Web lists-archives.com

Help needed with home network configuration

For many years I have used my desktop as a network/firewall server with
two interfaces, one facing the internet (through ADSL) and the other the
local network.

Now I have a fibre connection and for a month both connections will be
available in parallel.

I have decided to use my Raspberry Pi3 as the firewall/network server in
future, but after many hours I have failed to do so successfully.

First I tried a Shorewall setup similar to the one I have on my desktop,
and after failing to get working connections I tried ufw, with no success.

First ufw:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24

Anywhere                   ALLOW OUT   192.168.0.0/24
53/udp                     ALLOW OUT   192.168.0.0/24
443/tcp                    ALLOW OUT   192.168.0.0/24

(I have added the last two lines, which I thought should not be
necessary.)

I get this in the log:

Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

My shorewall configuration:

Zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth0            detect          tcpflags,nosmurfs,routefilter,logmartians
net     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

Policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             $FW             ACCEPT
$FW             loc             ACCEPT
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

snat

#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC   MARK   USER    SWITCH  ORIGDEST   PROBABILITY
#
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
#
MASQUERADE      192.168.0.0/24  eth1

Rules

DNS(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     $FW             loc
SSH(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             net
HTTP(ACCEPT)    $FW             net
HTTPS(ACCEPT)   $FW             net
FTP(ACCEPT)     $FW             net
FTP(ACCEPT)     loc             $FW
SMTP(ACCEPT)    loc             $FW
SMTP(ACCEPT)    $FW             net:195.190.146.50
DNS(ACCEPT)     loc             $FW
Ping(DROP)      net             $FW
Ping(ACCEPT)    loc             $FW
ACCEPT          loc             net             icmp
ACCEPT          $FW             net             icmp
ACCEPT          $FW             loc             icmp

In sysctl.conf I have

net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1

$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
          inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)

eth1      Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
          inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)

$ ip route ls
default via 192.168.1.1 dev eth1
default via 192.168.1.1 dev eth1  metric 204
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249  metric 204


I really do not know the way forward from here.  Help will be
appreciated.

Regards
Johann


-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)
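An added example, not part of Johann's post or of any reply in the thread: a small Python script that reads `[UFW BLOCK]` kernel log lines and works out which netfilter chain dropped each packet from the `IN=`/`OUT=` fields. A ufw log entry with both `IN=` and `OUT=` set (as in the line quoted in the post, `IN=eth0 OUT=eth1`) was dropped in FORWARD, which ordinary `ufw allow in`/`ufw allow out` rules never match; routed traffic is governed by `ufw route` rules. The first log line in the sample is the one from the post joined back onto a single line; the other lines are constructed for contrast and use documentation address ranges. The LAN prefix `192.168.0.0/24` is taken from the post; the `ufw route allow ...` syntax follows the ufw man page.

```python
"""Classify [UFW BLOCK] log lines by netfilter chain and derive the ufw rule
that would have matched the dropped packet.

ufw log entries carry IN= and OUT= interface fields:
  IN set, OUT set   -> FORWARD (packet routed between two interfaces)
  IN set, OUT empty -> INPUT   (packet addressed to the firewall host)
  IN empty, OUT set -> OUTPUT  (packet generated by the firewall host)
Only the FORWARD case is answered with a `ufw route` rule here; INPUT/OUTPUT
drops are covered by plain `ufw allow in/out` rules and are reported as such.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the [UFW BLOCK] line from the post joined
# back onto one line; lines 2-3 are constructed INPUT/OUTPUT drops (addresses
# from RFC 5737 documentation ranges); line 4 is an unrelated line to skip.
SAMPLE_LOG = """\
Mar  9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 12:15:01 pi3 kernel: [403828.100000] [UFW BLOCK] IN=eth1 OUT= MAC=00:e0:4c:20:bf:5d:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.168.1.249 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  9 12:15:05 pi3 kernel: [403832.200000] [UFW BLOCK] IN= OUT=eth1 SRC=192.168.1.249 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=5555 DPT=123 LEN=40
Mar  9 12:15:06 pi3 sshd[1234]: Accepted publickey for johann from 192.168.0.10
"""

# key=value pairs; bare flags such as DF or SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Block:
    chain: str            # "FORWARD", "INPUT" or "OUTPUT"
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str            # lower-cased, e.g. "tcp"
    dport: Optional[int]  # None for protocols without ports (e.g. ICMP)


def parse_block(line: str) -> Optional[Block]:
    """Return a Block for a [UFW BLOCK] line, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    fields: Dict[str, str] = dict(FIELD_RE.findall(line.split("[UFW BLOCK]", 1)[1]))
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        chain = "FORWARD"
    elif in_if:
        chain = "INPUT"
    else:
        chain = "OUTPUT"
    dport = fields.get("DPT")
    return Block(chain, in_if, out_if, fields.get("SRC", ""), fields.get("DST", ""),
                 fields.get("PROTO", "").lower(), int(dport) if dport else None)


def suggest_rule(b: Block, lan_cidr: str = "192.168.0.0/24") -> Optional[str]:
    """ufw command that would have matched a FORWARD drop, else None.

    lan_cidr is an assumption taken from the post's LAN, not read from the log;
    the rule is deliberately scoped to that source rather than to 'any'.
    """
    if b.chain != "FORWARD":
        return None
    port = f" port {b.dport}" if b.dport is not None else ""
    proto = f" proto {b.proto}" if b.proto else ""
    return (f"ufw route allow in on {b.in_if} out on {b.out_if} "
            f"from {lan_cidr} to any{port}{proto}")


def analyse(log: str) -> List[Block]:
    """All [UFW BLOCK] entries in a log excerpt, in order."""
    return [b for b in (parse_block(l) for l in log.splitlines()) if b]


def forward_drops(log: str) -> List[Block]:
    """Entries that need a `ufw route` rule rather than `ufw allow in/out`."""
    return [b for b in analyse(log) if b.chain == "FORWARD"]


if __name__ == "__main__":
    for b in analyse(SAMPLE_LOG):
        print(f"{b.chain:8} {b.in_if or '-':5} -> {b.out_if or '-':5} "
              f"{b.src} -> {b.dst} {b.proto}/{b.dport}")
        print("   ", suggest_rule(b) or "covered by ufw allow in/out rules")
```

Run on the log line from the post, the script reports a FORWARD drop from eth0 to eth1 and prints `ufw route allow in on eth0 out on eth1 from 192.168.0.0/24 to any port 443 proto tcp`. For a ufw-based router the route rules are only part of it: `DEFAULT_FORWARD_POLICY` in `/etc/default/ufw` decides what happens to forwarded packets no route rule matches, and the MASQUERADE equivalent of the Shorewall `snat` entry has to be written by hand into a `*nat` section of `/etc/ufw/before.rules`, since ufw's rule language has no NAT verb.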