I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry) and the Wireless Access Point (wap) which are masqueraded through the primary gateway address (206.124.146.176).
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.
My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa) is 192.168.1.5. Wookie runs Samba and acts as the a WINS server. Wookie is in its own 'whitelist' zone called 'me'.
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own Sygate firewall software and is managed by Proxy ARP. It connects to the local network through the PopTop server running on my firewall.
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.
The firewall system itself runs a DHCP server that serves the local network.
All administration and publishing is done using ssh/scp.
I run an SNMP server on my firewall to serve MRTG running in the DMZ.
The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).
A similar setup is used on eth3 (192.168.3.1) which interfaces to my laptop (206.124.146.180).
Note: My files use features not available before Shorewall version 1.3.4.
SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/state/shorewall LOGRATE= LOGBURST= ADD_IP_ALIASES="Yes" CLAMPMSS=Yes MULTIPORT=Yes
#ZONE DISPLAY COMMENTS net Internet Internet me Eastep My Workstation loc Local Local networks dmz DMZ Demilitarized zone tx Texas Peer Network in Dallas Texas #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
This is set up so that I can start the firewall before bringing up my Ethernet interfaces.
#ZONE INTERFACE BROADCAST OPTIONS net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping loc eth2 192.168.1.255 dhcp dmz eth1 206.124.146.255 - net eth3 206.124.146.255 norfc1918 - texas - loc ppp+ #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#ZONE HOST(S) OPTIONS me eth2:192.168.1.3 tx texas:192.168.9.0/24 #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
#INTERFACE HOST(S) eth1 206.124.146.177 eth2 - eth3 206.124.146.180
. /etc/shorewall/common.def run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP run_iptables -A common -p tcp --dport 113 -j REJECT
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST me all ACCEPT tx me ACCEPT #Give Texas access to my personal system all me CONTINUE #WARNING: You must be running Shorewall 1.3.1 or later for # this policy to work as expected!!! loc loc ACCEPT loc net ACCEPT $FW loc ACCEPT $FW tx ACCEPT loc tx ACCEPT loc fw REJECT net net ACCEPT net all DROP info 10/sec:40 all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
Although most of our internal systems use static NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.
#INTERFACE SUBNET ADDRESS eth0 192.168.1.0/24 206.124.146.176 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#EXTERNAL INTERFACE INTERNAL ALL LOCAL 206.124.146.178 eth0 192.168.1.5 No No 206.124.146.179 eth0 192.168.1.3 No No #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#ADDRESS INTERFACE EXTERNAL HAVEROUTE 206.124.146.177 eth1 eth0 No 206.124.146.180 eth3 eth0 No #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT(S) PORT(S) PORT(S) DEST # # Local Network to Internet - Reject attempts by Trojans to call home # REJECT:info loc net tcp 6667 # # Local Network to Firewall # ACCEPT loc fw tcp ssh ACCEPT loc fw tcp time # # Local Network to DMZ # ACCEPT loc dmz udp domain ACCEPT loc dmz tcp smtp ACCEPT loc dmz tcp domain ACCEPT loc dmz tcp ssh ACCEPT loc dmz tcp auth ACCEPT loc dmz tcp imap ACCEPT loc dmz tcp https ACCEPT loc dmz tcp imaps ACCEPT loc dmz tcp cvspserver ACCEPT loc dmz tcp www ACCEPT loc dmz tcp ftp ACCEPT loc dmz tcp pop3 ACCEPT loc dmz icmp echo-request # # Internet to DMZ # ACCEPT net dmz tcp www ACCEPT net dmz tcp smtp ACCEPT net dmz tcp ftp ACCEPT net dmz tcp auth ACCEPT net dmz tcp https ACCEPT net dmz tcp imaps ACCEPT net dmz tcp domain ACCEPT net dmz tcp cvspserver ACCEPT net dmz udp domain ACCEPT net dmz icmp echo-request ACCEPT net:$MIRRORS dmz tcp rsync # # Net to Me (ICQ chat and file transfers) # ACCEPT net me tcp 4000:4100 # # Net to Local # ACCEPT net loc tcp auth REJECT net loc tcp www # # DMZ to Internet # ACCEPT dmz net icmp echo-request ACCEPT dmz net tcp smtp ACCEPT dmz net tcp auth ACCEPT dmz net tcp domain ACCEPT dmz net tcp www ACCEPT dmz net tcp https ACCEPT dmz net tcp whois ACCEPT dmz net tcp echo ACCEPT dmz net udp domain ACCEPT dmz net:$NTPSERVERS udp ntp ACCEPT dmz net:$POPSERVERS tcp pop3 # # The following compensates for a bug, either in some FTP clients or in the # Netfilter connection tracking code that occasionally denies active mode # FTP clients # ACCEPT:info dmz net tcp 1024: 20 # # DMZ to Firewall -- snmp # ACCEPT dmz fw tcp snmp ACCEPT dmz fw udp snmp # # DMZ to Local Network # ACCEPT dmz loc tcp smtp ACCEPT dmz loc tcp auth ACCEPT dmz loc icmp echo-request # Internet to Firewall # ACCEPT net fw tcp 1723 ACCEPT net fw gre REJECT net fw tcp www # # Firewall to Internet # ACCEPT fw net:$NTPSERVERS udp ntp ACCEPT fw net udp domain ACCEPT fw net tcp domain ACCEPT fw net tcp www ACCEPT fw net tcp https ACCEPT fw net tcp ssh ACCEPT fw net tcp whois ACCEPT fw net icmp echo-request # # Firewall to DMZ # ACCEPT fw dmz tcp www ACCEPT fw dmz tcp ftp ACCEPT fw dmz tcp ssh ACCEPT fw dmz tcp smtp ACCEPT fw dmz udp domain # # Let Texas Ping # ACCEPT tx fw icmp echo-request ACCEPT tx loc icmp echo-request #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Last updated 8/9/2002 - Tom Eastep
Copyright © 2001, 2002 Thomas M. Eastep.