Im wanting to setup a 3 interface firewall using shorewall.
Im running 2.6.15-26-server (ubuntu server)
I have 3 network interfaces. Lets call them:

IFACE / NAME
---------------
eth0 / NET
eth1 / DMZ
eth2 / LOC

Q1) Should I be able to ping a device, lets say from LOC to NET, automatically? Without having to bridge my interfaces or install and configure shorewall?

Q2) If I do have to do some sort of special configuration, where do I start?

--------------------------------------------
The configuration im looking for... well I want the individual interfaces to continue to have their respective IP addresses, in-other-words, I dont want all 3 interfaces to have the same IP address, that defeats my purpos of building this. The address I want are as follows;

IFACE / IP ADDRESS
-----------------------
eth0 / 192.168.0.1
eth1 / 192.168.1.1
eth2 / 192.168.2.1

but I want to be able to pass information from one interface to another. like I said, I cant even ping a device from zone "LOC" to zone "NET". ive *tried* bridging and other methods VERY diligantly... but to no avial. its not working, and i know i must be doing something wrong.

can someone please at least point me in the right direction? maybe there is a line of code im missing??

I set up my bridge using the brctl-utils (easy peasy) it seemed so, and it seemed to work.

Maybe I set my /etc/network/interfaces file up incorrectly??


-----------------------------------------------
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0

iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0

iface br0 inet static
netmask 255.255.255.0
-----------------------------------------------

I think you should enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
and also configure routes
route add -net 192.168.1.0/24 gw 192.168.1.1 etc.. for all the networks

and configure default gateway
route add default gw 192.168.x.1


flush ip rules
iptables -F
iptables -t nat -F

set default policy to allow
iptables -P INPUT ALLOW
iptables - P FORWARD ALLOW
also for OUTPUT
test by using ping

if it works don't forget to lock the machine by basic iptables rules to block traffic

Thats a little confusing? But I think I can make sense out of it;

-I enable ip forwarding by:
editing /etc/sysctl.conf file by adding the line net.ipv4.conf.default.forwarding=1 ???

-Im quite confused about "route add -net 192.168.1.0/24 ... ... ..."
do i set this in the /etc/network/interfaces file??? i just add;
Gateway 192.168.x.x/x ???

-by the default gateway you mean; the one that is connected to the internet?? the is eth0 - NET zone

Dont get me wrong, ive been frustraited with this for a week, and your the first reply ive gotten... and im very thankful

however, is there a way you could be a little more explicit with your instructions?

Im going to give this my best shot, but i hope i dont do anything i cant fix, that would blow lol

flush iptables :
#execute

iptables -F
iptables -t nat -F

#set default policy to allow
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUTPUT ALLOW

#You should check if ip_forward is enable by executing :
cat /proc/sys/net/ipv4/ip_forward

#which should show 1.
#if it's 0 execute

echo "1" > /proc/sys/net/ipv4/ip_forward


#if you configured the network interfaces..then you should be #able to ping them
#execute:
ping 192.168.0.1
ping 192.168.1.1
ping 192.168.2.1

#add the default route (to the internet): execute this command

route add defaut gw 192.168.0.1

#now you should be able to ping an external IP from the internet, #if dns is configured you should be able to ping www.google.com
#Make sure iptables doesn't block traffic.

#Set up routing tables...by executing the commands:

route add -net 192.168.1.0/24 gw 192.168.1.1
route add -net 192.168.2.0/24 gw 192.168.2.1

#try to ping hosts from those networks

ping 192.168.2.100..for example

Ok, this is EXACTLY what I did, and I mean exactly. I did a fresh install (ubuntu server 6.06). After a quick installation I executed the following commands, in sequence...

sudo passwd root ~ gave root my password

I got right to the bridging of the 3 interfaces;

Obtained the only package I needed from the internet;
apt-get install bridge-utils

I shut down the networking interfaces completely;
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth2 down
ifconfig lo down
/etc/init.d/networking stop

----------------------------------------------------

I created the bridge "br0";
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl show ~ i did this to confirm

I then edited the file /etc/network/interfaces, this is what it currently looks like;

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
auto eth2
iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0
auto br0
iface br0 inet static

I flushed the IP tables;
iptables -F
iptables -t nat -F

I had problems with these;
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUPUT ALLOW
ERROR RETURNED: "BAD POLICY NAME"

I enabled IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Then I just read on and realized that I should be able to ping after that point, so then I restarted the networking. Did't work, but at least it told me why;

"Don't seem to have all the variables for br0/inet. Failed to bring up br0".

So it seems maybe my bridging is ok? Maybe my problem exists in /etc/network/interfaces ???

And like I said before thanks for helping, its hard to find help on this stuff sometimes. Most of the time I get along by myself just fine, but every so often, something will stump me silly ~ like this firewall of mine. Anyway, im still picking at it...


what do you think it could be?

why bridging ?
I don't see why you use bridging...
if it's a linux router forwarding and source nat-ing or masquerade should do it

try baby steps :P I am sure that the problem is in bridging....I have a few linux internet gateways..and I never used bridge..

it's iptables -P OUTPUT ALLOW...my bad