Hola a todos, alguien me podria ayudar, quiero montar un firewall y un proxy pero quiero saber si estoy haciendo bien los pasos del manual, porque la verdad no me queda

les platico ya instale el squid y este trabaja bien porque ya hice pruebas con mis terminales y todas pueden navegar en internet, pero no he podido hacer que usen el servicio de pop y smtp(configurar sus O. Express) leyendo el manual me indica que debo poner un firewall (shorewall o firestater) en la misma maquina y hacer un NAT para que pueda funcionar, la verdad ya intente con los dos (shorewall o firestater) y no he podido hacer que trabaje el O. Express, tambien cheque en el foro y suguieren que detenga el squid para ver si hay algun problema pero ya lo hice y sigo igual, les pongo lo que hace el shorewall cuando le doy service shorewall restart:

]# service shorewall start
make: *** No hay ninguna regla para construir el objetivo `/etc/shorewall/interfaces (copia)', necesario para `/var/lib/shorewall/restore-base'. Alto.
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
FORWARD Mangle Chain: Available
Determining Zones...
IPv4 Zones: net loc dmz
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
loc Zone: eth1:0.0.0.0/0
dmz Zone: eth2:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
IP Forwarding Enabled
Setting up IPSEC...
Processing /etc/shorewall/rules...
Rule "ACCEPT net fw tcp 80,25,110 " added.
Rule "REDIRECT loc 8080 tcp 80 " added.
Rule "REDIRECT dmz 8080 tcp 80 " added.
Processing /etc/shorewall/tunnels...
Processing Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" added.
Rule "DROP - - udp 137:139 - -" added.
Rule "DROP - - udp 1024: 137 -" added.
Rule "DROP - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" added.
Rule "REJECT - - udp 137:139 - -" added.
Rule "REJECT - - udp 1024: 137 -" added.
Rule "REJECT - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for dmz to fw using chain all2all
Policy ACCEPT for dmz to net using chain dmz2net
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 10.0.0.0/24 through eth0
To 0.0.0.0/0 (all) from 10.0.1.0/24 through eth0
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...
~]#

gracias

---

Sabio no es aquel que dedica su vida a aprender sino el que la dedica a enseñar.

¿Que pusiste en /etc/shorewall/interfaces?

Gracias Joel

esto es lo que puse

###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


por cierto envie un correo solicitando una propuesta de algunos servicios que se quieren implementar en la empresa, sabes algo al respecto?


gracias de antemano

---

Sabio no es aquel que dedica su vida a aprender sino el que la dedica a enseñar.

En el directorio de shorewall hay un archivo rules que tienes como copia, sugiero lo elimines para poder depurar tu problema (/etc/shorewall/interfaces (copia))

Hola Oscar!

Leyendo lo que escribiste anteriormente y viendo la salida del "shorewall start" ...

si lo que quieres es permitir el trafico SNMP y POP3 de la red local a Internet y que los usuarios usen el outlook, .lo que tienes que hacer es poner un par de lineas en /etc/shorewall/rules con tu editor favorito (vi, ee, emacs, nano, ...)

SNMP/ACCEPT loc net
POP3/ACCEPT loc net

Si no tienes habilitado el seguimiento de conexiones agrega 2 mas ...

SNMP/ACCEPT net loc
SNMP/ACCEPT net loc
POP3/ACCEPT net loc

:wq

root@ -#shorewall check

y si no marca error ...

root@ -#shorewall clear
root@ -#shorewall start


Ademas veo que tienes el puerto 113 Bloqueado, edita el archivo /usr/share/shorewall/macro.Auth y cambia donde dice REJECT por PARAM.
Y en /etc/shorewall/rules agregas ...

Auth/ACCEPT loc net


Guardas y ...

root@ -#shorewall clear
root@ -#shorewall start


Espero esto te sirva.
Hasta pronto.

Atte Ismael.

