
#1 2009-01-04 23:01:52

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

need help to set up a firewall (shorewall and internet sharing)

Hello everyone,
I'm in the process of setting up a PC to be used as a firewall and for sharing the internet.

Basically my config is the following:
-- ADSL modem --- firewall --- switch --- pc1, pc2, pc3, wifi access point.

ADSL modem internal IP is 192.168.0.254
firewall external IP is 192.168.0.10
firewall internal IP is 192.168.0.11
pc1, pc2... have static IP, dhcp may be used for guests pc and wifi.

I closely followed this wiki article http://wiki.archlinux.org/index.php?title=NAT'ing_firewall_-_Share_your_broadband_connection (except the kernel compilation part, because I assume the needed modules are already available), up to the shorewall part: I can't share the connection and I really don't know why. Please lend me your eyeballs to help me find out what's wrong.

Here are a few config files on the firewall:

$ cat /etc/hosts.allow
#
# /etc/hosts.allow
#
sshd sshd1 sshd2: 192.168.0.
vsftpd: 192.168.0.
#nfsd: 192.168.0.
#portmap: 192.168.0.
#mountd: 192.168.0.
$ cat /etc/rc.conf
#
# /etc/rc.conf - Main Configuration for Arch Linux
#
LOCALE="en_US.utf8"
HARDWARECLOCK="localtime"
USEDIRECTISA="no"
TIMEZONE="Europe/Paris"
KEYMAP="fr"
CONSOLEFONT=
CONSOLEMAP=
USECOLOR="yes"

# -----------------------------------------------------------------------
# HARDWARE
# -----------------------------------------------------------------------
MOD_AUTOLOAD="no"
#MOD_BLACKLIST=() #deprecated
MODULES=(sis900 8139too 3c59x winbond-840 ne2k-pci 8390 psmouse lp parport parport_pc mii !ac97_bus !snd !snd-mixer-oss !snd-pcm-oss !snd-seq-oss !snd-seq-device !snd-seq-midi-event !snd-seq !snd-page-alloc !snd-pcm !snd-rawmidi !snd-timer !snd !snd-mpu401-uart !snd-mpu401 !snd-ac97-codec !snd-trident !soundcore !snd-util-mem)

# Scan for LVM volume groups at startup, required if you use LVM
USELVM="no"                                                     

# -----------------------------------------------------------------------
# NETWORKING                                                             
# -----------------------------------------------------------------------
#                                                                        
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts        
#                                                                        
HOSTNAME="harrypotter"                                                   

eth0="eth0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255"
eth1="eth1 192.168.0.11 netmask 255.255.255.0 broadcast 192.168.0.255"
#eth2="eth2 192.168.0.11 netmask 255.255.255.0 broadcast 192.168.0.255"
#eth3="eth3 192.168.0.11 netmask 255.255.255.0 broadcast 192.168.0.255"

INTERFACES=(eth0 eth1 !eth2 !eth3)

gateway="default gw 192.168.0.254"
ROUTES=(gateway)

DAEMONS=(syslog-ng network !netfs @acpid shorewall !iptables @crond !portmap !nfslock !nfsd @cups @sshd @vsftpd @dnsmasq)

A few shorewall files

$ cat /etc/shorewall/shorewall.conf
###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                             V E R B O S I T Y                                
###############################################################################

VERBOSITY=1

###############################################################################
#                              C O M P I L E R                                 
#      (setting this to 'perl' requires installation of Shorewall-perl)        
###############################################################################

SHOREWALL_COMPILER=

###############################################################################
#                              L O G G I N G                                   
###############################################################################

LOGFILE=/var/log/messages

STARTUP_LOG=/var/log/shorewall_start

LOG_VERBOSITY=

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=Yes

###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S      
###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

#SUBSYSLOCK=/var/lock/subsys/shorewall
SUBSYSLOCK=/var/run                   

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S                    
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S                        
###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
#                       F I R E W A L L   O P T I O N S                        
###############################################################################

IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=No

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=No

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=1

EXPORTPARAMS=No

EXPAND_POLICIES=Yes

KEEP_RT_TABLES=No

DELETE_THEN_ADD=Yes

MULTICAST=No

DONT_LOAD=

AUTO_COMMENT=Yes

MANGLE_ENABLED=Yes

###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE

eth0 is 192.168.0.10 (firewall external)
eth1 is 192.168.0.10 (firewall internal)


# cat /etc/shorewall/interfaces
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc     eth1            detect          tcpflags,nosmurfs,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# cat /etc/shorewall/masq
###############################################################################
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                    eth1            192.168.0.10
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The next one is quite permissive because I'm currently trying to figure out what's wrong...

# cat /etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc             net             ACCEPT
#loc            $FW             REJECT          info
loc             $FW             ACCEPT          info
loc             all             REJECT          info

#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
#$FW            net             REJECT          info
$FW             net             ACCEPT          info
$FW             loc             ACCEPT          info
$FW             all             REJECT          info

#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             ACCEPT          info
net             loc             ACCEPT          info
net             all             ACCEPT          info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# cat /etc/shorewall/rules
#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#
#       Accept DNS connections from the firewall to the network
#
DNS/ACCEPT      $FW             net
DNS/ACCEPT      loc             $FW

DNS/ACCEPT      $FW             loc
DNS/ACCEPT      net             $FW

#
#       Accept SSH connections from the local network for administration
#                                                                       
#SSH/ACCEPT     loc             $FW                                     

# SSH from local zone
ACCEPT          loc             $FW             TCP     2210
ACCEPT          loc             $FW             TCP     2211

# CUPS from local zone
ACCEPT          loc             $FW             TCP     631
ACCEPT          net             $FW             TCP     631
ACCEPT          $FW             loc             TCP     631
ACCEPT          $FW             net             TCP     631

# SSH from internet zone
ACCEPT          net             $FW             TCP     2210
ACCEPT          net             $FW             TCP     2211

#
#       Allow Ping from the local network
#
#Ping/ACCEPT    loc             $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

#Ping/DROP      net             $FW

# Ping to/from local network
ACCEPT          net             loc             icmp
ACCEPT          loc             net             icmp

# Ping to firewall
ACCEPT          net             $FW             icmp
ACCEPT          loc             $FW             icmp

# Ping from firewall
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
#

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

rc.conf as an example for pc1

$ cat /etc/rc.conf
#
# /etc/rc.conf - Main Configuration for Arch Linux
#

LOCALE="en_US.utf8"
HARDWARECLOCK="localtime"
USEDIRECTISA="no"
TIMEZONE="Europe/Paris"
KEYMAP="fr"
CONSOLEFONT=
CONSOLEMAP=
USECOLOR="yes"

# -----------------------------------------------------------------------
# HARDWARE
# -----------------------------------------------------------------------

MOD_AUTOLOAD="yes"
#MOD_BLACKLIST=() #deprecated
MODULES=(sky2 slhc !ipw3945 iwl3945 snd-mixer-oss snd-pcm-oss snd-hwdep snd-page-alloc snd-pcm snd-timer snd snd-hda-intel soundcore)

# Scan for LVM volume groups at startup, required if you use LVM
USELVM="no"

# -----------------------------------------------------------------------
# NETWORKING
# -----------------------------------------------------------------------
#

HOSTNAME="acer9814"

eth0="eth0 192.168.0.50 netmask 255.255.255.0 broadcast 192.168.0.255"
#wlan0="dhcp"

INTERFACES=(eth0 !wlan0)

gateway="default gw 192.168.0.11"
ROUTES=(gateway)

# -----------------------------------------------------------------------
# DAEMONS
# -----------------------------------------------------------------------
#
DAEMONS=(syslog-ng !network hal !netfs !wicd @crond @alsa @keytouch @dnsmasq)

Thanks for any help or guidance.


what goes up must come down


#2 2009-01-05 14:23:59

scrawler
Member
Registered: 2005-06-07
Posts: 318

Re: need help to set up a firewall (shorewall and internet sharing)

This isn't much help, I know, but why don't you just put ipcop on the machine?


#3 2009-01-05 20:54:18

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: need help to set up a firewall (shorewall and internet sharing)

Well, that's actually one of my plans...
The point is, all my family's computers run Arch, so using Arch for the router as well would make sense (I feel this would be easier for me to maintain...).

Now, I'm very bad when it comes to networking, but setting up a router didn't sound too difficult to me. Plus it could help me improve my skills in networking. So I really hope I can find someone to help me diagnose and sort this out...




#4 2009-01-07 09:20:14

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: need help to set up a firewall (shorewall and internet sharing)

In fact ipcop doesn't fit my needs, because its sole purpose is being a firewall. And I plan to use my router computer for other services (local ftp, printer sharing, and whatever comes to my mind). So I have to choose a more versatile distro, hence arch is my preferred choice.

Anyone with network skills, please give me a hand. It seems my eth1 doesn't get incoming local traffic...




#5 2009-01-07 13:30:30

Execute_Method
Member
From: Tennessee
Registered: 2008-07-26
Posts: 105

Re: need help to set up a firewall (shorewall and internet sharing)

eth0="eth0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255"
ADSL modem internal IP is 192.168.0.254
firewall external IP is 192.168.0.10

Your external interface shouldn't be static unless you have a static IP from your ISP (and the IP scheme of your external interface suggests that is not the case). Most ISPs use automatic configuration and DHCP.
A question I have is: does your ADSL modem have a built-in router? If so, you need to set it to bridge mode.

Also, how are you checking whether you are connected locally? Are you trying to ping the $FW? If so, you need to enable

Ping/ACCEPT    loc             $FW
Ping/DROP      net             $FW

Have you tried connecting via dhcp from one of your other PCs?

Hope this helps a little.

Last edited by Execute_Method (2009-01-07 13:38:26)


#6 2009-01-07 13:47:31

Execute_Method
Member
From: Tennessee
Registered: 2008-07-26
Posts: 105

Re: need help to set up a firewall (shorewall and internet sharing)

# cat /etc/shorewall/masq
###############################################################################
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                    eth1            192.168.0.10
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

http://www.shorewall.net/two-interface.htm

(remember that packets whose destination address is reserved by RFC 1918 can't be routed across the internet so the remote host can't address its response to computer 1)

http://www.shorewall.net/manpages/shorewall-masq.html

ADDRESS (Optional) - [-|NONAT|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect|random]

    If you specify an address here, SNAT will be used and this will be the source address.

You should either set the ADDRESS to a non-RFC1918 IP, or just leave it blank.

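The advice in this post (the masq ADDRESS column) and the configuration dumped in the first post can be checked mechanically. What follows is an added example, not code from the thread, from Arch or from Shorewall: a small Python linter with its own parsers for the rc.conf interface lines and the Shorewall table files shown above. Besides the private SNAT address it flags the one thing nobody in the thread named, both firewall interfaces sitting in 192.168.0.0/24, and every policy or rule that accepts traffic from the net zone (SSH on 2210/2211 and CUPS on 631 are open to the Internet in the posted rules). The sample inputs are constructed from the posted files; the "fixed" set (LAN moved to 192.168.1.0/24, ADDRESS left blank, net zone dropped by default) is my assumption of a working layout, not something the poster tried.

```python
"""Added example (not code from the thread, Arch or Shorewall): lint a Shorewall
two-interface router setup for the mistakes visible in this thread."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Arch rc.conf static interface line: ethN="ethN <addr> netmask <mask> ..."
_IFACE_RE = re.compile(r'^(\w+)="\1\s+(\d+(?:\.\d+){3})\s+netmask\s+(\d+(?:\.\d+){3})')


def parse_rc_interfaces(rc_conf):
    """Map interface name -> IPv4Interface; commented-out and dhcp lines are skipped."""
    ifaces = {}
    for line in rc_conf.splitlines():
        m = _IFACE_RE.match(line.strip())
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def parse_table(text):
    """Shorewall table file: one row per line, whitespace-separated columns, '#' comments."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [cols for cols in rows if cols]


def lint(rc_conf, masq, policy, rules):
    """Return a list of findings; an empty list means none of the four checks fired."""
    findings = []
    ifaces = parse_rc_interfaces(rc_conf)
    # 1. Two firewall interfaces in one subnet: the kernel holds two equal routes and
    #    picks one, so replies to LAN hosts can leave towards the modem instead of
    #    the switch. Each zone needs its own subnet.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a]} and {b} {ifaces[b]} share {ifaces[a].network}")
    # 2. masq ADDRESS: an explicit SNAT address stays pinned when eth0 moves to DHCP
    #    or a public IP, and a private one is unreachable from the Internet once the
    #    modem is bridged. Blank means "use whatever address eth0 has".
    for row in parse_table(masq):
        if len(row) >= 3 and row[2] not in ("-", "detect", "random"):
            try:
                addr = ipaddress.ip_address(row[2].split(":")[0].split("-")[0])
            except ValueError:
                continue  # NONAT, SAME:... or a name: nothing to judge here
            if any(addr in net for net in RFC1918):
                findings.append(f"masq: SNAT address {addr} on {row[0]} is RFC1918; leave ADDRESS blank")
    # 3. Policies that ACCEPT whatever arrives from the net zone.
    for row in parse_table(policy):
        if len(row) >= 3 and row[0] == "net" and row[2].upper() == "ACCEPT":
            findings.append(f"policy: net -> {row[1]} ACCEPT")
    # 4. Rules (plain or macro form such as DNS/ACCEPT) exposing a firewall service to net.
    for row in parse_table(rules):
        if len(row) >= 3 and row[0].split("/")[-1].upper() == "ACCEPT" and row[1:3] == ["net", "$FW"]:
            findings.append(f"rule: {row[0]} net -> $FW {' '.join(row[3:]) or 'any'}")
    return findings


# Constructed sample: the relevant lines as posted in this thread.
POSTED_RC = '''
eth0="eth0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255"
eth1="eth1 192.168.0.11 netmask 255.255.255.0 broadcast 192.168.0.255"
#eth2="eth2 192.168.0.11 netmask 255.255.255.0 broadcast 192.168.0.255"
'''
POSTED_MASQ = "eth0   eth1   192.168.0.10\n"
POSTED_POLICY = '''
loc   net   ACCEPT
net   $FW   ACCEPT   info
net   loc   ACCEPT   info
net   all   ACCEPT   info
all   all   REJECT   info
'''
POSTED_RULES = '''
DNS/ACCEPT   net   $FW
ACCEPT   net   $FW   TCP   631
ACCEPT   net   $FW   TCP   2210
ACCEPT   loc   $FW   TCP   2210
'''
# Constructed sample, my assumption of a working layout (not something the poster
# tried): LAN on its own subnet, ADDRESS left blank, net zone dropped by default.
FIXED_RC = '''
eth0="eth0 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255"
eth1="eth1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
'''
FIXED_MASQ = "eth0   192.168.1.0/24\n"
FIXED_POLICY = "loc   net   ACCEPT\nnet   all   DROP   info\nall   all   REJECT   info\n"
FIXED_RULES = "ACCEPT   loc   $FW   TCP   2210\nPing/ACCEPT   loc   $FW\n"


def lint_samples():
    """Run both sample sets; the posted one should fire, the fixed one stay clean."""
    return {"posted": lint(POSTED_RC, POSTED_MASQ, POSTED_POLICY, POSTED_RULES),
            "fixed": lint(FIXED_RC, FIXED_MASQ, FIXED_POLICY, FIXED_RULES)}


if __name__ == "__main__":
    for name, found in lint_samples().items():
        print(name, found or ["no findings"])
```

Run stand-alone it prints the four classes of finding for the posted set and nothing for the fixed one. The overlap finding is the one worth acting on first: with eth0 and eth1 both in 192.168.0.0/24 the firewall has two identical connected routes and no reliable way to tell the modem side from the switch side, which fits the later report that eth1 "doesn't get incoming local traffic". Separately, the pc1 rc.conf posted above has `!network` in DAEMONS, so its static eth0 line is never applied by the network script; the linter does not look at that.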

#7 2009-01-07 22:00:42

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: need help to set up a firewall (shorewall and internet sharing)

Thanks for taking the time to help me, Execute_Method.

Your external interface shouldn't be static unless you have a static IP from your ISP (and the IP scheme of your external interface suggests that is not the case). Most ISPs use automatic configuration and DHCP.
A question I have is: does your ADSL modem have a built-in router? If so, you need to set it to bridge mode.

I have a static IP from my ISP (78.225.x.x). Indeed, my modem has a built-in router, with DHCP enabled and my PCs' MAC addresses registered so that they all get a static IP. Is it mandatory to set my router to bridged mode?

Also, how are you checking whether you are connected locally? Are you trying to ping the $FW? If so, you need to enable

Ping/ACCEPT    loc             $FW
Ping/DROP      net             $FW

Isn't this the same as:

# Ping to/from local network
ACCEPT          net             loc             icmp
ACCEPT          loc             net             icmp

# Ping to firewall
ACCEPT          net             $FW             icmp
ACCEPT          loc             $FW             icmp

# Ping from firewall
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

? I thought it was.

Have you tried connecting via dhcp from one of your other PCs?

Yes I have. It didn't work either. I will check again, though.

(remember that packets whose destination address is reserved by RFC 1918 can't be routed across the internet so the remote host can't address its response to computer 1)

Sorry, I don't really understand the meaning of this...

ADDRESS (Optional) - [-|NONAT|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect|random]

    If you specify an address here, SNAT will be used and this will be the source address.

You should either set the ADDRESS to a non-RFC1918 IP, or just leave it blank.

I already tried leaving it blank, but it didn't change anything.

I'll try to set my modem to bridged mode, use DHCP for eth0 and blank the address in the masq file, and will let you know how it goes.

Thanks again for trying to help.




#8 2009-01-07 22:39:27

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: need help to set up a firewall (shorewall and internet sharing)

brazzmonkey wrote:

I'll try to set my modem to bridged mode, use DHCP for eth0 and blank the address in the masq file, and will let you know how it goes.

OK, I did all that.

- modem set to bridge mode: eth0 gets my external IP (the one provided by my ISP) -> OK
- one of my computers is set to get its IP by DHCP: it gets a random 192.168.0.x IP address, and its gateway is 192.168.0.11 (the router's eth1) -> OK

But I can't access the internet from my PC or from my router. Am I supposed to open some more ports (80 and so on)?
I can't ping the router either...




#9 2009-01-09 08:41:16

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: need help to set up a firewall (shorewall and internet sharing)

OK, don't bother, I won't use this PC as a router. I spent way too much time trying to get it running properly.

Thanks for trying to help anyway.



