Shorewall Internet Sharing, HELP!

timmywo · 12-17-2003, 10:32 AM

Hi guys

Im really stuck with this one, so i hope you can help me.

I have...

ADSL Router IP:100.100.100.1

RedHat9 Server
Shorewall - firewall
eth0 IP:100.100.100.10 --> ADSL Router
eth1 IP:192.168.1.1 --> Switch

Win 2000 computer
1 NIC IP:192.168.1.2 --> Switch

I wont to share the internet form the Server to the 2k computer and have a firewall. So i got Shorewall, i set it up fine.

I can...

Browse the internet form the server
Go throw the Lan with Samba to share files (i set Shorewall so i could)

I cant...

Browse the internet from the 2k computer
Its gateway is -- 192.168.1.1
Its DNS server is -- 100.100.100.1

I dont no what to do!? I have found details on how to get IP forwarding to work with data from the internet to a client, but not how to get a client throw the server to the internet. Im starting to think that i am missing something or im barking up the wrong tree.

Below is my Shorewall Rules file...

Code:

##############################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL		RATE	USER
#							PORT	PORT(S)	DEST			LIMIT	SET
#
#	Accept DNS connections from the firewall to the network
#
ACCEPT		fw		net		tcp	53
ACCEPT		fw		net		udp	53
#
#	Accept SSH connections from the local network for administration
#
ACCEPT		loc		fw		tcp	22
#
#	Allow Ping To And From Firewall
#
ACCEPT		loc		fw		icmp	8
ACCEPT		net		fw		icmp	8
ACCEPT		fw		loc		icmp	8
ACCEPT		fw		net		icmp	8
#
#allow vnc on :1 -Tim
ACCEPT 		loc 		fw 		tcp 	5901
#
#allow samba to work -Tim
ACCEPT  	fw		loc		udp  	137:139      
ACCEPT 		fw		loc		tcp     137,139,445    
ACCEPT 		fw		loc		udp	1024: 137  
ACCEPT		loc		fw		udp	137:139    
ACCEPT	 	loc		fw		tcp     137,139,445    
ACCEPT		loc		fw		udp	1024: 137
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Below is the Policy file...

Code:

###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc		net		ACCEPT
# If you want open access to the Internet from your Firewall 
# remove the comment from the following line.
fw		net		ACCEPT
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Please help guys!!!

THANKS

meks · 12-25-2003, 07:23 PM

add the following lines to your /etc/shorewall/policy file and try again:

loc $FW ACCEPT -
$FW loc ACCEPT -
net $FW ACCEPT -

1) allow traffic from loc-zone to the firewall itself (192.168.1.1 in your case)
2) allow vice versa - from the firewall to the loc-zone
3) allow traffic from the net to the firewall

please note that you will need to specifiy which ports your clients in the loc-zone will be able to connect to. (21 for ftp, 110 for pop3, ...)
alternatively, you may want to accept all ports.

also check if your interface with the ip 192.168.1.1 (eth1) is quoted in the interfaces-file.

if this won't work, try posting some iptables-output (iptables -nL)

timmywo · 12-26-2003, 12:18 PM

Thanks for your reply.

I waited for a reply to this post and while i was i found Firestarter, and it set it all up for me - a great program.

Thanks again Tim