Re: Help needed with home network configuration

I see I have broken the thread by adding [SOLVED] to the subject.

Just to keep it in this thread:

I have tried a third option: arno-iptables-firewall.

Now I can reach the internet from the local network.  I still don't
understand why I could not get it working with Shorewall, which I have
used for many years.

Johann

On 10 March 2018 at 11:04, Johann Spies <johann.spies@xxxxxxxxx> wrote:
> Thanks Bob.
>
> Regards
> Johann
>
> On 9 March 2018 at 23:50, Bob Weber <bobrweber@xxxxxxxxx> wrote:
>> On 3/9/18 2:52 PM, Johann Spies wrote:
>>
>> On 9 March 2018 at 17:31, Bob Weber <bobrweber@xxxxxxxxx> wrote:
>>
>> There are other things that you can do once you get the basics working.  I
>> have a caching DNS (with dnscrypt to OpenDNS to keep DNS queries from being
>> forged) and an NTP server on my router, and I use the shorewall redirect command
>> to force all internal machines to use these servers instead of going outside
>> to the internet for each inside machine.
>>
>> Bob, can you share your dns setup please.  My bind9 now gives me problems:
>> e.g. named[25623]: error (network unreachable) resolving
>> 'activity-stream-icons.services.mozilla.com...'
>> but I can ping the outside world.
>>
>> Regards
>> Johann
>>
>> Answers from previous messages also.
>>
>> The eth0 port needs to be static.  If it wasn't and DHCP changed the address
>> then all the local net machines couldn't connect to it to use it as a router,
>> since they need to know its exact address.  My interfaces file is as
>> follows:
>>
>> #This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>>         address 172.16.0.1
>>         netmask 255.255.0.0
>>         network 172.16.0.0
>>         broadcast 172.16.255.255
>>         dns-nameservers 127.0.0.1
>>         dns-search weberhome.net
>>
>> # auto eth1 -- don't need auto since using netplug
>> iface eth1 inet dhcp
>>
>> ----------------
>> My internal net is 172.16.0.0/16 and is from the days I worked as net admin
>> for a local school so you will have to change these to 192.168.... if you
>> use them (or keep the 172 net for your system).  Notice eth1 is DHCP since
>> it has to connect to the ISP via the ISP's routers and addresses.  I have a
>> pi3 that I have played with.  At one point I had a second ethernet port
>> attached through a usb adapter and I don't remember it being slow or the
>> main port being slow.  I even installed KDE and played with a 7" touch
>> display.  The only reservation I have about the pi is the flash drive.  I
>> just don't trust them... especially for something that just needs to work
>> all the time (that is why I use raid).
>>
>> I'll first post the pertinent lines in my shorewall files (bingo is my
>> firewall machine .. a small form factor intel atom board running debian
>> testing with 2 sata drives in raid1 configuration):
>>
>> ---- interfaces
>> ###############################################################################
>> ?FORMAT 2
>> ###############################################################################
>> #ZONE   INTERFACE       OPTIONS
>> Ex      eth1            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>>
>> Loc     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
>>
>> ---- zones
>> ###############################################################################
>> #ZONE   TYPE            OPTIONS         IN                      OUT
>> #                                       OPTIONS                 OPTIONS
>> Bingo   firewall                # Bingo
>> Loc     ipv4                    # Local 172 network
>> Ex      ipv4                    # The Internet
>>
>>
>> ---- policy
>> ###############################################################################
>> #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
>> Bingo           Loc             ACCEPT
>> Bingo           Ex              ACCEPT
>> Loc             Ex              ACCEPT
>> Ex              all             DROP            info
>>
>> # THE FOLLOWING POLICY MUST BE LAST
>> all             all             REJECT          info
>>
>>
>> --- rules
>> ############################################################################################################################
>> #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
>> #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
>> #
>> #SECTION ESTABLISHED
>> #
>> #SECTION RELATED
>> #
>> #
>> ?SECTION NEW
>> Ping/ACCEPT     Loc                     all
>> #
>> allowBcast      Loc                     Bingo   all
>> HTTP/ACCEPT     Loc:172.16.0.0/16       Bingo
>> ACCEPT          Loc:172.16.0.0/16       Bingo   tcp     3128
>> POP3/ACCEPT     Loc:172.16.0.0/16       Bingo
>> SMTP/ACCEPT     Loc:172.16.0.0/16       Bingo
>> DNS/ACCEPT      Loc:172.16.0.0/16       Bingo
>> Rdate/ACCEPT    Loc:172.16.0.0/16       Bingo
>> Auth/ACCEPT     Loc:172.16.0.0/16       Bingo
>> SSH/ACCEPT      Loc:172.16.0.0/16       Bingo
>> FTP/ACCEPT      Loc:172.16.0.0/16       Bingo
>> FTP/ACCEPT      Loc:172.16.0.0/16       Ex
>> NTP/ACCEPT      Loc:172.16.0.1/16       Bingo
>>
>> REDIRECT        Loc                     53      tcp,udp  53     -
>>
>> REDIRECT        Loc                     123     tcp,udp  123    -
>>
>>
>> ----------------------
>> Note that the redirect commands above allow me to capture all DNS and NTP
>> calls and answer them from my firewall no matter what server the local
>> machine (in the Loc zone) asks for.
>>
>>
>> ---- snat
>> ###################################################################################################################
>> #ACTION         SOURCE          DEST            PROTO   PORT   IPSEC  MARK    USER    SWITCH  ORIGDEST   PROBABILITY
>> #
>> # Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.6 - Fri May 5 14:33:33 EDT 2017
>> #
>> MASQUERADE      172.16.0.1/16   eth1
>>
>> ----------------------------------
>> I wouldn't worry about the iptables -L output except to see that shorewall
>> is working.
>>
>> As far as bind goes, the config is split up into several files, most of which
>> don't need changing.  I have commented out the lines that connect to OpenDNS
>> via dnscrypt since I suppose you won't need that.  dnscrypt makes a secure
>> (like https) connection to OpenDNS (or others as configured) so that DNS
>> queries can't be spoofed, and uses the local (to the firewall machine)
>> address 127.0.2.1 which bind can connect to.
>>
>> ---- named.conf.options
>>
>> acl "trusted" {
>>         172.16.0.0/16;
>>         192.168.0.0/16;
>>         localhost;
>>  };
>>
>>
>> options {
>>         directory "/var/cache/bind";
>>
>>         // If there is a firewall between you and nameservers you want
>>         // to talk to, you may need to fix the firewall to allow multiple
>>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>>
>>         // If your ISP provided one or more IP addresses for stable
>>         // nameservers, you probably want to use them as forwarders.
>>         // Uncomment the following block, and insert the addresses replacing
>>         // the all-0's placeholder.
>>
>>         forwarders {
>>         // opendns
>>            208.67.222.222;
>>            208.67.220.220;
>>         // 127.0.2.1;
>>         };
>>         forward only;
>>
>>
>>         recursion yes;
>>
>>         allow-query { any; };
>>         allow-recursion { trusted; };
>>         allow-query-cache { trusted; };
>>
>>         auth-nxdomain no;    # conform to RFC1035
>>
>>         listen-on  { 127.0.0.1; };
>>         listen-on  { 172.16.0.1; };
>> };
>>
>> The next file is where I set up for my local machines to have a domain
>> called weberhome.net  and my bind will serve as master for that domain.
>>
>> ---- named.conf.local
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> //include "/etc/bind/zones.rfc1918";
>>
>> # You can insert further zone records for your own domains below.
>>
>>
>> zone "weberhome.net" in {
>>         type master;
>>         file "/etc/bind/db.weberhome.net";
>>         notify no;
>>         };
>>
>> zone "0.16.172.IN-ADDR.ARPA" in {
>>         type master;
>>         notify no;
>>         file "/etc/bind/db.172.16.0";
>>         };
>>
>> ---------------------
>> The file /etc/bind/db.weberhome.net has lines like:
>>
>> $TTL 1W
>> @       IN      SOA     bingo.weberhome.net. postmaster.bingo.weberhome.net. (
>>                         2006112600      ; serial
>>                         10800           ; refresh
>>                         3600            ; retry
>>                         3600000         ; expire
>>                         86400 )         ; negative-cache TTL
>> ; named will not load a master zone without an NS record at the apex
>> @       IN      NS      bingo.weberhome.net.
>> bingo   IN      A       172.16.0.1
>> bob     IN      A       172.16.0.3
>>
>> So that access to the firewall machine can be just the name bingo (like ping
>> bingo).
>>
>> The file /etc/bind/db.172.16.0 looks like this:
>> $TTL 1W
>> @       IN      SOA     bingo.weberhome.net. postmaster.bingo.weberhome.net. (
>>                         2006112600      ; serial
>>                         10800           ; refresh
>>                         3600            ; retry
>>                         3600000         ; expire
>>                         86400 )         ; negative-cache TTL
>> ; the reverse zone also needs an apex NS record to load
>> @       IN      NS      bingo.weberhome.net.
>> 1       IN      PTR     bingo.weberhome.net.
>> 3       IN      PTR     bob.weberhome.net.
>>
>> Which allows for reverse DNS (the command "host 172.16.0.1" gives back
>> bingo.weberhome.net).
>>
>> Now for the local dhcp server.  The file /etc/dhcp/dhcpd.conf looks like
>> this:
>>
>> #
>> # Sample configuration file for ISC dhcpd for Debian
>> #
>>
>> # The ddns-updates-style parameter controls whether or not the server will
>> # attempt to do a DNS update when a lease is confirmed. We default to the
>> # behavior of the version 2 packages ('none', since DHCP v2 didn't
>> # have support for DDNS.)
>> ddns-update-style none;
>>
>> # option definitions common to all supported networks...
>> #option domain-name "example.org";
>> #option domain-name-servers ns1.example.org, ns2.example.org;
>>
>> option routers                  172.16.0.1;
>> option subnet-mask              255.255.0.0;
>>
>> option domain-name              "weberhome.net";
>> option domain-name-servers      172.16.0.1;
>> option domain-search            "weberhome.net";
>>
>> # time-offset is in seconds west of UTC, not hours: UTC-5 is -18000
>> option time-offset              -18000;  # Eastern Standard Time
>>
>> default-lease-time 600;
>> max-lease-time 7200;
>>
>> # If this DHCP server is the official DHCP server for the local
>> # network, the authoritative directive should be uncommented.
>> authoritative;
>>
>> # dhcpd refuses to serve an interface that has no matching subnet
>> # declaration; the dynamic range below is a placeholder, adjust it so it
>> # does not overlap the fixed addresses.
>> subnet 172.16.0.0 netmask 255.255.0.0 {
>>         range 172.16.1.1 172.16.1.254;
>> }
>>
>> # Fixed IP addresses can also be specified for hosts.
>> host bob {
>>         hardware ethernet 48:5b:39:29:c3:ae;
>>         fixed-address   172.16.0.3;
>> }
>>
>> ---------------
>> So that is the setup for firewall, dns and dhcpd.  I also use openntpd for
>> the time server on the firewall machine.  As for bind if you don't want a
>> local domain then you should only need to change the named.conf.options
>> file.
>>
>> Remember ping is your friend.  You need to be able to ping to the outside
>> and inside from the firewall machine.  So "ping 208.67.222.222" has to work
>> if you have any chance of getting bind to work.
>>
>> One last thing... the output of my "route -n" command:
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 0.0.0.0         24.153.63.1     0.0.0.0         UG    0      0        0 eth1
>> 24.153.63.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
>>
>> So the first two entries are set up by the ISP (on eth1) and the third
>> should be set up by the firewall's networking ifup configuration run at boot
>> using the static entry in the interfaces file.
>>
>> WOW that's a lot to go through.  I hope I haven't forgotten anything.
>>
>> ...Bob
>
>
>
> --
> Because experiencing your loyal love is better than life itself,
> my lips will praise you.  (Psalm 63:3)



-- 
Because experiencing your loyal love is better than life itself,
my lips will praise you.  (Psalm 63:3)
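The three pieces Bob posts (the Shorewall REDIRECT rules for 53 and 123, the bind "trusted" ACL with recursion restricted to it and listen-on limited to the LAN address, and the route table with the default route on eth1) only do their job as a unit: if any one of them drifts, LAN hosts either leak DNS past the caching resolver or get no answer at all. The script below is an added example of mine, not code from the thread, from Shorewall or from BIND: it lints those fragments offline. The sample inputs are constructed, modelled on the quoted configs with the ISP addresses replaced by the 203.0.113.0/24 documentation range; the zone name "Loc", the interface names and the 172.16.0.0/16 LAN are taken from the post.

```python
# Added example (mine, not from the thread, Shorewall or BIND): an offline lint
# that checks the posted pieces fit together.  Samples are constructed, with the
# ISP addresses replaced by the 203.0.113.0/24 documentation range.
import ipaddress
import re
SHOREWALL_RULES = """\
DNS/ACCEPT      Loc:172.16.0.0/16       Bingo
NTP/ACCEPT      Loc:172.16.0.0/16       Bingo
REDIRECT        Loc                     53      tcp,udp  53     -
REDIRECT        Loc                     123     tcp,udp  123    -
"""
NAMED_OPTIONS = """\
acl "trusted" { 172.16.0.0/16; 192.168.0.0/16; localhost; };
options {
        recursion yes;
        allow-query { any; };
        allow-recursion { trusted; };
        listen-on { 127.0.0.1; };
        listen-on { 172.16.0.1; };
};
"""
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
"""
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def redirected_ports(rules_text, zone="Loc"):
    """(proto, dport) pairs REDIRECTed from `zone`; columns: ACTION SOURCE DEST PROTO DPORT."""
    found = set()
    for cols in (line.split() for line in rules_text.splitlines()):
        if len(cols) >= 5 and cols[0] == "REDIRECT" and cols[1].split(":")[0] == zone:
            found.update((p, int(cols[4])) for p in cols[3].split(","))
    return found

def dns_ntp_captured(rules_text):
    # True when every LAN DNS and NTP query (tcp+udp 53 and 123) is intercepted
    return {(p, d) for p in ("tcp", "udp") for d in (53, 123)} <= redirected_ports(rules_text)

def _block(text, header_re):
    """Items inside the braces of the first `header { a; b; };` statement."""
    m = re.search(header_re + r"\s*\{([^}]*)\}", text)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else []

def expand_acl(named_text, items, _depth=0):
    """Resolve ACL items (builtins, CIDRs, nested acl names) into (names, networks)."""
    names, nets = set(), []
    for item in (i.strip('"') for i in items):
        if item in BUILTIN_ACLS:
            names.add(item)
        elif re.fullmatch(r"[\d.]+(/\d+)?", item):
            nets.append(ipaddress.ip_network(item, strict=False))
        elif _depth < 8:  # a named acl; the depth bound guards against reference loops
            sub = _block(named_text, r'acl\s+"?%s"?' % re.escape(item))
            n, s = expand_acl(named_text, sub, _depth + 1)
            names, nets = names | n, nets + s
    return names, nets

def recursion_allowed_for(named_text):
    # with no allow-recursion line BIND defaults to { localnets; localhost; }
    return expand_acl(named_text, _block(named_text, r"\ballow-recursion") or ["localnets", "localhost"])

def listen_addresses(named_text):
    bodies = re.findall(r"\blisten-on(?:\s+port\s+\d+)?\s*\{([^}]*)\}", named_text)
    return {x.strip() for b in bodies for x in b.split(";") if x.strip()}

def parse_routes(route_n):
    rows = (line.split() for line in route_n.splitlines()[2:])
    return [dict(dest=c[0], mask=c[2], flags=c[3], iface=c[7]) for c in rows if len(c) >= 8]

def default_route_iface(routes):
    return next((r["iface"] for r in routes if r["dest"] == "0.0.0.0" and "G" in r["flags"]), None)

def connected_iface(routes, address):
    # interface whose directly connected (no-gateway) route contains `address`
    ip = ipaddress.ip_address(address)
    for r in routes:
        if "G" not in r["flags"] and ip in ipaddress.ip_network(f'{r["dest"]}/{r["mask"]}', strict=False):
            return r["iface"]
    return None

def audit(rules=SHOREWALL_RULES, named=NAMED_OPTIONS, route_n=ROUTE_N,
          lan_net="172.16.0.0/16", lan_addr="172.16.0.1", lan_if="eth0", wan_if="eth1"):
    # returns the list of problems found; an empty list means the pieces fit
    lan, problems = ipaddress.ip_network(lan_net), []
    if not dns_ntp_captured(rules):
        problems.append("LAN DNS/NTP not fully redirected (need tcp+udp 53 and 123)")
    names, nets = recursion_allowed_for(named)
    if "any" in names:
        problems.append("open resolver: allow-recursion { any; }")
    elif not any(lan.subnet_of(n) for n in nets):
        problems.append(f"allow-recursion does not cover {lan_net}")
    if lan_addr not in listen_addresses(named):
        problems.append(f"named does not listen on {lan_addr}, where REDIRECT delivers LAN queries")
    routes = parse_routes(route_n)
    if default_route_iface(routes) != wan_if:
        problems.append(f"default route is not via {wan_if}")
    if connected_iface(routes, lan_addr) != lan_if:
        problems.append(f"no connected route covering {lan_addr} on {lan_if}")
    return problems
```

To run it against a real router, pass the contents of /etc/shorewall/rules and /etc/bind/named.conf.options and the output of "route -n" as the three arguments of audit(); the LAN parameters default to the 172.16 layout from the post. The open-resolver check matters because allow-query is { any; } in the posted options: the only thing keeping outsiders from using the box as a recursive resolver is the allow-recursion line and the fact that named does not listen on eth1.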