LinuxQuestions.org
Old 08-12-2008, 05:56 AM   #1
kylibar
LQ Newbie
 
Registered: Aug 2008
Posts: 12

Rep: Reputation: 0
Question Shorewall Setup - I have some questions.


I'm wanting to set up a 3-interface firewall using Shorewall.
I'm running 2.6.15-26-server (Ubuntu Server).
I have 3 network interfaces. Let's call them:

IFACE / NAME
---------------
eth0 / NET
eth1 / DMZ
eth2 / LOC

Q1) Should I be able to ping a device, let's say from LOC to NET, automatically? Without having to bridge my interfaces or install and configure Shorewall?

Q2) If I do have to do some sort of special configuration, where do I start?

--------------------------------------------
The configuration I'm looking for... well, I want the individual interfaces to continue to have their respective IP addresses; in other words, I don't want all 3 interfaces to have the same IP address, that defeats my purpose of building this. The addresses I want are as follows:

IFACE / IP ADDRESS
-----------------------
eth0 / 192.168.0.1
eth1 / 192.168.1.1
eth2 / 192.168.2.1

but I want to be able to pass information from one interface to another. Like I said, I can't even ping a device from zone "LOC" to zone "NET". I've *tried* bridging and other methods VERY diligently... but to no avail. It's not working, and I know I must be doing something wrong.

Can someone please at least point me in the right direction? Maybe there is a line of code I'm missing??

I set up my bridge using the brctl-utils (easy peasy), or so it seemed, and it seemed to work.

Maybe I set my /etc/network/interfaces file up incorrectly??


-----------------------------------------------
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0

iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0

iface br0 inet static
netmask 255.255.255.0
-----------------------------------------------

Last edited by kylibar; 08-12-2008 at 05:57 AM. Reason: tidy up
 
Old 08-12-2008, 08:25 AM   #2
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
I think you should enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
and also configure routes
route add -net 192.168.1.0/24 gw 192.168.1.1 etc.. for all the networks

and configure default gateway
route add default gw 192.168.x.1


flush ip rules
iptables -F
iptables -t nat -F

set default policy to allow
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
also for OUTPUT
test by using ping

if it works, don't forget to lock the machine down with basic iptables rules to block traffic

Last edited by ddaemonunics; 08-12-2008 at 08:32 AM.
 
Old 08-12-2008, 04:15 PM   #3
kylibar
LQ Newbie
 
Registered: Aug 2008
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by ddaemonunics View Post
I think you should enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
and also configure routes
route add -net 192.168.1.0/24 gw 192.168.1.1 etc.. for all the networks

and configure default gateway
route add default gw 192.168.x.1


flush ip rules
iptables -F
iptables -t nat -F

set default policy to allow
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
also for OUTPUT
test by using ping

if it works don't forget to lock the machine by basic iptables rules to block traffic
That's a little confusing? But I think I can make sense out of it;

- I enable IP forwarding by:
editing the /etc/sysctl.conf file and adding the line net.ipv4.conf.default.forwarding=1 ???

- I'm quite confused about "route add -net 192.168.1.0/24 ... ... ..."
Do I set this in the /etc/network/interfaces file??? I just add;
Gateway 192.168.x.x/x ???

- By the default gateway you mean the one that is connected to the internet?? That is eth0 - NET zone

Don't get me wrong, I've been frustrated with this for a week, and you're the first reply I've gotten... and I'm very thankful

However, is there a way you could be a little more explicit with your instructions?

I'm going to give this my best shot, but I hope I don't do anything I can't fix, that would blow lol
 
Old 08-14-2008, 01:32 AM   #4
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
flush iptables :
#execute

iptables -F
iptables -t nat -F

#set default policy to allow
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUTPUT ALLOW

#You should check if ip_forward is enable by executing :
cat /proc/sys/net/ipv4/ip_forward

#which should show 1.
#if it's 0 execute

echo "1" > /proc/sys/net/ipv4/ip_forward


#if you configured the network interfaces..then you should be able to ping them
#execute:
ping 192.168.0.1
ping 192.168.1.1
ping 192.168.2.1

#add the default route (to the internet): execute this command

route add default gw 192.168.0.1

#now you should be able to ping an external IP from the internet, if dns is configured you should be able to ping www.google.com
#Make sure iptables doesn't block traffic.

#Set up routing tables...by executing the commands:

route add -net 192.168.1.0/24 gw 192.168.1.1
route add -net 192.168.2.0/24 gw 192.168.2.1

#try to ping hosts from those networks

ping 192.168.2.100..for example
 
Old 08-14-2008, 05:19 AM   #5
kylibar
LQ Newbie
 
Registered: Aug 2008
Posts: 12

Original Poster
Rep: Reputation: 0
OK, this is EXACTLY what I did, and I mean exactly. I did a fresh install (Ubuntu Server 6.06). After a quick installation I executed the following commands, in sequence...

sudo passwd root ~ gave root my password

I got right to the bridging of the 3 interfaces;

Obtained the only package I needed from the internet;
apt-get install bridge-utils

I shut down the networking interfaces completely;
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth2 down
ifconfig lo down
/etc/init.d/networking stop

----------------------------------------------------

I created the bridge "br0";
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl show ~ i did this to confirm

I then edited the file /etc/network/interfaces, this is what it currently looks like;
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
auto eth2
iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0
auto br0
iface br0 inet static

I flushed the IP tables;
iptables -F
iptables -t nat -F

I had problems with these;
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUPUT ALLOW
ERROR RETURNED: "BAD POLICY NAME"

I enabled IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Then I just read on and realized that I should be able to ping after that point, so then I restarted the networking. Didn't work, but at least it told me why;

"Don't seem to have all the variables for br0/inet. Failed to bring up br0".

So it seems maybe my bridging is ok? Maybe my problem exists in /etc/network/interfaces ???

And like I said before, thanks for helping; it's hard to find help on this stuff sometimes. Most of the time I get along by myself just fine, but every so often something will stump me silly ~ like this firewall of mine. Anyway, I'm still picking at it...


What do you think it could be?

Last edited by kylibar; 08-14-2008 at 05:50 AM. Reason: forgot something :D
 
Old 08-14-2008, 11:58 AM   #6
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
Why bridging?
I don't see why you use bridging...
If it's a Linux router, forwarding and source NAT-ing or masquerade should do it.

Try baby steps :P I am sure that the problem is in bridging... I have a few Linux internet gateways... and I never used bridge.

It's iptables -P OUTPUT ALLOW... my bad

Last edited by ddaemonunics; 08-14-2008 at 12:02 PM.
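The routing-plus-masquerade setup that #6 recommends instead of bridging, written out as an added example (not code posted by anyone in this thread): the interface names and subnets are the OP's; the default-deny policies, the flows allowed between zones and the SSH-from-LOC rule are my assumptions. It also shows why the `ALLOW` policy in #2 and #4 fails: a built-in chain's policy can only be ACCEPT or DROP.

```shell
#!/bin/sh
# Three-interface router for the zones in this thread (names and addresses from the OP):
#   eth0 = NET (upstream, 192.168.0.1/24), eth1 = DMZ (192.168.1.1/24), eth2 = LOC (192.168.2.1/24)
# Routing + NAT instead of a bridge, with default-deny policies and explicit forwards.
# The allowed flows below are assumptions; the thread does not specify them.
NET_IF=eth0; DMZ_IF=eth1; LOC_IF=eth2
DMZ_NET=192.168.1.0/24; LOC_NET=192.168.2.0/24

# Built-in chain policies accept only ACCEPT or DROP; "ALLOW" is what
# produced the "Bad policy name" error reported in post #5.
valid_policy() {
    case "$1" in
        ACCEPT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rule set one command per line so it can be reviewed (or tested) without root.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $LOC_IF -s $LOC_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOC_IF -o $NET_IF -s $LOC_NET -j ACCEPT
iptables -A FORWARD -i $LOC_IF -o $DMZ_IF -s $LOC_NET -d $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $NET_IF -s $DMZ_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $NET_IF -j MASQUERADE
EOF
}

# Apply for real (needs root): sh -e stops at the first failing command.
apply_router_rules() {
    router_rules | sh -e
}

# Dry run (just print the rules) by default; pass "apply" to install them.
if [ "${1:-}" = "apply" ]; then apply_router_rules; else router_rules; fi
```

Run it once without arguments to review the generated rule set, then `sh thisscript.sh apply` as root; hosts in DMZ and LOC still need the router's address on their interface as their default gateway.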