On 23 Dec 2004 02:16:29 -0800, zhex900 wrote:
> have spent a few hours looking at google.groups to figure out how to
> setup a gateway & firewall on my mandrake 10 box.
Is that 10.0 or 10.1? It is not nice to leave us guessing.
How about 10.0, Official or Community?
Please read
http://www.catb.org/~esr/faqs/smart-questions.html
Assume all updates have been installed from a Mandrake mirror.
> Here is what I want.
>
> Internet --- Cable modem --- Linux box --- Router --- Any clients.
Ok, go ahead and configure eth1 for your lan.
After you have it configured in the Mandrake Control Center (MCC)
Edit /etc/sysconfig/network-scripts/ifcfg-eth1
and change METRIC=12
if you are running Mandrake 10.1
And add a line in /etc/sysconfig/network
HOSTNAME=fw.home.invalid
NETWORKING=yes
GATEWAYDEV=eth0 <=============
Make sure you have a carriage return after eth0, by doing a
$ cat /etc/sysconfig/network
and the prompt should be on the left, not at the end of eth0.
> 1) Just to get the Linux box to forward packets.
Go into the Mandrake Control Center under security, firewall
and uncheck all boxes; that tells the firewall to block all inbound
attempts and allow all outbound attempts.
At this point your shorewall firewall is installed and running.
I would load webmin to allow you to play with the shorewall firewall files.
click up a terminal
su -l root
urpmi webmin
service webmin start
Want a gui editor for the next change?
export DISPLAY=:0.0
kwrite /etc/sysctl.conf
and set ip forwarding/masquerading with
net.ipv4.ip_forward = 1 in /etc/sysctl.conf
save and exit
next enable forward change with the command
sysctl -p
and reload the network with
service network restart
I assume you have loaded your /etc/hosts file with LAN definitions. Example
$ head -5 /etc/hosts
192.168.1.10 wb.home.invalid wb
127.0.0.1 localhost
192.168.1.12 wb1.home.invalid wb1
192.168.1.1 fw.home.invalid fw
192.168.1.22 wb4.home.invalid wb4
Now, let's play with the shorewall files;
in your user account, click up browser and load
https://localhost:10000 and click Network, shorewall
The names of the icon selections will be the names of the shorewall
files.
In another browser window, load
http://www.shorewall.net/two-interface.htm
That page will suggest reading it once, then going back to start changes.
That is good advice.
Do not install any files, we can do all the work from what is already
loaded.
Now go back to the top of the shorewall document and find the Zone file example
and verify the webmin Zone matches the document. You have some leeway.
Here is my _zone_ file
net Net Internet zone
loc Local Local
The document is having you edit the files and shows you what it should
look like after editing. Just go to webmin for that file and
set it to look like the example.
The Files I modified are
interfaces
masq
policy
routestopped
rules
I wanted to have LAN PCs be able to do WAN pings, and I wanted
to allow one external machine to have access to my network.
Here are my _rules_ settings
ACCEPT net:$FUZZYIP fw all - -
ACCEPT loc fw icmp 8
ACCEPT fw loc icmp
DROP net fw icmp echo-request
ACCEPT fw net icmp
Here is an advanced user tip.
You can create variables in _params_ with an editor and use them
in the scripts. That is what the $FUZZYIP is.
What that allows me to do is modify params and do a shorewall restart
and the new params values will go into all the shorewall files.
Example snippet from my params file
FUZZYIP=12.216.147.150
LOC_NIC=eth0 # lan nic
NET_NIC=eth1 # /etc/sysconfig/network gatewaydev
Note, I have eth1 on cable modem and eth0 for the lan router.
The _masq_ file has
$NET_NIC $LOC_NIC
You would use eth0 eth1
Now my _routestopped_ has
$LOC_NIC
You would have eth1
That allows any LAN box access to firewall box when shorewall is stopped.
my _policy_ file has
loc net ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
At this point it should work. Click _Check Firewall_ for syntax errors
You might want to click up yet another terminal and do a
tail -f /var/log/messages
That will allow you to see any shorewall messages as you verify
there are no problems accessing the internet from the LAN PCs.
Ok, click Stop/Start firewall and see what you can see.
http://www.shorewall.net/Documentation_Index.html has the shorewall docs,
if you really want to understand more about the firewall.
There were 94,000+ new viruses created this year. I got tired of
seeing my logs filling up with all the attempts so I created entries
in /etc/shorewall/blacklist for noisy ports.
Here are two lines from mine
0.0.0.0/0 tcp 1025
0.0.0.0/0 udp 1026:1029
one is a port, the other is a range of ports.
Any definition in blacklist is dropped and no /var/log/messages entry is
created.
After you edit blacklist, you can do a shorewall reload to set
the values.
You may want to read the header files in /etc/shorewall just to get a
feel what each file will do for you.
If you want to modify any other shorewall settings found in
/usr/share/shorewall/, copy the file to /etc/shorewall and make the
change there.
Files in /etc/shorewall supersede files in /usr/share/shorewall.
Since webmin is running, you can get to the firewall from the lan with
https://firewall_box_ip_here:10000
If the firewall box is in /etc/hosts on a LAN box
https://firewall_box_name_here:10000
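As an added example (my own code, not from the post above or from shorewall), here is a small Python script that mimics what shorewall does with the params file: it parses params, expands $FUZZYIP / $LOC_NIC / $NET_NIC into the rules, masq and policy tables quoted in the post, and runs a hypothetical audit_policy() check that the policy ends with a catch-all REJECT and never ACCEPTs from net by policy. The file contents are constructed from the post's own snippets; the function names are mine.

```python
import re
# Constructed sample files in the post's format (values taken from the post).
PARAMS = """FUZZYIP=12.216.147.150
LOC_NIC=eth0 # lan nic
NET_NIC=eth1 # /etc/sysconfig/network gatewaydev
"""
RULES = """ACCEPT net:$FUZZYIP fw all - -
ACCEPT loc fw icmp 8
DROP net fw icmp echo-request
"""
POLICY = """loc net ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
"""

def parse_params(text):
    """Return {NAME: value}; '#' starts a comment, as in a shell-sourced file."""
    params = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' in line:
            name, value = line.split('=', 1)
            params[name.strip()] = value.strip()
    return params

def expand(line, params):
    """Substitute $NAME / ${NAME} like the shell does; undefined names raise."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name not in params:
            raise KeyError("undefined param $" + name)
        return params[name]
    return re.sub(r'\$\{(\w+)\}|\$(\w+)', repl, line)

def parse_table(text, params):
    """Split a whitespace-separated shorewall table into rows, params expanded."""
    rows = [line.split('#', 1)[0].strip() for line in text.splitlines()]
    return [expand(r, params).split() for r in rows if r]

def audit_policy(rows):
    """Hypothetical sanity check: last policy must be a catch-all REJECT/DROP,
    and nothing arriving from 'net' may be ACCEPTed by policy."""
    problems = []
    if rows[-1][:2] != ['all', 'all'] or rows[-1][2] not in ('REJECT', 'DROP'):
        problems.append('policy does not end with "all all REJECT/DROP"')
    problems += [f'net->{r[1]} ACCEPT policy too permissive' for r in rows
                 if r[0] == 'net' and r[2] == 'ACCEPT']
    return problems
```

Run it against your own /etc/shorewall/params and policy before a shorewall restart to catch a typo in a variable name or a missing catch-all line before the firewall does.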