
Re: Help needed with home network configuration
On 3/9/2018 3:30 PM, Johann Spies wrote:
For many years I have used my desktop as a network/firewall server with
two interfaces, one facing the internet (through ADSL) and the other the
local network.

Now I have a fibre connection and for a month both connections will be
available in parallel.

I have decided to use my Raspberry Pi3 as the firewall/network server in
future but have after many hours failed to do so successfully.

First I tried a similar Shorewall setup to the one I have on my desktop
and, after failing to get successful connections, I tried ufw with no success.

My shorewall configuration:

Zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth0            detect          tcpflags,nosmurfs,routefilter,logmartians
net     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians

Policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

loc             $FW             ACCEPT
$FW             loc             ACCEPT
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

snat

#ACTION         SOURCE          DEST            PROTO   PORT   IPSEC   MARK   USER    SWITCH  ORIGDEST   PROBABILITY
#
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
#
MASQUERADE      192.168.0.0/24  eth1

Rules

DNS(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             $FW
SSH(ACCEPT)     $FW             loc
SSH(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             net
HTTP(ACCEPT)    $FW             net
HTTPS(ACCEPT)   $FW             net
FTP(ACCEPT)     $FW             net
FTP(ACCEPT)     loc             $FW
SMTP(ACCEPT)    loc             $FW
SMTP(ACCEPT)    $FW             net:195.190.146.50
DNS(ACCEPT)     loc             $FW
Ping(DROP)      net             $FW
Ping(ACCEPT)    loc             $FW
ACCEPT          loc             net             icmp
ACCEPT          $FW             net             icmp
ACCEPT          $FW             loc             icmp


Given your policies, your rules file is almost not needed.

In sysctl.conf I have

net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1


Shorewall takes care of this.
You need to set 'IP_FORWARDING=Yes' in /etc/shorewall/shorewall.conf and logmartians is properly set in /etc/shorewall/interfaces.

If you're willing to play with a multiple-ISP configuration, you should look on shorewall.org and at the corresponding examples provided with Shorewall.

$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
           inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
           inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
           TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)

eth1      Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
           inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
           inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
           TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)

$ ip route ls
default via 192.168.1.1 dev eth1
default via 192.168.1.1 dev eth1  metric 204
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249  metric 204


I really do not know the way forward from here.  Help will be
appreciated.


If your interfaces are not configured by DHCP in your Shorewall config, you should use SNAT() and not MASQUERADE in /etc/shorewall/snat.

Do you want to buy some new hardware or can you elaborate on what you would like to have?

--
John Doe
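An added worked example (shell, written for this archive page; it is not code from either poster) that checks the quoted `ip route ls` output against the quoted snat entry: it counts the default routes, confirms the snat entry names the interface that actually carries the default route, and derives the static SNAT(addr) form of the entry that the reply recommends from the source address in the routing table. The route and snat text are embedded copies of what the thread shows; the SNAT(addr) column layout follows the Shorewall 5 snat file syntax.

```shell
#!/bin/sh
# Constructed input: the `ip route ls` output and the snat entry quoted in the thread.
ROUTES='default via 192.168.1.1 dev eth1
default via 192.168.1.1 dev eth1  metric 204
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.249  metric 204'
SNAT_LINE='MASQUERADE      192.168.0.0/24  eth1'

# Number of default routes. The post shows two (one plain, one with metric 204),
# which is worth investigating: it usually means two tools manage the interface.
count_default_routes() {
  printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# Device carrying the first listed (preferred) default route.
default_iface() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Source address the kernel uses on device $2, taken from its connected route.
iface_src_addr() {
  printf '%s\n' "$1" | awk -v dev="$2" '$1 != "default" { d = ""; s = ""
    for (i = 1; i < NF; i++) { if ($i == "dev") d = $(i + 1); if ($i == "src") s = $(i + 1) }
    if (d == dev && s != "") { print s; exit } }'
}

# Interface named in the snat entry (third column, comment lines skipped).
snat_iface() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 3 { print $3; exit }'
}

# Succeeds only when NAT is applied on the interface that carries the default
# route; otherwise local traffic leaves the other interface untranslated.
check_snat_iface() {
  [ "$(snat_iface "$2")" = "$(default_iface "$1")" ]
}

# Rewrite the MASQUERADE entry as SNAT(addr) using the address found in the
# routing table, which is the form to use when the address is static.
suggest_snat_line() {
  dev=$(default_iface "$1")
  src=$(printf '%s\n' "$2" | awk '$1 !~ /^#/ { print $2; exit }')
  printf 'SNAT(%s) %s %s\n' "$(iface_src_addr "$1" "$dev")" "$src" "$dev"
}

echo "default routes: $(count_default_routes "$ROUTES")"
check_snat_iface "$ROUTES" "$SNAT_LINE" && echo "snat interface matches default route"
suggest_snat_line "$ROUTES" "$SNAT_LINE"
```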