
newbie firewall problems > want to get ISA off my network > debian in



Hi,
I was looking at http://newbiedoc.sourceforge.net/networking/homegateway.html and tried to configure my debian firewall, but packets are not coming through.

First some facts:
I'm running debian with 2.4.20 kernel. The box is for the time being on a local network, that is the default gateway is going through an ISA firewall. I can access everything from the firewall to the internet. I can also access the firewall from the local network with ssh. When I run nmap against the firewall I get:
mad:~# nmap -P0 10.34.78.13

Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Interesting ports on firewall (10.34.78.13):
(The 1601 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
37/tcp     open        time
Nmap run completed -- 1 IP address (1 host up) scanned in 0.376 seconds
mad:~#

As I said, I'm testing so I configured the box with static IP like this:
# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
auto eth0
iface eth0 inet static         # external net
       address 10.34.78.13
       netmask 255.255.255.192
       network 10.34.78.0
       gateway 10.34.78.1
       broadcast 10.34.78.63

iface eth1 inet static            # internal net
       address 10.34.78.254
       netmask 255.255.255.240
       network 10.34.78.240
#       gateway 10.34.78.13
       broadcast 10.34.78.255

What is the right gw for eth1?

On the firewall the command route comes up with this:
firewall:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.34.78.240    *               255.255.255.240 U     0      0        0 eth1
10.34.78.0      *               255.255.255.192 U     0      0        0 eth0
default         ns1             0.0.0.0         UG    0      0        0 eth0
firewall:~#

default "ns1" is 10.34.78.1 as in gw on my eth0 card on the firewall (named "firewall")

I'm using iptables (I think.....)

output of "lsmod":
firewall:~# lsmod
Module                  Size  Used by    Not tainted
iptable_mangle          2072   0  (unused)
apm                    10024   0  (unused)
ipt_multiport            632   0  (unused)
ipt_MASQUERADE          1368   0  (unused)
iptable_nat            15896   0  [ipt_MASQUERADE]
ip_conntrack           20544   1  [ipt_MASQUERADE iptable_nat]
iptable_filter          1644   0  (unused)
ip_tables 12376 7 [iptable_mangle ipt_multiport ipt_MASQUERADE iptable_nat iptable_filter]
8139too                14792   1
3c59x                  27344   1
firewall:~#

For a start I tried the same config as on http://newbiedoc.sourceforge.net/networking/homegateway.html#VARIOUSWAYSSOFTWARE which goes like this:
# This is the file /etc/gateway.rules
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# use this line if you have a static IP address from your ISP
# replace your static IP with x.x.x.x
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.34.78.13

# use this line only if you have dynamic IP address from your ISP
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT

And for getting it started I have this:
# This is the file /etc/init.d/gateway
#! /bin/sh

# If no rules, do nothing.
[ -f /etc/gateway.rules ] || exit 0

case "$1" in
   start)
       echo -n "Turning on packet filtering:"

   /sbin/modprobe iptable_nat #only if using iptables
   /sbin/modprobe ipt_MASQUERADE #only if using iptables

       echo 1 > /proc/sys/net/ipv4/ip_forward
   # for RedHat users, the above line is not needed if you have
   # FORWARD_IPV4=true in /etc/sysconfig/network file

   # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
   # the above option is for Dynamic IP users (DHCP,PPP or BOOTP)

       echo "."
       ;;
   stop)
       echo -n "Turning off packet filtering:"
       echo 0 > /proc/sys/net/ipv4/ip_forward

       #/sbin/ipchains -F
       #/sbin/ipchains -X
       #/sbin/ipchains -P input ACCEPT
       #/sbin/ipchains -P output ACCEPT
       #/sbin/ipchains -P forward ACCEPT
       echo "."
       ;;
   *)
       echo "Usage: /etc/init.d/gateway {start|stop}"
       exit 1
       ;;
esac

exit 0

########################################

And then I test it:
firewall:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
firewall:~#

########################################

firewall:~# cat /proc/net/ip_conntrack
tcp 6 431999 ESTABLISHED src=10.34.78.27 dst=10.34.78.13 sport=32875 dport=22 src=10.34.78.13 dst=10.34.78.27 sport=22 dport=32875 [ASSURED] use=1
firewall:~#

I am now connected to the firewall from the external net, that is : 10.34.78.0/26

On the internal net I have connected my laptop directly to eth1 with a crossover cable, and I am able to ping both interfaces on the firewall, but I'm not able to ping further.

This is as far as I come, can anyone please help?

/ernst
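Two checks a reader can run against the configuration quoted in this post, as an added example that is not part of ernst's mail: a consistency check for the `iface ... inet static` stanzas (does each network/broadcast/gateway line follow from the address and netmask?), and the start path the posted init script is missing. It assumes POSIX sh; the function names (`ip2int`, `check_iface`, `start_gateway`, ...) are mine, and /etc/gateway.rules is the path used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pure-shell arithmetic so the
# address checks run on any box; only start_gateway() touches the real system.

ip2int() {                      # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {                      # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
network_of() {                  # address netmask -> network address
    a=$(ip2int "$1"); m=$(ip2int "$2"); int2ip $(( a & m ))
}
broadcast_of() {                # address netmask -> broadcast address
    a=$(ip2int "$1"); m=$(ip2int "$2"); int2ip $(( (a & m) | (~m & 4294967295) ))
}

# Check one "iface ... inet static" stanza from /etc/network/interfaces:
# network and broadcast must follow from address+netmask, and a gateway, if
# given, must lie inside that subnet. Prints each problem; returns 0 if clean.
check_iface() {                 # name address netmask network broadcast [gateway]
    rc=0
    [ "$(network_of "$2" "$3")" = "$4" ] || { echo "$1: network should be $(network_of "$2" "$3")"; rc=1; }
    [ "$(broadcast_of "$2" "$3")" = "$5" ] || { echo "$1: broadcast should be $(broadcast_of "$2" "$3")"; rc=1; }
    if [ -n "$6" ] && [ "$(network_of "$6" "$3")" != "$4" ]; then
        echo "$1: gateway $6 is not inside $4 (mask $3)"; rc=1
    fi
    return $rc
}

# The posted init script only tests that /etc/gateway.rules exists; nothing
# ever runs it, which is why "iptables -L" shows empty chains with policy
# ACCEPT after the script has already set ip_forward to 1. Load the rules
# first and enable forwarding only if they applied, so a failure fails closed.
start_gateway() {
    /sbin/modprobe iptable_nat && /sbin/modprobe ipt_MASQUERADE || return 1
    sh /etc/gateway.rules || { echo "gateway.rules failed; forwarding stays off" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# The two stanzas as posted, then eth1 with its commented-out gateway line
check_iface eth0 10.34.78.13  255.255.255.192 10.34.78.0   10.34.78.63  10.34.78.1
check_iface eth1 10.34.78.254 255.255.255.240 10.34.78.240 10.34.78.255
check_iface eth1 10.34.78.254 255.255.255.240 10.34.78.240 10.34.78.255 10.34.78.13 || true
```

The first two calls print nothing (the stanzas are internally consistent); the third reports that 10.34.78.13 lies outside eth1's 10.34.78.240/28, which is why that gateway line cannot be used on eth1.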


