I am currently building a three-interface software firewall with Shorewall 4.5.5.3 on Debian Wheezy, and I am having some difficulty with the loc (eth2) and dmz (eth1) interfaces. The fw (eth0) interface seems to work fine, but I cannot ping the PCs in the loc or dmz zones. There may be something wrong with the /etc/network/interfaces setup on the network.
The fw interface runs on DHCP through my ISP; I configured the loc and dmz interfaces, and the PCs inside those zones, with static IPs. The configuration I am trying to use is the three-interface, single-IP configuration; the reference document is on the Shorewall website, "Three-Interface Firewall". I do not know what to do about a gateway for the eth1 or eth2 interfaces, b/c the Shorewall documentation does not explain it. I assume it is the same gateway as eth0, but I do not know how to do that since eth0 is on DHCP.
/etc/network/interfaces for the fw node:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
# Secondary network interface for dmz
auto eth1
iface eth1 inet static
address 10.10.1.1/24
netmask 255.255.255.0
# Tertiary network interface for loc
auto eth2
iface eth2 inet static
address 10.10.2.1/24
netmask 255.255.255.0
/etc/network/interfaces for the dmz host:
# dmz network interface
auto eth0
iface eth0 inet static
address 10.10.1.2/24
netmask 255.255.255.0
gateway 10.10.1.1
Starting with the dmz, is there something wrong with my network interface settings?
This is what happens when I restart networking:
Listening on LPF/eth0/HEX:...:...
Sending on LPF/eth0/HEX:...:...
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPOFFER from XY.IP...
DHCPACK from XY.IP...
suspect value in ^1/7078C526/res-5000-2.0 option - discarded
suspect value in ^1/FBEA1017/res-5000-2.0 option - discarded
bound to NEW.IP... -- renewal in 33594 seconds.
done.
I do not understand the "suspect ... - discarded" lines. Do they indicate a problem, or are those potential IPs that were rejected?
These are the results of ifconfig:
eth0 Link encap:Ethernet HWaddr MAC
inet addr:DHCP.IP Bcast:DHCP.BC Mask:DHCP.M
inet6 addr: inet6.IP Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268607 errors:0 dropped:0 overruns:0 frame:0
TX packets:89830 errors:0 dropped:0 overruns:0 carrier:7
collisions:0 txqueuelen:1000
RX bytes:25066229 (23.9 MiB) TX bytes:10734393 (10.2 MiB)
Interrupt:17
eth1 Link encap:Ethernet HWaddr c0:4a:00:03:00:04
inet addr:10.10.1.1 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80::c24a:ff:fe03:4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:82 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:4664 (4.5 KiB)
Interrupt:19 Base address:0xac00
eth2 Link encap:Ethernet HWaddr c0:4a:00:07:6a:31
inet addr:10.10.2.1 Bcast:10.10.2.255 Mask:255.255.255.0
inet6 addr: fe80::c24a:ff:fe07:6a31/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2880 (2.8 KiB) TX bytes:2578 (2.5 KiB)
Interrupt:16 Base address:0xe800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4592 (4.4 KiB) TX bytes:4592 (4.4 KiB)
/etc/shorewall/interfaces
net eth0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
dmz eth1 tcpflags,nosmurfs,routefilter,logmartians
loc eth2 tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/masq
eth0 10.10.1.0/24
eth0 10.10.2.0/24
/etc/shorewall/params
ETH0_IP=$(find_first_interface_address eth0)
/etc/shorewall/policy
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/routestopped
eth1 -
eth2 -
/etc/shorewall/rules
SECTION NEW
# Don't allow connection pickup from the net
Invalid(DROP) net all
# Accept DNS connections from the firewall to the Internet
DNS(ACCEPT) $FW net
# Accept SSH connections from the local network to the firewall and DMZ
SSH(ACCEPT) loc $FW
SSH(ACCEPT) loc dmz
# DMZ DNS access to the Internet
DNS(ACCEPT) dmz net
# Drop Ping from the "bad" net zone.
Ping(DROP) net $FW
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
Ping(ACCEPT) loc net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Allow connections from loc to the web server in the dmz when loc clients address the
# firewall's external IP. Column order is ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST,
# so the ports go in the DPORT column and "-" in SPORT.
DNAT loc dmz:10.10.1.2 tcp 80,443 - $ETH0_IP
# Allow DNS from loc and from the firewall to the internal DNS servers in the dmz
DNS(ACCEPT) loc dmz:10.10.1.3
DNS(ACCEPT) $FW dmz:10.10.1.3
DNS(ACCEPT) loc dmz:10.10.1.4
DNS(ACCEPT) $FW dmz:10.10.1.4
# Mail traffic between the dmz mail server and the firewall (SMTPS from the dmz, POP3S to it)
SMTPS(ACCEPT) dmz:10.10.1.2 $FW
POP3S(ACCEPT) $FW dmz:10.10.1.2
# Allow SSH and SFTP from the firewall to the web server
SSH(ACCEPT) $FW dmz:10.10.1.2
# Allow SSH to the firewall from the net
SSH(ACCEPT) net $FW
/etc/shorewall/shorewall.conf
# Only change in this file:
IP_FORWARDING=On
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
dmz ipv4
shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Invalid for chain Invalid...
Checking /usr/share/shorewall/action.NotSyn for chain NotSyn...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /usr/share/shorewall/action.Invalid for chain %Invalid...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /etc/shorewall/routestopped...
Shorewall configuration verified
shorewall start
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /usr/share/shorewall/action.Invalid for chain %Invalid...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling /etc/shorewall/routestopped...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.
On the fw: ping 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
From 10.10.1.1 icmp_seq=1 Destination Host Unreachable
From 10.10.1.1 icmp_seq=2 Destination Host Unreachable
From 10.10.1.1 icmp_seq=3 Destination Host Unreachable
In the dmz terminal: ping 10.10.1.1
connect: Network is unreachable
I do not know what is missing or wrong. Any help would be appreciated.
Answer 0 (score: 1)
I found the answer to my problem: it was the network configuration on the dmz. The dmz sits on a Dell PowerEdge 1950, on which I run the hardware node at 10.10.1.2/24 and a virtual node on venet0 under OpenVZ. I was not worried about connecting to the OpenVZ node at the time, but I could not even connect to the hardware node. After revising the network information and removing the /24 CIDR suffix, everything fell into place. I run CentOS 6.5 on the hardware node, and I guess it does not like CIDR addressing.
I am now pinging the dmz from the fw, so the gateway is open, happy days:
> ping 10.10.2.1
PING 10.10.2.1 (10.10.2.1) 56(84) bytes of data.
64 bytes from 10.10.2.1: icmp_req=1 ttl=64 time=0.056 ms
64 bytes from 10.10.2.1: icmp_req=2 ttl=64 time=0.027 ms
64 bytes from 10.10.2.1: icmp_req=3 ttl=64 time=0.026 ms
64 bytes from 10.10.2.1: icmp_req=4 ttl=64 time=0.025 ms
The configuration is solid, so I hope it helps others setting up Shorewall interfaces.
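The two error messages in this thread come from two different stages of the Linux routing decision: "connect: Network is unreachable" means the host has no route at all to the destination (here: the dmz host never got a usable address, so it had neither a connected 10.10.1.0/24 route nor a default route), while "Destination Host Unreachable" means a route exists but the next hop never answered ARP (the fw had its connected route on eth1, but nothing at 10.10.1.2 replied). The following is an added example written for this page, not code from the original post, Shorewall or ifupdown. It parses constructed copies of the two interfaces files shown in the question, derives the routes the kernel would hold, and does a longest-prefix lookup plus a neighbour check. The accept_cidr_in_address=False flag is an assumption that models the answer's report of an address parser refusing "a.b.c.d/len", not a claim about how any particular distribution parses that field; the neighbours set stands in for which hosts answer ARP on the link.

```python
"""Model the Linux routing decision behind "Network is unreachable" and
"Destination Host Unreachable". Illustration code added for this page."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed copies of the two /etc/network/interfaces files from the question.
FW_INTERFACES = """\
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
    address 10.10.1.1/24
    netmask 255.255.255.0
auto eth2
iface eth2 inet static
    address 10.10.2.1/24
    netmask 255.255.255.0
"""

DMZ_INTERFACES = """\
auto eth0
iface eth0 inet static
    address 10.10.1.2/24
    netmask 255.255.255.0
    gateway 10.10.1.1
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None: directly connected network


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Return {iface: {"method": ..., "address": ..., ...}} from ifupdown text."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] == "auto":
            continue
        if parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {"method": parts[3]}
        elif current is not None and len(parts) >= 2:
            stanzas[current][parts[0]] = parts[1]
    return stanzas


def build_routes(stanzas: Dict[str, Dict[str, str]],
                 accept_cidr_in_address: bool = True) -> List[Route]:
    """Derive the routes the kernel would hold once these stanzas are up.

    accept_cidr_in_address=False is an ASSUMPTION modelling the answer above:
    a parser that rejects "a.b.c.d/len" leaves the interface with no IPv4
    address, hence no connected route and no default route either.
    Only static stanzas are modelled; the DHCP stanza (fw eth0) is skipped.
    """
    routes: List[Route] = []
    for dev, opts in stanzas.items():
        if opts.get("method") != "static" or "address" not in opts:
            continue
        addr = opts["address"]
        if "/" in addr and not accept_cidr_in_address:
            continue
        if "/" not in addr:
            addr = f"{addr}/{opts.get('netmask', '255.255.255.255')}"
        routes.append(Route(ipaddress.ip_interface(addr).network, dev))
        if "gateway" in opts:
            routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), dev, via=opts["gateway"]))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a single routing table."""
    target = ipaddress.ip_address(dst)
    candidates = [r for r in routes if target in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def diagnose(routes: List[Route], dst: str, neighbours: Set[str]) -> str:
    """Return the message ping/connect would show for dst.

    neighbours is a constructed set of addresses that answer ARP on the link.
    No route -> the socket layer fails with ENETUNREACH; a route whose next hop
    never answers ARP -> the kernel emits ICMP host unreachable for the packet.
    """
    route = lookup(routes, dst)
    if route is None:
        return "connect: Network is unreachable"
    next_hop = route.via if route.via else dst
    if next_hop not in neighbours:
        return "Destination Host Unreachable"
    return f"reachable via {route.dev}" + (f" gw {route.via}" if route.via else "")


if __name__ == "__main__":
    fw = build_routes(parse_interfaces(FW_INTERFACES))
    print("fw -> 10.10.1.2, dmz host silent:", diagnose(fw, "10.10.1.2", set()))
    broken = build_routes(parse_interfaces(DMZ_INTERFACES), accept_cidr_in_address=False)
    print("dmz, address rejected -> 10.10.1.1:", diagnose(broken, "10.10.1.1", {"10.10.1.1"}))
    fixed = build_routes(parse_interfaces(DMZ_INTERFACES))
    print("dmz, address accepted -> 10.10.1.1:", diagnose(fixed, "10.10.1.1", {"10.10.1.1"}))
    print("dmz -> 8.8.8.8 via gateway:", diagnose(fixed, "8.8.8.8", {"10.10.1.1"}))
```

The practical reading of the two symptoms on a real box is the same as in the model: "Network is unreachable" sends you to `ip addr` and `ip route` on the host that printed it (is the address really there, is the connected route present), while "Destination Host Unreachable" with a correct local route sends you to `ip neigh` and to the other end of the cable.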