Pedro Bezunartea López
2007-Dec-10 00:40 UTC
One interface rfc1918 address. Connection via DSL router
I have several computers connected to the internet through a DSL router that assigns rfc1918 (192.168.1.x) addresses to the systems connected. I have a server where shorewall is installed with one interface eth0, with a static ip (192.168.1.3). The router is configured to forward all connections from the internet to the linux server.

I'd like to know how I can configure shorewall to allow connections from the local network (192.168.1.x) to several services (smb mainly) but not from the internet.

I thought I needed to create the 'loc' zone with ip addresses in the net 192.168.1.0, and assume any other address to come from the 'net' zone.

I've read I need to use the hosts file, but I haven't been able to find out how.

I'm quite sure this question has come up before, unfortunately I couldn't find the answer. :(

TIA,

Pedro.

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Roberto C. Sánchez
2007-Dec-10 01:35 UTC
Re: One interface rfc1918 address. Connection via DSL router
On Mon, Dec 10, 2007 at 01:40:50AM +0100, Pedro Bezunartea López wrote:
> I have several computers connected to the internet through a DSL router that
> assigns rfc1918 (192.168.1.x) addresses to the systems connected. I have a
> server where shorewall is installed with one interface eth0, with a static
> ip (192.168.1.3). The router is configured to forward all connections from
> the internet to the linux server.
>
I am assuming, based on your description, that your server has only a single Ethernet interface.

> I'd like to know how I can configure shorewall to allow connections from the
> local network (192.168.1.x) to several services (smb mainly) but not from
> the internet.
>
If it is a single interface firewall and your DSL router is forwarding all traffic in, then that might be difficult.

> I thought I needed to create the 'loc' zone with ip addresses in the net
> 192.168.1.0, and assume any other address to come from the 'net' zone.
>
Zones are (usually) associated with physical interfaces, not with particular addresses.

> I've read I need to use the hosts file, but I haven't been able to find
> out how.
>
Did you read 'man 5 shorewall-hosts'?

> I'm quite sure this question has come up before, unfortunately I couldn't
> find the answer. :(
>
I would recommend one of the following two solutions:

1. Have your DSL router only forward ports that you really want to be open on your Linux server (e.g., web server for port 80).
2. Write accept statements in your rules file that specify to only accept traffic from particular IP addresses in your local zone.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Simon Hobson
2007-Dec-10 09:28 UTC
Re: One interface rfc1918 address. Connection via DSL router
Pedro Bezunartea López wrote:
> I have several computers connected to the internet through a DSL router
> that assigns rfc1918 (192.168.1.x) addresses to the systems connected.
> I have a server where shorewall is installed with one interface eth0,
> with a static ip (192.168.1.3). The router is configured to forward all
> connections from the internet to the linux server.
>
> I'd like to know how I can configure shorewall to allow connections from
> the local network (192.168.1.x) to several services (smb mainly) but not
> from the internet.
>
> I thought I needed to create the 'loc' zone with ip addresses in the net
> 192.168.1.0, and assume any other address to come from the 'net' zone.
>
> I've read I need to use the hosts file, but I haven't been able to find
> out how.

How about a rule saying:

SMB/ACCEPT net:192.168.1.0/24 $FW

Repeat for all services you want to make available.
Roberto C. Sánchez
2007-Dec-10 10:22 UTC
Re: One interface rfc1918 address. Connection via DSL router
On Mon, Dec 10, 2007 at 09:28:15AM +0000, Simon Hobson wrote:
> Pedro Bezunartea López wrote:
> > I have several computers connected to the internet through a DSL router
> > that assigns rfc1918 (192.168.1.x) addresses to the systems connected.
> > I have a server where shorewall is installed with one interface eth0,
> > with a static ip (192.168.1.3). The router is configured to forward all
> > connections from the internet to the linux server.
> >
> > I'd like to know how I can configure shorewall to allow connections from
> > the local network (192.168.1.x) to several services (smb mainly) but not
> > from the internet.
> >
> > I thought I needed to create the 'loc' zone with ip addresses in the net
> > 192.168.1.0, and assume any other address to come from the 'net' zone.
> >
> > I've read I need to use the hosts file, but I haven't been able to find
> > out how.
>
> How about a rule saying:
>
> SMB/ACCEPT net:192.168.1.0/24 $FW
>
> Repeat for all services you want to make available.
>
Because if his DSL router is handing out the address 192.168.1.3 to his Linux server, the router itself likely has the address 192.168.1.1 or 192.168.1.2. Thus, your rule would open up his Samba share to the whole world.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Simon Hobson
2007-Dec-10 11:39 UTC
Re: One interface rfc1918 address. Connection via DSL router
Roberto C. Sánchez wrote:
> > > I have several computers connected to the internet through a DSL router
> > > that assigns rfc1918 (192.168.1.x) addresses to the systems connected.
> > > I have a server where shorewall is installed with one interface eth0,
> > > with a static ip (192.168.1.3). The router is configured to forward all
> > > connections from the internet to the linux server.
> > >
> > > I'd like to know how I can configure shorewall to allow connections from
> > > the local network (192.168.1.x) to several services (smb mainly) but not
> > > from the internet.
> >
> > How about a rule saying:
> >
> > SMB/ACCEPT net:192.168.1.0/24 $FW
> >
> > Repeat for all services you want to make available.
>
> Because if his DSL router is handing out the address 192.168.1.3 to his
> Linux server, the router itself likely has the address 192.168.1.1 or
> 192.168.1.2. Thus, your rule would open up his Samba share to the whole
> world.

No. Connections from the global internet will still have their public IPs as source address - only the destination address will have been re-written. Similarly, outgoing packets will have the global IP as destination address, and the internal source address will be re-written by the gateway to the global address.
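For reference, here is a complete single-interface Shorewall configuration that implements what the thread arrives at. This is an added illustration, not anything posted by the participants: the LAN is carved out of eth0 as the 'loc' zone through the hosts file (the 'man 5 shorewall-hosts' pointer above), Samba is accepted only from 'loc', and, as Simon explains, connections forwarded by the DSL router keep their public source address, so they land in 'net' and hit the DROP policy. The Web/ACCEPT line is an assumed example of a service deliberately exposed to the internet; file paths follow the standard /etc/shorewall layout.

```text
# /etc/shorewall/zones
# loc is listed before net: for hosts that match both zones, the
# zone listed first wins, so 192.168.1.0/24 is classified as loc.
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4

# /etc/shorewall/interfaces
# The single NIC is nominally net; the hosts file below overrides
# that for the LAN prefix.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs

# /etc/shorewall/hosts
#ZONE   HOST(S)                 OPTIONS
loc     eth0:192.168.1.0/24

# /etc/shorewall/policy
# Anything not explicitly accepted in rules is dropped from net
# (silently to the sender, logged locally) and rejected from loc.
#SOURCE DEST    POLICY  LOG LEVEL
$FW     all     ACCEPT
loc     $FW     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
# LAN-only services (the SMB macro covers the NetBIOS/CIFS ports)
SMB/ACCEPT      loc     $FW
Ping/ACCEPT     loc     $FW
SSH/ACCEPT      loc     $FW
# Services intentionally reachable from the internet (assumed example)
Web/ACCEPT      net     $FW
```

Run `shorewall check` before `shorewall restart` so a column or zone-name mistake is caught before the old ruleset is torn down.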
Roberto C. Sánchez
2007-Dec-10 15:39 UTC
Re: One interface rfc1918 address. Connection via DSL router
On Mon, Dec 10, 2007 at 11:39:06AM +0000, Simon Hobson wrote:
>
> No. Connections from the global internet will still have their public
> IPs as source address - only the destination address will have been
> re-written. Similarly, outgoing packets will have the global IP as
> destination address, and the internal source address will be re-written
> by the gateway to the global address.
>
Sorry. It was kind of early in the morning when I replied.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com