S. Anthony Sequeira
2003-Mar-16 08:18 UTC
[Shorewall-users] A small LAN + an ADSL modem router
Hi all,

I have been beating my brains out on firewalling for a while now.

I decided to go for shorewall because I found the documentation easy (relatively) to follow, and it does not require X and it is a Debian package.

I have recently connected my LAN (subnet 192.168.0.0) to the internet via a Conexant ADSL modem/router (which handles the PPPoA side of things). This seems OK, but I have taken the dire warnings about security to heart, and decided to install a firewall. This is when my troubles started.

I installed shorewall, and made several attempts at configuration, each time cutting off access to the internet from the rest of the LAN, and sometimes from the machine I installed it on.

This machine handles DNS/DHCP (internal and external), SAMBA, printing, also providing and receiving NFS services and time services for the rest of the LAN. It has, like the others (except for the router), one interface, eth0.

The modem has an internal address of 192.168.0.254. What do I need in zones, interfaces (maybe hosts), policy and rules? I cannot for the life of me find anything.

Do I need firewalling at all? I tried using hosts, and got myself in even more of a knot.

Do I need to firewall ALL the machines on my LAN (predominantly Linux, various distros)?

Any special rules required for SMB and NFS services on the LAN?

Please help.
root@quasar:/etc/shorewall # shorewall version
1.2.12
root@quasar:/etc/shorewall # uname -a
Linux quasar 2.4.18 #1 Fri Mar 7 23:41:58 GMT 2003 i486 unknown
root@quasar:/etc/shorewall # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:26:26:54:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
root@quasar:/etc/shorewall # ip route show
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
default via 192.168.0.254 dev eth0
root@quasar:/etc/shorewall # lsmod
Module                  Size  Used by    Not tainted
ipt_TOS                 1024   0  (autoclean)
ipt_LOG                 3232   0  (autoclean)
iptable_mangle          2144   0  (autoclean)
ip_nat_irc              2336   0  (unused)
ip_nat_ftp              3008   0  (unused)
iptable_nat            13044   2  [ip_nat_irc ip_nat_ftp]
ipt_REJECT              2816   0
ip_conntrack_ftp        3264   0  (unused)
ip_conntrack_irc        2464   0  (unused)
iptable_filter          1760   1
ipt_state                608   0
ip_conntrack           12940   4  [ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_ftp ip_conntrack_irc ipt_state]
ip_tables              10464   9  [ipt_TOS ipt_LOG iptable_mangle iptable_nat ipt_REJECT iptable_filter ipt_state]
nfs                    70844   1  (autoclean)
nfsd                   65920   8  (autoclean)
lockd                  47712   1  (autoclean) [nfs nfsd]
sunrpc                 58900   1  (autoclean) [nfs nfsd lockd]
parport_pc             16296   1  (autoclean)
lp                      5952   0  (autoclean)
parport                13344   1  (autoclean) [parport_pc lp]
af_packet              11592   1  (autoclean)
serial                 49568   1  (autoclean)
rtc                     5592   0  (autoclean)
unix                   13604   9  (autoclean)
root@quasar:/etc/shorewall #

Some entries from syslog:

Last attempt, trying to ping the internet from another Linux box.
Mar 16 14:39:06 quasar root: Shorewall Started
Mar 16 14:39:24 quasar kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:26:26:54:e9:00:04:61:44:33:5f:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51267 DF PROTO=UDP SPT=32778 DPT=53 LEN=39
Mar 16 14:39:50 quasar root: Shorewall Stopped

An earlier attempt appeared to block DHCP:

Mar 16 14:34:04 quasar dhcpd-2.2.x: DHCPACK on 192.168.0.20 to 00:04:75:97:93:b7 via eth0
Mar 16 14:34:04 quasar kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Mar 16 14:34:04 quasar dhcpd-2.2.x: send_packet: Operation not permitted
Mar 16 14:34:05 quasar kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:26:

There are more, but you get the gist.

I need help configuring it. Grateful TIA for ANY help.

-- 
Tony

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.462 / Virus Database: 261 - Release Date: 13/03/2003
--On Sunday, March 16, 2003 04:18:23 PM +0000 "S. Anthony Sequeira" <tony@sequeira.com> wrote:

> Hi all,
>
> I have been beating my brains out on firewalling for a while now.
>
> I decided to go for shorewall because I found the documentation
> easy (relatively) to follow, and it does not require X and it is a
> Debian package.
>
> I have recently connected my LAN (subnet 192.168.0.0) to the
> internet via a Conexant ADSL modem/router (which handles the
> PPPoA side of things). This seems OK, but
> I have taken the dire warnings about security to heart, and decided
> to install a firewall. This is when my troubles started.
>
> I installed shorewall, and made several attempts at configuration, each
> time cutting off access to the internet from the rest of the LAN, and
> sometimes from the machine I installed it on.

But you are going to keep what you did a secret? Did you follow the simple
instructions at http://www.shorewall.net/two-interface.htm? It should have
given you most of what you need.

> This machine handles DNS/DHCP (internal and external), SAMBA,
> printing, also providing and receiving NFS services and time services
> for the rest of the LAN. It has, like the others (except for the
> router), one interface, eth0.
>
> The modem has an internal address of 192.168.0.254. What do I
> need in zones, interfaces (maybe hosts), policy and rules? I cannot
> for the life of me find anything.
>
> Do I need firewalling at all? I tried using hosts, and got myself in
> even more of a knot.
>
> Do I need to firewall ALL the machines on my LAN (predominantly
> Linux, various distros)?
>
> Any special rules required for SMB and NFS services on the LAN?
>

NFS is covered at http://www.shorewall.net/ports.htm. SMB is covered at
http://www.shorewall.net/Samba.htm.

The log messages you showed are caused by

a) Missing DNS rule (covered in the two-interface quickstart guide referred
   to above).

b) Missing ''dhcp'' interface option on an interface served by DHCP or
   getting its IP address via DHCP.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
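Tom's diagnosis rests on reading two fields out of each Shorewall log line: the chain name (source zone, "2", destination zone) and the netfilter key=value fields after it. The script below is an added example, not part of this thread and not Shorewall's own code; it parses the two log lines Tony posted (reconstructed here as constructed sample input, with the "OUT= MAC=" fields separated as the kernel prints them) and applies the two explanations from the reply: an inbound UDP/53 packet to the firewall dropped from the net zone points at the missing DNS rule, and an outbound UDP 67->68 packet rejected from the firewall points at the missing ''dhcp'' interface option. The firewall address 192.168.0.1 and the diagnosis labels are assumptions of the example, not anything Shorewall emits.

```python
import re

# Constructed sample: the two Shorewall log lines from the thread, one per line.
SAMPLE_LOG = """\
Mar 16 14:39:24 quasar kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:c0:26:26:54:e9:00:04:61:44:33:5f:08:00 SRC=192.168.0.3 DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=51267 DF PROTO=UDP SPT=32778 DPT=53 LEN=39
Mar 16 14:34:04 quasar kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
"""

# Shorewall 1.x prefixes its LOG target with <chain>:<disposition>:, then the
# kernel's own IN=/OUT=/MAC=/SRC=... fields follow.
CHAIN_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>[A-Z]+):(?P<fields>.*)$")


def parse_shorewall_log(line):
    """Return a dict of chain, zones, action and netfilter fields, or None."""
    # Mail clients sometimes collapse the space between "OUT=" and "MAC=".
    line = re.sub(r"\bOUTMAC=", "OUT= MAC=", line)
    m = CHAIN_RE.search(line)
    if not m:
        return None
    chain, action = m.group("chain"), m.group("action")
    # Shorewall names its zone-to-zone chains <source>2<destination>.
    src_zone, _, dst_zone = chain.partition("2")
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length); keep the first.
            fields.setdefault(key, val)
        else:
            fields[tok] = True  # bare flags such as DF
    return {"chain": chain, "src_zone": src_zone, "dst_zone": dst_zone,
            "action": action, **fields}


def diagnose(entry, firewall_ip="192.168.0.1"):
    """Map a parsed entry onto the two causes named in the reply (assumed labels)."""
    proto, spt, dpt = entry.get("PROTO"), entry.get("SPT"), entry.get("DPT")
    # Inbound DNS query to the firewall itself, blocked: no ACCEPT rule for port 53.
    if proto == "UDP" and dpt == "53" and entry.get("DST") == firewall_ip and entry.get("IN"):
        return "dns-rule-missing"
    # Outbound DHCP server reply (67 -> 68) from the firewall, blocked: the
    # serving interface lacks the ''dhcp'' option in /etc/shorewall/interfaces.
    if proto == "UDP" and spt == "67" and dpt == "68" and entry.get("OUT"):
        return "dhcp-option-missing"
    return "unclassified"


def diagnose_log(text, firewall_ip="192.168.0.1"):
    """Return (chain, action, diagnosis) for every Shorewall line in the text."""
    results = []
    for line in text.splitlines():
        entry = parse_shorewall_log(line)
        if entry is not None:
            results.append((entry["chain"], entry["action"], diagnose(entry, firewall_ip)))
    return results


if __name__ == "__main__":
    for chain, action, verdict in diagnose_log(SAMPLE_LOG):
        print(f"{chain:10s} {action:7s} -> {verdict}")
```

Running the block prints one verdict per log line; the chain name tells you which zone pair the packet fell into (here Tony's LAN host was classified as "net" because eth0 is his only interface), and the verdict says which of the two fixes from the reply applies.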