I'm a little unsure of what I need in a config file, here is what I'm trying
to do...

I have a RH7.3 box that acts as my firewall to a local LAN. It's connected to
the world through eth0, my LAN is on eth1. Eth0 is a static IP, the lan is
on 192.123.60.xx.

I have a serial modem also connected to the Linux box so I can dial in from
a laptop, it's a ppp0 interface. I need to masquerade the local LAN and ppp0
to the outside world. The ppp0 connection is only for web and mail,
sometimes ssh for maintenance.

One of the windows boxes on my LAN uses a VPN to connect to work, if this
complicates things we can leave it off for now.

Last, the Linux box also acts as a nameserver, web server and file server to
the local LAN (behind the firewall).

I hope I did ok on the explanation? Would my ppp0 connections be considered
a DMZ?

Also, to keep things simple, my ppp0 connection is set to the IP address of
192.123.60.198, the local LAN is lower numbers, 192.123.60.2 through .20.
192.123.60.1 is the address of the eth1 card in the Linux box.

I'm looking for help on what type of config I need, I hope others are doing
something similar?

Thanks in advance!

Ken
On Wed, 7 Aug 2002, Ken wrote:

> I'm a little unsure of what I need in a config file, here is what I'm trying
> to do...
>
> I have a RH7.3 box that acts as my firewall to a local LAN. It's connected to
> the world through eth0, my LAN is on eth1. Eth0 is a static IP, the lan is
> on 192.123.60.xx.

Those are public IPs -- So you are not masquerading?

> I have a serial modem also connected to the Linux box so I can dial in from
> a laptop, it's a ppp0 interface. I need to masquerade the local LAN and ppp0
> to the outside world. The ppp0 connection is only for web and mail,
> sometimes ssh for maintenance.

I guess you are Masquerading -- in that case, I would change my internal lan
to 192.168.60.xx.

> One of the windows boxes on my LAN uses a VPN to connect to work, if this
> complicates things we can leave it off for now.

That is totally transparent to the firewall.

> Last, the Linux box also acts as a nameserver, web server and file server to
> the local LAN (behind the firewall).
>
> I hope I did ok on the explanation?

Yes.

> Would my ppp0 connections be considered a DMZ?

I personally would just make it part of my local network. In
/etc/shorewall/interfaces:

	loc	ppp0	-

In /etc/shorewall/policy:

	loc	loc	ACCEPT

In /etc/shorewall/masq:

	eth0	192.168.60.0/24	<your external IP address>

The above line should replace the line from the sample config if you used the
two-interface sample as a basis.

> Also, to keep things simple, my ppp0 connection is set to the IP
> address of 192.123.60.198, the local LAN is lower numbers, 192.123.60.2
> through .20. 192.123.60.1 is the address of the eth1 card in the Linux box.

Ok.

> I'm looking for help on what type of config I need, I hope others are doing
> something similar?

I think you can probably manage the loc->fw accept rules for your servers; you
shouldn't need much else.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Still a little unsure here...

Your advice to me was this;

I personally would just make it part of my local network. In
/etc/shorewall/interfaces:
	loc	ppp0	-
In /etc/shorewall/policy:
	loc	loc	ACCEPT
In /etc/shorewall/masq:
	eth0	192.168.60.0/24	<your external IP address>

I don't see where the interface eth1 (connected to my local LAN) is covered
above.

Just to be sure I didn't confuse you in the first message, I've got the
following...

eth0 (on a static IP - connected to the ISP)
eth1 (local LAN, IP range from 192.123.60.1 to .30)
eth1 is actually 192.123.60.1
(I know these should be 192.168.x.x - I'll fix that later)
ttyS1 (my ppp0 modem - dialin connection)

This is my first exposure to IPtables and shorewall, can I get a little
hand-holding on this one please?

The ppp0 connection is only for web and mail.
The LAN is for everything, ssh, ftp, the works.
The RH7.3 box does DNS, FTP, HTTP & firewall (soon I hope :)

Thanks in advance!!!

Ken

---
On Wed, 7 Aug 2002, Ken wrote:

> I'm a little unsure of what I need in a config file, here is what I'm trying
> to do...
>
> I have a RH7.3 box that acts as my firewall to a local LAN. It's connected to
> the world through eth0, my LAN is on eth1. Eth0 is a static IP, the lan is
> on 192.123.60.xx.

Those are public IPs -- So you are not masquerading?

> I have a serial modem also connected to the Linux box so I can dial in from
> a laptop, it's a ppp0 interface. I need to masquerade the local LAN and ppp0
> to the outside world. The ppp0 connection is only for web and mail,
> sometimes ssh for maintenance.

I guess you are Masquerading -- in that case, I would change my internal lan
to 192.168.60.xx.

> One of the windows boxes on my LAN uses a VPN to connect to work, if this
> complicates things we can leave it off for now.

That is totally transparent to the firewall.

> Last, the Linux box also acts as a nameserver, web server and file server to
> the local LAN (behind the firewall).
>
> I hope I did ok on the explanation?

Yes.

> Would my ppp0 connections be considered a DMZ?

I personally would just make it part of my local network. In
/etc/shorewall/interfaces:

	loc	ppp0	-

In /etc/shorewall/policy:

	loc	loc	ACCEPT

In /etc/shorewall/masq:

	eth0	192.168.60.0/24	<your external IP address>

The above line should replace the line from the sample config if you used the
two-interface sample as a basis.

> Also, to keep things simple, my ppp0 connection is set to the IP
> address of 192.123.60.198, the local LAN is lower numbers, 192.123.60.2
> through .20. 192.123.60.1 is the address of the eth1 card in the Linux box.

Ok.

> I'm looking for help on what type of config I need, I hope others are doing
> something similar?

I think you can probably manage the loc->fw accept rules for your servers; you
shouldn't need much else.

-Tom
--
Hi Ken,

I don't claim to know anything here, still learning via lurking ;). But...

--- Ken <ken@ramblernet.com> wrote:
[snip]
> eth0 (on a static IP - connected to the ISP)
> eth1 (local LAN, IP range from 192.123.60.1 to .30)
> eth1 is actually 192.123.60.1
> (I know these should be 192.168.x.x - I'll fix that later)

you might want to fix this sooner than later as 192.123.x.x is owned by Kraft
General Foods (unless you're working within Kraft's network.)

http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.123.60.1

I don't know if this'll fix anything for you but it might be causing some of
your problems.

/me goes back to silent lurking ;)

--
Cass
On Wed, 7 Aug 2002, Ken wrote:

> Still a little unsure here...
>
> Your advice to me was this;
> I personally would just make it part of my local network. In
> /etc/shorewall/interfaces:
> 	loc	ppp0	-
> In /etc/shorewall/policy:
> 	loc	loc	ACCEPT
> In /etc/shorewall/masq:
> 	eth0	192.168.60.0/24	<your external IP address>
>
> I don't see where the interface eth1 (connected to my local LAN) is covered
> above.

Well, I guess I expected you to figure out the obvious stuff yourself;
especially since I provide sample configurations that handle the simple
two-interface case along with step-by-step instructions.

> Just to be sure I didn't confuse you in the first message, I've got the
> following...
>
> eth0 (on a static IP - connected to the ISP)
> eth1 (local LAN, IP range from 192.123.60.1 to .30)
> eth1 is actually 192.123.60.1
> (I know these should be 192.168.x.x - I'll fix that later)
> ttyS1 (my ppp0 modem - dialin connection)
>
> This is my first exposure to IPtables and shorewall, can I get a little
> hand-holding on this one please?

Ken -- most people who install Shorewall are being exposed to Shorewall and
iptables (and often Linux) for the first time and there are 100s of downloads
every day. Given those facts, I can't hold everyone's hand so in the interest
of fairness, I hold no one's hand.

> The ppp0 connection is only for web and mail.
> The LAN is for everything, ssh, ftp, the works.
> The RH7.3 box does DNS, FTP, HTTP & firewall (soon I hope :)

If you start with the two-interface quickstart guide and:

a) make the changes indicated in that guide for a static IP.
b) test it to be sure that you can access the web from your local lan with
   all services.
c) follow the instructions in the guide for adding servers on your firewall.
d) Test those services.
e) Make the changes that I offered in my earlier mail.
f) Test dialin access

Then

a) It will work.
b) You will have some understanding of how Shorewall works.

And if something doesn't work, THEN post on the list with details and we'll
be happy to help.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
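To make the recipe above concrete, here is an added example of the four Shorewall files it refers to. It is written for this thread and is not taken from the Shorewall sample configurations or from Tom's mail. It assumes the 1.3-era file layout used in the thread, the LAN renumbered to 192.168.60.0/24 as suggested above, and the services Ken lists on the firewall (DNS, FTP, HTTP and SSH); <EXTERNAL-IP> is a placeholder for the static address on eth0.

```text
# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
# norfc1918 drops packets arriving on eth0 with private source addresses
net     eth0        detect      norfc1918
loc     eth1        detect
# dial-in laptop, treated as part of loc; a ppp link has no broadcast address
loc     ppp0        -

# /etc/shorewall/policy
#SOURCE DEST    POLICY    LOG LEVEL
loc     net     ACCEPT
# lets the LAN (eth1) and the dial-in laptop (ppp0) reach each other
loc     loc     ACCEPT
# the firewall's own outbound traffic, e.g. https fetched from the server itself
fw      net     ACCEPT
# logged at "info", so "shorewall show log" shows what was blocked
net     all     DROP      info
# also covers loc->fw: every service not listed in rules is rejected and logged
all     all     REJECT    info

# /etc/shorewall/masq
#INTERFACE  SUBNET            ADDRESS
# one line covers eth1 and the ppp0 peer address (.198) because both are in the /24
eth0        192.168.60.0/24   <EXTERNAL-IP>

# /etc/shorewall/rules
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# public web server; 443 is the line Tom confirms later in the thread for the virtual hosts
ACCEPT   net     fw    tcp    80
ACCEPT   net     fw    tcp    443
# services offered to the LAN and the dial-in laptop only
ACCEPT   loc     fw    tcp    22
ACCEPT   loc     fw    udp    53
ACCEPT   loc     fw    tcp    53
# FTP control channel; data connections rely on the ip_conntrack_ftp helper being loaded
ACCEPT   loc     fw    tcp    21
ACCEPT   loc     fw    tcp    80
ACCEPT   loc     fw    tcp    443
```

Two consequences of this layout are worth checking against what you actually want. Because ppp0 is in the loc zone, the dial-in laptop gets exactly the same access as the LAN (ssh, ftp, everything), not just web and mail; limiting it to web and mail would require giving ppp0 its own zone with its own policy and rules. And since loc->fw falls under the logged REJECT policy, a service that stops working after Shorewall starts shows up in the log as a loc2fw REJECT entry naming the port, which is the quickest way to find the rules line that is missing.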
Tom, I appreciate your assistance and respect your helping and not doing...

I have everything working, as far as I can tell, except for https
connections from my server, also the firewall. SSL connections from behind
the server to the net work.

Again, Thank You.

Ken

---
If you start with the two-interface quickstart guide and:

a) make the changes indicated in that guide for a static IP.
b) test it to be sure that you can access the web from your local lan with
   all services.
c) follow the instructions in the guide for adding servers on your firewall.
d) Test those services.
e) Make the changes that I offered in my earlier mail.
f) Test dialin access

Then

a) It will work.
b) You will have some understanding of how Shorewall works.

And if something doesn't work, THEN post on the list with details and we'll
be happy to help.
On Wed, 7 Aug 2002, Ken wrote:

> Tom, I appreciate your assistance and respect your helping and not doing...
>
> I have everything working, as far as I can tell, except for https
> connections from my server, also the firewall. SSL connections from behind
> the server to the net work.

When something doesn't work, check your log ("shorewall show log"). That will
probably tell you which rule(s) you are missing.
http://www.shorewall.net/troubleshoot.htm gives an example of deciphering the
log messages.

> Again, Thank You.

You're welcome.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
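Reading "shorewall show log" is the troubleshooting step Tom points to, so here is an added example (my code, not Shorewall's and not from Tom's mail) that turns those log entries into a count of what was blocked and a list of candidate lines for /etc/shorewall/rules. It assumes the usual "Shorewall:<chain>:<disposition>:" prefix in front of the kernel's iptables LOG key=value fields, with chain names of the form <source zone>2<dest zone>; the eth0/eth1/ppp0 zone layout from the thread; and the services Ken says the box runs. The sample log lines are constructed for this example, with documentation-range addresses.

```python
import re
from collections import Counter

# Interface-to-zone map from the layout discussed in the thread:
# eth0 faces the ISP, eth1 is the LAN, ppp0 (dial-in) is treated as part of loc.
ZONE_OF = {"eth0": "net", "eth1": "loc", "ppp0": "loc"}

# Services the firewall host itself offers (DNS, FTP, HTTP/HTTPS, SSH per the
# thread). Only blocked traffic to these becomes a candidate ACCEPT rule;
# everything else stays blocked and is merely counted.
SERVED = {("tcp", 21), ("tcp", 22), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}

# Assumed prefix layout: "Shorewall:<chain>:<disposition>:" followed by the
# iptables LOG fields. Chain names are "<srczone>2<dstzone>".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample of what "shorewall show log" might print (not real log data).
SAMPLE_LOG = """\
Aug  8 10:15:32 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:0c:29:3e:1a:ff:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=34567 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:15:40 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:0c:29:3e:1a:ff:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9876 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  8 10:16:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0c:29:3e:1a:ff:00:50:56:c0:00:08:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 10:17:15 fw kernel: Shorewall:loc2fw:REJECT:IN=ppp0 OUT= SRC=192.168.60.198 DST=192.168.60.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=53 LEN=40
"""


def parse_log_line(line):
    """Describe one Shorewall log entry as a dict, or return None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    src_zone, _, dst_zone = m.group("chain").partition("2")
    out_if = fields.get("OUT", "")
    # An empty OUT= means the packet was addressed to the firewall itself;
    # otherwise the destination zone is the one the outgoing interface belongs to.
    dst_zone = "fw" if out_if == "" else ZONE_OF.get(out_if, dst_zone)
    dpt = fields.get("DPT", "")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "in": fields.get("IN", ""),
        "out": out_if,
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", "").lower(),
        "dpt": int(dpt) if dpt.isdigit() else None,
    }


def summarize(log_text):
    """Count blocked flows by (source zone, destination zone, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry and entry["dpt"] is not None:
            counts[(entry["src_zone"], entry["dst_zone"], entry["proto"], entry["dpt"])] += 1
    return counts


def suggest_rules(log_text):
    """Candidate /etc/shorewall/rules lines for blocked traffic to services this host serves."""
    rules = []
    for (src, dst, proto, dpt), _count in summarize(log_text).most_common():
        if dst == "fw" and (proto, dpt) in SERVED:
            rules.append(f"ACCEPT {src} fw {proto} {dpt}")
    return rules


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {key[0]}->{key[1]}  {key[2]}/{key[3]}")
    print("candidate rules:")
    for rule in suggest_rules(SAMPLE_LOG):
        print("   ", rule)
```

The candidate list is deliberately limited to services the host is meant to offer: the sample's telnet probe from the net is counted but never turned into a rule, which is the review step Tom's "which rule(s) you are missing" implies. Each suggested line still belongs in the rules file only after checking that the source zone should really reach that service.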
I've just learned that the virtual hosts (using apache) are not visible to
the outside world. They are however visible from my LAN. The non virtual
pages are visible from both. Apache was set up correctly before using
shorewall, so my guess is a rule file is not there or incorrect?

Virtual port is 443 so should I add:

	ACCEPT	net	fw	tcp	443

to correct the problem?

I can't find the rejected requests but I'm now getting phone calls :)

Much Thanks!

KR
On Thu, 8 Aug 2002, Ken wrote:

> I've just learned that the virtual hosts (using apache) are not visible to
> the outside world. They are however visible from my LAN. The non virtual
> pages are visible from both. Apache was set up correctly before using
> shorewall, so my guess is a rule file is not there or incorrect?
>
> Virtual port is 443 so should I add:
> ACCEPT net fw tcp 443 to correct the problem?

That would be a good choice.

> I can't find the rejected requests but I'm now getting phone calls :)

"shorewall show log"?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net