Hi:
I have a small local area network, made up of one computer (the server), another
computer and an Access Point, with Debian Etch 4.0r1 and Shorewall 3.2.6-2.
Well. Since I have two network cards, I have set them up like this:
Internet --> Router (217.126.221.65) --> eth1 (217.126.221.117) --> eth0 (LAN 192.168.0.99) --> (one computer with ethernet: 192.168.0.1).
--> Access Point (192.168.0.245) --> laptop (192.168.0.3)
On the machine with IP 192.168.0.1, browsing, calling, videoconferencing, etc. all
work correctly.
Given this simple network topology, and since the access point has the IP
192.168.0.99, I can ping it correctly, and the frames show me the following:
root@smtp:/var/log# ping 192.168.0.245
PING 192.168.0.245 (192.168.0.245) 56(84) bytes of data.
64 bytes from 192.168.0.245: icmp_seq=1 ttl=64 time=2.69 ms
64 bytes from 192.168.0.245: icmp_seq=2 ttl=64 time=0.453 ms
64 bytes from 192.168.0.245: icmp_seq=3 ttl=64 time=0.452 ms
64 bytes from 192.168.0.245: icmp_seq=4 ttl=64 time=0.442 ms
64 bytes from 192.168.0.245: icmp_seq=5 ttl=64 time=0.445 ms
--- 192.168.0.245 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.442/0.897/2.693/0.898 ms
root@smtp:/var/log#
Well then. When pinging, both from this server and to the laptop, they answer
correctly, and they allow sharing files, etc, etc, etc. The laptop can even browse
through the Squid proxy.
Now, I want the laptop to browse without the proxy (by the way, it is currently
browsing through the server's proxy), since I would like it to have the same
access as the machine on the LAN.
I am going to detail how I have the configuration files, both for networking and
for Shorewall, which I list next:
/etc/network/interfaces:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth1
iface eth1 inet static
address 217.126.221.117
netmask 255.255.255.192
network 217.126.221.64
broadcast 217.126.221.127
gateway 217.126.221.65
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 208.67.222.222 208.67.220.220
dns-search hackindex.com
hwaddress ether xx:xx:xx:xx:xx:xx # protected information.
auto eth0
iface eth0 inet static
address 192.168.0.99
netmask 255.255.255.0
broadcast 192.168.0.255
# up ethtool -s eth1 speed 100 autoneg off duplex full
In the Shorewall files I have all of this, in case I must add something, etc:
/etc/shorewall/accounting:
(not configured)
/etc/shorewall/actions:
(not configured)
/etc/shorewall/blacklist:
Several IPs blacklisted.
/etc/shorewall/ecn:
(not configured)
/etc/shorewall/hosts:
(not configured)
/etc/shorewall/init:
(not configured)
/etc/shorewall/initdone:
(not configured)
/etc/shorewall/interfaces:
net eth1 detect routerfilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc eth0 detect tcpflags
/etc/shorewall/ipsec:
(not configured)
/etc/shorewall/ipsecvpn:
(not configured)
/etc/shorewall/maclist:
(not configured)
/etc/shorewall/masq:
eth1 eth0
/etc/shorewall/nat:
(not configured)
/etc/shorewall/netmap:
(not configured)
/etc/shorewall/params:
(not configured)
/etc/shorewall/policy:
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/proxyarp:
(not configured)
/etc/shorewall/routestopped:
(not configured)
/etc/shorewall/rules:
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp 21,25,37,80,110,113,995,1024:3127,3129:65535
ACCEPT net fw udp 37,123,1024:65535
ACCEPT loc fw tcp 25,123,631
/etc/shorewall/shorewall.conf:
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLESPATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
DROPINVALID=Yes
RFC1918_STRICT=No
MACLIST_TTL=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
/etc/shorewall/start:
(not configured)
/etc/shorewall/stop:
(not configured)
/etc/shorewall/stopped:
(not configured)
/etc/shorewall/tcrules:
(not configured)
/etc/shorewall/tos:
(not configured)
/etc/shorewall/tunnel:
(default)
/etc/shorewall/tunnels:
(not configured)
/etc/shorewall/zones:
net Net Internet
loc Local Private net
Well.
What do I have to do so that, through the access point, the remote machine can
browse transparently without going through the proxy?
What do I have to add for this?
Do I have to put in a switch, with one port for the machine on the direct LAN and
the access point on another port of the switch?
Meanwhile, the machine that is connected port to port, through the HUB, works
correctly...
Sometimes, on the laptop, I get ARP packet losses and other things such as
'NO-IP'.
On that laptop, I have DNS servers set, and I have the access point set as the
gateway.
The above mentioned access point connects perfectly to the Internet,
synchronizing its clock with an NTP server.
Do I have to add a new zone? Do I have to add another rule? What more must I add
so that Shorewall allows the machine that sits behind the access point's gateway,
if the access point has this machine (192.168.0.99) as its gateway?
Could someone shed some light so that I can add the pertinent rules or
parameters to Shorewall?
Thank you very much.
Greetings = Saludos = Slds...
--
Regards from Santiago José López Borrazás
Advanced knowledge in computer security.
Advanced knowledge in networks.
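As an added example (not part of the original post), here is a small Python model of how Shorewall decides a new connection with the rules and policy files quoted above: the first matching line in rules wins, otherwise the policy table applies. It is a simplification that assumes zones already match (it ignores interfaces, masq and zone options), and it shows that the posted policy already accepts loc->net traffic, while port 3128 (Squid's default) stays outside the net->fw accept list.

```python
"""Minimal model of Shorewall 3.x rule-then-policy evaluation (added example,
not the poster's code): the first matching line in /etc/shorewall/rules wins,
otherwise the first matching line in /etc/shorewall/policy decides."""

# Copied from the post's /etc/shorewall/rules and /etc/shorewall/policy.
RULES = """\
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp 21,25,37,80,110,113,995,1024:3127,3129:65535
ACCEPT net fw udp 37,123,1024:65535
ACCEPT loc fw tcp 25,123,631
"""
POLICY = """\
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info
"""

def port_matches(spec, port):
    """spec is a Shorewall port list such as '80' or '1024:3127,3129:65535'."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(src, dst, proto, port=None, rules=RULES, policy=POLICY):
    """Return the action Shorewall would apply to one new connection."""
    for line in rules.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        action, rsrc, rdst, rproto = fields[:4]
        spec = fields[4] if len(fields) > 4 else None
        if (rsrc, rdst) != (src, dst) or rproto != proto:
            continue
        # A rule without a port list matches every port of that protocol.
        if spec is None or port is None or port_matches(spec, port):
            return action
    # No rule matched: fall through to the policy table, first match wins.
    for line in policy.splitlines():
        psrc, pdst, action = line.split()[:3]
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return "REJECT"  # nothing matched; treated as rejected (simplification)

if __name__ == "__main__":
    print(evaluate("loc", "net", "tcp", 80))   # ACCEPT via 'loc all ACCEPT'
    print(evaluate("net", "fw", "tcp", 3128))  # DROP: 3128 is not in the net->fw list
```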