Hola Ismael, Gracias por tu comentario, ya puse en practica lo que mencionaste pero sigo igual, no se que hacer por que ya me estan presionando en montar este firewall con servicio de pop3 y smtp, tengo alguna duda con tu comentario, el SNMP es diferente a SMTP y para que debo de habilitar el puerto 113?, pongo de nueva cuenta mi shorewall

[root@serverwall ~]# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
FORWARD Mangle Chain: Available
Determining Zones...
IPv4 Zones: net loc dmz
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth0:0.0.0.0/0
loc Zone: eth1:0.0.0.0/0
WARNING: Zone dmz is empty
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
IP Forwarding Enabled
Setting up IPSEC...
Processing /etc/shorewall/rules...
Rule "ACCEPT net fw tcp 80,25,110 " added.
..Expanding Macro /usr/share/shorewall/macro.SMTP...
Rule "ACCEPT loc net tcp 25 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.POP3...
Rule "ACCEPT loc net tcp 110 - - - -" added.
Rule "ACCEPT loc net tcp 995 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMTP...
Rule "ACCEPT net loc tcp 25 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMTP...
Rule "ACCEPT net loc tcp 25 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.POP3...
Rule "ACCEPT net loc tcp 110 - - - -" added.
Rule "ACCEPT net loc tcp 995 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "ACCEPT loc net tcp 113 - - - -" added.
..End Macro
Rule "REDIRECT loc 3128 tcp 80 " added.
Rule "REDIRECT dmz 3128 tcp 80 " added.
Processing /etc/shorewall/tunnels...
Processing Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" added.
Rule "DROP - - udp 137:139 - -" added.
Rule "DROP - - udp 1024: 137 -" added.
Rule "DROP - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" added.
Rule "REJECT - - udp 137:139 - -" added.
Rule "REJECT - - udp 1024: 137 -" added.
Rule "REJECT - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy DROP for net to loc using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for dmz to fw using chain all2all
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 10.0.0.0/24 through eth0
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
Processing /etc/shorewall/started ...
[root@serverwall ~]#

Gracias

---

Sabio no es aquel que dedica su vida a aprender sino el que la dedica a enseñar.

Perdon Oscar, quice decir SMTP en lugar de SNMP jejejejeje.

Estaba medio abatido ese dia por la gripe y no sabia lo que escribia jejejeje sorry.

Olvida el mensaje anterior... dime ofreces algun servicio a tus usuarios para que puedan consultar su correo via web, algo como webmail con squirrelmail por ejemplo? si es asi prueba entrar a una cuenta desde una maquina cliente via web y si entras quiere decir que el problema lo tienes localmente, es decir que es problema del outlook, quiza debas poner que error te marca el outlook al tratar de conectar al servidor de correo.

Mientras haces eso haz un
root@-# tail -f /var/log/messages

Y si es problema del firewall ahi podras ver lo que te esta bloqueando, claro esto siempre y cuando tengas en tu archivo policy algo como esto:

$FW loc DROP info
$FW net DROP info

Segun las zonas que tengas y asi con todas las politicas que tengas le debes poner "info" al final, para que puedas ver en el log las conexiones, que te esta bloqueando el firewall. Con esto podras ver el puerto que necesitas abrir.

Atte Ismael

P.D. Perdon por hacerles perder el tiempo.

Hola de nueva cuenta, disculpen que vuela a retomar esta pregunta pero sigo sin tener exito, el porque hasta ahora vuelvo es porque estuve haciendo prueba (instalando y desinstalando -CentOS 4.5 , 5, Shorewall 3.x y squid), para ver que es lo que estaba pasando, me estaba enfocando a que erá el shorewall, he incluso lo instale desde http://www.shorewall.net, he seguido el manual con detalle para ver si no me equivocaba al tratar de montar el servicio del shorewall, pero al parecer todo esta bien excepto que no puedo enviar ni recibir correos con el O. Express y cuando entro a una cuenta de correo por web me manda un error

ERROR

The requested URL could not be retrieved


While trying to retrieve the URL: http://dhgtechnology.com:2095/


The following error was encountered:


* Connection to Failed


The system returned:


(13) Permission denied


The remote host or network may be down. Please try the request again.


