configuring shorewall on slackware

b0nd · 08-31-2005, 10:50 AM

Hello all,
I've two systems on lan.
Let us assume that the one which has modem be sys1 and the second one be sys2.
i've dial up connection to the internet.
Now i'm trying to configure shorewall on my sys1 so that i can access internet from my sys2 also using sys1 as gateway.
......................................
using "netconfig" on both the systems i've set the ip address.
sys1 192.168.0.1
sys2 192.168.0.2

both systems are pinging each other perfectly.
......................................

Its for the first time that i'm trying to configure shorewall so i'm not very much confident with the entries which i made in
****/etc/shorewall/"various files"****

.......................................

Code:

root@bond:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A1:B0:10:19:2E
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4444 (4.3 Kb)  TX bytes:3108 (3.0 Kb)
          Interrupt:10 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:61.95.216.58  P-t-P:202.56.24.135  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:591 errors:0 dropped:0 overruns:0 frame:0
          TX packets:669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:258482 (252.4 Kb)  TX bytes:87850 (85.7 Kb)

root@bond:~#

Code:

root@bond:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.56.24.135   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         202.56.24.135   0.0.0.0         UG    0      0        0 ppp0
root@bond:~#

Entries in /etc/shorewall/interfaces

Code:

##############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net	ppp0		   -		routefilter,norfc1918,tcpflags
loc	eth0		   -		tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Entries in /etc/shorewall/masq

Code:

#############################################################################
#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
ppp0			eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy

Code:

###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc		net		ACCEPT
# If you want open access to the Internet from your Firewall 
# remove the comment from the following line.
fw		net		ACCEPT
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/shorewall.conf

Code:

# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=Yes

/etc/shorewall/zones

Code:

#ZONE	DISPLAY		COMMENTS
net	Net		Internet
loc	Local		Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

where am i missing something?????.............b'coz my sys2 can't connect to internet through sys1 as gateway.......

route -n on sys2

Code:

root@bond:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0       U       0        0        0  eth0
127.0.0.0       0.0.0.0         255.0.0.0             U        0      0         0 lo
0.0.0.0         192.168.0.1   0.0.0.0              UG    0      0          0 eth0
root@bond:~#

thanx in adv. to all of u who will be trying to sort out the problem..

regards

achal · 08-31-2005, 01:14 PM

i am running shorewall myself on my systems other two systems are connected via line
as far as shorewall is concerned main thing u have to decide is the policy
following is the entry from /etc/shorewall/policy
see if it helps u
##############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT `
fw loc ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
#all all REJECT info

masand · 08-31-2005, 08:43 PM

2 things

1.have u specified the correct DNS option in sys2
2. what do u get for
cat /rpoc/sys/net/ipv4/ip_forward
on sys1

regards

b0nd · 08-31-2005, 10:46 PM

Quote:

Originally posted by masand
2 things

1.have u specified the correct DNS option in sys2
2. what do u get for
cat /rpoc/sys/net/ipv4/ip_forward
on sys1

regards

1>> How should i set the DNS option on sys2 ????.........is it the same as "nameserver" option during "netconfig" ???
And how should i check what settings i made during "netconfig" ???

2>> the output of cat/proc/sys/net/ipv4/ip_forward is..........'1'.

regards

masand · 09-01-2005, 11:17 AM

check out ur
/etc/resolv.conf
u should have
nameserver <DNS ip>

regards

b0nd · 09-01-2005, 01:04 PM

Thanx a lot Mr. masand.
My both systems are now on internet....

But i've few doubts.
have a look at the following....

Code:

root@bond:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A1:B0:10:19:2E
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43718 (42.6 Kb)  TX bytes:206156 (201.3 Kb)
          Interrupt:10 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:88 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5892 (5.7 Kb)  TX bytes:5892 (5.7 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:61.246.240.85  P-t-P:202.56.24.135  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1050 errors:1 dropped:0 overruns:0 frame:0
          TX packets:1180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:465397 (454.4 Kb)  TX bytes:129418 (126.3 Kb)

root@bond:~#

some one once told me that the entry

Code:

P-t-P:202.56.24.135

in ppp0 shows the ip of your ISP..
so accordingly i was using it as the default DNS
But now when i opened /etc/resolv.conf i found the following entries.

Code:

root@bond:~# cat /etc/resolv.conf
search slachome
nameserver 202.56.24.135
nameserver 202.56.224.135       #kppp temp entry
nameserver 202.56.224.132       #kppp temp entry
root@bond:~#

so accordingly in "sys2" i changed the entries in /etc/resolv.conf and make it to 202.56.224.135.
and now it too can access the internel.

But now the question is how am i suppose to know the DNS ???

Thanx a lot

regards

achal · 09-01-2005, 01:45 PM

i think ur nameserver is
202.56.224.135 its an ip of the isp u are using

masand · 09-02-2005, 05:12 AM

Please do not post public IPs as that u have posted !!

also DNS IP are fixed and the IP of ur ISP is the gateway for ur machine connected to the internet

if u connect directly to the internet then KPPP automiaticlly adds the DNS ips in resolv.conf and if u assign IP address using DHCP to clients then ur cleints won't require to add the DNS ip

regards