Csanyi Pal wrote:
> I want to set up my headless PC box, on which runs a Debian Squeeze system,
> for firewall/gateway/server for my home LAN.

Sounds good.

> What I want is to protect my LAN and to get a web server that is
> reachable from the Internet and from the LAN too.

Sure.

> I want to use Shorewall as firewall manager and apache2 as a webserver.

Excellent choices.

> So far I have set up NICs:
>
>   auto eth0
>   iface eth0 inet dhcp
>
>   iface eth1 inet static
>     address 192.168.10.1
>     netmask 255.255.255.0
>     network 192.168.10.0
>     broadcast 192.168.10.255
>     gateway 192.168.10.1

You are missing this line:

  allow-hotplug eth1

You should delete the 'network' and 'broadcast' lines since they are
redundant and should be calculated from the 'netmask'. If they are
calculated then they can't be set incorrectly.

I don't see an eth0 setup. I assume that perhaps you are using
network-manager to manage that interface? Search the archives and you
will find very strong opinions about NetworkManager. Personally I am
on the opposition side. I would add a stanza to configure eth0 as well
and then disable or remove network manager. For dhcp:

  allow-hotplug eth0
  iface eth0 inet dhcp

Or similar to your above for a static entry.

> a dhcp server:
>
> /etc/default/isc-dhcp-server
>
>   INTERFACES="eth1"

Looks okay.

> /etc/dhcp/dhcpd.conf
>
>   option domain-name "cspl.me";
>   option domain-name-servers 91.102.231.242, 91.102.231.241;
>
>   subnet 192.168.10.0 netmask 255.255.255.0 {
>     interface eth1;
>     range 192.168.10.90 192.168.10.99;
>     option routers 192.168.10.1;
>     option subnet-mask 255.255.255.0;
>   }

I would also explicitly set lease times. I don't remember the default
values. I use one day with:

  default-lease-time 86400;
  max-lease-time 86400;

And you should set 'authoritative' somewhere too.

  authoritative;

> a ddclient that works,
>
> IP Forwarding:
>
>   cat /proc/sys/net/ipv4/ip_forward
>   1

I set this up in the /etc/shorewall/init script. Then it is always set
when shorewall is initialized.

  # Enable IP forwarding in the linux kernel.
  echo 1 > /proc/sys/net/ipv4/ip_forward

I also set this up there so that the console isn't covered with kernel
messages concerning packet filter actions:

  dmesg -n5

> but this setup doesn't work yet.

Why? What part or parts do not work?

In addition to the above you will also need to set up shorewall too.
You didn't share that configuration so I don't know what to say about
it. At the least you will want to set up NAT in the masq file.

File /etc/shorewall/masq:

  eth0 192.168.10.1/24

File /etc/shorewall/interfaces:

  net eth0 detect blacklist,dhcp
  loc eth1 detect dhcp

File /etc/shorewall/zones:

  net ipv4
  loc ipv4

File /etc/shorewall/policy, something like this:

  fw  net ACCEPT
  fw  loc ACCEPT
  loc net ACCEPT
  #loc fw ACCEPT   # If full access is desired.
  all all REJECT info

File /etc/shorewall/rules:

The rules file is much too much for this quick start. And everyone
will have a unique set of security requirements. But I always have at
least these:

  ACCEPT all all icmp echo-request    # ping
  ACCEPT all all icmp time-exceeded   # traceroute
  ACCEPT all all tcp  ssh,http,https

And I am sure I missed something along the way.

Look in your /var/log/kern.log for kernel messages from netfilter.

Bob
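As an added example, not part of Bob's reply, here is a small POSIX sh audit of a Shorewall policy file of the shape suggested above: it strips comments, checks that the final policy line is an all/all REJECT or DROP catch-all, and reports whether the loc->fw policy has been opened. The sample policy is constructed to match the one in the reply; the function names are my own.

```shell
#!/bin/sh
# Constructed sample policy file, mirroring the reply's suggestion.
POLICY_SAMPLE='fw  net ACCEPT
fw  loc ACCEPT
loc net ACCEPT
#loc fw ACCEPT   # If full access is desired.
all all REJECT info'

# policy_lines FILE: print the active policy lines (comments and blanks removed).
policy_lines() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# has_catchall FILE: succeed if the last active line is "all all REJECT|DROP",
# i.e. anything not explicitly allowed is refused.
has_catchall() {
  last=$(policy_lines "$1" | tail -n 1)
  set -- $last
  [ "$1" = all ] && [ "$2" = all ] && { [ "$3" = REJECT ] || [ "$3" = DROP ]; }
}

# allowed SRC DST FILE: succeed if there is an explicit "SRC DST ACCEPT" policy.
allowed() {
  policy_lines "$3" | awk -v s="$1" -v d="$2" \
    '$1 == s && $2 == d && $3 == "ACCEPT" { f = 1 } END { exit !f }'
}

# audit_policy FILE: print findings; non-zero status if the catch-all is missing.
audit_policy() {
  rc=0
  has_catchall "$1" || { echo "missing final 'all all REJECT|DROP' policy"; rc=1; }
  allowed loc fw "$1" && echo "note: loc->fw is fully open"
  return $rc
}

tmp=$(mktemp)
printf '%s\n' "$POLICY_SAMPLE" > "$tmp"
audit_policy "$tmp" && echo "policy ok"
```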