[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Setup a firewall/gateway/server

Csanyi Pal wrote:
> I want to setup my headless pc box on which run a Debian Squeeze system
> for firewall/gateway/server for my home LAN.

Sounds good.

> What I want is to protect my LAN and to get a web server that is
> reachable from the Internet and from LAN too.


> I want to use Shorewall as firewall manager and apache2 as a webserver.

Excellent choices.

> So far I have setup NIC's:
> auto eth0
> iface eth0 inet dhcp
> iface eth1 inet static
>     address
>     netmask
>     network
>     broadcast
>     gateway

You are missing this line:

  allow-hotplug eth1

You should delete the 'network' and 'broadcast' lines since they are
redundant and should be calculated from the 'netmask'.  If they are
calculated then they can't be set incorrectly.

I don't see an eth0 setup.  I assume that perhaps you are using
network-manager to manage that interface?  Search the archives and you
will find very strong opinions about NetworkManager.  Personally I am
on the opposition side.  I would add a stanza to configure eth0 as
well and then disable or remove network manager.

For dhcp:

  allow-hotplug eth0
  iface eth0 inet dhcp

Or similar to your above for a static entry.

> a dhcp server:
> /etc/default/isc-dhcp-server

Looks okay.

> /etc/dhcp/dhcpd.conf
> option domain-name "cspl.me";
> option domain-name-servers,;
> subnet netmask {
>     interface eth1;
>     range;
>     option routers;
>     option subnet-mask;
> }

I would also explicitly set lease times.  I don't remember the default
values.  I use one day with:

  default-lease-time 86400;
  max-lease-time 86400;

And you should set 'authoritative' somewhere too.


> a ddclient that works,
> IP Forwarding:
> cat /proc/sys/net/ipv4/ip_forward
> 1

I set this up in the /etc/shorewall/init script.  Then it is always
set when shorewall is initialized.

  # Enable IP forwarding in the linux kernel.
  echo 1 > /proc/sys/net/ipv4/ip_forward

I also set this up there so that the console isn't covered with kernel
messages concerned packet filter actions:

  dmesg -n5

> but this setup doesn't work yet. Why?

What part or parts do not work?

In addition to the above you will also need to set up shorewall too.
You didn't share that configration so I don't know what to say about
it.  At the least you will want to set up NAT in the masq file.

File /etc/shorewall/masq:


File /etc/shorewall/interfaces:

  net     eth0            detect          blacklist,dhcp
  loc     eth1            detect          dhcp

File /etc/shorewall/zones:

  net     ipv4
  loc     ipv4

File /etc/shorewall/policy, something like this:

  fw              net             ACCEPT
  fw              loc             ACCEPT
  loc             net             ACCEPT
  #loc             fw              ACCEPT # If full access is desired.
  all             all             REJECT          info 

File /etc/shorewall/rules:

The rules file is much too much for this quick start.  And everyone
will have a unique set of security requirements.  But I always have at
least these:

  ACCEPT  all     all     icmp    echo-request  # ping
  ACCEPT  all     all     icmp    time-exceeded  # traceroute
  ACCEPT  all     all     tcp     ssh,http,https

And I am sure I missed something along the way.  Look in your
/var/log/kern.log for kernel messages from netfilter.


Attachment: signature.asc
Description: Digital signature

Reply to: