Folks,

I'm thinking about setting my modem in bridge mode to enable access to the other IP addresses in my block and I would appreciate some pointers: though I have looked around it's confusing me.

The short version:

- switching modem to bridging mode means losing its NAT: how to replicate, preferably transparently c.f. present setup?
- bridging also means losing PPP authentication: does the linux PPPoE daemon interact at all with Shorewall?
- how to enable access and control of the "other" IPs through shorewall: linux virtual net interfaces and new "interfaces"?
- adding in a wifi card as an access point to the config: just a new "interface" if IP addresses the same?

The detail:

At present the modem is running in basic (1 IP) + NAT with a single net wire to the main internet server/firewall - which is of course using Shorewall as well as email and web servers. I'm hoping for some pointers as my hesitancy is because it's a server several others depend on and I seem to have no choice but to take it down while this happens... so I want to get it right first time :-)

My shorewall is based on Ubuntu Linux 12.1 with Shorewall 4.4.26.1. I can supply specifics of the rules, conf, etc if that helps:

"interfaces": "net" == "eth1" and "loc" == "eth2"; I also have an "eth3" which is a wifi card I hope to set up sometime to replace a separate wifi router...
"policy": Standard sorts of things. Default reject
"rules": Various additional macros, a couple of "blacklist" hosts, but again "normal"
"Shorewall.conf": largely default.
"zones": fw == firewall, net = ipv4, loc = ipv4

I think I have to add an entry to "masq" like this to enable NAT, where the first IP is my internal net block and the second is my main internet IP:

    eth2 192.168.2.0/24 82.62.47.198

Is that all I need to do to emulate what my modem's NAT is doing now?

My ISP says that traffic to my other IPs is sent to the .198 address as a kind of "default gateway", so a client talking to a server running on 82.62.47.195 will still end up being sent through the .198 address ... confusing to me anyway... so:

...to use my multiple IPs I guess I need more zones and then use those zones in additional policies / rules? At present, the additional IPs will be given specific purposes and probably won't leave the internet server host; I guess I need to set up some virtual interfaces somewhere? Any hints?

I believe I have to enable the pppoe daemon on the server to dial/redial the ISP as required. Is that done without regards to any shorewall config, or do I have to tell shorewall about it in some way?

Lastly, the eth3/wifi link is supposed to be so I can monitor/secure wifi connections separately from the wired ones. Does that complicate the setup or just add a new "interface"? I would like to be able to use the same IP addresses over WiFi, so shorewall will just be saying (if comes from/to eth3 then apply rules X else if eth2 then rules Y) - at least that's my hope.

Regards
Ruth

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
On 02/25/2013 09:50 AM, Ruth Ivimey-Cook wrote:
> Folks,
>
> I'm thinking about setting my modem in bridge mode to enable access to the other IP addresses in my block and I would appreciate some pointers: though I have looked around it's confusing me.
>
> The short version:
>
> - switching modem to bridging mode means losing its NAT: how to replicate, preferably transparently c.f. present setup?
> - bridging also means losing PPP authentication: does the linux PPPoE daemon interact at all with Shorewall?
> - how to enable access and control of the "other" IPs through shorewall: linux virtual net interfaces and new "interfaces"?
> - adding in a wifi card as an access point to the config: just a new "interface" if IP addresses the same?
>
> The detail:
>
> At present the modem is running in basic (1 IP) + NAT with a single net wire to the main internet server/firewall - which is of course using Shorewall as well as email and web servers. I'm hoping for some pointers as my hesitancy is because it's a server several others depend on and I seem to have no choice but to take it down while this happens... so I want to get it right first time :-)
>
> My shorewall is based on Ubuntu Linux 12.1 with Shorewall 4.4.26.1. I can supply specifics of the rules, conf, etc if that helps:
>
> "interfaces": "net" == "eth1" and "loc" == "eth2"; I also have an "eth3" which is a wifi card I hope to set up sometime to replace a separate wifi router...
> "policy": Standard sorts of things. Default reject
> "rules": Various additional macros, a couple of "blacklist" hosts, but again "normal"
> "Shorewall.conf": largely default.
> "zones": fw == firewall, net = ipv4, loc = ipv4
>
> I think I have to add an entry to "masq" like this to enable NAT, where the first IP is my internal net block and the second is my main internet IP:
>
>     eth2 192.168.2.0/24 82.62.47.198
>
> Is that all I need to do to emulate what my modem's NAT is doing now?

Should be.

> My ISP says that traffic to my other IPs is sent to the .198 address as a kind of "default gateway", so a client talking to a server running on 82.62.47.195 will still end up being sent through the .198 address ... confusing to me anyway... so:
>
> ...to use my multiple IPs I guess I need more zones and then use those zones in additional policies / rules? At present, the additional IPs will be given specific purposes and probably won't leave the internet server host; I guess I need to set up some virtual interfaces somewhere? Any hints?

How are you using them now? Once we know that, we will be able to advise you.

> I believe I have to enable the pppoe daemon on the server to dial/redial the ISP as required. Is that done without regards to any shorewall config, or do I have to tell shorewall about it in some way?

Your 'net' interface will be ppp0. You should really review http://www.shorewall.net/two-interface.htm again; it talks about PPP.

> Lastly, the eth3/wifi link is supposed to be so I can monitor/secure wifi connections separately from the wired ones. Does that complicate the setup or just add a new "interface"? I would like to be able to use the same IP addresses over WiFi, so shorewall will just be saying (if comes from/to eth3 then apply rules X else if eth2 then rules Y) - at least that's my hope.

The above article also discusses the addition of a wireless segment.

-Tom

-- 
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
Hi Tom

>> ...to use my multiple IPs I guess I need more zones and then use those zones in additional policies / rules? At present, the additional IPs will be given specific purposes and probably won't leave the internet server host; I guess I need to set up some virtual interfaces somewhere? Any hints?
> How are you using them now? Once we know that, we will be able to advise you.

At the moment, the additional IPs are not being used: all traffic is sent to just one IP on the modem and NATed from there into the internet server.

I would like to be able to split off some services - mail and web probably - onto other addresses.

>> I believe I have to enable the pppoe daemon on the server to dial/redial the ISP as required. Is that done without regards to any shorewall config, or do I have to tell shorewall about it in some way?
> Your 'net' interface will be ppp0. You should really review http://www.shorewall.net/two-interface.htm again; it talks about PPP.

Ok, I will do that. Thanks.

Regards
Ruth
On 2/25/13 5:19 PM, "Ruth Ivimey-Cook" <ruth@ivimey.org> wrote:
> Hi Tom
>
>>> ...to use my multiple IPs I guess I need more zones and then use those zones in additional policies / rules? At present, the additional IPs will be given specific purposes and probably won't leave the internet server host; I guess I need to set up some virtual interfaces somewhere? Any hints?
>> How are you using them now? Once we know that, we will be able to advise you.
> At the moment, the additional IPs are not being used: all traffic is sent to just one IP on the modem and NATed from there into the internet server.
>
> I would like to be able to split off some services - mail and web probably - onto other addresses.

Services on the firewall or on servers behind the firewall?

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Unwound my work stack to carry on with this... had a chance to review the docs again and there's one point I'm not sure about. For clarity, the question was about using a Zyxel modem in Bridge mode, which automatically disables NAT, and how to configure shorewall to take over the role.

Tom Eastep wrote:
> On 02/25/2013 09:50 AM, Ruth Ivimey-Cook wrote:
>> I think I have to add an entry to "masq" like this to enable NAT, where the first IP is my internal net block and the second is my main internet IP:
>>
>>     eth2 192.168.1.0/24 82.62.47.198
>>
>> Is that all I need to do to emulate what my modem's NAT is doing now?
> Should be.

My router has a "default server" in its NAT setup. NATs everything on 192.168.1.0/24 but has a default server set as 192.168.1.2. This is needed because my internal network runs on another IP block - say 192.168.8.0/24 - so that only the "DMZ" zone between the router and the firewall is 192.168.1.0/24.

I'm thinking that essentially I lose the 192.168.1.0/24 zone because what is left of it will be firewall-internal, but I'm not sure, and in any case how do I talk to the modem if it's no longer got an IP?

So: if I do need both IP zones, is the old default server setting still necessary, and how do I talk to the modem config if it no longer has an IP of its own?

Sorry, rather confused as you can see,
Ruth

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
Robert K Coffman Jr. -Info From Data Corp.
2013-Mar-04 22:03 UTC
Re: Pointers for setting up PPPoE + NAT
Ruth,

Not sure what you mean by a "default server" so I'm not sure I can help on that point.

On the modem - when you bridge it, usually you do lose IP access to it (I've seen exceptions.) You shouldn't need to configure it beyond the bridging. Your shorewall firewall should then be configured to do the PPP auth.

- Bob
Robert

Thanks for your reply

> Not sure what you mean by a "default server" so I'm not sure I can help on that point.

That's what it's called in the config... There are options for sending traffic for specific ports to other IPs, so e.g. you can send port 80 traffic to IP1, port 25 traffic to IP2... there's also a default IP (the default server) to send anything for ports not otherwise listed. I guess it's a kind of simplistic routing table.

I found that leaving this out of the modem's config means it doesn't route properly when the internal IP is not that of the gateway.

I guess I replace this with a simple routing rule on the gateway and it's not really a shorewall thing?

> On the modem - when you bridge it, usually you do lose IP access to it (I've seen exceptions.) You shouldn't need to configure it beyond the bridging. Your shorewall firewall should then be configured to do the PPP auth.

Ok.. at least I'm not misunderstanding something. It seems strange that the manufacturers don't find a better solution...

Regards
Ruth

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
On 03/04/2013 02:45 PM, Ruth Ivimey-Cook wrote:
> Robert
>
> Thanks for your reply
>> Not sure what you mean by a "default server" so I'm not sure I can help on that point.
> That's what it's called in the config... There are options for sending traffic for specific ports to other IPs, so e.g. you can send port 80 traffic to IP1, port 25 traffic to IP2... there's also a default IP (the default server) to send anything for ports not otherwise listed. I guess it's a kind of simplistic routing table.
>
> I found that leaving this out of the modem's config means it doesn't route properly when the internal IP is not that of the gateway.
>
> I guess I replace this with a simple routing rule on the gateway and it's not really a shorewall thing?
>
>> On the modem - when you bridge it, usually you do lose IP access to it (I've seen exceptions.) You shouldn't need to configure it beyond the bridging. Your shorewall firewall should then be configured to do the PPP auth.
> Ok.. at least I'm not misunderstanding something. It seems strange that the manufacturers don't find a better solution...

It sounds to me like you pretty much want to follow the Three-interface Shorewall Quickstart Guide. It will require three NICs in the Shorewall box in order to retain your DMZ.

-Tom

-- 
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
Hi Ruth, I will answer as best I can the parts I'm familiar with for you. I used to have a static /28 subnet with a prior ISP so I have experience with some of these points.

With the default server, your questions lead me to believe that you are presuming that you cannot keep on having shorewall take over the router's job here and perform the same job. Every NAT rule is separate and can either specify an IP address or specify an IP and port, such that you can easily have some odd ports go to one location and the remainder go to a default endpoint. The way to go about this in shorewall would be about the order you place the rules in the file. With a few exceptions noted in the documentation (like tcrules), iptables rules are first match wins; this means if you wrote your shorewall rules like this it would work.

    1 DNAT net loc:IP1  tcp 25 - &netiface
    2 DNAT net loc:IP2  tcp 80 - &netiface
    3 DNAT net loc:DEFIP -   -  - &netiface

You can use the IP instead of &ifname if you prefer; it simply expands to the primary IP address on ifname, which is useful if there is any chance that the IP address could change, or just for readability. Do note the ordering is important: when any of these rules match, the packet is done, so you need your most specific/highest priority rules first and lower priority wide defaults last.

On 04/03/13 20:53, Ruth Ivimey-Cook wrote:
> Unwound my work stack to carry on with this... had a chance to review the docs again and there's one point I'm not sure about. For clarity, the question was about using a Zyxel modem in Bridge mode, which automatically disables NAT, and how to configure shorewall to take over the role.
>
> Tom Eastep wrote:
>> On 02/25/2013 09:50 AM, Ruth Ivimey-Cook wrote:
>>> I think I have to add an entry to "masq" like this to enable NAT, where the first IP is my internal net block and the second is my main internet IP:
>>>
>>>     eth2 192.168.1.0/24 82.62.47.198
>>>
>>> Is that all I need to do to emulate what my modem's NAT is doing now?
>> Should be.
> My router has a "default server" in its NAT setup. NATs everything on 192.168.1.0/24 but has a default server set as 192.168.1.2. This is needed because my internal network runs on another IP block - say 192.168.8.0/24 - so that only the "DMZ" zone between the router and the firewall is 192.168.1.0/24.
>
> I'm thinking that essentially I lose the 192.168.1.0/24 zone because what is left of it will be firewall-internal, but I'm not sure, and in any case how do I talk to the modem if it's no longer got an IP?
>
> So: if I do need both IP zones, is the old default server setting still necessary, and how do I talk to the modem config if it no longer has an IP of its own?
>
> Sorry, rather confused as you can see,
> Ruth
Sorry about the numbers there; I added them as I was planning to write an explanation of each, then decided it probably wasn't required and forgot to remove them. Oh well, they serve as identifiers if anyone has any further queries related to them.

On 04/03/13 23:09, Matt Joyce wrote:
> Hi Ruth, I will answer as best I can the parts I'm familiar with for you. I used to have a static /28 subnet with a prior ISP so I have experience with some of these points.
>
> With the default server, your questions lead me to believe that you are presuming that you cannot keep on having shorewall take over the router's job here and perform the same job. Every NAT rule is separate and can either specify an IP address or specify an IP and port, such that you can easily have some odd ports go to one location and the remainder go to a default endpoint. The way to go about this in shorewall would be about the order you place the rules in the file. With a few exceptions noted in the documentation (like tcrules), iptables rules are first match wins; this means if you wrote your shorewall rules like this it would work.
>
>     1 DNAT net loc:IP1  tcp 25 - &netiface
>     2 DNAT net loc:IP2  tcp 80 - &netiface
>     3 DNAT net loc:DEFIP -   -  - &netiface
>
> You can use the IP instead of &ifname if you prefer; it simply expands to the primary IP address on ifname, which is useful if there is any chance that the IP address could change, or just for readability. Do note the ordering is important: when any of these rules match, the packet is done, so you need your most specific/highest priority rules first and lower priority wide defaults last.
>
> On 04/03/13 20:53, Ruth Ivimey-Cook wrote:
>> Unwound my work stack to carry on with this... had a chance to review the docs again and there's one point I'm not sure about. For clarity, the question was about using a Zyxel modem in Bridge mode, which automatically disables NAT, and how to configure shorewall to take over the role.
>>
>> Tom Eastep wrote:
>>> On 02/25/2013 09:50 AM, Ruth Ivimey-Cook wrote:
>>>> I think I have to add an entry to "masq" like this to enable NAT, where the first IP is my internal net block and the second is my main internet IP:
>>>>
>>>>     eth2 192.168.1.0/24 82.62.47.198
>>>>
>>>> Is that all I need to do to emulate what my modem's NAT is doing now?
>>> Should be.
>> My router has a "default server" in its NAT setup. NATs everything on 192.168.1.0/24 but has a default server set as 192.168.1.2. This is needed because my internal network runs on another IP block - say 192.168.8.0/24 - so that only the "DMZ" zone between the router and the firewall is 192.168.1.0/24.
>>
>> I'm thinking that essentially I lose the 192.168.1.0/24 zone because what is left of it will be firewall-internal, but I'm not sure, and in any case how do I talk to the modem if it's no longer got an IP?
>>
>> So: if I do need both IP zones, is the old default server setting still necessary, and how do I talk to the modem config if it no longer has an IP of its own?
>>
>> Sorry, rather confused as you can see,
>> Ruth
Hi Matt

> Sorry about the numbers there; I added them as I was planning to write an explanation of each, then decided it probably wasn't required and forgot to remove them. Oh well, they serve as identifiers if anyone has any further queries related to them.

No problem, and what you've done here does I think help a lot.

I will have to pull my courage together and actually do it now! (this is all on the one-and-only internet access for the site and there are external servers here, so being down at all is to be avoided... )

Best regards,
Ruth

> On 04/03/13 23:09, Matt Joyce wrote:
>> Hi Ruth, I will answer as best I can the parts I'm familiar with for you. I used to have a static /28 subnet with a prior ISP so I have experience with some of these points.
>>
>> With the default server, your questions lead me to believe that you are presuming that you cannot keep on having shorewall take over the router's job here and perform the same job. Every NAT rule is separate and can either specify an IP address or specify an IP and port, such that you can easily have some odd ports go to one location and the remainder go to a default endpoint. The way to go about this in shorewall would be about the order you place the rules in the file. With a few exceptions noted in the documentation (like tcrules), iptables rules are first match wins; this means if you wrote your shorewall rules like this it would work.
>>
>>     1 DNAT net loc:IP1  tcp 25 - &netiface
>>     2 DNAT net loc:IP2  tcp 80 - &netiface
>>     3 DNAT net loc:DEFIP -   -  - &netiface
>>
>> You can use the IP instead of &ifname if you prefer; it simply expands to the primary IP address on ifname, which is useful if there is any chance that the IP address could change, or just for readability. Do note the ordering is important: when any of these rules match, the packet is done, so you need your most specific/highest priority rules first and lower priority wide defaults last.

-- 
Software Manager & Engineer
Tel: 01223 414180
Blog: http://www.ivimey.org/blog
LinkedIn: http://uk.linkedin.com/in/ruthivimeycook/
I can understand that. Provided you get everything configured first, it should be no more than the time it takes to switch cables around; just to forewarn you, there will be a brief interruption when you make the switch for at least any connection where DNAT is involved, even if the IPs don't change. The reason being that a network device performing DNAT is stateful (it needs to remember which active connection maps where); when the device performing the NAT changes, it no longer has the state information from the existing device, so each connection needs to be established again.

I find, especially if there are a large number of actions or if it is particularly critical to get it right first time, it is worth sitting down before you even start and writing your ruleset out in description form first, but do it so that each bullet point is one rule, i.e.:

* All traffic with destination <IP> and port <port> in interface <name> DNAT to <IP> on <port>

If you have something like that you can then go through and verify that the rules in your shorewall configuration match. It can be a bit much to be useful as an iptables rule comment, but I find it can be a handy reference to actually include them in the config files, like:

    # Rule 1: Accept TCP traffic from the internet zone destination 198.51.100.54 port 80.
    ?COMMENT Rule 1: Accept HTTP
    ACCEPT net 198.51.100.54 tcp 80

Shorewall will completely ignore the # comment; the second one is added to the rule and will show up in "shorewall show" etc., which makes it easy to identify and find which rule generates what, especially if you number them in order.

On 05/03/13 18:46, Ruth Ivimey-Cook wrote:
> Hi Matt
>> Sorry about the numbers there; I added them as I was planning to write an explanation of each, then decided it probably wasn't required and forgot to remove them. Oh well, they serve as identifiers if anyone has any further queries related to them.
> No problem, and what you've done here does I think help a lot.
>
> I will have to pull my courage together and actually do it now! (this is all on the one-and-only internet access for the site and there are external servers here, so being down at all is to be avoided... )
>
> Best regards,
> Ruth
>
>> On 04/03/13 23:09, Matt Joyce wrote:
>>> Hi Ruth, I will answer as best I can the parts I'm familiar with for you. I used to have a static /28 subnet with a prior ISP so I have experience with some of these points.
>>>
>>> With the default server, your questions lead me to believe that you are presuming that you cannot keep on having shorewall take over the router's job here and perform the same job. Every NAT rule is separate and can either specify an IP address or specify an IP and port, such that you can easily have some odd ports go to one location and the remainder go to a default endpoint. The way to go about this in shorewall would be about the order you place the rules in the file. With a few exceptions noted in the documentation (like tcrules), iptables rules are first match wins; this means if you wrote your shorewall rules like this it would work.
>>>
>>>     1 DNAT net loc:IP1  tcp 25 - &netiface
>>>     2 DNAT net loc:IP2  tcp 80 - &netiface
>>>     3 DNAT net loc:DEFIP -   -  - &netiface
>>>
>>> You can use the IP instead of &ifname if you prefer; it simply expands to the primary IP address on ifname, which is useful if there is any chance that the IP address could change, or just for readability. Do note the ordering is important: when any of these rules match, the packet is done, so you need your most specific/highest priority rules first and lower priority wide defaults last.

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
endpoint security space. For insight on selecting the right partner to
tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev
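The two points Matt makes in this thread, that iptables rules are first match wins so the specific DNAT rules must sit above the "default server" catch-all, and that a ?COMMENT line labels the rules that follow it so they can be found again in "shorewall show", as an added Python example that is not part of the list discussion and not Shorewall's own code. It parses a constructed rules file laid out in the /etc/shorewall/rules columns, emulates first-match for sample packets, and reports any rule that an earlier, at-least-as-broad rule hides. The internal host addresses, the &ppp0 ORIGDEST (following Tom's note that the net interface becomes ppp0) and the misplaced rule 4 are assumptions made for the example.

```python
"""Offline first-match simulation for a Shorewall-style DNAT ruleset.

Added example: it mirrors Shorewall's ordering semantics and its ?COMMENT
convention but is not Shorewall code. The rules below are constructed.
"""
from dataclasses import dataclass

# Constructed rules text in the layout of /etc/shorewall/rules
# (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST); "-" means "any".
# Hosts, the &ppp0 ORIGDEST and rule 4 are assumptions for the example.
SAMPLE_RULES = """\
# Rule 1: SMTP from the internet goes to the mail host.
?COMMENT Rule 1: SMTP to mail host
DNAT    net    loc:192.168.8.25    tcp    25    -    &ppp0
# Rule 2: HTTP from the internet goes to the web host.
?COMMENT Rule 2: HTTP to web host
DNAT    net    loc:192.168.8.80    tcp    80    -    &ppp0
# Rule 3: anything else goes to the default server.
?COMMENT Rule 3: default server
DNAT    net    loc:192.168.8.2     -      -     -    &ppp0
# Rule 4: placed after the catch-all by mistake, so it can never match.
?COMMENT Rule 4: SSH to admin host
DNAT    net    loc:192.168.8.22    tcp    22    -    &ppp0
"""


@dataclass
class Rule:
    comment: str   # text of the ?COMMENT in effect when the rule was read
    action: str
    source: str
    dest: str
    proto: str     # "-" means any protocol
    dport: str     # "-" means any destination port


def parse_rules(text):
    """Parse rule lines. '#' lines are ignored; a ?COMMENT stays in effect
    for every following rule until the next ?COMMENT, as in Shorewall."""
    rules, comment = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("?COMMENT"):
            comment = line[len("?COMMENT"):].strip()
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))  # missing optional columns mean "any"
        rules.append(Rule(comment, cols[0], cols[1], cols[2], cols[3], cols[4]))
    return rules


def covers(broad, narrow):
    """True when every packet matching `narrow` would already match `broad`."""
    return (broad.source == narrow.source
            and broad.proto in ("-", narrow.proto)
            and broad.dport in ("-", narrow.dport))


def first_match(rules, proto, dport):
    """Emulate iptables first-match: (1-based index, DEST) of the winning rule."""
    for idx, rule in enumerate(rules, 1):
        if rule.proto in ("-", proto) and rule.dport in ("-", str(dport)):
            return idx, rule.dest
    return None


def shadowed_rules(rules):
    """1-based indexes of rules that an earlier, at-least-as-broad rule hides."""
    return [i + 1 for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def specific_first(rules):
    """Stable reorder: fewer wildcard columns first, so catch-alls go last."""
    return sorted(rules, key=lambda r: (r.proto == "-") + (r.dport == "-"))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for i in shadowed_rules(rules):
        print(f"rule {i} ({rules[i - 1].comment}) can never match")
    fixed = specific_first(rules)
    for proto, port in (("tcp", 25), ("tcp", 80), ("tcp", 22), ("udp", 53)):
        print(proto, port, "->", first_match(fixed, proto, port))
```

Run as written, the report flags rule 4 as unreachable behind the default-server catch-all; after the reorder, TCP/22 reaches the admin host and UDP/53 still falls through to the default server. The same check can be pointed at a real rules file before the cut-over Matt describes, which is when a shadowed forward would otherwise show up only as a connection that never arrives.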