Re: Setup a firewall/gateway/server
Bob Proulx <bob@proulx.com> writes:
> Csanyi Pal wrote:
<snipped>
>> So far I have setup NIC's:
<snipped>
> You are missing this line:
<snipped>
allow-hotplug eth0
iface eth0 inet dhcp
allow-hotplug eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
gateway 192.168.10.1
Should I remove the gateway 192.168.10.1 option?
>> a dhcp server:
>> /etc/default/isc-dhcp-server
>> INTERFACES="eth1"
>
> Looks okay.
>
>> /etc/dhcp/dhcpd.conf
<snipped>
option domain-name "cspl.me";
option domain-name-servers 91.102.231.242, 91.102.231.241;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.10.0 netmask 255.255.255.0 {
interface eth1;
range 192.168.10.90 192.168.10.99;
option routers 192.168.10.1;
option subnet-mask 255.255.255.0;
}
>> a ddclient that works,
<snipped>
> What part or parts do not work?
Yesterday actually nothing worked after I rebooted it, so I must reinstall the
headless server to get Debian Squeeze again, into which I can SSH again.
Today I have set it up like this:
I set up IP forwarding like so:
nano /etc/sysctl.conf
# Uncomment the following to stop low-level messages on console
kernel.printk = 3 4 1 3
net.ipv4.ip_forward = 1
/etc/init.d/procps restart
nano /etc/shorewall/shorewall.conf
IP_FORWARDING=Yes
<snipped>
nano /etc/shorewall/masq
eth0 192.168.10.1/24
nano /etc/shorewall/interfaces
net eth0 detect blacklist,dhcp
loc eth1 detect dhcp
nano /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
nano /etc/shorewall/policy
loc net ACCEPT
net all DROP info
fw net ACCEPT
fw loc ACCEPT
loc fw ACCEPT # If full access is desired.
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
nano /etc/shorewall/rules
DNS(ACCEPT) $FW net
SSH(ACCEPT) loc $FW
Ping(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT all all icmp time-exceeded # traceroute
ACCEPT all all tcp http,https
> And I am sure I missed something along the way. Look in your
> /var/log/kern.log for kernel messages from netfilter.
It's time now to reboot my headless server machine, but before that I ask
whether the setup above is good. It's only my home server, so there
aren't any dangers if the setup doesn't work. At least I must
reinstall Debian again and try again, in a loop until I get the
right setup. Thank you all!
--
Regards from Pal
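An added example, not from the mail above or from the Shorewall project: a small offline checker for the configuration fragments quoted in this thread. It embeds the interfaces, zones, policy, rules and masq snippets as constructed strings and flags the things most likely to leave a Debian router half-working: a static stanza whose gateway is its own address (the default route on this box arrives by DHCP on eth0), a policy or rule naming a zone that /etc/shorewall/zones does not define, an "all all" catch-all policy that is not the last entry (Shorewall policies are first-match), and a masq SOURCE written as a host address rather than the LAN network. The parsing is deliberately minimal and assumes the simple one-entry-per-line layout shown in the mail.

```python
"""Offline sanity checks for the router configuration posted in this thread.
Added example, not part of the original mail; the inputs below are constructed
copies of the fragments quoted above."""
import ipaddress

INTERFACES = """\
allow-hotplug eth0
iface eth0 inet dhcp
allow-hotplug eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
gateway 192.168.10.1
"""
ZONES = "fw firewall\nnet ipv4\nloc ipv4\n"
POLICY = """\
loc net ACCEPT
net all DROP info
fw net ACCEPT
fw loc ACCEPT
loc fw ACCEPT # If full access is desired.
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
"""
RULES = """\
DNS(ACCEPT) $FW net
SSH(ACCEPT) loc $FW
Ping(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT all all icmp time-exceeded # traceroute
ACCEPT all all tcp http,https
"""
MASQ = "eth0 192.168.10.1/24\n"


def _fields(text):
    """Whitespace-split fields of each line, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_interfaces(text):
    """Map each 'iface' stanza to its method plus address/netmask/gateway keys."""
    stanzas, current = {}, None
    for f in _fields(text):
        if f[0] == "iface":
            current = f[1]
            stanzas[current] = {"method": f[3]}
        elif current and f[0] in ("address", "netmask", "gateway"):
            stanzas[current][f[0]] = f[1]
    return stanzas


def check_interfaces(text):
    """Flag a static stanza whose gateway is the interface's own address."""
    problems = []
    for name, cfg in parse_interfaces(text).items():
        if cfg.get("gateway") and cfg["gateway"] == cfg.get("address"):
            problems.append(f"{name}: gateway {cfg['gateway']} is the interface's own address")
    return problems


def check_shorewall(zones, policy, rules, masq):
    """Cross-check the zones, policy, rules and masq fragments against each other."""
    problems = []
    zone_rows = list(_fields(zones))
    known = {z for z, *_ in zone_rows} | {"all"}
    fw_zone = next(z for z, kind, *_ in zone_rows if kind == "firewall")

    def zone(name):  # $FW is Shorewall's alias for the zone of type 'firewall'
        return fw_zone if name == "$FW" else name

    pol = list(_fields(policy))
    for src, dst, *_ in pol:
        for z in (src, dst):
            if zone(z) not in known:
                problems.append(f"policy: unknown zone {z!r}")
    # Policies are first-match, so the 'all all' catch-all must be the last entry.
    catch_all = [i for i, p in enumerate(pol) if p[:2] == ["all", "all"]]
    if not catch_all:
        problems.append("policy: no 'all all' catch-all policy")
    elif catch_all[0] != len(pol) - 1:
        problems.append("policy: 'all all' catch-all appears before other policies")

    for f in _fields(rules):
        for z in f[1:3]:
            if zone(z) not in known:
                problems.append(f"rules: unknown zone {z!r} in {' '.join(f)}")

    # masq SOURCE should be the LAN network; host bits set here are just masked away.
    for _iface, source, *_ in _fields(masq):
        net = ipaddress.ip_network(source, strict=False)
        if ipaddress.ip_interface(source).ip != net.network_address:
            problems.append(f"masq: {source} has host bits set; the network is {net}")
    return problems
```

Running `check_interfaces(INTERFACES)` reports the eth1 gateway line, and `check_shorewall(ZONES, POLICY, RULES, MASQ)` reports only the masq source; the zone names and policy ordering in the posted files are consistent.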