I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
I use static NAT for all internal systems except my test system (shuksan), which is masqueraded through the primary gateway address (206.124.146.176), and a server (206.124.146.177) in my DMZ, which I manage using proxy ARP.
The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.16.
My personal system (ursa) is 192.168.1.5.
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs.
The firewall system itself runs a DHCP server that serves the local network.
All administration and publishing is done using ssh/scp.
I run PoPToP on my firewall system for when I am on the road with my Win2k laptop, and the firewall serves as the endpoint of a PPTP tunnel to my employer (Compaq).
I run an SNMP server on my firewall to serve MRTG running on my personal system.
Finally, we have a WAP for when I'm roaming around the house with my laptop.
The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.176 (the primary IP address of the firewall's external interface). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).
I configure the IP "aliases" 206.124.146.178-180 on the firewall's eth0 myself, so I have ADD_IP_ALIASES=No in my /etc/shorewall/shorewall.conf (otherwise Shorewall would add those aliases itself from the entries in /etc/shorewall/nat).
Note: My files use features not available before Shorewall version 1.2.5.
/etc/shorewall/zones:

#ZONE   DISPLAY    COMMENTS
net     Internet   Internet
loc     Local      Local networks
dmz     DMZ        Demilitarized zone
cpq     Compaq     Compaq Intranet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
The interfaces file gives each broadcast address explicitly rather than using "detect", so that I can start the firewall before bringing up my Ethernet interfaces. It is important that 'loc' is defined before 'cpq' in the zones file, since 'loc' also uses a ppp interface (see the hosts file below).
/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        206.124.146.255   routefilter,norfc1918
loc     eth2        192.168.1.255     dhcp
dmz     eth1        192.168.2.255     routestopped
-       ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Note that PPTP clients connected to my firewall are treated as part of the local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.
/etc/shorewall/hosts:

#ZONE   HOST(S)                   OPTIONS
loc     eth2:192.168.1.0/24       routestopped
loc     ppp+:192.168.1.0/24
cpq     ppp+:!192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
/etc/shorewall/common:

run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p tcp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j REJECT
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP

Note that Shorewall jumps to the common chain from the DROP and REJECT policy chains just before the packet would be logged. The first two rules therefore mean that stray TCP segments with ACK or RST set (for example, late packets from connections that connection tracking has already forgotten) are accepted silently rather than logged.
/etc/shorewall/policy:

#CLIENT   SERVER   POLICY   LOG LEVEL
cpq       loc      ACCEPT
cpq       fw       DROP
fw        cpq      DROP
loc       cpq      ACCEPT
loc       net      ACCEPT
fw        loc      ACCEPT
net       all      DROP     info
all       all      REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Although most of our internal systems use static NAT, my test system (192.168.1.8) uses IP masquerading (actually SNAT to the primary address 206.124.146.176), as do visitors with laptops. The two ppp+ entries masquerade traffic that leaves through a ppp interface for destinations outside 192.168.1.0/24, that is, traffic entering the PPTP tunnel to Compaq; the !192.168.1.0/24 qualifier keeps traffic to my own PPTP clients from being masqueraded. Masquerading my server's traffic to Compaq behind the tunnel endpoint means that the replies come back through the tunnel as well, so all email I send to Compaq employees travels over the encrypted tunnel.
/etc/shorewall/masq:

#INTERFACE               SUBNET             ADDRESS
eth0                     192.168.1.0/24     206.124.146.176
ppp+:!192.168.1.0/24     192.168.1.0/24
ppp+:!192.168.1.0/24     206.124.146.177
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/nat:

#EXTERNAL          INTERFACE   INTERNAL       ALL          LOCAL
#                                             INTERFACES
206.124.146.178    eth0        192.168.1.5    No           No
206.124.146.179    eth0        192.168.1.4    No           No
206.124.146.180    eth0        192.168.1.7    No           No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/proxyarp:

#ADDRESS           INTERFACE   EXTERNAL   HAVEROUTE
206.124.146.177    eth1        eth0       No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules:

#RESULT        CLIENT(S)          SERVER(S)          PROTO   PORT(S)                          CLIENT    ADDRESS
#                                                                                             PORT(S)
#
# Local Network to Internet - Reject attempts by Trojans to call home using IRC
#
REJECT:info    loc                net                tcp     6667
#
# Local Network to Firewall
#
ACCEPT         loc                fw                 tcp     ssh,swat,135,137:139,445,time
ACCEPT         loc                fw                 udp     137:139,snmp
#
# Local Network to DMZ
#
ACCEPT         loc                dmz                udp     domain
ACCEPT         loc                dmz                tcp     domain,smtp,ssh,auth,imaps
ACCEPT         loc                dmz                tcp     www,ftp,pop3
ACCEPT         loc                dmz                icmp    echo-request
#
# Internet to DMZ -- Note: My secondary Name Server is 4.3.113.178
#
ACCEPT         net                dmz                tcp     www,ftp,smtp,imaps
ACCEPT         net                dmz                udp     domain
ACCEPT         net:4.3.113.178    dmz                tcp     domain
REJECT         net                dmz                tcp     auth
#
# Net to Local -- Allow ICQ to 206.124.146.178 (a.k.a 192.168.1.5)
#                 and auth to all systems. Silently reject bots
#
ACCEPT         net                loc:192.168.1.5    tcp     4000:4100
ACCEPT         net                loc                tcp     auth
REJECT         net                loc                tcp     www
#
# DMZ to Internet
#
ACCEPT         dmz                net                icmp    echo-request
ACCEPT         dmz                net                tcp     smtp,auth,domain
ACCEPT         dmz                net                udp     domain
ACCEPT         dmz                net                udp     ntp
#
# I have an email account with my ISP and for the time being, both my
# wife and I have email accounts at our old ISP. These are for fetchmail
# running in the DMZ.
#
ACCEPT         dmz                net:206.124.128.18 tcp     pop3
ACCEPT         dmz                net:206.191.151.2  tcp     pop3
#
# DMZ to Firewall -- Silently reject Auth since I don't run identd on the
#                    firewall.
#
REJECT         dmz                fw                 tcp     auth
#
# DMZ to Local Network
#
ACCEPT         dmz                loc                tcp     smtp,auth
ACCEPT         dmz                loc                icmp    echo-request
#
# DMZ to Compaq -- DNS queries and email to compaq.com, cpqcorp.net and
#                  dec.com are sent through the PPTP tunnel. The tunnel
#                  has a large routing table that ensures that all
#                  Compaq-bound traffic uses the tunnel.
#
ACCEPT         dmz                cpq                udp     domain
ACCEPT         dmz                cpq                tcp     smtp
ACCEPT         dmz                cpq                icmp    echo-request
#
# Internet to Firewall -- Allow incoming SSH and PPTP. PPTP requires both
#                         TCP port 1723 and GRE (protocol 47). I have
#                         modified /etc/protocols to include gre.
#
#                         Silently reject Auth since I don't run an ident
#                         server on the firewall. Silently reject bots.
#
ACCEPT         net                fw                 tcp     ssh,1723
ACCEPT         net                fw                 gre
REJECT         net                fw                 tcp     auth,www
#
# Firewall to Internet -- Allow NTP, DNS, WWW (for updating my dyndns.org
#                         registration), SSH, PPTP (tcp port 1723 and GRE),
#                         whois and ping.
#
ACCEPT         fw                 net                udp     ntp
ACCEPT         fw                 net                udp     domain
ACCEPT         fw                 net                tcp     domain,www,ssh,1723,whois
ACCEPT         fw                 net                gre
ACCEPT         fw                 net                icmp    echo-request
#
# Firewall to DMZ - FTP and DNS queries.
#
ACCEPT         fw                 dmz                tcp     ftp
ACCEPT         fw                 dmz                udp     domain
REJECT         fw                 dmz                udp     137:139
#
# Firewall to Compaq - Just ping
#
ACCEPT         fw                 cpq                icmp    echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
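Because the policy for net is "net all DROP", the ACCEPT rules whose client is net are the complete list of what the Internet can reach through this firewall. The script below is an added example written for this page (it is not part of the configuration above and not Shorewall code): it pulls that exposure out of a Shorewall 1.2-style rules file and flags any zone name that the zones file does not declare. The embedded samples are excerpted from the zones and rules files above, plus one deliberately bad rule naming a zone "txx" that is constructed to exercise the check; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit helpers for a Shorewall 1.2-style rules file.
# Not part of this page's configuration or of Shorewall itself; the
# function names and the "txx" rule are this example's own constructions.

# Constructed sample: the zones file from this page.
ZONES_SAMPLE='#ZONE   DISPLAY    COMMENTS
net     Internet   Internet
loc     Local      Local networks
dmz     DMZ        Demilitarized zone
cpq     Compaq     Compaq Intranet'

# Constructed sample: rules excerpted from this page, plus one deliberately
# bad rule (zone "txx" is declared nowhere) to exercise undeclared_zones.
RULES_SAMPLE='#RESULT      CLIENT(S)        SERVER(S)        PROTO  PORT(S)
REJECT:info  loc              net              tcp    6667
ACCEPT       loc              fw               tcp    ssh,swat,135,137:139,445,time
ACCEPT       net              dmz              tcp    www,ftp,smtp,imaps
ACCEPT       net              dmz              udp    domain
ACCEPT       net:4.3.113.178  dmz              tcp    domain
REJECT       net              dmz              tcp    auth
ACCEPT       net              loc:192.168.1.5  tcp    4000:4100
ACCEPT       net              loc              tcp    auth
ACCEPT       net              fw               tcp    ssh,1723
ACCEPT       net              fw               gre
REJECT       net              fw               tcp    auth,www
ACCEPT       fw               txx              tcp    www'

# Drop comments and blank lines and collapse whitespace so awk sees clean fields.
strip_comments() {
  sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' |
    grep -v '^$'
}

# net_exposure RULES: every ACCEPT whose client is the net zone (with or
# without a host qualifier such as net:4.3.113.178), printed as
# "server proto ports". Under a "net all DROP" policy this list is exactly
# what the Internet can reach.
net_exposure() {
  printf '%s\n' "$1" | strip_comments | awk '
    split($1, r, ":") && r[1] == "ACCEPT" && $2 ~ /^net(:|$)/ {
      printf "%s %s %s\n", $3, $4, ($5 == "" ? "-" : $5)
    }'
}

# undeclared_zones RULES ZONES: zone names used in the CLIENT or SERVER
# column that the zones file does not declare. "fw" is the built-in
# firewall zone and "all" a keyword, so both are always accepted.
undeclared_zones() {
  known=$(printf '%s\n' "$2" | strip_comments | awk '{ printf "%s ", $1 }')
  printf '%s\n' "$1" | strip_comments | awk -v known="$known fw all" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    {
      for (f = 2; f <= 3; f++) {
        split($f, z, ":")
        if (!(z[1] in ok) && !seen[z[1]]++) print z[1]
      }
    }'
}

# Stand-alone run over the embedded samples.
echo "Reachable from net (server proto ports):"
net_exposure "$RULES_SAMPLE"
echo "Zones used in rules but not declared:"
undeclared_zones "$RULES_SAMPLE" "$ZONES_SAMPLE"
```

To run it against a real installation, replace the two embedded samples with `$(cat /etc/shorewall/rules)` and `$(cat /etc/shorewall/zones)`. The exposure list is only as good as the policy file: if a zone-to-zone policy other than DROP or REJECT applies to traffic from net, that traffic is reachable without any rule and will not appear here.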
I had DSL service and got my External IP address via DHCP. My DSL "modem" was connected through a 10MB hub to eth0 (I could get up to 3 dynamic IP addresses and I also had an LRP-based firewall connected to this hub). I had a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).
Although I got my external IP address via DHCP, I kept the same address until I took the firewall down for an extended period of time or I installed a new NIC as eth0. Consequently, my firewall rules contained explicit references to that address (206.191.149.206).
The firewall ran on a 128MB PII/233 with RH7.1 and Kernel 2.4.9-2.4.15.
My personal system was 192.168.1.5 and all external icq connection requests were forwarded to that system.
There was a single system (192.168.2.2) in the DMZ and that system ran postfix, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system also ran fetchmail to fetch our email from our ISP.
The firewall system itself ran a DHCP server that served the local network.
All administration and publishing was done using ssh/scp.
I ran PoPToP on my firewall system for when I was on the road with my Win2k laptop and the firewall served as the endpoint of a PPTP tunnel to my employer (Compaq).
I ran an SNMP server on my firewall to serve MRTG running on my personal system.
I ran Squid on my firewall and used it as a Transparent HTTP proxy.
Finally, the firewall acted as an IPSEC gateway to a peer network in Dallas Texas. I was using FreeS/Wan 1.91.
Note: My files used features not available before Shorewall version 1.1.12.
/etc/shorewall/zones:

#ZONE   DISPLAY    COMMENTS
net     Internet   Internet
loc     Local      Local networks
dmz     DMZ        Demilitarized zone
tx      Texas      Peer network in Dallas
cpq     Compaq     Compaq Intranet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
The interfaces file gave each broadcast address explicitly rather than using "detect", so that I could start the firewall before bringing up my Ethernet interfaces. It is important that 'loc' is defined before 'cpq', since 'loc' also uses a ppp interface (see the hosts file below).
/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST         OPTIONS
net     eth0        206.191.149.223   dhcp,norfc1918,routefilter,noping
loc     eth2        192.168.1.255     dhcp
dmz     eth1        192.168.2.255
tx      ipsec0      -
cpq     ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Note that PPTP clients connected to my firewall are treated as part of the local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.
/etc/shorewall/hosts:

#ZONE   HOST(S)                   OPTIONS
dmz     eth1:192.168.2.2          routestopped
loc     eth2:192.168.1.0/24       routestopped
loc     ppp+:192.168.1.0/24
tx      ipsec0:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE
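Both configurations on this page note that 'loc' must be defined before 'cpq' because both zones own the ppp+ interfaces: the 192.168.1.0/24 hosts on ppp+ are PPTP clients (loc), while the rest of ppp+ is the Compaq tunnel (cpq). The script below is an added example written for this page, not Shorewall's own code: it models zone assignment as "first entry in zone order that matches the packet's interface and source address" and shows what happens to a PPTP client when cpq is listed first. The zone-map format, the function names and the 172.16.5.9 address standing in for a Compaq host are this example's assumptions; the map itself is built from the interfaces and hosts files above, with a bare interface entry written as 0.0.0.0/0 and the "!" exclusion form of the newer hosts file also supported.

```shell
#!/bin/sh
# Added example: a first-match model of how a (interface, source address)
# pair lands in a Shorewall zone, used to show why "loc" must precede "cpq"
# when both own the ppp+ interfaces. Illustration for this page, not
# Shorewall code; map format and function names are assumptions.

# Zone map in zones-file order, built from the interfaces and hosts files
# above: ZONE IFACE-PATTERN CIDR. A bare interface entry (cpq ppp+) covers
# the whole interface, written here as 0.0.0.0/0. A leading "!" on the CIDR
# excludes that network, as in the newer hosts file (cpq ppp+:!192.168.1.0/24).
ZONE_MAP='net eth0 0.0.0.0/0
loc eth2 192.168.1.0/24
loc ppp+ 192.168.1.0/24
dmz eth1 192.168.2.0/24
tx ipsec0 192.168.9.0/24
cpq ppp+ 0.0.0.0/0'

# The same map with cpq ahead of loc: the mistake the text warns against.
WRONG_ORDER='net eth0 0.0.0.0/0
cpq ppp+ 0.0.0.0/0
loc eth2 192.168.1.0/24
loc ppp+ 192.168.1.0/24
dmz eth1 192.168.2.0/24
tx ipsec0 192.168.9.0/24'

# zone_for MAP IFACE IP: print the first zone whose entry matches, or "none".
zone_for() {
  printf '%s\n' "$1" | awk -v iface="$2" -v ip="$3" '
    function ip2int(a,   q) {
      split(a, q, "."); return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4]
    }
    # Compare network parts by integer division; POSIX awk has no bit operators.
    function in_cidr(addr, cidr,   p, bits, unit) {
      split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
      unit = 2 ^ (32 - bits)
      return int(addr / unit) == int(ip2int(p[1]) / unit)
    }
    # "ppp+" matches any interface whose name starts with "ppp".
    function iface_match(pat, name) {
      if (substr(pat, length(pat)) == "+")
        return index(name, substr(pat, 1, length(pat) - 1)) == 1
      return pat == name
    }
    {
      neg = 0; cidr = $3
      if (substr(cidr, 1, 1) == "!") { neg = 1; cidr = substr(cidr, 2) }
      if (iface_match($2, iface) && in_cidr(ip2int(ip), cidr) != neg) {
        print $1; found = 1; exit
      }
    }
    END { if (!found) print "none" }'
}

# A PPTP client on ppp0 from the 192.168.1.0/24 pool is "loc" only when loc
# is listed first. 172.16.5.9 is a made-up address for a host on the Compaq
# side of the tunnel.
echo "correct order, PPTP client:  $(zone_for "$ZONE_MAP" ppp0 192.168.1.20)"    # loc
echo "correct order, Compaq host:  $(zone_for "$ZONE_MAP" ppp0 172.16.5.9)"      # cpq
echo "wrong order,   PPTP client:  $(zone_for "$WRONG_ORDER" ppp0 192.168.1.20)" # cpq
```

With cpq listed first, a PPTP client's traffic is handled under the cpq policies (cpq to fw is DROP, and loc-only rules such as SSH to the firewall never apply to it), which is exactly the failure the ordering note guards against.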
/etc/shorewall/policy:

#CLIENT   SERVER   POLICY   LOG LEVEL
cpq       loc      ACCEPT
cpq       fw       DROP
fw        cpq      DROP
loc       cpq      ACCEPT
loc       net      ACCEPT
fw        loc      ACCEPT
fw        tx       ACCEPT
tx        loc      REJECT
loc       tx       ACCEPT
net       all      DROP     info
all       all      REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/tunnels:

#TYPE   ZONE   GATEWAY          GATEWAY ZONE
ipsec   net    130.252.100.21   tx
#LAST LINE -- DO NOT REMOVE
My local network was masqueraded to the Internet. Note that outbound tunnel traffic to Compaq also gets masqueraded (Compaq does not use 192.168.1.0/24, while my own PPTP clients have addresses in that range); the !192.168.1.0/24 qualifier on the ppp+ entries prevents masquerading of traffic destined for my PPTP clients.
/etc/shorewall/masq:

#INTERFACE               SUBNET
eth0                     192.168.1.0/24
eth0                     192.168.2.0/24
ppp+:!192.168.1.0/24     192.168.1.0/24
ppp+:!192.168.1.0/24     192.168.2.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules:

#RESULT        CLIENT(S)   SERVER(S)             PROTO   PORT(S)                          CLIENT    ADDRESS
#                                                                                         PORT(S)
#
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:info    loc         net                   tcp     6667
#
# Local Network to Firewall - Allow SSH, swat, time, NETBIOS
# noise and SNMP. I also run Squid on my firewall as a Transparent Proxy. I
# don't want local requests for my web server to use the proxy.
#
# (note: if I access my webserver using the address 192.168.2.2, the proxy
# _is_ used).
#
ACCEPT         loc         fw                    tcp     ssh,swat,135,137:139,445,time
ACCEPT         loc         fw                    udp     137:139,snmp
ACCEPT         loc         fw::8080              tcp     http                             -         !206.191.149.206
#
# Local Network to DMZ - Allow SMTP, POP3, SSH, AUTH, PING, FTP, WWW, SMTP
#
ACCEPT         loc         dmz                   udp     domain
ACCEPT         loc         dmz                   tcp     domain,smtp,ssh,auth
ACCEPT         loc         dmz                   icmp    echo-request
ACCEPT         loc         dmz:192.168.2.2       tcp     ftp,www,pop3                     -         206.191.149.206
#
# Internet to DMZ - Allow SMTP, WWW, FTP
#
ACCEPT         net         dmz:192.168.2.2       tcp     www,ftp,smtp                     -         all
ACCEPT         net         dmz:192.168.2.2       udp     domain                           -         all
#
# Net to Local -- ICQ
#
ACCEPT         net         loc:192.168.1.5       tcp     4000:4100                        -         all
#
# DMZ to Internet - Allow ping, SMTP, NTP, Auth, POP3 and DNS
#
# Note: 206.191.149.193 is the IP address of the stratum 2 time server that I
# sync to.
# Note: 206.191.151.2 is our ISP's POP3 server.
#
ACCEPT         dmz         net                   icmp    echo-request
ACCEPT         dmz         net                   tcp     smtp,auth,domain
ACCEPT         dmz         net:206.191.149.193   udp     ntp
ACCEPT         dmz         net:206.191.151.2     tcp     pop3
ACCEPT         dmz         net                   udp     domain
#
# DMZ to Firewall -- Silently reject Auth
#
REJECT         dmz         fw                    tcp     auth
#
# DMZ to Local Network - Allow SMTP, AUTH, PING, and NFS
#
ACCEPT         dmz         loc                   tcp     smtp,auth
ACCEPT         dmz         loc                   icmp    echo-request
#
# DMZ to Compaq -- DNS
#
ACCEPT         dmz         cpq                   udp     domain
ACCEPT         dmz         cpq                   tcp     domain,smtp
ACCEPT         dmz         cpq                   icmp    echo-request
#
# DMZ to Texas -- SMTP, POP3, AUTH and ping
#
ACCEPT         dmz         tx                    tcp     smtp,pop3,auth
ACCEPT         dmz         tx                    icmp    echo-request
#
# Texas to DMZ -- SMTP, POP3, AUTH and ping
#
ACCEPT         tx          dmz                   tcp     smtp,pop3,auth
ACCEPT         tx          dmz                   icmp    echo-request
#
# Internet to Firewall - Allow PPTP, Auth and SSH
#
ACCEPT         net         fw                    tcp     ssh,auth,1723
ACCEPT         net         fw                    gre
#
# Firewall to Internet - Allow NTP, DNS, PPTP, HTTP and Whois
#
ACCEPT         fw          net:206.191.149.193   udp     ntp
ACCEPT         fw          net                   udp     domain,33434:33500
ACCEPT         fw          net                   tcp     domain,www,ssh,1723,whois
ACCEPT         fw          net                   gre
ACCEPT         fw          net                   icmp    echo-request
#
# Firewall to DMZ - Reject NETBIOS noise but accept http, ftp and DNS
#
ACCEPT         fw          dmz                   tcp     http,ftp
ACCEPT         fw          dmz                   udp     domain
REJECT         fw          dmz                   udp     137:139
#
# Firewall to Compaq - Ping
#
ACCEPT         fw          cpq                   icmp    echo-request
#
# Allow Texas access to my personal system
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Last updated 3/2/2002 - Tom Eastep