Csanyi Pal wrote:
> I want to setup my headless pc box on which run a Debian Squeeze system
> for firewall/gateway/server for my home LAN.
Sounds good.
> What I want is to protect my LAN and to get a web server that is
> reachable from the Internet and from LAN too.
Sure.
> I want to use Shorewall as firewall manager and apache2 as a webserver.
Excellent choices.
> So far I have setup NIC's:
> auto eth0
> iface eth0 inet dhcp
>
> iface eth1 inet static
> address 192.168.10.1
> netmask 255.255.255.0
> network 192.168.10.0
> broadcast 192.168.10.255
> gateway 192.168.10.1
You are missing this line:
allow-hotplug eth1
You should delete the 'network' and 'broadcast' lines since they are
redundant and should be calculated from the 'netmask'. If they are
calculated then they can't be set incorrectly.
I don't see an eth0 setup. I assume that perhaps you are using
network-manager to manage that interface? Search the archives and you
will find very strong opinions about NetworkManager. Personally I am
on the opposition side. I would add a stanza to configure eth0 as
well and then disable or remove network manager.
For dhcp:
allow-hotplug eth0
iface eth0 inet dhcp
Or similar to your above for a static entry.
> a dhcp server:
> /etc/default/isc-dhcp-server
> INTERFACES="eth1"
Looks okay.
> /etc/dhcp/dhcpd.conf
>
> option domain-name "cspl.me";
> option domain-name-servers 91.102.231.242, 91.102.231.241;
>
> subnet 192.168.10.0 netmask 255.255.255.0 {
> interface eth1;
> range 192.168.10.90 192.168.10.99;
> option routers 192.168.10.1;
> option subnet-mask 255.255.255.0;
> }
I would also explicitly set lease times. I don't remember the default
values. I use one day with:
default-lease-time 86400;
max-lease-time 86400;
And you should set 'authoritative' somewhere too.
authoritative;
> a ddclient that works,
>
> IP Forwarding:
> cat /proc/sys/net/ipv4/ip_forward
> 1
I set this up in the /etc/shorewall/init script. Then it is always
set when shorewall is initialized.
# Enable IP forwarding in the linux kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward
I also set this up there so that the console isn't covered with kernel
messages concerning packet filter actions:
dmesg -n5
> but this setup doesn't work yet. Why?
What part or parts do not work?
In addition to the above you will also need to set up shorewall too.
You didn't share that configuration so I don't know what to say about
it. At the least you will want to set up NAT in the masq file.
File /etc/shorewall/masq:
eth0 192.168.10.1/24
File /etc/shorewall/interfaces:
net eth0 detect blacklist,dhcp
loc eth1 detect dhcp
File /etc/shorewall/zones:
net ipv4
loc ipv4
File /etc/shorewall/policy, something like this:
fw net ACCEPT
fw loc ACCEPT
loc net ACCEPT
#loc fw ACCEPT # If full access is desired.
all all REJECT info
File /etc/shorewall/rules:
The rules file is much too much for this quick start. And everyone
will have a unique set of security requirements. But I always have at
least these:
ACCEPT all all icmp echo-request # ping
ACCEPT all all icmp time-exceeded # traceroute
ACCEPT all all tcp ssh,http,https
And I am sure I missed something along the way. Look in your
/var/log/kern.log for kernel messages from netfilter.
Bob
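An added example, not code from Bob's mail: a small POSIX shell audit of the policy and rules files sketched above. The two files are constructed inline from that sketch (plus one hypothetical LAN-only ssh rule) rather than read from /etc/shorewall/, and the function names are my own.

```shell
#!/bin/sh
# Added audit script (not from the mail): checks a Shorewall policy file
# for a trailing catch-all deny and lists what the 'net' zone may reach.
# The two files below are constructed from the sketch in the mail; on a
# real box point the functions at /etc/shorewall/policy and rules.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/policy" <<'EOF'
#SOURCE DEST POLICY LOG
fw net ACCEPT
fw loc ACCEPT
loc net ACCEPT
#loc fw ACCEPT # If full access is desired.
all all REJECT info
EOF

cat > "$WORK/rules" <<'EOF'
#ACTION SOURCE DEST PROTO DPORT
ACCEPT all all icmp echo-request # ping
ACCEPT all all icmp time-exceeded # traceroute
ACCEPT all all tcp ssh,http,https
ACCEPT loc fw tcp 22 # constructed: LAN-only ssh, not exposed to net
EOF

# Drop full-line and trailing comments and blank lines.
strip() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Succeeds only if the last policy line is 'all all REJECT|DROP', so that
# anything not matched by an earlier policy or rule is refused.
has_default_deny() {
  strip "$1" | tail -n 1 | awk '
    $1=="all" && $2=="all" && ($3=="REJECT" || $3=="DROP") { ok=1 }
    END { exit ok ? 0 : 1 }'
}

# Prints every policy that lets the net zone in unconditionally (none expected).
net_accept_policies() {
  strip "$1" | awk '($1=="net" || $1=="all") && $3=="ACCEPT"'
}

# Prints "PROTO DPORT" for each ACCEPT rule whose SOURCE covers the net
# zone ('net' or 'all'): the services reachable from the Internet.
net_exposed_services() {
  strip "$1" | awk '$1=="ACCEPT" && ($2=="net" || $2=="all") { print $4, $5 }'
}

has_default_deny "$WORK/policy" && echo "policy: catch-all deny present" || echo "policy: WARNING no catch-all deny"
echo "services reachable from net:"; net_exposed_services "$WORK/rules"
```

Shorewall applies policies in file order, so the trailing 'all all REJECT' check is the one that matters most; the exposed-services list is there to review one entry at a time.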