
Re: Setup a firewall/gateway/server



Bob Proulx <bob@proulx.com> writes:

> Csanyi Pal wrote:
<snipped>


>> So far I have setup NIC's:
<snipped>
> You are missing this line:
<snipped>

allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1

Should I remove the gateway 192.168.10.1 option?

>> a dhcp server:
>> /etc/default/isc-dhcp-server
>> INTERFACES="eth1"
>
> Looks okay.
>
>> /etc/dhcp/dhcpd.conf
<snipped>

option domain-name "cspl.me";
option domain-name-servers 91.102.231.242, 91.102.231.241;

default-lease-time 600;
max-lease-time 7200;

authoritative;

subnet 192.168.10.0 netmask 255.255.255.0 {
    interface eth1;
    range 192.168.10.90 192.168.10.99;
    option routers 192.168.10.1;
    option subnet-mask 255.255.255.0;
}

>> a ddclient that works,
<snipped>

> What part or parts do not work?

Yesterday actually nothing worked after I rebooted it, so I must reinstall
the headless server to get Debian Squeeze again, into which I can SSH again.

Today I have set it up like this:

I set up IP forwarding so:
nano /etc/sysctl.conf
# Uncomment the following to stop low-level messages on console
kernel.printk = 3 4 1 3
net.ipv4.ip_forward = 1

/etc/init.d/procps restart

nano /etc/shorewall/shorewall.conf
IP_FORWARDING=Yes

<snipped>

nano /etc/shorewall/masq
eth0    192.168.10.1/24

nano /etc/shorewall/interfaces
net     eth0            detect          blacklist,dhcp
loc     eth1            detect          dhcp

nano /etc/shorewall/zones
fw      firewall
net     ipv4
loc     ipv4

nano /etc/shorewall/policy
loc             net             ACCEPT
net             all             DROP            info

fw              net             ACCEPT
fw              loc             ACCEPT
loc             fw              ACCEPT # If full access is desired.

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info


nano /etc/shorewall/rules
DNS(ACCEPT)     $FW             net

SSH(ACCEPT)     loc             $FW

Ping(ACCEPT)    loc             $FW

Ping(DROP)      net             $FW

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

ACCEPT  all     all     icmp    time-exceeded  # traceroute
ACCEPT  all     all     tcp     http,https

> And I am sure I missed something along the way.  Look in your
> /var/log/kern.log for kernel messages from netfilter.

It's time now to reboot my headless server machine, but I ask before that
whether the setup above is good. It's only my home server so there
aren't any dangers if the setup doesn't work. At most I must
reinstall Debian again and try again, in a loop until I get the
right setup. Thank you all!

-- 
Regards from Pal
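As an added example (not part of this thread or of Shorewall), a small Python linter that reads an ifupdown-style interfaces file and a Shorewall masq line like the ones posted above and flags two things a reviewer would look at before rebooting: a static stanza whose gateway is the interface's own address (which also gives the box a second default route next to the one eth0 gets from DHCP, an assumption about the DHCP lease), and a masq SOURCE written as a host address rather than the LAN network. The inputs are constructed copies of the posted config.

```python
import ipaddress

# Constructed input: the two stanzas posted in the thread.
INTERFACES_FILE = """\
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
"""
# Constructed input: the posted /etc/shorewall/masq line (INTERFACE SOURCE).
MASQ_FILE = "eth0    192.168.10.1/24\n"


def parse_interfaces(text):
    """Parse ifupdown 'iface' stanzas into {name: {'method': ..., option: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "iface" and len(parts) >= 4:
            current = stanzas.setdefault(parts[1], {})
            current["method"] = parts[3]
        elif parts[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these keywords end the current stanza
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])
    return stanzas


def check_interfaces(stanzas):
    """Flag a gateway equal to the interface's own address and more than one default route.
    Assumption: a dhcp stanza receives a default route from its DHCP server."""
    findings = []
    with_default = sorted(n for n, s in stanzas.items()
                          if s.get("method") == "dhcp" or "gateway" in s)
    for name, s in stanzas.items():
        if "gateway" in s and s["gateway"] == s.get("address"):
            findings.append(f"{name}: gateway {s['gateway']} is the interface's own address")
    if len(with_default) > 1:
        findings.append("more than one default route: " + ", ".join(with_default))
    return findings


def check_masq(text):
    """Flag a masq SOURCE with host bits set; the LAN network is what should be NATed."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        net = ipaddress.ip_network(fields[1], strict=False)  # normalises host bits away
        if str(net) != fields[1]:
            findings.append(f"{fields[0]}: masq SOURCE {fields[1]} has host bits set; use {net}")
    return findings
```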

