#1
I have spent a few hours looking at google.groups to figure out how to
set up a gateway & firewall on my Mandrake 10 box. Here is what I want:

    Internet --- Cable modem --- Linux box --- Router --- Any clients

1) Just to get the Linux box to forward packets.

2) The most important function I want my Linux box to do is monitoring and restricting how much each client in the internal network is able to download. This can be done using Squid, right? Is this the easiest way?

3) After I get the above working, I can play around with firewall, email, ssh, etc.

Can someone point me to a place where I can familiarise myself with how to get my gateway running? The current configuration is this:

    Internet --- Cable modem --- Router --- Clients (Windows and Linux machines)

My Linux box has two NICs. Eth0 is up and running nicely. I haven't tried to set up eth1 yet. (I am kind of scared of setting up eth1; I'll probably run into trouble again.)

zhex900
#2
On 2004-12-23, zhex900 <(E-Mail Removed)> wrote:
> have spent a few hours looking at google.groups to figure out how to
> setup a gateway & firewall on my mandrake 10 box.

See the home-networking-howto and the firewall-howto.

Davide
-- 
Windows found - Remove? (Y)es (S)ure (F)ine (O)K
#3
On 23 Dec 2004 02:16:29 -0800, zhex900 wrote:
> have spent a few hours looking at google.groups to figure out how to
> setup a gateway & firewall on my mandrake 10 box.

Is that 10.0 or 10.1? It is not nice to leave us guessing. How about 10.0 Official or Community? Please read http://www.catb.org/~esr/faqs/smart-questions.html

Assume all updates have been installed from a Mandrake mirror.

> Here is what I want.
>
> Internet --- Cable modem --- Linux box --- Router --- Any clients.

Ok, go ahead and configure eth1 for your LAN. After you have it configured in the Mandrake Control Center (MCC), edit /etc/sysconfig/network-scripts/ifcfg-eth1 and change METRIC=12 if you are running Mandrake 10.1.

And add a line in /etc/sysconfig/network:

    HOSTNAME=fw.home.invalid
    NETWORKING=yes
    GATEWAYDEV=eth0 <=============

Make sure you have a carriage return after eth0, by doing a

    $ cat /etc/sysconfig/network

and the prompt should be on the left, not at the end of eth0.

> 1) Just to get the Linux box to forward packets.

Go into the Mandrake Control Center under Security, Firewall and uncheck all boxes; that tells the firewall to block all inbound attempts and allow all outbound attempts. At this point your shorewall firewall is installed and running.

I would load webmin to allow you to play with the shorewall firewall files. Click up a terminal:

    su -l root
    urpmi webmin
    service webmin start

Want a GUI editor for the next change?

    export DISPLAY=:0.0
    kwrite /etc/sysctl.conf

and set IP forwarding/masquerading with

    net.ipv4.ip_forward = 1

in /etc/sysctl.conf. Save and exit. Next enable the forward change with the command

    sysctl -p

and reload the network with

    service network restart

I assume you have loaded your /etc/hosts file with LAN definitions. Example:

    $ head -5 /etc/hosts
    192.168.1.10 wb.home.invalid wb
    127.0.0.1 localhost
    192.168.1.12 wb1.home.invalid wb1
    192.168.1.1 fw.home.invalid fw
    192.168.1.22 wb4.home.invalid wb4

Now, let's play with the shorewall files; in your user account, click up a browser and load https://localhost:10000 and click Network, Shorewall. The names of the icon selections will be the names of the shorewall files.

In another browser window, load http://www.shorewall.net/two-interface.htm. That page will suggest reading it once, then going back to start changes. That is good advice. Do not install any files; we can do all the work from what is already loaded.

Now go back to the top of the shorewall document and find the Zone file example and verify the webmin Zone matches the document. You have some leeway. Here is my _zone_ file:

    net Net Internet zone
    loc Local Local

The document is having you edit the files and shows you what it should look like after editing. Just go to webmin for that file and set it to look like the example.

The files I modified are

    interfaces
    masq
    policy
    routestopped
    rules

I wanted to have LAN PCs be able to do WAN pings and I wanted to allow one external machine to have access to my network. Here are my _rules_ settings:

    ACCEPT net:$FUZZYIP fw all - -
    ACCEPT loc fw icmp 8
    ACCEPT fw loc icmp
    DROP net fw icmp echo-request
    ACCEPT fw net icmp

Here is an advanced user tip. You can create variables in _params_ with an editor and use them in the scripts. That is what the $FUZZYIP is. What that allows me to do is modify params and do a shorewall restart, and the new params values will go into all the shorewall files. Example snippet from my params file:

    FUZZYIP=12.216.147.150
    LOC_NIC=eth0 # lan nic
    NET_NIC=eth1 # /etc/sysconfig/network gatewaydev

Note, I have eth1 on the cable modem and eth0 for the LAN router.

The _masq_ file has

    $NET_NIC $LOC_NIC

You would use

    eth0 eth1

Now my _routestopped_ has

    $LOC_NIC

You would have

    eth1

That allows any LAN box access to the firewall box when shorewall is stopped.

My _policy_ file has

    loc net ACCEPT
    fw loc ACCEPT
    fw net ACCEPT
    net all DROP info
    all all REJECT info

At this point it should work. Click _Check Firewall_ for syntax errors. You might want to click up yet another terminal and do a

    tail -f /var/log/messages

That will allow you to see any shorewall messages as you verify there are no problems accessing the internet from the LAN PCs. Ok, click Stop/Start firewall and see what you can see.

http://www.shorewall.net/Documentation_Index.html for shorewall doc, if you really want to understand more about the firewall.

There were 94,000+ new viruses created this year. I got tired of seeing my logs filling up with all the attempts, so I created entries in /etc/shorewall/blacklist for noisy ports. Here are two lines from mine:

    0.0.0.0/0 tcp 1025
    0.0.0.0/0 udp 1026:1029

One is a port, the other is a range of ports. Any def in blacklist is dropped and no /var/log/messages entry is created. After you edit blacklist, you can do a shorewall reload to set the values.

You may want to read the header files in /etc/shorewall just to get a feel for what each file will do for you. If you want to modify any other shorewall settings found in /usr/share/shorewall/, copy the file to /etc/shorewall and make the change there. Files in /etc/shorewall supersede files in /usr/share/shorewall.

Since webmin is running, you can get to the firewall from the LAN with https://firewall_box_ip_here:10000 or, if the firewall box is in /etc/hosts on a LAN box, https://firewall_box_name_here:10000
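As an added example (not code from this thread or from shorewall itself): a small POSIX shell script that resolves shorewall-style $NAME references the way the _params_ tip above describes, and checks the trailing-newline condition behind the "prompt should be on the left" test for /etc/sysconfig/network. The file contents, the 203.0.113.10 address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve shorewall-style $NAME
# references in a rules file against a params file (the mechanism the post
# describes for $FUZZYIP), and check the trailing-newline pitfall it warns
# about in /etc/sysconfig/network. All sample data below is constructed.

# Print FILE with each $NAME replaced by the value assigned in PARAMS.
# Blank lines and '#' lines in PARAMS are skipped and trailing
# "# comment" text after a value is dropped, as in the post's params file.
# Values containing '|' or '&' would need extra escaping (not handled).
expand_params() {
    params="$1"; file="$2"
    # Pad every line with a space so a $NAME at end of line still has a
    # following non-identifier character to match against.
    out=$(sed 's/$/ /' "$file")
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        value=$(printf '%s' "${line#*=}" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
        out=$(printf '%s\n' "$out" |
            sed "s|\\\$$name\\([^A-Za-z0-9_]\\)|$value\\1|g")
    done < "$params"
    printf '%s\n' "$out" | sed 's/ $//'
}

# Succeed when FILE is non-empty and its last byte is a newline; this is
# the condition behind the post's "prompt should be on the left" check.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Stand-alone demo on constructed copies of the thread's params/rules.
demo() {
    d=$(mktemp -d)
    cat > "$d/params" <<'EOF'
# constructed sample; 203.0.113.10 is a documentation-range placeholder
FUZZYIP=203.0.113.10
LOC_NIC=eth0 # lan nic
NET_NIC=eth1 # /etc/sysconfig/network gatewaydev
EOF
    printf 'ACCEPT net:$FUZZYIP fw all - -\n$NET_NIC $LOC_NIC\n' > "$d/rules"
    expand_params "$d/params" "$d/rules"
    printf 'GATEWAYDEV=eth0' > "$d/network"   # missing final newline
    ends_with_newline "$d/network" || echo "network: no trailing newline"
    rm -rf "$d"
}

demo
```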
Tags: gateway or firewall, howto, mandrake, setup