newbie firewall problems > want to get ISA off my network > debian in
Hi,
I was looking at
http://newbiedoc.sourceforge.net/networking/homegateway.html and tried
to configure my Debian firewall, but packets are not coming through.
First some facts:
I'm running Debian with a 2.4.20 kernel. The box is for the time being on
a local network, that is, the default gateway goes through an ISA
firewall. I can access everything from the firewall to the internet. I can
also access the firewall from the local network with ssh. When I run nmap
against the firewall I get:
mad:~# nmap -P0 10.34.78.13
Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Interesting ports on firewall (10.34.78.13):
(The 1601 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
37/tcp open time
Nmap run completed -- 1 IP address (1 host up) scanned in 0.376 seconds
mad:~#
As I said, I'm testing so I configured the box with static IP like this:
# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (external net). interfaces(5) does not allow end-of-line comments, so they
# are kept on lines of their own.
auto eth0
iface eth0 inet static
    address 10.34.78.13
    netmask 255.255.255.192
    network 10.34.78.0
    gateway 10.34.78.1
    broadcast 10.34.78.63

# The second network card (internal net); "auto" so it comes up at boot too
auto eth1
iface eth1 inet static
    address 10.34.78.254
    netmask 255.255.255.240
    network 10.34.78.240
    # no gateway line here: the box's default route already leaves via eth0
    # gateway 10.34.78.13
    broadcast 10.34.78.255
firewall:~#
What is the right gw for eth1?
On the firewall the command route comes up with this:
firewall:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.34.78.240    *               255.255.255.240 U     0      0        0 eth1
10.34.78.0      *               255.255.255.192 U     0      0        0 eth0
default         ns1             0.0.0.0         UG    0      0        0 eth0
firewall:~#
The default gateway "ns1" is 10.34.78.1, the same as the gw on the eth0 card of the firewall
(named "firewall").
I'm using iptables (I think.....)
output of "lsmod":
firewall:~# lsmod
Module                  Size  Used by    Not tainted
iptable_mangle          2072   0  (unused)
apm                    10024   0  (unused)
ipt_multiport            632   0  (unused)
ipt_MASQUERADE          1368   0  (unused)
iptable_nat            15896   0  [ipt_MASQUERADE]
ip_conntrack           20544   1  [ipt_MASQUERADE iptable_nat]
iptable_filter          1644   0  (unused)
ip_tables              12376   7  [iptable_mangle ipt_multiport ipt_MASQUERADE iptable_nat iptable_filter]
8139too                14792   1
3c59x                  27344   1
firewall:~#
For a start I tried the same config as on
http://newbiedoc.sourceforge.net/networking/homegateway.html#VARIOUSWAYSSOFTWARE
which goes like this:
# This is the file /etc/gateway.rules
# Start from a clean slate: flush every table and delete user-defined chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F #ignore if you get an error here
/sbin/iptables -X #deletes every non-builtin chain in the table
# Traffic to the firewall itself: accept replies to its own connections, and
# new connections arriving on any interface except the external one (eth0).
# (newer iptables versions write the negation as `! -i eth0`)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
# only if both of the above rules succeed, use
# (note: with this policy a NEW ssh session arriving on eth0 is dropped;
# only sessions that are already ESTABLISHED keep working)
/sbin/iptables -P INPUT DROP
# Forwarding: replies may come back from eth0 to eth1, and anything from
# eth1 may go out through eth0
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# use this line if you have a static IP address from your ISP
# replace your static IP with x.x.x.x
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.34.78.13
# use this line only if you have dynamic IP address from your ISP
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth0 -j REJECT
And for getting it started I have this:
#! /bin/sh
# This is the file /etc/init.d/gateway
# If no rules, do nothing.
[ -f /etc/gateway.rules ] || exit 0
case "$1" in
start)
    echo -n "Turning on packet filtering:"
    /sbin/modprobe iptable_nat     #only if using iptables
    /sbin/modprobe ipt_MASQUERADE  #only if using iptables
    # Apply the rules. The test above only checks that the file exists; the
    # rules file is a shell script of iptables commands and has to be run.
    /bin/sh /etc/gateway.rules
    # Enable forwarding only after the rules are in place, so there is no
    # window in which the box forwards unfiltered.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # for RedHat users, the above line is not needed if you have
    # FORWARD_IPV4=true in /etc/sysconfig/network file
    # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # the above option is for Dynamic IP users (DHCP,PPP or BOOTP)
    echo "."
    ;;
stop)
    echo -n "Turning off packet filtering:"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # Flush the iptables rules and go back to accept-everything policies;
    # otherwise the INPUT DROP policy set by the rules file would remain.
    /sbin/iptables -F
    /sbin/iptables -t nat -F
    /sbin/iptables -X
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    # ipchains equivalents, not used with iptables
    #/sbin/ipchains -F
    #/sbin/ipchains -X
    #/sbin/ipchains -P input ACCEPT
    #/sbin/ipchains -P output ACCEPT
    #/sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
*)
    echo "Usage: /etc/init.d/gateway {start|stop}"
    exit 1
    ;;
esac
exit 0
########################################
And then I test it:
firewall:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
firewall:~#
########################################
firewall:~# cat /proc/net/ip_conntrack
tcp      6 431999 ESTABLISHED src=10.34.78.27 dst=10.34.78.13 sport=32875 dport=22 src=10.34.78.13 dst=10.34.78.27 sport=22 dport=32875 [ASSURED] use=1
firewall:~#
I am now connected to the firewall from the external net, that is:
10.34.78.0/26
On the internal net I have connected my laptop directly to eth1 with a
crossover cable, and I am able to ping both interfaces on the firewall,
but I'm not able to ping further.
This is as far as I get, can anyone please help?
/ernst
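Added example, not the poster's code and not taken from the newbiedoc page: a small offline checker in Python that does, over constructed copies of the three outputs the post shows (the `iface` stanzas, `iptables -L`, and the `/proc/net/ip_conntrack` entry), the reasoning a practitioner would do by hand when a two-NIC gateway does not forward. It derives network and broadcast for each stanza and checks whether a gateway address lies inside that subnet, checks that the two subnets do not overlap, classifies a conntrack entry as SNATed or not (the kernel keeps the rewritten addresses in the reply tuple, so a source-NATed flow has a reply `dst` that differs from the original `src`), and summarises the filter table. All function and constant names are this example's own; `MASQUERADED_FLOW`, with the made-up outside host 192.0.2.10 and inside host 10.34.78.241, is constructed to show what a flow looks like once the POSTROUTING SNAT rule is in effect.

```python
"""Offline sanity checks for a two-NIC Linux NAT gateway (added example).

Runs over constructed copies of the outputs a gateway shows you:
/etc/network/interfaces stanzas, `iptables -L`, /proc/net/ip_conntrack.
It never touches the live system.
"""
import ipaddress
import re


def subnet_facts(address, netmask, gateway=None):
    """Network/broadcast for an `iface ... inet static` stanza, plus whether
    the gateway line (if any) points inside that subnet."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        # None when the stanza has no gateway line; normal for the inside NIC
        # of a gateway, whose default route leaves via the outside NIC.
        "gateway_in_subnet": (None if gateway is None
                              else ipaddress.ip_address(gateway) in net),
    }


def subnets_overlap(cidr_a, cidr_b):
    """Two directly connected subnets must not overlap, or routing is ambiguous."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def conntrack_nat(entry):
    """Classify one ip_conntrack entry (original tuple, then reply tuple).

    The kernel stores the rewritten addresses in the reply tuple, hence:
      SNAT applied <=> reply dst != original src
      DNAT applied <=> reply src != original dst
    """
    srcs = re.findall(r"\bsrc=(\S+)", entry)   # \b keeps sport= from matching
    dsts = re.findall(r"\bdst=(\S+)", entry)   # ... and dport=
    if len(srcs) != 2 or len(dsts) != 2:
        raise ValueError("not a conntrack entry: %r" % entry)
    orig_src, reply_src = srcs
    orig_dst, reply_dst = dsts
    return {"orig": (orig_src, orig_dst),
            "snat": reply_dst != orig_src,
            "dnat": reply_src != orig_dst}


def filter_table_summary(iptables_l_output):
    """Parse `iptables -L` into {chain: (policy or None, number of rules)}."""
    chains, current = {}, None
    for raw in iptables_l_output.splitlines():
        line = raw.strip()
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = [m.group(2), 0]
        elif line and not line.startswith("target ") and current is not None:
            chains[current][1] += 1          # any other non-empty line is a rule
    return {chain: tuple(v) for chain, v in chains.items()}


def gateway_findings(ip_forward, iptables_l_output, conntrack_entries):
    """Turn the three observations into plain-language findings."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("ip_forward is 0: the kernel will not route between the NICs")
    chains = filter_table_summary(iptables_l_output)
    if all(count == 0 for _, count in chains.values()):
        findings.append("filter table is empty: the rules script has not been applied")
    if not any(conntrack_nat(e)["snat"] for e in conntrack_entries):
        findings.append("no SNATed flow in conntrack: nothing has been masqueraded yet")
    return findings


# Constructed copies of the outputs shown in the post (whitespace normalised).
IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
SSH_TO_FIREWALL = ("tcp 6 431999 ESTABLISHED src=10.34.78.27 dst=10.34.78.13 "
                   "sport=32875 dport=22 src=10.34.78.13 dst=10.34.78.27 "
                   "sport=22 dport=32875 [ASSURED] use=1")
# Constructed: a flow from the inside net to a made-up outside host as it
# would appear once the POSTROUTING SNAT rule is active (reply dst = outside IP).
MASQUERADED_FLOW = ("tcp 6 431999 ESTABLISHED src=10.34.78.241 dst=192.0.2.10 "
                    "sport=40000 dport=80 src=192.0.2.10 dst=10.34.78.13 "
                    "sport=80 dport=40000 [ASSURED] use=1")

if __name__ == "__main__":
    print(subnet_facts("10.34.78.13", "255.255.255.192", "10.34.78.1"))
    print(subnet_facts("10.34.78.254", "255.255.255.240"))
    print("overlap:", subnets_overlap("10.34.78.0/26", "10.34.78.240/28"))
    for entry in (SSH_TO_FIREWALL, MASQUERADED_FLOW):
        print(conntrack_nat(entry))
    for finding in gateway_findings("1", IPTABLES_L, [SSH_TO_FIREWALL]):
        print("-", finding)
```

Run against the post's own outputs the checker reports two things: the filter table is empty (nothing in the post applies the rules file), and the only conntrack entry, the ssh session to the firewall itself, shows no address rewriting. Feed it the output of `cat /proc/sys/net/ipv4/ip_forward`, `iptables -L` and `cat /proc/net/ip_conntrack` from a real box to get the same three verdicts there.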