About My Network

My Current Network

Warning: I use a combination of Static NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup so beware of copying parts of this configuration and expecting them to work for you. They may or may not work in your setup.

I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). 

I use:

The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.

Wookie runs Samba and acts as the a WINS server.  Wookie is in its own 'whitelist' zone called 'me'.

My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own Sygate firewall software and is managed by Proxy ARP. It connects to the local network through the PopTop server running on my firewall.

The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

The firewall system itself runs a DHCP server that serves the local network.

All administration and publishing is done using ssh/scp.

I run an SNMP server on my firewall to serve MRTG running in the DMZ.

 

The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).

A similar setup is used on eth3 (192.168.3.1) which interfaces to my laptop (206.124.146.180).

Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior access.

Shorewall.conf

	SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall

LOGRATE=
LOGBURST=

ADD_IP_ALIASES="Yes"

CLAMPMSS=Yes

MULTIPORT=Yes

Zones File:

	#ZONE 	DISPLAY 	COMMENTS
net Internet Internet
me Eastep My Workstation
loc Local Local networks
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

This is set up so that I can start the firewall before bringing up my Ethernet interfaces.

	#ZONE    INTERFACE	BROADCAST 	OPTIONS
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp,filterping,maclist
dmz eth1 206.124.146.255 filterping
net eth3 206.124.146.255 filterping,blacklist
- texas - filterping
loc ppp+ - filterping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Hosts File:

	#ZONE 		HOST(S)			OPTIONS
me eth2:192.168.1.3,eth2:206.124.146.179
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE

Routestopped File:

	#INTERFACE	HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180

Common File:

	. /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

Policy File:


	#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
	me	all	ACCEPT
	tx	me	ACCEPT		#Give Texas access to my personal system
	all	me	CONTINUE	#WARNING: You must be running Shorewall 1.3.1 or later for
# this policy to work as expected!!!
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT
net net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE

Masq File:

Although most of our internal systems use static NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade wookie to the peer subnet in Texas.

	#INTERFACE 	SUBNET		ADDRESS
eth0 192.168.1.0/24 206.124.146.176
texas 206.124.146.179 192.168.1.254
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File:

	#EXTERNAL	INTERFACE	INTERNAL	ALL	LOCAL
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Proxy ARP File:

     	#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
	#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):

	#TYPE           ZONE    GATEWAY	
gre             net     $TEXAS

#LAST LINE -- DO NOT REMOVE

Rules File (The shell variables are set in /etc/shorewall/params):

     	#ACTION		SOURCE 		DEST 			PROTO	DEST 	SOURCE  ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
# Internet to Firewall
#
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Last updated 1/12/2003 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.