I have spent a few hours looking at Google Groups to figure out how to
set up a gateway & firewall on my Mandrake 10 box.
Here is what I want.
Internet --- Cable modem --- Linux box --- Router --- Any clients.
1) Just to get the Linux box to forward packets.
2) The most important function I want my Linux box to do is
monitoring and restricting how much each client in the internal
network is able to download. This can be done using Squid, right? Is
this the easiest way?
3) After I get the above working, I can play around with firewall,
email, ssh, ... etc
Can someone point me to a place where I can familiarise myself with how to
get my gateway running?
The current configuration is this.
Internet --- Cable modem --- Router --- Clients (Windows and Linux
machines)
My Linux box has two NICs. Eth0 is up and running nicely. I
haven't tried to set up eth1 yet. (I am kind of scared of setting
up eth1; I'll probably run into trouble again.)
Bit Twister
On 23 Dec 2004 02:16:29 -0800, zhex900 wrote:
> I have spent a few hours looking at Google Groups to figure out how to
> set up a gateway & firewall on my Mandrake 10 box.
Is that 10.0 or 10.1? It is not nice to leave us guessing.
How about 10.0 Official or Community?
Please read http://www.catb.org/~esr/faqs/smart-questions.html
Assume all updates have been installed from a Mandrake mirror.
> Here is what I want.
> Internet --- Cable modem --- Linux box --- Router --- Any clients.
Ok, go ahead and configure eth1 for your LAN.
After you have it configured in the Mandrake Control Center (MCC),
edit /etc/sysconfig/network-scripts/ifcfg-eth1
and change METRIC
if you are running Mandrake 10.1.
And add a line in /etc/sysconfig/network:
HOSTNAME=fw.home.invalid
NETWORKING=yes
GATEWAYDEV=eth0 <============
Make sure you have a carriage return after eth0, by doing a
$ cat /etc/sysconfig/network
and the prompt should be on the left, not at the end of eth0.
> 1) Just to get the Linux box to forward packets.
Go into the Mandrake Control Center under Security, Firewall
and uncheck all boxes; that tells the firewall to block all inbound
attempts and allow all outbound attempts.
At this point your shorewall firewall is installed and running.
I would load webmin to allow you to play with the shorewall firewall files.
Click up a terminal:
su -l root
urpmi webmin
service webmin start
Want a GUI editor for the next change?
export DISPLAY=:0.0
kwrite /etc/sysctl.conf
and set IP forwarding/masquerading with
net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
Save and exit.
Next, enable the forwarding change with the command
sysctl -p
and reload the network with
service network restart
I assume you have loaded your /etc/hosts file with LAN definitions. Example
Now, let's play with the shorewall files;
in your user account, click up a browser and load
https://localhost:10000 and click Network, shorewall.
The names of the icon selections will be the names of the shorewall
files.
In another browser window, load
http://www.shorewall.net/two-interface.htm
That page will suggest you read it once, then go back to start changes.
That is good advice.
Do not install any files, we can do all the work from what is already
loaded.
Now go back to the top of the shorewall document and find the Zone file example
and verify the webmin Zone matches the document. You have some leeway.
Here is my _zone_ file
net Net Internet zone
loc Local Local
The document is having you edit the files and shows you what it should
look like after editing. Just go to webmin for that file and
set it to look like the example.
The Files I modified are
interfaces
masq
policy
routestopped
rules
I wanted to have LAN PCs able to do WAN pings and I wanted
to allow one external machine to have access to my network.
Here are my _rules_ settings:
ACCEPT net:$FUZZYIP fw all - -
ACCEPT loc fw icmp 8
ACCEPT fw loc icmp
DROP net fw icmp echo-request
ACCEPT fw net icmp
Here is an advanced user tip.
You can create variables in _params_ with an editor and use them
in the scripts. That is what the $FUZZYIP is.
What that allows me to do is modify params and do a shorewall restart
and the new params values will go into all the shorewall files.
Example snippet from my params file
FUZZYIP.216.147.150
LOC_NIC=eth0 # lan nic
NET_NIC=eth1 # /etc/sysconfig/network gatewaydev
Note, I have eth1 on cable modem and eth0 for the lan router.
The _masq_ file has
$NET_NIC $LOC_NIC
You would use eth0 eth1
Now my _routestopped_ has
$LOC_NIC
You would have eth1
That allows any LAN box access to firewall box when shorewall is stopped.
My _policy_ file has
loc net ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
At this point it should work. Click _Check Firewall_ for syntax errors.
You might want to click up yet another terminal and do a
tail -f /var/log/messages
That will allow you to see any shorewall messages as you verify
there are no problems accessing the internet from the LAN PCs.
Ok, click Stop/Start firewall and see what you can see.
http://www.shorewall.net/Documentation_Index.html for the shorewall docs,
if you really want to understand more about the firewall.
There were 94,000+ new viruses created this year. I got tired of
seeing my logs filling up with all the attempts so I created entries
in /etc/shorewall/blacklist for noisy ports.
Here are two lines from mine
0.0.0.0/0 tcp 1025
0.0.0.0/0 udp 1026:1029
one is a port, the other is a range of ports.
Any def in blacklist is dropped and no /var/log/messages entry is
created.
After you edit blacklist, you can do a shorewall reload to set
the values.
You may want to read the header files in /etc/shorewall just to get a
feel what each file will do for you.
If you want to modify any other shorewall settings found in
/usr/share/shorewall/, copy the file to /etc/shorewall and make the
change there.
Files in /etc/shorewall supersede files in /usr/share/shorewall.
Since webmin is running, you can get to the firewall from the lan with
https://firewall_box_ip_here:10000
If the firewall box is in /etc/hosts on a LAN box
https://firewall_box_name_here:10000
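The checks in the reply above (the newline after GATEWAYDEV=eth0, net.ipv4.ip_forward = 1 being what sysctl -p will read, and the shape of the /etc/shorewall/blacklist lines) are all done by eye. The script below does the same three checks against files, as an added example that is not code from this thread or from the Shorewall project. Every function takes a file path, the sample files it writes under a temp directory are constructed for illustration, and the blacklist format it assumes is the three-field ADDRESS PROTO PORTS form shown in the post; the real blacklist file accepts more than that, so treat the linter as a check for the lines you write in that form.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: scripted
# versions of three checks from the reply above.  Functions take a file
# path so they can run against real files or the constructed samples below.

# Check 1: "the prompt should be on the left" after cat, i.e. the file
# must end with a newline.  Succeeds only if the last byte is \n.
ends_with_newline() {
    [ -s "$1" ] || return 1
    # $(...) strips a trailing newline, so an empty result means one was there.
    [ -z "$(tail -c 1 "$1")" ]
}

# Check 2: is net.ipv4.ip_forward = 1 what sysctl -p would apply?
# Commented-out lines are ignored and the last assignment wins.
sysctl_conf_forward_enabled() {
    last=$(grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1" \
        | tail -n 1 | sed 's/.*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$last" = "1" ]
}

# Port field of a blacklist line: N or N:M, both in 1..65535, N <= M.
valid_port_spec() {
    case "$1" in ''|*[!0-9:]*|*:*:*) return 1 ;; esac
    lo=${1%%:*}; hi=${1##*:}
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && \
    [ "$hi" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Check 3: lint a blacklist file written in the ADDRESS PROTO PORTS form
# used in the post (an assumption; the real file allows other forms).
# Blank and # lines are skipped; every bad line is reported on stderr and
# the function returns 1 if any was found.
blacklist_lint() {
    file=$1
    status=0
    set -f   # no globbing while each line is word-split
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        if [ $# -ne 3 ]; then
            echo "blacklist: expected 3 fields: $line" >&2; status=1; continue
        fi
        case "$2" in
            tcp|udp) ;;
            *) echo "blacklist: proto must be tcp or udp: $line" >&2; status=1; continue ;;
        esac
        valid_port_spec "$3" || { echo "blacklist: bad port spec: $line" >&2; status=1; }
    done < "$file"
    set +f
    return "$status"
}

# Constructed sample files (not real system files) so the checks run offline.
SAMPLE_DIR="${TMPDIR:-/tmp}/gateway-check.$$"
mkdir -p "$SAMPLE_DIR"
printf 'HOSTNAME=fw.home.invalid\nNETWORKING=yes\nGATEWAYDEV=eth0\n' > "$SAMPLE_DIR/network.good"
printf 'HOSTNAME=fw.home.invalid\nNETWORKING=yes\nGATEWAYDEV=eth0'   > "$SAMPLE_DIR/network.bad"
printf '# forwarding\nnet.ipv4.ip_forward = 1\n' > "$SAMPLE_DIR/sysctl.good"
printf '#net.ipv4.ip_forward = 1\nnet.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.bad"
printf '#ADDRESS PROTO PORTS\n0.0.0.0/0 tcp 1025\n0.0.0.0/0 udp 1026:1029\n' > "$SAMPLE_DIR/blacklist.good"
printf '0.0.0.0/0 icmp 1025\n0.0.0.0/0 tcp 1029:1026\n0.0.0.0/0 udp\n' > "$SAMPLE_DIR/blacklist.bad"

cleanup_samples() { rm -rf "$SAMPLE_DIR"; }

# One line per check; "ok"/"FAIL" without exiting, so every check runs.
report() {
    if "$1" "$2"; then echo "ok    $1 $2"; else echo "FAIL  $1 $2"; fi
}
for f in network.good network.bad; do report ends_with_newline "$SAMPLE_DIR/$f"; done
for f in sysctl.good sysctl.bad; do report sysctl_conf_forward_enabled "$SAMPLE_DIR/$f"; done
for f in blacklist.good blacklist.bad; do report blacklist_lint "$SAMPLE_DIR/$f"; done
```

Run it as plain sh; against the real box you would call the functions with /etc/sysconfig/network, /etc/sysctl.conf and /etc/shorewall/blacklist instead of the samples. Note that sysctl_conf_forward_enabled only reads the file: the live value is in /proc/sys/net/ipv4/ip_forward and is what actually decides whether the box forwards, so check both after sysctl -p.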