Shorewall Setup - I have some questions.
I'm wanting to set up a 3-interface firewall using Shorewall.

I'm running 2.6.15-26-server (Ubuntu Server). I have 3 network interfaces. Let's call them:

IFACE / NAME
---------------
eth0 / NET
eth1 / DMZ
eth2 / LOC

Q1) Should I be able to ping a device, let's say from LOC to NET, automatically? Without having to bridge my interfaces or install and configure Shorewall?

Q2) If I do have to do some sort of special configuration, where do I start?

--------------------------------------------

The configuration I'm looking for... well, I want the individual interfaces to continue to have their respective IP addresses; in other words, I don't want all 3 interfaces to have the same IP address, that defeats my purpose of building this. The addresses I want are as follows:

IFACE / IP ADDRESS
-----------------------
eth0 / 192.168.0.1
eth1 / 192.168.1.1
eth2 / 192.168.2.1

But I want to be able to pass information from one interface to another. Like I said, I can't even ping a device from zone "LOC" to zone "NET". I've *tried* bridging and other methods VERY diligently... but to no avail. It's not working, and I know I must be doing something wrong. Can someone please at least point me in the right direction? Maybe there is a line of code I'm missing?? I set up my bridge using brctl (bridge-utils), easy peasy, or so it seemed, and it seemed to work. Maybe I set my /etc/network/interfaces file up incorrectly??

-----------------------------------------------
auto lo
iface lo inet loopback
    address 127.0.0.1
    netmask 255.0.0.0

iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0

iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0

iface eth2 inet static
    address 192.168.2.1
    netmask 255.255.255.0

iface br0 inet static
    netmask 255.255.255.0
-----------------------------------------------
I think you should enable ip_forward:

echo "1" > /proc/sys/net/ipv4/ip_forward

and also configure routes:

route add -net 192.168.1.0/24 gw 192.168.1.1

etc. for all the networks, and configure the default gateway:

route add default gw 192.168.x.1

Flush the iptables rules:

iptables -F
iptables -t nat -F

Set the default policy to allow:

iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW

and also for OUTPUT. Test by using ping. If it works, don't forget to lock the machine down with basic iptables rules to block traffic.
- I enable IP forwarding by editing the /etc/sysctl.conf file and adding the line net.ipv4.conf.default.forwarding=1 ???

- I'm quite confused about "route add -net 192.168.1.0/24 ... ... ...". Do I set this in the /etc/network/interfaces file??? I just add "Gateway 192.168.x.x/x" ???

- By the default gateway you mean the one that is connected to the internet?? That is eth0, the NET zone.

Don't get me wrong, I've been frustrated with this for a week, and you're the first reply I've gotten... and I'm very thankful :D However, is there a way you could be a little more explicit with your instructions? I'm going to give this my best shot, but I hope I don't do anything I can't fix, that would blow :( lol
Flush iptables:

# execute
iptables -F
iptables -t nat -F

# set default policy to allow
iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUTPUT ALLOW

# You should check if ip_forward is enabled by executing:
cat /proc/sys/net/ipv4/ip_forward
# which should show 1.
# If it's 0, execute:
echo "1" > /proc/sys/net/ipv4/ip_forward

# If you configured the network interfaces, then you should be
# able to ping them. Execute:
ping 192.168.0.1
ping 192.168.1.1
ping 192.168.2.1

# Add the default route (to the internet). Execute this command:
route add default gw 192.168.0.1

# Now you should be able to ping an external IP on the internet;
# if DNS is configured you should be able to ping www.google.com.
# Make sure iptables doesn't block traffic.

# Set up routing tables by executing the commands:
route add -net 192.168.1.0/24 gw 192.168.1.1
route add -net 192.168.2.0/24 gw 192.168.2.1

# Try to ping hosts on those networks:
ping 192.168.2.100   # for example
OK, this is EXACTLY what I did, and I mean exactly. I did a fresh install (Ubuntu Server 6.06). After a quick installation I executed the following commands, in sequence...

sudo passwd root ~ gave root my password :)

I got right to the bridging of the 3 interfaces. Obtained the only package I needed from the internet:

apt-get install bridge-utils

I shut down the networking interfaces completely:

ifconfig eth0 down
ifconfig eth1 down
ifconfig eth2 down
ifconfig lo down
/etc/init.d/networking stop

----------------------------------------------------

I created the bridge "br0":

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl show ~ I did this to confirm

I then edited the file /etc/network/interfaces; this is what it currently looks like:

auto lo

I flushed the IP tables:

iptables -F
iptables -t nat -F

I had problems with these:

iptables -P INPUT ALLOW
iptables -P FORWARD ALLOW
iptables -P OUPUT ALLOW

ERROR RETURNED: "BAD POLICY NAME"

I enabled IP forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

Then I just read on and realized that I should be able to ping after that point, so then I restarted the networking. Didn't work, but at least it told me why: "Don't seem to have all the variables for br0/inet. Failed to bring up br0". So it seems maybe my bridging is OK? Maybe my problem exists in /etc/network/interfaces???

And like I said before, thanks for helping; it's hard to find help on this stuff sometimes. Most of the time I get along by myself just fine, but every so often something will stump me silly ~ like this firewall of mine. Anyway, I'm still picking at it... what do you think it could be?
Why bridging?

I don't see why you use bridging... if it's a Linux router, forwarding and source NAT-ing or masquerading should do it. Try baby steps :P I am sure that the problem is in bridging... I have a few Linux internet gateways, and I never used a bridge.

It's iptables -P OUTPUT ALLOW... my bad.
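The following script is an added example written for this page; it is not code posted by anyone in the thread. It puts the step-by-step reply above and the "why bridging?" reply into one runnable form for the three-interface layout the original poster described (eth0 = NET 192.168.0.1, eth1 = DMZ 192.168.1.1, eth2 = LOC 192.168.2.1), with no br0 at all: a bridge would merge the three ports into one broadcast domain, which is the opposite of three separate /24s, and it also needs an address of its own, which is what the "Don't seem to have all the variables for br0/inet" message is complaining about. Three points differ from the replies: iptables policies are ACCEPT or DROP, so `-P INPUT ALLOW` is what produces "Bad policy name"; the three /24s are directly connected, so the kernel installs those routes itself when the interfaces come up and `route add -net 192.168.1.0/24 gw 192.168.1.1` is not needed; and the default route must point at the upstream router on the NET side, not at the box's own eth0 address. That upstream address is not given anywhere in the thread, so 192.168.0.254 below is an assumption and can be overridden with `UPSTREAM_GW=...`. The script also assumes the `ip` command (iproute) and the iptables `state` match are available, which they are on Ubuntu 6.06. With `dry-run` it only prints the commands; `apply` runs them as root.

```shell
#!/bin/sh
# Three-interface router/firewall for the layout in this thread
# (eth0 = NET, eth1 = DMZ, eth2 = LOC) using plain iptables, no bridge.
#   sh router.sh dry-run   # print the commands that would run
#   sh router.sh apply     # run them (as root)

NET_IF=${NET_IF:-eth0}; NET_ADDR=192.168.0.1
DMZ_IF=${DMZ_IF:-eth1}; DMZ_ADDR=192.168.1.1
LOC_IF=${LOC_IF:-eth2}; LOC_ADDR=192.168.2.1
# Upstream router on the NET side. The thread never gives it; 192.168.0.254
# is an assumption for this example, override with UPSTREAM_GW=... if needed.
UPSTREAM_GW=${UPSTREAM_GW:-192.168.0.254}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# write_interfaces FILE: an /etc/network/interfaces with no br0 stanza.
# Every interface keeps its own address and gets "auto" so it comes up at boot.
write_interfaces() {
    cat > "$1" <<EOF
auto lo
iface lo inet loopback

auto $NET_IF
iface $NET_IF inet static
    address $NET_ADDR
    netmask 255.255.255.0
    gateway $UPSTREAM_GW

auto $DMZ_IF
iface $DMZ_IF inet static
    address $DMZ_ADDR
    netmask 255.255.255.0

auto $LOC_IF
iface $LOC_IF inet static
    address $LOC_ADDR
    netmask 255.255.255.0
EOF
}

enable_forwarding() {
    # Runtime equivalent of: echo 1 > /proc/sys/net/ipv4/ip_forward
    # The same line in /etc/sysctl.conf makes it survive a reboot.
    run sysctl -w net.ipv4.ip_forward=1
}

set_routes() {
    # The three /24s are directly connected, so the kernel adds their routes
    # when the interfaces come up; only the default route needs to be set,
    # and it points at the upstream router, not at this box's own address.
    run ip route replace default via "$UPSTREAM_GW" dev "$NET_IF"
}

firewall() {
    run iptables -F
    run iptables -t nat -F
    # Chain policies are ACCEPT or DROP; "ALLOW" gives "Bad policy name".
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic to the router itself: loopback, replies, ping, ssh from LOC only
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A INPUT -i "$LOC_IF" -p tcp --dport 22 -j ACCEPT

    # Traffic through the router: LOC may reach DMZ and NET, DMZ may reach NET.
    # DMZ -> LOC is not accepted, so the DROP policy blocks it; log attempts.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LOC_IF" -o "$NET_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LOC_IF" -o "$DMZ_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$NET_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LOC_IF" -j LOG --log-prefix "dmz-to-loc: "

    # Hide 192.168.1.0/24 and 192.168.2.0/24 behind the NET address
    run iptables -t nat -A POSTROUTING -o "$NET_IF" -j MASQUERADE
}

# dry_run_rules: the complete command list as text, for review before apply
dry_run_rules() {
    ( DRY_RUN=1; enable_forwarding; set_routes; firewall )
}

case "${1:-}" in
    dry-run) dry_run_rules ;;
    apply)   enable_forwarding; set_routes; firewall ;;
esac
```

The FORWARD policy is DROP with explicit accepts per direction rather than the accept-everything-then-lock-down order suggested in the replies, so the moment forwarding works the DMZ is already unable to open connections into LOC; if a ping from LOC to NET still fails with these rules loaded, the problem is in addressing or in the upstream router, not in the firewall. Shorewall's three-interface sample generates essentially this rule set from its zones, interfaces, policy, rules and masq files.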