I see I have broken the thread by adding [SOLVED] to the subject. Just to keep it in this thread:
I have tried a third option: arno-iptables-firewall. Now I can reach the
internet from the local network. I still don't understand why I could not
get it working with Shorewall, which I have used for many years.

Johann

On 10 March 2018 at 11:04, Johann Spies <johann.sp...@gmail.com> wrote:
> Thanks Bob.
>
> Regards
> Johann
>
> On 9 March 2018 at 23:50, Bob Weber <bobrwe...@gmail.com> wrote:
>> On 3/9/18 2:52 PM, Johann Spies wrote:
>>
>> On 9 March 2018 at 17:31, Bob Weber <bobrwe...@gmail.com> wrote:
>>
>> There are other things that you can do once you get the basics working. I
>> have a caching DNS (with dnscrypt to opendns to keep dns queries from being
>> forged) and ntp server on my router and I use the shorewall redirect command
>> to force all internal machines to use these servers instead of going outside
>> to the internet for each inside machine.
>>
>> Bob, can you share your dns setup please. My bind9 now gives me problems:
>> e.g. named[25623]: error (network unreachable) resolving
>> 'activity-stream-icons.services.mozilla.com...'
>> but I can ping the outside world.
>>
>> Regards
>> Johann
>>
>> Answers from previous messages also.
>>
>> The eth0 port needs to be static. If it wasn't and dhcp changed the address
>> then all the local net machines couldn't connect to it to use it as a router
>> since they need to know its exact address. My interfaces file is as
>> follows:
>>
>> # This file describes the network interfaces available on your system
>> # and how to activate them. For more information, see interfaces(5).
>>
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> auto eth0
>> iface eth0 inet static
>>     address 172.16.0.1
>>     netmask 255.255.0.0
>>     network 172.16.0.0
>>     broadcast 172.16.255.255
>>     dns-nameservers 127.0.0.1
>>     dns-search weberhome.net
>>
>> # auto eth1 -- don't need auto since using netplug
>> iface eth1 inet dhcp
>>
>> ----------------
>> My internal net is 172.16.0.0/16 and is from the days I worked as net admin
>> for a local school so you will have to change these to 192.168.... if you
>> use them (or keep the 172 net for your system). Notice eth1 is DHCP since
>> it has to connect to the ISP via the ISP's routers and addresses. I have a
>> pi3 that I have played with. At one point I had a second ethernet port
>> attached through a usb adapter and I don't remember it being slow or the
>> main port being slow. I even installed KDE and played with a 7" touch
>> display. The only reservation I have about the pi is the flash drive. I
>> just don't trust them... especially for something that just needs to work
>> all the time (that is why I use raid).
>>
>> I'll first post the pertinent lines in my shorewall files (bingo is my
>> firewall machine .. a small form factor intel atom board running debian
>> testing with 2 sata drives in raid1 configuration):
>>
>> ---- interfaces
>> ###############################################################################
>> ?FORMAT 2
>> ###############################################################################
>> #ZONE   INTERFACE   OPTIONS
>> Ex      eth1        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>>
>> Loc     eth0        dhcp,tcpflags,nosmurfs,routefilter,logmartians
>>
>> ---- zones
>> ###############################################################################
>> #ZONE   TYPE       OPTIONS   IN        OUT
>> #                            OPTIONS   OPTIONS
>> Bingo   firewall   # Bingo
>> Loc     ipv4       # Local 172 network
>> Ex      ipv4       # The Internet
>>
>>
>> ---- policy
>> ###############################################################################
>> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>> Bingo     Loc    ACCEPT
>> Bingo     Ex     ACCEPT
>> Loc       Ex     ACCEPT
>> Ex        all    DROP     info
>>
>> # THE FOLLOWING POLICY MUST BE LAST
>> all       all    REJECT   info
>>
>>
>> --- rules
>> ############################################################################################################################
>> #ACTION        SOURCE              DEST    PROTO     DEST     SOURCE    ORIGINAL   RATE    USER/   MARK
>> #                                                    PORT     PORT(S)   DEST       LIMIT   GROUP
>> #
>> #SECTION ESTABLISHED
>> #
>> #SECTION RELATED
>> #
>> #
>> ?SECTION NEW
>> Ping/ACCEPT    Loc                 all
>> #
>> allowBcast     Loc                 Bingo   all
>> HTTP/ACCEPT    Loc:172.16.0.0/16   Bingo
>> ACCEPT         Loc:172.16.0.0/16   Bingo   tcp       3128
>> POP3/ACCEPT    Loc:172.16.0.0/16   Bingo
>> SMTP/ACCEPT    Loc:172.16.0.0/16   Bingo
>> DNS/ACCEPT     Loc:172.16.0.0/16   Bingo
>> Rdate/ACCEPT   Loc:172.16.0.0/16   Bingo
>> Auth/ACCEPT    Loc:172.16.0.0/16   Bingo
>> SSH/ACCEPT     Loc:172.16.0.0/16   Bingo
>> FTP/ACCEPT     Loc:172.16.0.0/16   Bingo
>> FTP/ACCEPT     Loc:172.16.0.0/16   Ex
>> NTP/ACCEPT     Loc:172.16.0.1/16   Bingo
>>
>> REDIRECT       Loc                 53      tcp,udp   53       -
>>
>> REDIRECT       Loc                 123     tcp,udp   123      -
>>
>>
>> ----------------------
>> note that the redirect commands above allow me to capture all dns and ntp
>> calls and answer them from my firewall no matter what server the local
>> machine (in loc zone) asks for.
>>
>>
>> ---- snat
>> ###################################################################################################################
>> #ACTION      SOURCE          DEST   PROTO   PORT   IPSEC   MARK   USER   SWITCH   ORIGDEST   PROBABILITY
>> #
>> # Rules generated from masq file /etc/shorewall/masq by Shorewall 5.0.15.6 - Fri May 5 14:33:33 EDT 2017
>> #
>> MASQUERADE   172.16.0.1/16   eth1
>>
>> ----------------------------------
>> I wouldn't worry about the iptables -L output except to see that shorewall
>> is working.
>>
>> As far as bind goes the config is split up into several files most of which
>> don't need changing. I have commented out the lines that connect to opendns
>> via dnscrypt since I suppose you won't need that. dnscrypt makes a secure
>> (like https) connection to opendns (or others as configured) so that dns
>> queries can't be spoofed and uses the local (to the firewall machine)
>> address 127.0.2.1 which bind can connect to.
>>
>> ---- named.conf.options
>>
>> acl "trusted" {
>>     172.16.0.0/16;
>>     192.168.0.0/16;
>>     localhost;
>> };
>>
>>
>> options {
>>     directory "/var/cache/bind";
>>
>>     // If there is a firewall between you and nameservers you want
>>     // to talk to, you may need to fix the firewall to allow multiple
>>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>>
>>     // If your ISP provided one or more IP addresses for stable
>>     // nameservers, you probably want to use them as forwarders.
>>     // Uncomment the following block, and insert the addresses replacing
>>     // the all-0's placeholder.
>>
>>     forwarders {
>>         // opendns
>>         208.67.222.222;
>>         208.67.220.220;
>>         // 127.0.2.1;
>>     };
>>     forward only;
>>
>>
>>     recursion yes;
>>
>>     allow-query { any; };
>>     allow-recursion { trusted; };
>>     allow-query-cache { trusted; };
>>
>>     auth-nxdomain no;    # conform to RFC1035
>>
>>     listen-on { 127.0.0.1; };
>>     listen-on { 172.16.0.1; };
>> };
>>
>> The next file is where I set up for my local machines to have a domain
>> called weberhome.net and my bind will serve as master for that domain.
