HeCSa | 1 Jan 21:19 2009

HELP! Trying to masq some machines

Hello!
I'm trying to build some configuration with some troubles, maybe it's 
simple.
My network has a machine acting as a firewall / proxy server between 
internal and external zones.
Then, my machine has two interfaces, eth0 connected to Internet with a 
static IP address, and eth1, connected to the internal network, with a 
static IP address too.
Let's assume that external IP is 200.200.200.200. Internal IP addresses 
are (really) 192.9.201.0 based.
I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
dansguardian to restrict access to some pages.
The proxy port I'm using is 8008.
The problem I have is that some machines need to use some internet based 
services, and then need to access directly the internet without using 
the proxy. Let's assume that the IP address of one of these machines is 
192.9.201.100. All other machines in the 192.9.201.0 network are going 
to access the web via the squid/squidguard/dansguardian system.
Well...I don't really understand how to configure my shorewall to let 
this!!!
I'm copying my shorewall configuration files, located under 
/etc/shorewall. Please, can anybody help me with this, or guide me on 
the right direction? I'm really confused!!!
Following, my config files:

a) /etc/shorewall/zones:
fw firewall
lan ipv4
wan ipv4

Roberto C. Sánchez | 1 Jan 21:59 2009

Re: HELP! Trying to masq some machines

On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
> Hello!
> I'm trying to build some configuration with some troubles, maybe it's 
> simple.
<SNIP>
> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
> dansguardian to restrict access to some pages.
<SNIP>
> Well...I don't really understand how to configure my shorewall to let 
> this!!!

First, start by reading this page:

http://www.shorewall.net/Shorewall_Squid_Usage.html

Also, have a look at NONAT in the shorewall-rules man page, as it seems
you will need that.

> I'm copying my shorewall configuration files, located under 

Please don't do that.  We don't have time to go through your
configuration files.  Especially since they do not tell the whole story.
Please read the information at the above link.  If, after that, you
cannot make it work the way you think it should work, then please ask
your question in accordance with the guidelines located here:

http://www.shorewall.net/support.htm

Regards,

HeCSa | 2 Jan 02:36 2009

Re: HELP! Trying to masq some machines

Roberto:
    The problem was the line with the "REDIRECT".
    If I comment this line, and then add a line with "ACCEPT" for 
192.9.201.100, all works as desired.
    Thanks for your lines. I discovered the "dump" command, never used 
in the past by me.
    Best regards,

HeCSa.

Roberto C. Sánchez wrote:
> On Thu, Jan 01, 2009 at 06:19:25PM -0200, HeCSa wrote:
>   
>> Hello!
>> I'm trying to build some configuration with some troubles, maybe it's 
>> simple.
>>     
> <SNIP>
>   
>> I'm using, as firewall / proxy, a machine with Ubuntu Server 8.04 LTS. 
>> Shorewall version is 4.0.6, squid is 2.6STABLE18, using squidguard and 
>> dansguardian to restrict access to some pages.
>>     
> <SNIP>
>   
>> Well...I don't really understand how to configure my shorewall to let 
>> this!!!
>>     
>
> First, start by reading this page:

Shorewall Guy | 2 Jan 03:13 2009

Re: HELP! Trying to masq some machines

HeCSa wrote:
> Roberto:
>     The problem was the line with the "REDIRECT".
>     If I comment this line, and then add a line with "ACCEPT" for 
> 192.9.201.100, all works as desired.
>     Thanks for your lines. I discovered the "dump" command, never used 
> in the past by me.

Roberto was trying to tell you to insert this BEFORE the REDIRECT rule:

NONAT	loc:192.9.201.100	net	

If you only have a few hosts that need this exception, you can also make
the SOURCE of your REDIRECT rule:

	loc:!192.9.201.100,...
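
The two alternatives described in this reply, laid out as a rules-file fragment. This is an added example, not a file from the thread: the zone names lan and wan are taken from the original poster's zones file (the reply uses loc and net), and redirecting www traffic to port 8008 assumes that is the port the transparent proxy listens on.

```conf
# /etc/shorewall/rules (constructed example)
#ACTION    SOURCE               DEST    PROTO   DEST PORT(S)

# --- Alternative 1: exempt the host BEFORE the REDIRECT rule ---
# Rules are evaluated top to bottom. NONAT excludes matching connections
# from any later DNAT/REDIRECT rule, but it does not accept the traffic.
NONAT      lan:192.9.201.100    wan
# The exempted traffic still has to be allowed, either by the lan->wan
# policy or by an explicit rule. Only the web port is opened here
# (an assumption); add the ports the direct-access services really need.
ACCEPT     lan:192.9.201.100    wan     tcp     www
# Every other lan host has its web traffic redirected to the local proxy.
REDIRECT   lan                  8008    tcp     www

# --- Alternative 2: exclude the host in the REDIRECT source ---
# Use this INSTEAD of the NONAT + REDIRECT pair above, not together with it.
# Further exempt hosts are appended to the exclusion as a comma-separated list.
#REDIRECT  lan:!192.9.201.100   8008    tcp     www
#ACCEPT    lan:192.9.201.100    wan     tcp     www
```

Running `shorewall check` validates the file before a restart, and `shorewall dump` (the command mentioned earlier in the thread) shows whether the exemption landed ahead of the redirect in the nat table.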

HeCSa | 2 Jan 04:29 2009

Re: HELP! Trying to masq some machines

Excellent!
It's working now as I was trying!
Thanks a lot, and best regards.

HeCSa.

Shorewall Guy wrote:
> HeCSa wrote:
>   
>> Roberto:
>>     The problem was the line with the "REDIRECT".
>>     If I comment this line, and then add a line with "ACCEPT" for 
>> 192.9.201.100, all works as desired.
>>     Thanks for your lines. I discovered the "dump" command, never used 
>> in the past by me.
>>     
>
> Roberto was trying to tell you to insert this BEFORE the REDIRECT rule:
>
> NONAT	loc:192.9.201.100	net	
>
> If you only have a few hosts that need this exception, you can also make
> the SOURCE of your REDIRECT rule:
>
> 	loc:!192.9.201.100,...
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users <at> lists.sourceforge.net

