...:...
    Sending on   LPF/eth0/HEX:...:...
    Sending on   Socket/fallback
    DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
    DHCPREQUEST on eth0 to 255.255.255.255 port 67
    DHCPOFFER from XY.IP...
    DHCPACK from XY.IP...
    suspect value in ^1/7078C526/res-5000-2.0 option - discarded
    suspect value in ^1/FBEA1017/res-5000-2.0 option - discarded
    bound to NEW.IP... -- renewal in 33594 seconds.
    done.

I don't understand the "suspect value ... discarded" lines. Do they indicate a problem, or are those just potential IPs being rejected?

These are the results of ifconfig:

    eth0      Link encap:Ethernet  HWaddr MAC
              inet addr:DHCP.IP  Bcast:DHCP.BC  Mask:DHCP.M
              inet6 addr: inet6.IP Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:268607 errors:0 dropped:0 overruns:0 frame:0
              TX packets:89830 errors:0 dropped:0 overruns:0 carrier:7
              collisions:0 txqueuelen:1000
              RX bytes:25066229 (23.9 MiB)  TX bytes:10734393 (10.2 MiB)
              Interrupt:17

    eth1      Link encap:Ethernet  HWaddr c0:4a:00:03:00:04
              inet addr:10.10.1.1  Bcast:10.10.1.255  Mask:255.255.255.0
              inet6 addr: fe80::c24a:ff:fe03:4/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:4664 (4.5 KiB)
              Interrupt:19 Base address:0xac00

    eth2      Link encap:Ethernet  HWaddr c0:4a:00:07:6a:31
              inet addr:10.10.2.1  Bcast:10.10.2.255  Mask:255.255.255.0
              inet6 addr: fe80::c24a:ff:fe07:6a31/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:48 errors:0 dropped:0 overruns:0 frame:0
              TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2880 (2.8 KiB)  TX bytes:2578 (2.5 KiB)
              Interrupt:16 Base address:0xe800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:41 errors:0 dropped:0 overruns:0 frame:0
              TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4592 (4.4 KiB)  TX bytes:4592 (4.4 KiB)

Shorewall settings

interfaces

    net   eth0   tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
    dmz   eth1   tcpflags,nosmurfs,routefilter,logmartians
    loc   eth2   tcpflags,nosmurfs,routefilter,logmartians

masq

    eth0   10.10.1.0/24
    eth0   10.10.2.0/24

params

    ETH0_IP=$(find_first_interface_address eth0)

policy

    loc   net   ACCEPT
    net   all   DROP    info
    # THE FOLLOWING POLICY MUST BE LAST
    all   all   REJECT  info

routestopped

    eth1   -
    eth2   -

rules

    SECTION NEW
    # Don't allow connection pickup from the net
    Invalid(DROP)   net   all
    # Accept DNS connections from the firewall to the Internet
    DNS(ACCEPT)     $FW   net
    # Accept SSH connections from the local network to the firewall and DMZ
    SSH(ACCEPT)     loc   $FW
    SSH(ACCEPT)     loc   dmz
    # DMZ DNS access to the Internet
    DNS(ACCEPT)     dmz   net
    # Drop Ping from the "bad" net zone.
    Ping(DROP)      net   $FW
    # Make ping work bi-directionally between the dmz, net, Firewall and local zone
    # (assumes that the loc-> net policy is ACCEPT).
    Ping(ACCEPT)    loc   $FW
    Ping(ACCEPT)    dmz   $FW
    Ping(ACCEPT)    loc   dmz
    Ping(ACCEPT)    dmz   loc
    Ping(ACCEPT)    dmz   net
    Ping(ACCEPT)    loc   net
    ACCEPT          $FW   net   icmp
    ACCEPT          $FW   loc   icmp
    ACCEPT          $FW   dmz   icmp
    # Allow connection to web server from loc to dmz
    DNAT            loc   dmz:10.10.1.2   tcp   -   80,443   $ETH0_IP
    # Allow DNS connection to internal server from net
    DNS(ACCEPT)     loc   dmz:10.10.1.3
    DNS(ACCEPT)     $FW   dmz:10.10.1.3
    DNS(ACCEPT)     loc   dmz:10.10.1.4
    DNS(ACCEPT)     $FW   dmz:10.10.1.4
    # Allow SMTPS traffic to internal server from net
    SMTPS(ACCEPT)   dmz:10.10.1.2   $FW
    POP3S(ACCEPT)   $FW   dmz:10.10.1.2
    # Allow SSH and SFTP on web server
    SSH(ACCEPT)     $FW   dmz:10.10.1.2
    SSH(ACCEPT)     net   $FW

shorewall.conf

    # Only change in this file:
    IP_FORWARDING=On

zones

    fw    firewall
    net   ipv4
    loc   ipv4
    dmz   ipv4

shorewall check

    Checking...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Checking /etc/shorewall/zones...
    Checking /etc/shorewall/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Checking /usr/share/shorewall/action.Drop for chain Drop...
    Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
    Checking /usr/share/shorewall/action.Invalid for chain Invalid...
    Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
    Checking /usr/share/shorewall/action.Reject for chain Reject...
    Checking /etc/shorewall/policy...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Checking TCP Flags filtering...
    Checking Kernel Route Filtering...
    Checking Martian Logging...
    Checking Accept Source Routing...
    Checking /etc/shorewall/masq...
    Checking MAC Filtration -- Phase 1...
    Checking /etc/shorewall/rules...
    Checking /usr/share/shorewall/action.Invalid for chain %Invalid...
    Checking MAC Filtration -- Phase 2...
    Applying Policies...
    Checking /etc/shorewall/routestopped...
    Shorewall configuration verified

shorewall start

    Compiling...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Compiling /etc/shorewall/zones...
    Compiling /etc/shorewall/interfaces...
    Determining Hosts in Zones...
    Locating Action Files...
    Compiling /usr/share/shorewall/action.Drop for chain Drop...
    Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
    Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
    Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
    Compiling /usr/share/shorewall/action.Reject for chain Reject...
    Compiling /etc/shorewall/policy...
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Compiling TCP Flags filtering...
    Compiling Kernel Route Filtering...
    Compiling Martian Logging...
    Compiling Accept Source Routing...
    Compiling /etc/shorewall/masq...
    Compiling MAC Filtration -- Phase 1...
    Compiling /etc/shorewall/rules...
    Compiling /usr/share/shorewall/action.Invalid for chain %Invalid...
    Compiling MAC Filtration -- Phase 2...
    Applying Policies...
    Generating Rule Matrix...
    Creating iptables-restore input...
    Compiling /etc/shorewall/routestopped...
    Shorewall configuration compiled to /var/lib/shorewall/.start
    Starting Shorewall....
    Initializing...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Accept Source Routing...
    Setting up Traffic Control...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore...
    IPv4 Forwarding Enabled
    done.

In the terminal: ping 10.10.1.2

    PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
    From 10.10.1.1 icmp_seq=1 Destination Host Unreachable
    From 10.10.1.1 icmp_seq=2 Destination Host Unreachable
    From 10.10.1.1 icmp_seq=3 Destination Host Unreachable

In the dmz terminal: ping 10.10.1.1

 connect: network not reachable 

I don't know what is missing or wrong. Any help would be appreciated.
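A small consistency check for the Shorewall files shown in the question, added here as an example (it is not part of the question and not a Shorewall tool): it parses the zones, interfaces, policy and rules fragments and reports zones referenced in policy or rules but never declared, and declared zones with no interface bound to them. The sample inputs are constructed from the question's own files, trimmed to a few rows.

```python
# Constructed samples: trimmed copies of the Shorewall files in the question.
ZONES = """fw   firewall
net  ipv4
loc  ipv4
dmz  ipv4
"""
INTERFACES = """net  eth0  tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
dmz  eth1  tcpflags,nosmurfs,routefilter,logmartians
loc  eth2  tcpflags,nosmurfs,routefilter,logmartians
"""
POLICY = """loc  net  ACCEPT
net  all  DROP   info
all  all  REJECT info
"""
RULES = """SECTION NEW
Ping(DROP)    net  $FW
Ping(ACCEPT)  loc  dmz
DNAT          loc  dmz:10.10.1.2  tcp  -  80,443  $ETH0_IP
"""

def columns(text):
    """Yield the whitespace-separated columns of each non-comment data line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("SECTION"):
            yield line.split()

def zone_name(token):
    """Strip a host qualifier such as dmz:10.10.1.2 down to the zone name."""
    return token.split(":", 1)[0]

def check_shorewall(zones, interfaces, policy, rules):
    """Return findings: zones used but not declared, and zones with no interface."""
    zone_rows = list(columns(zones))
    declared = {c[0] for c in zone_rows}
    fw = next((c[0] for c in zone_rows if c[1] == "firewall"), "fw")
    bound = {c[0] for c in columns(interfaces)}
    findings = []
    # policy rows are SOURCE DEST ...; rules rows are ACTION SOURCE DEST ...
    for name, text, first in (("policy", policy, 0), ("rules", rules, 1)):
        for cols in columns(text):
            for tok in cols[first:first + 2]:
                z = zone_name(tok.replace("$FW", fw))
                if z != "all" and z not in declared:
                    findings.append(f"{name}: zone {z!r} not declared")
    for z in sorted(declared - bound - {fw}):
        findings.append(f"interfaces: zone {z!r} has no interface")
    return findings
```

On the question's files the check returns no findings, which matches the clean `shorewall check` output: the ping failure is not a zone or interface mapping error.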

I found the answer to my problem: it was the dmz's network configuration. The dmz is a Dell PowerEdge 1950 on which I run the hardware node at 10.10.1.2/24 and a venet0 virtual node on OpenVZ. I wasn't worried about connecting to the OpenVZ node, but I couldn't even connect to the hardware node. After changing the network settings and removing the /24 CIDR suffix, everything fell into place. I run CentOS 6.5 on the hardware node, and I guess it doesn't like CIDR addressing.

I am now pinging the dmz from fw, so the gateway is open. Happy days:

    > ping 10.10.2.1
    PING 10.10.2.1 (10.10.2.1) 56(84) bytes of data.
    64 bytes from 10.10.2.1: icmp_req=1 ttl=64 time=0.056 ms
    64 bytes from 10.10.2.1: icmp_req=2 ttl=64 time=0.027 ms
    64 bytes from 10.10.2.1: icmp_req=3 ttl=64 time=0.026 ms
    64 bytes from 10.10.2.1: icmp_req=4 ttl=64 time=0.025 ms

Summary

The configuration is solid, so I hope it helps someone else set up a Shorewall firewall.
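The root cause in the answer was an address line carrying both a CIDR suffix and a separate netmask. As an added example (not from the question, the answer, or any distribution tool), the following Python lints Debian-style /etc/network/interfaces stanzas for exactly that combination and also checks that the gateway lies inside the interface's subnet; the sample stanza is the dmz stanza from the question, embedded as constructed input.

```python
import ipaddress

# Constructed sample: the dmz stanza as posted, with the CIDR suffix
# that the answer ended up removing.
DMZ_INTERFACES = """\
# dmz network interface
auto eth0
iface eth0 inet static
address 10.10.1.2/24
netmask 255.255.255.0
gateway 10.10.1.1
"""

def parse_interfaces(text):
    """Parse /etc/network/interfaces stanzas into {iface: {option: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {"family": parts[2], "method": parts[3]}
        elif parts[0] in ("auto", "allow-hotplug"):
            continue
        elif current is not None:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return stanzas

def check_static_stanza(opts):
    """Return a list of findings for one static IPv4 stanza."""
    findings = []
    if opts.get("method") != "static":
        return findings
    addr = opts.get("address", "")
    if "/" in addr and "netmask" in opts:
        # Both forms at once: redundant on Debian, rejected on the CentOS node.
        findings.append("address carries a CIDR suffix and a netmask is also given")
    try:
        spec = addr if "/" in addr else f"{addr}/{opts['netmask']}"
        net = ipaddress.ip_interface(spec).network
    except (ValueError, KeyError):
        return findings + ["cannot determine subnet from address/netmask"]
    gw = opts.get("gateway")
    if gw and ipaddress.ip_address(gw) not in net:
        findings.append(f"gateway {gw} is outside {net}")
    return findings

def check_interfaces(text):
    return {name: check_static_stanza(o) for name, o in parse_interfaces(text).items()}
```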