On 3/9/2018 3:30 PM, Johann Spies wrote:
> For many years I have used my desktop as a network/firewall server with
> two interfaces, one facing the internet (through ADSL) and the other the
> local network.
> Now I have a fibre connection and for a month both connections will be
> available in parallel.
> I have decided to use my Raspberry Pi3 as the firewall/network server in
> future but have after many hours failed to do so successfully.
> First I tried a Shorewall setup similar to the one I have on my desktop
> and after failing to get successful connections I tried ufw with no success.
> My Shorewall configuration:
>
> Zones
>
> #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
>
> Interfaces
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
> net     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians
>
> Policy
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       $FW    ACCEPT
> $FW       loc    ACCEPT
> $FW       net    ACCEPT
> loc       net    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
>
> snat
>
> #ACTION   SOURCE   DEST   PROTO   PORT   IPSEC   MARK   USER   SWITCH   ORIGDEST   PROBABILITY
> #
> # Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.2 - Fri Feb 24 08:52:03 SAST 2017
> #
> MASQUERADE   192.168.0.0/24   eth1
>
> Rules
>
> DNS(ACCEPT)     $FW   net
> SSH(ACCEPT)     loc   $FW
> SSH(ACCEPT)     $FW   loc
> SSH(ACCEPT)     $FW   net
> SSH(ACCEPT)     loc   net
> HTTP(ACCEPT)    $FW   net
> HTTPS(ACCEPT)   $FW   net
> FTP(ACCEPT)     $FW   net
> FTP(ACCEPT)     loc   $FW
> SMTP(ACCEPT)    loc   $FW
> SMTP(ACCEPT)    $FW   net:195.190.146.50
> DNS(ACCEPT)     loc   $FW
> Ping(DROP)      net   $FW
> Ping(ACCEPT)    loc   $FW
> ACCEPT          loc   net   icmp
> ACCEPT          $FW   net   icmp
> ACCEPT          $FW   loc   icmp
Given your policies, your rules file is almost not needed.
> In sysctl.conf I have
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.log_martians = 1
Shorewall takes care of this.
You need to set 'IP_FORWARDING=Yes' in /etc/shorewall/shorewall.conf, and
logmartians is properly set in /etc/shorewall/interfaces.
If you're willing to play with a multiple-ISP configuration you should look
on shorewall.org and at the corresponding examples provided with
Shorewall.
> $ sudo ifconfig
> eth0      Link encap:Ethernet  HWaddr b8:27:eb:63:94:ea
>           inet addr:192.168.0.9  Bcast:192.168.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::dbe4:63c:a02b:cb1e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11223527 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4414187 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3648814410 (3.3 GiB)  TX bytes:381642127 (363.9 MiB)
>
> eth1      Link encap:Ethernet  HWaddr 00:e0:4c:20:bf:5d
>           inet addr:192.168.1.249  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::9d48:f754:2113:9a80/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:103887 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:91137 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:124760139 (118.9 MiB)  TX bytes:13325394 (12.7 MiB)
>
> $ ip route ls
> default via 192.168.1.1 dev eth1
> default via 192.168.1.1 dev eth1 metric 204
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.9
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.249
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.249 metric 204
>
> I really do not know the way forward from here. Help will be
> appreciated.
If your interfaces are not configured by DHCP in your Shorewall config,
you should use SNAT() and not MASQUERADE in /etc/shorewall/snat.
Do you want to buy some new hardware, or can you elaborate on what you
would like to have?
--
John Doe
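As an added illustration of the remark above that, given those policies, the rules file is almost not needed: the script below is not from the thread and is not part of Shorewall. It takes the policy and rules tables posted in the message and, for each rule, looks up what the policy alone would do for the same zone pair. It assumes a simplified model of Shorewall's evaluation (rules are matched first; otherwise the first policy entry whose SOURCE and DEST match applies, with `all` as a wildcard and `$FW` standing for the firewall zone); Shorewall's implicit intra-zone ACCEPT is not modelled, and a host-qualified destination such as `net:195.190.146.50` is reduced to its zone. The function and table names (`audit`, `policy_for`, `POLICY_TEXT`, `RULES_TEXT`) are mine.

```python
"""Find Shorewall rules that the policy table already implies.

Added example, not part of the original thread or of Shorewall.  The two
tables are the ones posted in the message; the matching model is a
simplification (rules first, then first matching policy entry, `all` is a
wildcard, intra-zone implicit ACCEPT not modelled).
"""
from __future__ import annotations

from typing import NamedTuple, Optional

# /etc/shorewall/policy as posted (SOURCE DEST POLICY [LOG LEVEL]).
POLICY_TEXT = """\
loc $FW ACCEPT
$FW loc ACCEPT
$FW net ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
"""

# /etc/shorewall/rules as posted (ACTION SOURCE DEST [PROTO]).
RULES_TEXT = """\
DNS(ACCEPT) $FW net
SSH(ACCEPT) loc $FW
SSH(ACCEPT) $FW loc
SSH(ACCEPT) $FW net
SSH(ACCEPT) loc net
HTTP(ACCEPT) $FW net
HTTPS(ACCEPT) $FW net
FTP(ACCEPT) $FW net
FTP(ACCEPT) loc $FW
SMTP(ACCEPT) loc $FW
SMTP(ACCEPT) $FW net:195.190.146.50
DNS(ACCEPT) loc $FW
Ping(DROP) net $FW
Ping(ACCEPT) loc $FW
ACCEPT loc net icmp
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
"""


class Policy(NamedTuple):
    source: str
    dest: str
    action: str
    log_level: Optional[str]   # e.g. "info"; None when the policy does not log


class Rule(NamedTuple):
    text: str
    action: str
    source: str
    dest: str


def _fields(text: str):
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield line, fields


def parse_policy(text: str) -> list[Policy]:
    out = []
    for _, f in _fields(text):
        out.append(Policy(f[0], f[1], f[2], f[3] if len(f) > 3 else None))
    return out


def zone(spec: str) -> str:
    """'net:195.190.146.50' -> 'net'; '$FW' is left as-is."""
    return spec.split(":", 1)[0]


def parse_rules(text: str) -> list[Rule]:
    out = []
    for line, f in _fields(text):
        tok = f[0]
        # A macro invocation like SSH(ACCEPT) carries its action in parentheses.
        action = tok[tok.index("(") + 1:-1] if "(" in tok else tok
        out.append(Rule(line, action, zone(f[1]), zone(f[2])))
    return out


def policy_for(src: str, dst: str, policies: list[Policy]) -> Policy:
    """First policy entry whose SOURCE/DEST match the zone pair."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    raise LookupError(f"no policy covers {src} -> {dst}")


def classify(rule: Rule, policies: list[Policy]) -> str:
    p = policy_for(rule.source, rule.dest, policies)
    if p.action != rule.action:
        return "needed"          # rule changes the verdict
    if p.log_level is not None:
        return "logging-only"    # same verdict, but the policy logs and the rule does not
    return "redundant"


def audit(policy_text: str = POLICY_TEXT, rules_text: str = RULES_TEXT) -> dict[str, list[str]]:
    policies = parse_policy(policy_text)
    result: dict[str, list[str]] = {"needed": [], "logging-only": [], "redundant": []}
    for r in parse_rules(rules_text):
        result[classify(r, policies)].append(r.text)
    return result


if __name__ == "__main__":
    for kind, lines in audit().items():
        print(f"{kind}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

Run against the posted tables, `audit()` puts sixteen of the seventeen rules in `redundant` and `Ping(DROP) net $FW` in `logging-only`: the `net all DROP info` policy already drops it but would log each attempt, so that rule only silences the log entries, which is the sense in which the rules file is "almost" unneeded.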