<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</table>
<h1>My Current Network</h1>
<blockquote>
<p><big><b><font color="#ff0000">Warning: </font>I use a combination of
Static NAT and Proxy ARP, neither of which is relevant to a simple
configuration with a single public IP address. If you have just a single
public IP address, most of what you see here won't apply to your setup, so
beware of copying parts of this configuration and expecting them to work for
you. What you copy may or may not work in your setup.</b></big></p>

<p>I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).</p>

<p>I use:</p>

<ul>
<li>Static NAT for Ursa (my XP System): internal address 192.168.1.5
and external address 206.124.146.178.</li>
<li>Static NAT for Wookie (my Linux System): internal address
192.168.1.3 and external address 206.124.146.179.</li>
<li>SNAT through the primary gateway address (206.124.146.176)
for my Wife's system (Tarry) and the Wireless Access Point (wap).</li>
</ul>

<p>The firewall runs on a 256MB PII/233 with RH8.0 and Kernel 2.4.20.</p>

<p>Wookie runs Samba and acts as the WINS server. Wookie is in its
own 'whitelist' zone called 'me'.</p>

<p>My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com">Sygate</a> firewall software
and is managed by Proxy ARP. It connects to the local network through
a PPTP server running on Ursa.</p>

<p>The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
server (Pure-ftpd). The system also runs fetchmail to fetch our email
from our old and current ISPs. That server is managed through Proxy ARP.</p>

<p>The firewall system itself runs a DHCP server that serves the local
network.</p>

<p>All administration and publishing are done using ssh/scp. I have X installed
on both the firewall and the server but no X server or desktop is installed.
X applications tunnel through SSH to XWin.exe running on Ursa.</p>

<p>I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/">MRTG</a> running
in the DMZ.</p>

<p align="center"><img border="0"
src="images/network.png" width="764" height="846">
</p>

<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is
206.124.146.254 (the router at my ISP; this is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route
to 206.124.146.177 through eth1 (192.168.2.1)
because of the entry in /etc/shorewall/proxyarp
(see below).</p>

<p>A similar setup is used on eth3 (192.168.3.1), which
interfaces to my laptop (206.124.146.180).</p>

<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
access.</p>
</blockquote>

<h3>Shorewall.conf</h3>

<blockquote>
<pre>SHARED_DIR=/usr/share/shorewall
LOGFILE=/var/log/firewall
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP</pre>
</blockquote>

<h3>Params File (Edited):</h3>

<blockquote>MIRRORS=<i>&lt;list of shorewall mirror ip addresses&gt;</i><br>
NTPSERVERS=<i>&lt;list of the NTP servers I sync with&gt;</i><br>
LOG=ULOG<br>
TEXAS=<i>&lt;ip address of gateway in Dallas&gt;</i><br>
</blockquote>

<h3>Zones File</h3>

<blockquote>
<pre>#ZONE   DISPLAY     COMMENTS
net     Internet    Internet
me      Wookie      My Linux Workstation
dmz     DMZ         Demilitarized zone
loc     Local       Local networks
tx      Texas       Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
</blockquote>

<h3>Interfaces File: </h3>

<blockquote>
<p>This is set up so that I can start the firewall before bringing up my
Ethernet interfaces (the broadcast addresses are given explicitly rather
than detected from the interfaces).</p>
</blockquote>

<blockquote>
<pre>#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        206.124.146.255   dhcp,norfc1918,routefilter,blacklist,tcpflags
loc     eth2        192.168.1.255     dhcp,maclist
dmz     eth1        192.168.2.255
net     eth3        206.124.146.255
-       texas       192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
</blockquote>

<h3>Hosts File: </h3>

<blockquote>
<pre>#ZONE   HOST(S)                 OPTIONS
me      eth2:192.168.1.3
tx      texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
</blockquote>

<h3>Routestopped File:</h3>

<blockquote>
<pre>#INTERFACE   HOST(S)
eth1         206.124.146.177
eth2         -
eth3         206.124.146.180
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
</blockquote>

<h3>Policy File:</h3>

<blockquote>
<pre>#SOURCE   DESTINATION   POLICY     LOG LEVEL   BURST:LIMIT
me        all           ACCEPT
tx        me            ACCEPT
all       me            CONTINUE   -           2/sec:5
loc       net           ACCEPT
$FW       loc           ACCEPT
$FW       tx            ACCEPT
loc       tx            ACCEPT
loc       fw            REJECT     $LOG
net       net           ACCEPT
net       all           DROP       $LOG        10/sec:40
all       all           REJECT     $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
</blockquote>

<h3>Masq File: </h3>

<blockquote>
<p>Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT), as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote>

<blockquote>
<pre>#INTERFACE         SUBNET   ADDRESS
eth0:0.0.0.0/0     eth2     206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</blockquote>

<h3>NAT File: </h3>

<blockquote>
<pre>#EXTERNAL         INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
206.124.146.178   eth0:0      192.168.1.5       No               No
206.124.146.179   eth0:1      192.168.1.3       No               No
192.168.1.193     eth2:0      206.124.146.177   No               No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</blockquote>

<h3>Proxy ARP File:</h3>

<blockquote>
<pre>#ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE
206.124.146.177   eth1        eth0       No
206.124.146.180   eth3        eth0       No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
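<p>Each line of the NAT and Proxy ARP files above stands for a small set of
kernel-level changes. A one-to-one NAT entry is a DNAT rule that rewrites the
public address to the private one on the way in, plus an SNAT rule that
rewrites the private address to the public one on the way out; with ALL
INTERFACES set to No both rules are pinned to the named interface, and LOCAL=Yes
would additionally map connections the firewall itself makes. A proxyarp
entry is a host route to the address out the inside interface (which is the
route the text above says Shorewall adds for 206.124.146.177) plus proxy_arp
enabled on the external interface so the firewall answers ARP for the address
there. The script below is an added illustration, not Shorewall's own
generator: it renders the two files into those commands so the direction of
each entry can be checked before deploying. The exact command text is this
example's rendering of the semantics, not a copy of what Shorewall runs, and
the <code>ip addr add</code> line assumes ADD_IP_ALIASES=Yes as in
shorewall.conf above.</p>

```python
"""Added example, not Shorewall code: expand nat and proxyarp entries into the
ip/iptables commands that one-to-one NAT and proxy ARP amount to.  The command
text is this example's own rendering; the semantics are what the mechanisms
mean (DNAT in for the public address, SNAT out for the private one, a host
route plus proxy_arp on the external interface)."""

# Constructed copies of the two files shown on this page.
NAT_FILE = """
#EXTERNAL        INTERFACE  INTERNAL         ALL INTERFACES  LOCAL
206.124.146.178  eth0:0     192.168.1.5      No              No
206.124.146.179  eth0:1     192.168.1.3      No              No
192.168.1.193    eth2:0     206.124.146.177  No              No
"""
PROXYARP_FILE = """
#ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE
206.124.146.177  eth1       eth0      No
206.124.146.180  eth3       eth0      No
"""
ADD_IP_ALIASES = True   # mirrors ADD_IP_ALIASES=Yes in shorewall.conf


def _rows(text):
    """Whitespace-separated fields of every non-comment line."""
    return [l.split() for l in text.strip().splitlines() if not l.startswith("#")]


def nat_commands(external, iface, internal, allints="No", local="No"):
    """One nat-file entry -> commands.  ALL INTERFACES=No pins the mapping to
    the named interface; LOCAL=Yes also maps the firewall's own connections."""
    dev, _, label = iface.partition(":")
    pin_in = "" if allints.lower() == "yes" else f"-i {dev} "
    pin_out = "" if allints.lower() == "yes" else f"-o {dev} "
    cmds = []
    if ADD_IP_ALIASES and label:
        # eth0:0 means "add the public address to eth0 under that alias label"
        cmds.append(f"ip addr add {external}/32 dev {dev} label {iface}")
    # Inbound: traffic to the public address is rewritten to the inside host.
    cmds.append(f"iptables -t nat -A PREROUTING {pin_in}-d {external} "
                f"-j DNAT --to-destination {internal}")
    # Outbound: traffic from the inside host leaves with the public address.
    cmds.append(f"iptables -t nat -A POSTROUTING {pin_out}-s {internal} "
                f"-j SNAT --to-source {external}")
    if local.lower() == "yes":
        cmds.append(f"iptables -t nat -A OUTPUT -d {external} "
                    f"-j DNAT --to-destination {internal}")
    return cmds


def proxyarp_commands(address, iface, external, haveroute="No"):
    """One proxyarp-file entry -> commands.  The host route makes the firewall
    forward to the host on its inside interface; proxy_arp on the external
    interface makes the firewall answer ARP for the address there."""
    cmds = []
    if haveroute.lower() != "yes":          # HAVEROUTE=Yes: route exists already
        cmds.append(f"ip route replace {address} dev {iface}")
    cmds.append(f"sysctl -w net.ipv4.conf.{external}.proxy_arp=1")
    return cmds


def render(nat_text=NAT_FILE, proxyarp_text=PROXYARP_FILE):
    cmds = [c for row in _rows(nat_text) for c in nat_commands(*row)]
    cmds += [c for row in _rows(proxyarp_text) for c in proxyarp_commands(*row)]
    return cmds


if __name__ == "__main__":
    print("\n".join(render()))
```

<p>Reading the third NAT line through this lens makes its direction plain:
192.168.1.193 is the "external" side on eth2, so hosts on the local network
reach the DMZ server at that private alias, and the server's own connections
towards eth2 leave as 192.168.1.193.</p>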

<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>

<blockquote>
<pre>#TYPE   ZONE   GATEWAY   GATEWAY ZONE   PORT
gre     net    $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>

<h3>Common File:</h3>

<blockquote>
<pre>. /etc/shorewall/common.def
run_iptables -A common -p tcp --dport auth -j REJECT</pre>
</blockquote>

<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>

<blockquote>
<pre>################################################################################################
#RESULT        CLIENT(S)        SERVER(S)          PROTO   PORT(S)                                  CLIENT   ORIGINAL DEST:SNAT
################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG    loc              net                tcp     6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT         loc              net                tcp     137,445
REJECT         loc              net                udp     137:139
LOG:$LOG       loc              net                tcp     137:139
################################################################################################
# Local Network to Firewall
#
ACCEPT         loc              fw                 tcp     ssh,time,10000
ACCEPT         loc              fw                 udp     snmp
ACCEPT         loc              fw                 udp     ntp
################################################################################################
# Local Network to DMZ (10027 is our SMTP backdoor that bypasses virus/spam filtering)
#
ACCEPT         loc              dmz                udp     domain
ACCEPT         loc              dmz                tcp     smtp,domain,ssh,imap,https,imaps,cvspserver,www,ftp,10027,10000,8080   -
################################################################################################
# Internet to DMZ
#
ACCEPT         net              dmz                tcp     www,smtp,ftp,imaps,domain,cvspserver,https,imap   -
ACCEPT         net              dmz                udp     domain
ACCEPT         net:$MIRRORS     dmz                tcp     rsync
ACCEPT:$LOG    net              dmz                tcp     32768:61000                              20
DROP           net              dmz                tcp     1433
################################################################################################
#
# Net to Local
#
# My laptop isn't NATTED when in its docking station. To allow access to the local lan,
# I need a VPN to Ursa which is enabled by the following "half"-rules.
#
DNAT-          net              loc:192.168.1.5    tcp     1723                                     -        206.124.146.178
DNAT-          net              loc:192.168.1.5    gre     -                                        -        206.124.146.178
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT         net              loc:192.168.1.5    tcp     1723
ACCEPT         net              loc:192.168.1.5    gre
#
# ICQ to Ursa
#
ACCEPT         net              loc:192.168.1.5    tcp     4000:4100
################################################################################################
# Net to me
#
ACCEPT         net              me:192.168.1.3     tcp     4000:4100
################################################################################################</pre>
</blockquote>
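<p>The Policy and Rules files above are consulted in a fixed order: a new
connection is matched against the rules for its zone pair first, and only if
no rule matches does the first matching policy line apply; a CONTINUE policy
hands the connection on to the enclosing zone so its rules and policies get a
turn. That ordering is what makes the NETBIOS and IRC REJECT rules work
against the permissive <code>loc net ACCEPT</code> policy, and what keeps
Wookie in its 'me' whitelist zone from ever reaching those REJECT rules at
all, since <code>me all ACCEPT</code> terminates before 'loc' is considered.
The evaluator below is an added illustration, not Shorewall code or part of
this configuration: it replays that order on excerpts of the two files.
Its assumptions, not taken from the page: 'me' is treated as a sub-zone of
'loc' (Wookie sits on eth2, and 'me' is listed before 'loc' in the zones
file so its chains are consulted first), and service names come from a small
fixed table instead of /etc/services.</p>

```python
"""Added example for this page, not Shorewall code: a first-match evaluator for
Shorewall-style rules and policy files (rules first, then the first matching
policy, CONTINUE falling through to the parent zone).  Assumptions: 'me' is a
sub-zone of 'loc', and service names come from a small fixed table."""

# Constructed excerpt of the rules file on this page: RESULT CLIENT SERVER PROTO PORT(S)
RULES = """
REJECT:$LOG loc net tcp 6667
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
ACCEPT loc fw tcp ssh,time,10000
ACCEPT net dmz tcp www,smtp,ftp,imaps,domain
ACCEPT net dmz udp domain
DROP net dmz tcp 1433
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net me:192.168.1.3 tcp 4000:4100
"""

# Constructed excerpt of the policy file on this page: SOURCE DEST POLICY ...
POLICY = """
me all ACCEPT
tx me ACCEPT
all me CONTINUE - 2/sec:5
loc net ACCEPT
$FW loc ACCEPT
loc fw REJECT $LOG
net net ACCEPT
net all DROP $LOG 10/sec:40
all all REJECT $LOG
"""

SERVICES = {"ssh": 22, "time": 37, "www": 80, "smtp": 25, "ftp": 21,
            "imaps": 993, "domain": 53}          # assumed /etc/services subset
PARENT = {"me": "loc"}                           # assumed zone nesting


def norm_zone(zone):
    """The firewall zone is written 'fw' or '$FW'; treat them alike."""
    return "fw" if zone == "$FW" else zone


def parse_ports(spec):
    """'ssh,137:139,10000' -> [(22, 22), (137, 139), (10000, 10000)]"""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else lo
        ranges.append((lo, hi))
    return ranges


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 4:
            continue
        ports = parse_ports(f[4]) if len(f) > 4 and f[4] != "-" else None
        rules.append((f[0].split(":")[0], f[1], f[2], f[3], ports))  # drop :$LOG
    return rules


def parse_policy(text):
    return [(norm_zone(f[0]), norm_zone(f[1]), f[2])
            for f in (l.split() for l in text.strip().splitlines())
            if f and not f[0].startswith("#")]


def zone_matches(pattern, zone, ip):
    """'loc' matches zone loc; 'loc:192.168.1.5' also requires that address."""
    pzone, _, paddr = pattern.partition(":")
    return norm_zone(pzone) == zone and (not paddr or paddr == ip)


def verdict(src, dst, proto, dport, src_ip=None, dst_ip=None,
            rules=None, policy=None):
    """Return (action, reason) for a new connection from zone src to zone dst."""
    rules = parse_rules(RULES) if rules is None else rules
    policy = parse_policy(POLICY) if policy is None else policy
    src, dst = norm_zone(src), norm_zone(dst)
    for action, rs, rd, rp, ports in rules:          # rules are tried first
        if (zone_matches(rs, src, src_ip) and zone_matches(rd, dst, dst_ip)
                and rp == proto
                and (ports is None or any(lo <= dport <= hi for lo, hi in ports))):
            return action, f"rule {action} {rs} {rd} {rp}"
    for ps, pd, act in policy:                       # then the first policy
        if ps not in ("all", src) or pd not in ("all", dst):
            continue
        if act != "CONTINUE":
            return act, f"policy {ps} {pd} {act}"
        nsrc, ndst = PARENT.get(src, src), PARENT.get(dst, dst)
        if (nsrc, ndst) == (src, dst):
            raise ValueError(f"CONTINUE for {src}->{dst} but no parent zone")
        act, why = verdict(nsrc, ndst, proto, dport, src_ip, dst_ip, rules, policy)
        return act, f"policy {ps} {pd} CONTINUE -> {why}"
    raise ValueError(f"no policy covers {src}->{dst}")


if __name__ == "__main__":
    for probe in [("loc", "net", "tcp", 6667), ("me", "net", "tcp", 6667),
                  ("net", "me", "tcp", 22, None, "192.168.1.3"),
                  ("net", "dmz", "tcp", 1433)]:
        print(probe[:4], verdict(*probe))
```

<p>Two of the probes are worth reading closely. A connection from the
Internet to Wookie on port 22 matches no 'net me' rule, hits
<code>all me CONTINUE</code>, is re-evaluated as 'net loc', and ends at
<code>net all DROP</code>; the same connection to port 4050 is accepted by the
'net me' rule before any policy is looked at. And because the 'me' zone has
its own ACCEPT policy, Wookie's outbound IRC on 6667 is allowed even though
the rest of the local network is rejected on that port.</p>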

<p><font size="2"><a href="support.htm">Tom Eastep</a></font></p>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>