About My Network
Warning: I use a combination of Static NAT and Proxy ARP, neither of which is relevant to a simple configuration with a single public IP address. If you have just one public IP address, most of what you see here won't apply to your setup, so beware of copying parts of this configuration and expecting them to work for you; what you copy may or may not work in your setup.
I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
I use:
- Static NAT for ursa (my XP System) - Internal address 192.168.1.5 and external address 206.124.146.178.
- Proxy ARP for wookie (my Linux System). This system has two IP addresses: 192.168.1.3/24 and 206.124.146.179/24.
- SNAT through the primary gateway address (206.124.146.176) for my wife's system (tarry) and the Wireless Access Point (wap).
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.
Wookie runs Samba and acts as a WINS server. Wookie is in its own 'whitelist' zone called 'me'.
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own Sygate firewall software and is managed by Proxy ARP. It connects to the local network through the PopTop server running on my firewall.
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.
The firewall system itself runs a DHCP server that serves the local network.
All administration and publishing is done using ssh/scp.
I run an SNMP server on my firewall to serve MRTG running in the DMZ.
The Ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (the router at my ISP; this is the same default gateway used by the firewall itself). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).
A similar setup is used on eth3 (192.168.3.1) which interfaces to my laptop (206.124.146.180).
Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior access.
/etc/shorewall/shorewall.conf (excerpt):
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
LOGRATE=
LOGBURST=
ADD_IP_ALIASES="Yes"
CLAMPMSS=Yes
MULTIPORT=Yes
/etc/shorewall/zones:
#ZONE DISPLAY COMMENTS
net Internet Internet
me Eastep My Workstation
loc Local Local networks
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
This is set up so that I can start the firewall before bringing up my Ethernet interfaces: the broadcast address of each interface is given explicitly rather than left for Shorewall to detect, since detection requires the interface to be up when Shorewall starts.
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
loc eth2 192.168.1.255 dhcp,filterping,maclist
dmz eth1 206.124.146.255 filterping
net eth3 206.124.146.255 filterping,blacklist
- texas - filterping
loc ppp+ - filterping
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
me eth2:192.168.1.3,eth2:206.124.146.179
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
/etc/shorewall/routestopped:
#INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180
/etc/shorewall/common:
. /etc/shorewall/common.def
# Silently drop new UDP connections whose source port is 53. A legitimate DNS
# reply never opens a new connection, so these packets are not worth logging
# through the REJECT/DROP policies.
run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system
all me CONTINUE #WARNING: You must be running Shorewall 1.3.1 or later for
# this policy to work as expected!!!
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT
net net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Although most of our internal systems use static NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade wookie to the peer subnet in Texas.
/etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
texas 206.124.146.179 192.168.1.254
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/nat:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY
gre net $TEXAS
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info loc net tcp 6667
#
# Local Network to Firewall
#
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
#
# Local Network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp imap
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp imaps
ACCEPT loc dmz tcp cvspserver
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp ftp
ACCEPT loc dmz tcp pop3
ACCEPT loc dmz icmp echo-request
#
# Internet to DMZ
#
ACCEPT net dmz tcp www
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp ftp
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp https
ACCEPT net dmz tcp imaps
ACCEPT net dmz tcp domain
ACCEPT net dmz tcp cvspserver
ACCEPT net dmz udp domain
ACCEPT net dmz icmp echo-request
ACCEPT net:$MIRRORS dmz tcp rsync
#
# Net to Me (ICQ chat and file transfers)
#
ACCEPT net me tcp 4000:4100
#
# Net to Local
#
ACCEPT net loc tcp auth
REJECT net loc tcp www
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# DMZ to Internet
#
ACCEPT dmz net icmp echo-request
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net tcp www
ACCEPT dmz net tcp https
ACCEPT dmz net tcp whois
ACCEPT dmz net tcp echo
ACCEPT dmz net udp domain
ACCEPT dmz net:$NTPSERVERS udp ntp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients
#
ACCEPT:info dmz net tcp 1024: 20
#
# DMZ to Firewall -- snmp
#
ACCEPT dmz fw tcp snmp
ACCEPT dmz fw udp snmp
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp
ACCEPT dmz loc tcp auth
ACCEPT dmz loc icmp echo-request
#
# Internet to Firewall
#
REJECT net fw tcp www
#
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
#
# Firewall to DMZ
#
ACCEPT fw dmz tcp www
ACCEPT fw dmz tcp ftp
ACCEPT fw dmz tcp ssh
ACCEPT fw dmz tcp smtp
ACCEPT fw dmz udp domain
#
# Let Texas Ping
#
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
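The policy and rules files above are consulted in a fixed order: for a connection between two zones, the rules for that zone pair are tried first, then the first matching policy line; a CONTINUE policy, as used here for the 'me' sub-zone, hands the connection on to the rules and policy of the zone that contains it. The following Python model is an added illustration, not Shorewall's code and not part of this configuration. It replays that order over constructed excerpts of the two files. Its simplifications are assumptions and are marked in the code: column parsing is minimal, '$FW' and 'fw' name the same zone, ':info' log levels are ignored, and CONTINUE is modelled as replacing 'me' with 'loc' (the hosts file places 'me' on eth2, the loc interface).

```python
"""Toy evaluator for Shorewall-style rules and policy files (added example).

Assumptions: column files are whitespace separated with '#' comments; a rule's
':info' log level is ignored; '$FW' and 'fw' are the firewall zone; 'all'
matches any zone; CONTINUE is modelled as re-running the lookup with the
sub-zone replaced by its enclosing zone.  Real Shorewall also consults the
interface and hosts definitions, which this model skips.
"""

# Constructed excerpts in the page's column format (sentinel lines included to
# show they are skipped).  Service names and ports are real, the selection is small.
POLICY = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system
all me CONTINUE
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
loc fw REJECT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

RULES = """\
#ACTION SOURCE DEST PROTO DEST SOURCE
REJECT:info loc net tcp 6667
ACCEPT loc fw tcp ssh
ACCEPT net dmz tcp www
ACCEPT net me tcp 4000:4100
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT:info dmz net tcp 1024: 20
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

PARENT = {"me": "loc"}       # sub-zone -> enclosing zone (assumed from the hosts file)
SERVICES = {"ssh": 22, "www": 80, "smtp": 25, "domain": 53}  # subset of /etc/services


def parse(text):
    """Return the non-comment rows of a column file as lists of fields."""
    rows = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drops comments and sentinels
        if body:
            rows.append(body.split())
    return rows


def zone(spec):
    """'loc:192.168.1.5' -> ('loc', '192.168.1.5'); '$FW' -> ('fw', None)."""
    z, _, host = spec.partition(":")
    return ("fw" if z == "$FW" else z), (host or None)


def port_matches(spec, port):
    """Match a port against 'ssh', '6667', '4000:4100' or the open range '1024:'."""
    if spec in SERVICES:
        return port == SERVICES[spec]
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return int(lo) <= port <= (int(hi) if hi else 65535)


def rule_matches(rule, conn, src, dst):
    _, rsrc, rdst, proto, *ports = rule
    (sz, shost), (dz, dhost) = zone(rsrc), zone(rdst)
    if (sz, dz) != (src, dst) or proto != conn["proto"]:
        return False
    if shost and shost != conn.get("shost"):
        return False
    if dhost and dhost != conn.get("dhost"):
        return False
    if ports and not port_matches(ports[0], conn["dport"]):
        return False
    return len(ports) < 2 or port_matches(ports[1], conn["sport"])


def evaluate(conn, rules, policies):
    """Rules for the zone pair first, then the first matching policy line;
    CONTINUE moves the sub-zone up to its parent and repeats the lookup."""
    src, dst = zone(conn["src"])[0], zone(conn["dst"])[0]
    while True:
        for rule in rules:
            if rule_matches(rule, conn, src, dst):
                return rule[0].split(":")[0]            # strip ':info'
        for psrc, pdst, action, *_ in policies:
            if zone(psrc)[0] in (src, "all") and zone(pdst)[0] in (dst, "all"):
                break
        else:
            raise ValueError("no matching policy")
        if action != "CONTINUE":
            return action
        if src in PARENT:
            src = PARENT[src]
        elif dst in PARENT:
            dst = PARENT[dst]
        else:
            raise ValueError("CONTINUE without an enclosing zone")


def decide(src, dst, proto, dport, sport=40000, dhost=None):
    conn = {"src": src, "dst": dst, "proto": proto,
            "dport": dport, "sport": sport, "dhost": dhost}
    return evaluate(conn, parse(RULES), parse(POLICY))


if __name__ == "__main__":
    for case in [("net", "me", "tcp", 4050), ("net", "me", "tcp", 22),
                 ("loc", "net", "tcp", 6667), ("me", "net", "tcp", 6667)]:
        print(case, "->", decide(*case))
```

Two results are worth noticing. A connection from the net to wookie on a port outside 4000:4100 ends in DROP only after the CONTINUE hands it from the 'me' pair to the 'loc' pair, where the 'net all DROP' policy applies. And because the 'me all ACCEPT' policy is reached before any loc-to-net rule, wookie is, in this model, not subject to the IRC REJECT rule that applies to the rest of the local network; a sub-zone's own policy is worth checking for exactly this kind of exemption.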
Last updated 1/12/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.