Gentoo Forums
Networking & Security
firehol firewall help
Redeeman
l33t
Joined: 25 Sep 2003
Posts: 958
Location: Portugal

PostPosted: Fri Sep 09, 2005 9:09 pm    Post subject: firehol firewall help

Hello.. This is how my setup is:
I have three interfaces:
ppp0: my internet, via PPPoE (my IP: 80.196.156.209)
eth0: NIC, with direct connection to my workstation (1 Gbit for speed) (192.168.0.0/24)
eth1: NIC, connected to a switch, for the rest of the LAN (192.168.0.1/24)

What I need:
I need internet on both eth0 and eth1; therefore I believe I need NAT from ppp0 to both eth0 and eth1.
Now about that NAT: I saw that masquerade is expensive, and in my current firewall I am using SNAT, so I guess I would like that here too.

I also need to be able to have traffic between eth0 and eth1, so that my workstation can connect to the other PCs on my LAN, and for this part I
am not sure, since I think that by doing:
Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

it will forward traffic between interfaces, and then it might work, but as I said, I am not sure.. I would like your advice on how to do that; for now, it should just accept all traffic between the two interfaces.

And now for the part I am most unsure about, port forwarding.. I need to forward ports from the ppp0 interface (internet) to both my workstation and PCs on the LAN. I would like suggestions from you on how to do this. If there are several ways I would like to see them all.

This is what I have so far; it's without port forwarding though, and without (unless nothing is needed) support for traffic between workstation and LAN:
Code:

interface ppp0 internet
   protection strong
   server "http https smtp ftp ssh dns" accept
   client "ftp ssh http https irc" accept

interface eth0 redeeman
   policy accept

interface eth1 lan
   protection strong
   server "http https ssh ftp smtp imaps pop3s samba" accept

router redeeman2internet inface eth0 outface ppp0
   snat to 80.196.156.209 outface ppp0 src 192.168.0.0/24
   route all accept

router lan2internet inface eth1 outface ppp0
   snat to 80.196.156.209 outface ppp0 src 192.168.0.1/24
   route all accept


Now a note:
In the routers, in the snat statements, I saw I was supposed to give a dst too, but I don't know what; in my current firewall I do:
Code:

iptables -t nat -A POSTROUTING -s $INT_SUBNET -o $EXT_IFACE -j SNAT --to $EXT_IP

Any help here would be appreciated.


A few questions:
In the services, for example pop3, server ports are tcp/110, and client ports are default. Does default in client ports mean the ports in server ports, just for outgoing traffic?

For services, I see ntp listens on the same port number, on UDP and TCP, for server ports.... On client ports it just allows outgoing traffic on port 123, and default. What does this mean?

If I have a router from LAN to internet, where I route all, will PCs on the LAN be limited by the client statements in my ppp0 (internet) interface?
-----

Thanks for all your help! I greatly appreciate it.
Redeeman
PostPosted: Sat Sep 10, 2005 8:16 pm    Post subject:

C'mon, someone must know it..
Redeeman
PostPosted: Sun Sep 11, 2005 11:33 pm    Post subject:

hmmmm
Redeeman
PostPosted: Mon Sep 12, 2005 2:31 pm    Post subject:

Can it really be that no one uses firehol?
Steven Robertson
Tux's lil' helper
Joined: 26 Mar 2003
Posts: 140
Location: Tampa, FL

PostPosted: Wed Sep 14, 2005 2:47 am    Post subject:

Here's my firehol.conf.

Code:
version 5

# The variable NAT_FORWARD_IP tells firehol to forward a specific port to a specific
# host.  The variable is stored in the format "host-port,port:range;[host...]".
# Port ranges use ':' (e.g. 5400:6000). A '-' may only separate host from ports:
# inside the port list it would be picked up as a separate port by the grep below.

NAT_FORWARD_IP="192.168.0.9-4600:4699,3632,3664,37500,5400:6000;192.168.0.7-4700:4799;"

for IP_PORT in $(echo $NAT_FORWARD_IP | tr ";" " ")
do
        # The host is the dotted quad up to the first '-'; every ',' or '-' prefixed
        # token after it is a port or port range.
        IP=$(echo $IP_PORT | grep -o "^[1234567890.]\{7,15\}-" | tr -d "-")
        for PORT in $(echo $IP_PORT | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                # No inface is given, so these dnat rules are not limited to eth1.
                dnat to $IP proto tcp dport $PORT
                dnat to $IP proto udp dport $PORT
        done
done

interface eth0 local
        server all                                      accept
        client all                                      accept

interface eth1 inet
        protection strong 10/sec 10
        server "ssh telnet smtp http https pop3 pop3s ping ftp ident" accept
        server custom "tcp/8575" accept
        server custom "tcp/20" accept
        # Open every forwarded port on the internet side as well.
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[1234567890:]*" | tr -d -- "-,")
        do
                server custom forward "tcp/$PORT udp/$PORT" default accept
        done
        server custom "tcp/25000:26000" accept
#       server ident                                    reject with tcp-reset
        client all                                      accept

router inet2local inface eth1 outface eth0
        masquerade reverse
        server ident                                    reject with tcp-reset
        # Let the DNATed packets through the router towards the LAN.
        for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
        do
                route custom forward "tcp/$PORT udp/$PORT" default accept
        done
        client all                                      accept

It should be more or less self-explanatory. Really, the for loops are all you need to copy.

WRT the eth0/eth1 deal: I'm not sure. Bridging might be the solution you intend, or there may be a firehol directive hiding somewhere for it. I haven't looked at my firewall in a while, so I'm still kind of hazy, but Verizon FiOS (15 mb/s down, 2 up) should be arriving soon, so I'm going to migrate my firewall and router from my 166MHz server (getting retired!) to my desktop. (I'm replacing the server with a nice Via Epia box; I'm off to college in a year, and I want a bittorrent proxy of sorts in case the campus's download policy is too restrictive.) If I run into anything resembling a solution, I'll let you know.

Steve
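As an added example that is not code from the thread or from firehol, the script below ties the two posts together in plain iptables terms (the tool the first post's current firewall is written in): it parses a forward map in the "host-port,port:range;[host...]" format of Steven's firehol.conf with the same meaning as his for loops, and emits the SNAT rule, the eth0/eth1 forwarding rules and the DNAT rules the first post asks about. It is a dry run: every function only prints the command it would execute. Interface names and the external address are taken from the first post; the forward map is a constructed sample, and the function names (parse_forward_map, dnat_rules, and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not firehol code): dry-run generator of
# iptables rules for SNAT, inter-LAN forwarding and port forwarding. Values
# below come from the first post except the forward map, which is constructed.

EXT_IFACE=ppp0              # internet (PPPoE), per the first post
EXT_IP=80.196.156.209       # fixed external address, per the first post
WKS_IFACE=eth0              # workstation link
LAN_IFACE=eth1              # rest of the LAN
INT_SUBNET=192.168.0.0/24   # internal range to SNAT

# Constructed sample in Steven's "host-port,port:range;[host...]" format.
# Ranges use ':' as iptables and firehol do; a '-' is only the host/port separator.
NAT_FORWARD_IP="192.168.0.9-4600:4699,3632;192.168.0.7-4700:4799;"

# A port spec is one port or a low:high range. Only the shape is checked,
# which is all the original grep did as well.
valid_port_spec() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?$'
}

# Expand the map into one "IP PORT" line per forwarded port spec. A malformed
# entry is reported on stderr and makes the function return 1.
parse_forward_map() {
    for entry in $(printf '%s' "$1" | tr ';' ' '); do
        case $entry in
            *-*) ;;
            *) echo "parse_forward_map: no '-' in entry '$entry'" >&2; return 1 ;;
        esac
        ip=${entry%%-*}       # text before the first '-'
        ports=${entry#*-}     # comma-separated port specs after it
        for port in $(printf '%s' "$ports" | tr ',' ' '); do
            valid_port_spec "$port" || {
                echo "parse_forward_map: bad port spec '$port' for $ip" >&2
                return 1
            }
            printf '%s %s\n' "$ip" "$port"
        done
    done
}

# Number of forwarded port specs in a map (one line each).
count_forwards() {
    parse_forward_map "$1" | wc -l | tr -d ' '
}

# Turn on forwarding and accept everything between the two LAN segments,
# which is what the first post asks for eth0 <-> eth1.
lan_forward_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -A FORWARD -i $WKS_IFACE -o $LAN_IFACE -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IFACE -o $WKS_IFACE -j ACCEPT"
}

# SNAT to the fixed external address: the rule from the first post, spelled
# with the long option name.
snat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $INT_SUBNET -o $EXT_IFACE -j SNAT --to-source $EXT_IP"
}

# DNAT for every forwarded port spec, tcp and udp, limited to the internet
# interface, plus the FORWARD accept the translated packet still needs.
dnat_rules() {
    parse_forward_map "$1" | while read -r ip port; do
        for proto in tcp udp; do
            echo "iptables -t nat -A PREROUTING -i $EXT_IFACE -p $proto --dport $port -j DNAT --to-destination $ip"
            echo "iptables -A FORWARD -i $EXT_IFACE -d $ip -p $proto --dport $port -j ACCEPT"
        done
    done
}

# Dry run: print the complete rule set for the sample map.
lan_forward_rules
snat_rules
dnat_rules "$NAT_FORWARD_IP"
```

Two points worth keeping in mind when adapting this. The DNAT rules carry `-i ppp0`, so only packets arriving from the internet are rewritten; the top-level `dnat` lines in Steven's firehol.conf give no inface and therefore match on every interface. And SNAT to a literal address only stays correct while that address is fixed; a PPPoE session can come back with a different IP after a reconnect, which is the case MASQUERADE exists for, since it always uses the interface's current address.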