For many years I have used my desktop as a network/firewall server with two interfaces, one facing the internet (through ADSL) and the other the local network.
Now I have a fibre connection, and for a month both connections will be available in parallel. I have decided to use my Raspberry Pi 3 as the firewall/network server in future but have, after many hours, failed to do so successfully. First I tried a Shorewall setup similar to the one I have on my desktop and, after failing to get successful connections, I tried ufw, with no success.

First ufw:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24
Anywhere                   ALLOW OUT   192.168.0.0/24
53/udp                     ALLOW OUT   192.168.0.0/24
443/tcp                    ALLOW OUT   192.168.0.0/24

(I have added the last two lines, which I thought should not be necessary.)

I get this in the log:

Mar 9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

My Shorewall configuration:

zones:

#ZONE   TYPE      OPTIONS   IN          OUT
#                           OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4

interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
net     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

policy:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       $FW    ACCEPT
$FW       loc    ACCEPT
$FW       net    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

snat:

#ACTION       SOURCE           DEST   PROTO   PORT   IPSEC   MARK   USER   SWITCH   ORIGDEST   PROBABILITY
#
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
#
MASQUERADE    192.168.0.0/24   eth1

rules:

DNS(ACCEPT)     $FW   net
SSH(ACCEPT)     loc   $FW
SSH(ACCEPT)     $FW   loc
SSH(ACCEPT)     $FW   net
SSH(ACCEPT)     loc   net
HTTP(ACCEPT)    $FW   net
HTTPS(ACCEPT)   $FW   net
FTP(ACCEPT)     $FW   net
FTP(ACCEPT)     loc   $FW
SMTP(ACCEPT)    loc   $FW
SMTP(ACCEPT)    $FW   net:195.190.146.50
DNS(ACCEPT)     loc   $FW
Ping(DROP)      net   $FW
Ping(ACCEPT)    loc   $FW
ACCEPT          loc   net   icmp
ACCEPT          $FW   net   icmp
ACCEPT          $FW   loc   icmp

In sysctl.conf I have:

net.ipv4.ip_forward=1
net.ipv4.conf.all.log_martians = 1

$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
          inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)

eth1      Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
          inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)

$ ip route ls
default via 192.168.1.1 dev eth1
default via 192.168.1.1 dev eth1 metric 204
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.9
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.249
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.249 metric 204

I really do not know the way forward from here. Help will be appreciated.

Regards
Johann

--
Because experiencing your loyal love is better than life itself, my lips will praise you. (Psalm 63:3)
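An added example, not part of Johann's message and not code from the ufw or Shorewall projects: a small Python parser for the [UFW BLOCK] kernel log line quoted above. It reads the IN= and OUT= fields, which name the interfaces netfilter saw the packet on, and derives the chain that dropped it: both interfaces set means the packet was transiting the box (FORWARD chain), IN only means it was addressed to the box (INPUT), OUT only means it originated there (OUTPUT). The point for a router is that ufw's plain "ALLOW IN" / "ALLOW OUT" rules are INPUT/OUTPUT rules; forwarded traffic needs ufw's separate `ufw route allow` rule form (ufw 0.34 and later). The suggested command the script builds assumes the post's address plan (192.168.0.0/24 on eth0, uplink on eth1); the second sample line is constructed here for the INPUT case and is not from the post.

```python
"""Classify [UFW BLOCK] kernel log lines by netfilter chain.

Added example; not from the original post. FORWARD_SAMPLE is the line
quoted in the message; INPUT_SAMPLE is constructed here for contrast.
"""
import re
from dataclasses import dataclass, field

# Sample 1: the log line quoted in the post (forwarded LAN -> internet packet).
FORWARD_SAMPLE = (
    "Mar 9 12:14:15 pi3 kernel: [403782.469448] [UFW BLOCK] IN=eth0 OUT=eth1 "
    "MAC=b8:27:eb:63:94:ea:1c:5a:3e:e0:29:fe:08:00:45:00:00:3c:50:e8:40:00:3f:06:fb:f2 "
    "SRC=192.168.0.10 DST=207.36.95.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=20712 DF "
    "PROTO=TCP SPT=53337 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Sample 2: constructed, not from the post. A packet aimed at the Pi itself
# on the uplink side; note the empty OUT= field.
INPUT_SAMPLE = (
    "Mar 9 12:20:00 pi3 kernel: [403800.000000] [UFW BLOCK] IN=eth1 OUT= "
    "MAC=00:e0:4c:20:bf:5d:aa:bb:cc:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.249 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0"
)

UFW_RE = re.compile(r"\[UFW (BLOCK|ALLOW|AUDIT)\]\s*(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # bare flags like DF / SYN carry no '=' and are skipped


@dataclass
class UfwEvent:
    action: str                      # BLOCK, ALLOW or AUDIT
    chain: str                       # INPUT, OUTPUT, FORWARD or UNKNOWN
    fields: dict = field(default_factory=dict)


def parse_ufw_line(line: str) -> UfwEvent:
    """Parse one ufw kernel log line into action, chain and key=value fields."""
    m = UFW_RE.search(line)
    if not m:
        raise ValueError("not a ufw log line")
    action, rest = m.group(1), m.group(2)
    fields = dict(FIELD_RE.findall(rest))
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        chain = "FORWARD"      # packet transited the box: needs a ufw *route* rule
    elif has_in:
        chain = "INPUT"        # packet addressed to the box itself
    elif has_out:
        chain = "OUTPUT"       # packet generated by the box itself
    else:
        chain = "UNKNOWN"
    return UfwEvent(action, chain, fields)


def suggest_rule(ev: UfwEvent, lan_cidr: str = "192.168.0.0/24") -> str:
    """Build the ufw command that would have matched this packet.

    lan_cidr is an assumption taken from the post (the LAN behind eth0);
    only FORWARD drops get a concrete 'ufw route' suggestion, because
    opening INPUT ports is a policy decision, not a routing fix.
    """
    f = ev.fields
    proto = f.get("PROTO", "any").lower()
    port = f.get("DPT", "any")
    if ev.chain == "FORWARD":
        return (f"ufw route allow in on {f['IN']} out on {f['OUT']} "
                f"proto {proto} from {lan_cidr} to any port {port}")
    return (f"{ev.chain} chain: packet was to/from the host itself, so plain "
            f"'ufw allow in'/'ufw allow out' rules apply, not 'ufw route'")


if __name__ == "__main__":
    for sample in (FORWARD_SAMPLE, INPUT_SAMPLE):
        ev = parse_ufw_line(sample)
        print(f"{ev.action} on {ev.chain}: {ev.fields['SRC']} -> "
              f"{ev.fields['DST']}:{ev.fields.get('DPT', '?')}/{ev.fields.get('PROTO', '?')}")
        print("  ", suggest_rule(ev))
```

The route rule alone does not make the Pi a NAT router under ufw: with the standard ufw layout the MASQUERADE entry (the equivalent of the Shorewall snat line above) goes in a `*nat` table section of /etc/ufw/before.rules, and the forwarding default is DEFAULT_FORWARD_POLICY in /etc/default/ufw. Neither of those is visible in the posted output, so the script does not try to generate them.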