Hi everybody,
I installed and configured the shorewall on my SuSE 7.3-Server by using the
guide on the web. I took the two-interface sample and made some changes for my
system. But the masquerading won't work. I looked in the FAQs and in the
archive of this mailing list. But none of this advice helped me. So
this posting here is my last chance, I hope you will help me!
My linux-server is the gateway to the web for my two local machines with
Win2k. Yes, I set the default gateway and the nameservers. I set the
nameservers in /etc/resolv.conf, too.
Please look at my configuration files I attached here. Perhaps there is a
stupid mistake in there, but I don't know where.
eth0 (192.168.0.99) points to the web, eth1 (192.168.100.1) to the local net.
My provider gives me a dynamic IP for the connection to the web.
best regards
Stephan
My files:
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp
loc eth1 192.168.100.1 routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS
eth0 192.168.100.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/shorewall.conf:
##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=
LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages. It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE=/var/log/messages
#
# ENABLE NAT SUPPORT
#
# You probably want yes here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_SNAT_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=yes
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
ROUTE_FILTER=No
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES=Yes
#
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable its use here. When this
# option is enabled by setting its value to "Yes" or "yes":
#
# 1) If you list more than 15 ports in a comma-separated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MULTIPORT=No
#
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.
MERGE_HOSTS=Yes
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# When a TCP packet does not have the SYN flag set but has the ACK and RST
# flags clear, then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN=
#
# Forward "Ping"
#
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
# forwarded by the firewall.
FORWARDPING=Yes
#LAST LINE -- DO NOT REMOVE
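What the posted files are supposed to produce on the gateway can be checked from captured text without touching the live firewall. The script below is an added example (mine, not from the post or from the Shorewall project); it assumes the eth0/eth1 layout, the 192.168.0.99 address, the norfc1918 option and the masq entry exactly as posted, and that the nat listing comes from "iptables -t nat -L -v -n".

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the posted
# two-interface setup (net = eth0 at 192.168.0.99 with norfc1918, masq of
# 192.168.100.0/24 out of eth0). Inputs are text captured on the gateway;
# constructed samples are written below so the script runs anywhere.
NET_IF="eth0"                # /etc/shorewall/masq, INTERFACE column
LOC_NET="192.168.100.0/24"   # /etc/shorewall/masq, SUBNET column
# check_forwarding FILE: FILE holds /proc/sys/net/ipv4/ip_forward, which
# IP_FORWARDING=On must have set to 1; otherwise nothing is routed at all.
check_forwarding() { [ "$(tr -d '[:space:]' < "$1")" = "1" ]; }
# masq_rule_hits FILE: FILE holds "iptables -t nat -L -v -n" output (columns:
# pkts bytes target prot opt in out source destination). Prints the packet
# counter of the MASQUERADE rule for LOC_NET leaving NET_IF, nothing if absent.
# A rule that is present but stays at 0 means client traffic never reaches
# POSTROUTING: check the clients' default gateway and the FORWARD chain.
masq_rule_hits() {
    awk -v out="$NET_IF" -v src="$LOC_NET" \
        '$3 == "MASQUERADE" && $7 == out && $8 == src { print $1; exit }' "$1"
}
check_masq_rule() { [ -n "$(masq_rule_hits "$1")" ]; }
# is_rfc1918 ADDR: true for 10/8, 172.16/12 and 192.168/16
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}
# norfc1918_conflict ADDR OPTIONS: true when an interface with a private
# address (as eth0 has in the post) also carries the norfc1918 option from
# /etc/shorewall/interfaces, which drops packets from RFC 1918 sources.
norfc1918_conflict() {
    case ",$2," in *,norfc1918,*) is_rfc1918 "$1" ;; *) return 1 ;; esac
}
# Constructed sample captures (not real output from the poster's machine).
# Shorewall puts the MASQUERADE rule in a per-interface chain, hence the scan
# of the whole nat table rather than POSTROUTING alone.
TMP=$(mktemp -d)
printf '1\n' > "$TMP/ip_forward"
cat > "$TMP/nat" <<'EOF'
Chain POSTROUTING (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2812 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  2812 MASQUERADE  all  --  *      eth0    192.168.100.0/24     0.0.0.0/0
EOF
check_forwarding "$TMP/ip_forward" || echo "ip_forward is off"
check_masq_rule "$TMP/nat" || echo "no MASQUERADE rule for $LOC_NET via $NET_IF"
norfc1918_conflict 192.168.0.99 norfc1918,routefilter,dhcp \
    && echo "$NET_IF has a private address but norfc1918 is set"
```

On the real gateway, replace the constructed files with "cat /proc/sys/net/ipv4/ip_forward" and "iptables -t nat -L -v -n" captures taken after a client has tried to reach the web, so the packet counter is meaningful.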