Your cache administrator is Webmaster.

Generated Thu, 27 Sep 2007 19:39:37 GMT by serverwall.mkt (squid/2.6.STABLE6)


he incluso en el manual dice que en conveniente dar las IP cuando se detiene el cortafuego para que no afecte el servicio del squid, ahi es donde me day cuenta que sigue haciendo lo mismo, sera que el Squid no esta funcionando con el shorewall

cheque la bitacora de mensajes y esto es lo que tiene,

Dec 10 12:13:55 fireserver setroubleshoot: SELinux is preventing the squid daemon from connecting to network port 2095 For complete SELinux messages. run sealert -l e02053fc-5a7b-409e-9b0f-973cd4ed0350
Dec 10 12:13:55 fireserver last message repeated 2 times
Dec 10 12:16:53 fireserver kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:30:84:0b:60:1c:00:0b:6a:04:05:5c:08:00 SRC=10.0.0.13 DST=10.0.0.98 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=38880 PROTO=UDP SPT=1035 DPT=53 LEN=44
Dec 10 12:21:53 fireserver kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:30:84:0b:60:1c:00:0b:6a:04:05:5c:08:00 SRC=10.0.0.13 DST=10.0.0.98 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=39385 PROTO=UDP SPT=1035 DPT=53 LEN=44
Dec 10 12:26:53 fireserver kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:30:84:0b:60:1c:00:0b:6a:04:05:5c:08:00 SRC=10.0.0.13 DST=10.0.0.98 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=64072 PROTO=UDP SPT=1035 DPT=53 LEN=44
Dec 10 12:27:49 fireserver setroubleshoot: SELinux is preventing the squid daemon from connecting to network port 2095 For complete SELinux messages. run sealert -l e02053fc-5a7b-409e-9b0f-973cd4ed0350
Dec 10 12:27:49 fireserver last message repeated 2 times
Dec 10 12:28:21 fireserver kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:30:84:0b:60:1c:00:0b:6a:04:05:5c:08:00 SRC=10.0.0.13 DST=10.0.0.98 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=64640 PROTO=UDP SPT=1035 DPT=53 LEN=44
Dec 10 12:46:24 fireserver kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.0.0.98 DST=224.0.0.251 LEN=106 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=86


espero me puedan ayudar

gracias

---

Sabio no es aquel que dedica su vida a aprender sino el que la dedica a enseñar.

en el archivo masq que tienes?

Gracias por contestar, en el manual de este foro me indica que debo de poner algo asi

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.0.0/24
eth0 192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


yo puse esto

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 10.0.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


he incluso hice esto, que también me aconsejaron en http://www.com-sl.org/staticpages/index.php?page=config-shorewall


#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth1 eth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

y viceversa


#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


pero ninguna de las formas me queda


saludos

---

Sabio no es aquel que dedica su vida a aprender sino el que la dedica a enseñar.

con respecto a masq ...

Para enmascarar la red local.
En la columna interface se pone el nombre de la interfaz conectada a Internet (por ejemplo: eth0, eth1 ...)
En la columna subnet, tienes de 2 sopas, puedes poner el nombre de la interfaz conectada a la red local (eth0, eth1 ...) o poner una subred (192.168.1.0/24, 10.0.0.0/24)


vi /etc/shorewall/masq

#Interface Subnet
eth0 eth1

o

#Interface Subnet
eth0 192.168.1.0/24

Aunque no creo que vaya por ahi tu problema.

Con respecto a esto:

"While trying to retrieve the URL: http://dhgtechnology.com:2095/"

Quiere decir que se intento una conexion por el puerto 2095, pero ese puerto esta bloqueado, si asi esta configurado, debes abrirlo.

Que tienes en rules?
y en policy?