11-19-2008, 01:38 AM   #1
kylibar
LQ Newbie
Registered: Aug 2008
Posts: 12

Shorewall with PPPoE Issues


Please forgive me for any typos, misspellings and whatnot... I have a BB/pellet in my thumb. Getting it out today, woo! I can type again.

I have been issued a class A subnet from my service provider.
I will call this net 10.10.10.64/29. (This is not my real IP address, just a "real" example.)
10.10.10.64 is the network address.
10.10.10.71 is the broadcast address.
I have five usable static IP addresses: 10.10.10.(65 - 70).

THE MODEM
==============================================
The modem is in bridge mode. The PPPoE connection is executed by the firewall.
The modem's external address is assigned to me dynamically via the PPP connection from the firewall. Can't ever tell what that address is going to be.

I have assigned the INTERNAL address 10.10.10.64 (my broadcast address).
The netmask I gave it was 255.255.255.0.

THE FIREWALL
==============================================
eth0:
This is the primary interface on my firewall.
It is assigned the address 10.10.10.65 (the first of my usable static IP addresses).
eth0 is bridged with ppp0? I think. To come up with the internet connection. You can see all of my statics from the external, but for simplicity I am just using 64 and 65 until I finally get it working right. Oh yeah, I used "pppoeconf" to configure my PPPoE connection with my modem and ISP. Nothing special.

So my problems are:
I can log on with the ppp0 connection and surf the internet just fine with the FIREWALL only. The remaining computers connected to eth1 and eth2 CANNOT surf the internet. What is weird... is Shorewall is WORKING? Properly? I can get on any of the machines connected to either zone (eth1 or eth2) and log on to 10.10.10.64 (the web interface for the modem, which is connected to eth0), but I can't surf the net. So I know I can see through the firewall correctly. It's as if it's a nameserver/name resolving issue? Maybe I should install bind9? Or does it have something to do with Shorewall's setup? Configuration setting? Or my interface settings? I'm at a loss. I haven't looked into the PPP config files. Maybe that's it? Or maybe if I bridge the three interfaces and then use the PPP. I dunno.

Basically... everything on the interfaces eth1 and eth2 cannot see the internet. The firewall can see the internet. The internet is connected to the firewall via eth0 and ppp0.

Any help would be nice.

Also, does anyone know where I can find some good examples of the files used in PPP? I understand what some lines of the config files mean. I don't know what a lot of them mean, though. Maybe the reason the other 2 interfaces aren't working lies somewhere in the ppp/pppoe config?

Like I said, any help would be nice.



Here are ALL the config files. If you need anything else... just ask.

====================================================
Network Topology
====================================================

modem <---eth0---> Shorewall$FireWall <---eth1---> dmz zone
                           ^
                           |
                          eth2
                           |
                           v
                        loc zone

====================================================
Network Configuration Files
====================================================

/etc/network/interfaces
####################################################
auto lo
iface lo inet loopback
#
auto eth0
iface eth0 inet static
    address 10.10.10.65 ##not the real address but close enough
    gateway 10.10.10.64 ##not the real address but close enough
    netmask 255.255.255.0
    up ifup ppp0
    down ifdown ppp0
auto ppp0
iface ppp0 inet ppp
    provider dsl-provider
    #pre-up ifup eth0
    #post-down ifdown eth0
#
auto eth1
iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
#
auto eth2
iface eth2 inet static
    address 192.168.2.1
    netmask 255.255.255.0
####################################################

/etc/resolv.conf
####################################################
#it contains my ISP nameservers
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx
####################################################





====================================================
PPP Config Files
====================================================

/etc/ppp/chap-secrets
####################################################
# Secrets for authentication using CHAP
# client                   server   secret        IP addresses
"myemail@mydomain.com"     *        "mypassword"
####################################################

/etc/ppp/options
####################################################
#this file was a lot larger, but I shrank it
asyncmap 0
auth
crtscts
lock
hide-password
modem
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
# ---<End of File>---
####################################################

/etc/ppp/pap-secrets
####################################################
#
# /etc/ppp/pap-secrets
#
# This is a pap-secrets file to be used with the AUTO_PPP function of
# mgetty. mgetty-0.99 is preconfigured to startup pppd with the login option
# which will cause pppd to consult /etc/passwd (and /etc/shadow in turn)
# after a user has passed this file. Don't be disturbed therefore by the fact
# that this file defines logins with any password for users. /etc/passwd
# (again, /etc/shadow, too) will catch passwd mismatches.
#
# This file should block ALL users that should not be able to do AUTO_PPP.
# AUTO_PPP bypasses the usual login program so it's necessary to list all
# system userids with regular passwords here.
#
# ATTENTION: The definitions here can allow users to login without a
# password if you don't use the login option of pppd! The mgetty Debian
# package already provides this option; make sure you don't change that.

# INBOUND connections

# Every regular user can use PPP and has to use passwords from /etc/passwd
* hostname "" *

# UserIDs that cannot use PPP at all. Check your /etc/passwd and add any
# other accounts that should not be able to use pppd!
guest hostname "*" -
master hostname "*" -
root hostname "*" -
support hostname "*" -
stats hostname "*" -

# OUTBOUND connections

# Here you should add your userid password to connect to your providers via
# PAP. The * means that the password is to be used for ANY host you connect
# to. Thus you do not have to worry about the foreign machine name. Just
# replace password with your password.
# If you have different providers with different passwords then you better
# remove the following line.

# * password

"myemail@mydomain.com" * "mypassword"
####################################################

/etc/ppp/peers/dsl-provider
####################################################
# Minimalistic default options file for DSL/PPPoE connections

noipdefault
defaultroute
replacedefaultroute
hide-password
#lcp-echo-interval 30
#lcp-echo-failure 4
noauth
persist
#mtu 1492
usepeerdns
plugin rp-pppoe.so eth0
user "myemail@mydomain.com"

####################################################

/etc/ppp/peers/provider
####################################################
# Serial device to which the modem is connected.
/dev/modem

# Speed of the serial line.
115200

# Assumes that your IP address is allocated dynamically by the ISP.
noipdefault
# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

# Makes pppd "dial again" when the connection is lost.
persist

# Do not ask the remote to authenticate.
noauth


####################################################





====================================================
Shorewall Configuration Files
====================================================

/etc/shorewall/interfaces
####################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0
net     eth0        detect      tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
dmz     eth1        detect
loc     eth2        detect      tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
####################################################

/etc/shorewall/masq
####################################################
#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
ppp0         eth0
eth0         eth1
eth0         eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
####################################################

/etc/shorewall/policy
####################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
$FW       net    ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
dmz       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
####################################################

/etc/shorewall/routestopped
####################################################
#INTERFACE   HOST(S)
eth1         -
eth2         -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
####################################################

/etc/shorewall/rules
####################################################
#ACTION        SOURCE   DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                      PORT    PORT(S)   DEST       LIMIT   GROUP
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT     $FW      net
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT     loc      $FW
SSH/ACCEPT     loc      dmz
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT     dmz      net

# Reject Ping from the "bad" net zone.
Ping/REJECT    net      $FW

#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT    loc      $FW
Ping/ACCEPT    dmz      $FW
Ping/ACCEPT    loc      dmz
Ping/ACCEPT    dmz      loc
Ping/ACCEPT    dmz      net

ACCEPT         $FW      net    icmp
ACCEPT         $FW      loc    icmp
ACCEPT         $FW      dmz    icmp

# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping/ACCEPT   net      dmz
#Ping/ACCEPT   net      loc

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
####################################################

/etc/shorewall/shorewall.conf
####################################################
#the only changes I made were:
CLAMPMSS=Yes
IP_Forwarding=On
####################################################

/etc/shorewall/zones
####################################################
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
####################################################
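As an added diagnostic (not from the original post, and not part of Shorewall), the Python below parses the posted `interfaces` and `masq` files and flags masq entries whose outgoing interface is not the one holding the default route; it assumes, as the `defaultroute` option in the posted `/etc/ppp/peers/dsl-provider` implies, that the default route sits on ppp0. The embedded file contents are constructed copies of the post's files.

```python
"""Check that Shorewall masq rules NAT LAN traffic on the interface that
actually holds the default route (constructed example, not from the post)."""

# Constructed copies of the two Shorewall files quoted in the post above.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0
net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
dmz eth1 detect
loc eth2 detect tcpflags,detectnets,nosmurfs
"""
MASQ = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0
eth0 eth1
eth0 eth2
"""

def parse_columns(text):
    """Rows of a Shorewall table file, with comments and blank lines dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def zone_of_interface(interfaces_text):
    """Map interface name -> zone, from the interfaces file."""
    return {row[1]: row[0] for row in parse_columns(interfaces_text)}

def masq_findings(interfaces_text, masq_text, default_route_iface):
    """Return (masq_line, problem) pairs. MASQUERADE is applied per outgoing
    interface, so a rule whose INTERFACE column is not the interface holding
    the default route never matches Internet-bound packets, which then leave
    with their private source address intact."""
    zones = zone_of_interface(interfaces_text)
    findings = []
    for row in parse_columns(masq_text):
        out_iface, source = row[0], row[1]
        line = " ".join(row)
        if zones.get(out_iface) != "net":
            findings.append((line, f"{out_iface} is not in the net zone"))
        elif out_iface != default_route_iface:
            findings.append((line, f"NAT is applied on {out_iface}, but the "
                                   f"default route is on {default_route_iface}"))
        if zones.get(source) == "net":
            findings.append((line, f"source {source} is a net-zone interface"))
    return findings
```

Calling `masq_findings(INTERFACES, MASQ, "ppp0")` reports all three posted masq lines; with ppp0 in the INTERFACE column for eth1 and eth2 it reports nothing.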