
Re: Setup a firewall/gateway/server



On Sat, 14 Jan 12, 12:48:42, Csanyi Pal wrote:
> 
> allow-hotplug eth0
> iface eth0 inet dhcp
> 
> allow-hotplug eth1
> iface eth1 inet static
>     address 192.168.10.1
>     netmask 255.255.255.0
>     gateway 192.168.10.1
> 
> Should I remove the gateway 192.168.10.1 option?

Yes (a machine cannot be its own gateway)
 
> Yesterday actually nothing, after I rebooted it, so I must reinstall the
> headless server to get again Debian Squeeze into which I can SSH again.

Why would you be forced to reinstall? Getting a Debian foobar'ed is 
*very* difficult.
 
> Today I have setup like:
> 
> I setup IP Forwarding so:
> nano /etc/sysctl.conf
>  # Uncomment the following to stop low-level messages on console
> kernel.printk = 3 4 1 3
> net.ipv4.ip_forward = 1
> 
> /etc/init.d/procps restart
> 
> nano /etc/shorewall/shorewall.conf
>  IP_FORWARDING=Yes

You don't need both (sysctl.conf and shorewall.conf) for the forwarding. 
I would suggest to stick with shorewall, but the other setting is indeed 
useful.

> <snipped>
> 
> nano /etc/shorewall/masq
> eth0    192.168.10.1/24

You want 192.168.10.0 (not 192.168.10.1).

> nano /etc/shorewall/interfaces
> net     eth0            detect          blacklist,dhcp
> loc     eth1            detect          dhcp
> 
> nano /etc/shorewall/zones
> fw      firewall
> net     ipv4
> loc     ipv4
> 
> nano /etc/shorewall/policy
> loc             net             ACCEPT
> net             all             DROP            info
> 
> fw              net             ACCEPT
> fw              loc             ACCEPT
> loc             fw              ACCEPT # If full access is desired.

Since you allow all traffic between your hosts you can write it shorter 
like this:

loc    all   ACCEPT
fw     all   ACCEPT
net    all   DROP    info

>  # THE FOLLOWING POLICY MUST BE LAST
> all             all             REJECT          info
> 
> 
> nano /etc/shorewall/rules
> DNS(ACCEPT)     $FW             net
> 
> SSH(ACCEPT)     loc             $FW
> 
> Ping(ACCEPT)    loc             $FW
> 
> Ping(DROP)      net             $FW
> 
> ACCEPT          $FW             loc             icmp
> ACCEPT          $FW             net             icmp
> 
> ACCEPT  all     all     icmp    time-exceeded  # traceroute
> ACCEPT  all     all     tcp     http,https

You seem to have misunderstood the meaning of 'policy' and 'rules'. In 
'policy' you configure what your firewall should do with packets in the 
"normal" case. In 'rules' you configure exceptions to the general policy 
(i.e. open port 80 because you want to run your own webserver).

> > And I am sure I missed something along the way.  Look in your
> > /var/log/kern.log for kernel messages from netfilter.
> 
> It's time now to reboot my headless server machine, but I ask before that
> whether the setup above is good. It's only my home server, so there
> aren't any dangers if the setup doesn't work. At worst I must
> reinstall Debian again and try again, in a loop until I get the
> right setup. Thank you all!

Again, please explain why you have to reinstall and can't fix the 
problem instead.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
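The two mistakes pointed out in this reply (a static interface whose gateway is its own address, and a masq entry written as a host address instead of a network) plus the SSH lockout the original poster is worried about can all be caught before rebooting a headless box. The following pre-flight lint is an added example and is not code from the thread or from Shorewall; the sample configuration it checks is a constructed copy of the files posted above, and the file layout, check names and messages are this example's own assumptions.

```python
"""Pre-flight lint for a Debian router's /etc/network/interfaces and
Shorewall masq/rules files, meant to be run before rebooting a headless box.

Added example, not part of the original thread. The inputs below are
constructed copies of the configuration posted in the thread; the check
names and messages are this example's own."""
import ipaddress
import re

# Constructed copy of the poster's /etc/network/interfaces (not read from disk).
INTERFACES = """\
allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.1
"""

# Constructed copy of /etc/shorewall/masq (INTERFACE, SOURCE columns).
MASQ = "eth0    192.168.10.1/24\n"

# Constructed subset of /etc/shorewall/rules.
RULES = """\
DNS(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             $FW
Ping(ACCEPT)    loc             $FW
Ping(DROP)      net             $FW
"""


def parse_interfaces(text):
    """Return {ifname: {option: value}} for each 'iface' stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = stanzas.setdefault(
                parts[1], {"family": parts[2], "method": parts[3]})
        elif current is not None and parts[0] not in ("auto", "allow-hotplug"):
            current[parts[0]] = " ".join(parts[1:])
    return stanzas


def check_gateway(stanzas):
    """A static interface whose gateway is its own address (the thread's eth1)."""
    findings = []
    for name, opts in stanzas.items():
        if opts.get("method") == "static" and opts.get("gateway") == opts.get("address"):
            findings.append(
                f"{name}: gateway {opts['gateway']} is the interface's own address; drop it")
    return findings


def check_masq(text):
    """The masq SOURCE column must be a network (192.168.10.0/24), not a host."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        iface, source = line.split()[:2]
        try:
            ipaddress.ip_network(source)  # strict mode rejects host bits set
        except ValueError:
            fixed = ipaddress.ip_network(source, strict=False)
            findings.append(f"masq {iface}: {source} has host bits set; use {fixed}")
    return findings


def check_ssh_from_loc(text):
    """Warn if no rule accepts SSH from loc to the firewall itself."""
    pattern = re.compile(r"^SSH\(ACCEPT\)\s+loc\s+\$FW\b")
    if any(pattern.match(line) for line in text.splitlines()):
        return []
    return ["rules: no 'SSH(ACCEPT) loc $FW' line; you would lock yourself "
            "out of the headless box"]


def lint(interfaces=INTERFACES, masq=MASQ, rules=RULES):
    """Run all checks and return the list of warnings (empty means clean)."""
    return (check_gateway(parse_interfaces(interfaces))
            + check_masq(masq)
            + check_ssh_from_loc(rules))


if __name__ == "__main__":
    for finding in lint():
        print("WARN:", finding)
```

Run against the thread's configuration this reports the eth1 gateway and the masq host address; once both are fixed and the `SSH(ACCEPT) loc $FW` rule is kept, it is silent. It complements, not replaces, Shorewall's own `shorewall check`, which validates the syntax of the whole configuration without installing it.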