>>
>> ---- named.conf.local
>> //
>> // Do any local configuration here
>> //
>>
>> // Consider adding the 1918 zones here, if they are not used in your
>> // organization
>> //include "/etc/bind/zones.rfc1918";
>>
>> # You can insert further zone records for your own domains below.
>>
>>
>> zone "weberhome.net" in {
>>     type master;
>>     file "/etc/bind/db.weberhome.net";
>>     notify no;
>> };
>>
>> zone "0.16.172.IN-ADDR.ARPA" in {
>>     type master;
>>     notify no;
>>     file "/etc/bind/db.172.16.0";
>> };
>>
>> ---------------------
>> The file /etc/bind/db.weberhome.net has lines like:
>>
>> $TTL 1W
>> @   IN  SOA bingo.weberhome.net. postmaster.bingo.weberhome.net. (
>>             2006112600
>>             10800
>>             3600
>>             3600000
>>             86400 )
>> ;
>> bingo   IN  A   172.16.0.1
>> bob     IN  A   172.16.0.3
>>
>> So that access to the firewall machine can be just the name bingo (like ping
>> bingo).
>>
>> The file /etc/bind/db.172.16.0 looks like this:
>>
>> $TTL 1W
>> @   IN  SOA bingo.weberhome.net. postmaster.bingo.weberhome.net. (
>>             2006112600
>>             10800
>>             3600
>>             3600000
>>             86400 )
>> ;
>> 1   PTR bingo.weberhome.net.
>> 3   PTR bob.weberhome.net.
>>
>> Which allows for reverse dns (the command "host 172.16.0.1" gives back
>> bingo.weberhome.net).
>>
>> Now for the local dhcp server. The file /etc/dhcp/dhcpd.conf looks like
>> this:
>>
>> #
>> # Sample configuration file for ISC dhcpd for Debian
>> #
>> #
>>
>> # The ddns-updates-style parameter controls whether or not the server will
>> # attempt to do a DNS update when a lease is confirmed. We default to the
>> # behavior of the version 2 packages ('none', since DHCP v2 didn't
>> # have support for DDNS.)
>> ddns-update-style none;
>>
>> # option definitions common to all supported networks...
>> #option domain-name "example.org";
>> #option domain-name-servers ns1.example.org, ns2.example.org;
>>
>> option routers 172.16.0.1;
>> option subnet-mask 255.255.0.0;
>>
>> option domain-name "weberhome.net";
>> option domain-name-servers 172.16.0.1;
>> option domain-search "weberhome.net";
>>
>> option time-offset -5;    # Eastern Standard Time
>>
>>
>>
>> default-lease-time 600;
>> max-lease-time 7200;
>>
>> # If this DHCP server is the official DHCP server for the local
>> # network, the authoritative directive should be uncommented.
>> authoritative;
>>
>> # Fixed IP addresses can also be specified for hosts.
>>
>> host bob {
>>     hardware ethernet 48:5b:39:29:c3:ae;
>>     fixed-address 172.16.0.3;
>> }
>>
>> ---------------
>> So that is the setup for firewall, dns and dhcpd. I also use openntpd for
>> the time server on the firewall machine. As for bind, if you don't want a
>> local domain then you should only need to change the named.conf.options
>> file.
>>
>> Remember ping is your friend. You need to be able to ping to the outside
>> and inside from the firewall machine. So "ping 208.67.222.222" has to work
>> if you have any chance of getting bind to work.
>>
>> One last thing... the output of my "route -n" command:
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 0.0.0.0         24.153.63.1     0.0.0.0         UG    0      0        0 eth1
>> 24.153.63.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
>>
>> So the first two entries are set up by the ISP (on eth1) and the third
>> should be set up by the firewall's networking ifup configuration run at boot
>> using the static entry in the interfaces file.
>>
>> WOW that's a lot to go through. I hope I haven't forgotten anything.
>>
>> ...Bob
>
>
>
> --
> Because experiencing your loyal love is better than life itself,
> my lips will praise you. (Psalm 63:3)

--
Because experiencing your loyal love is better than life itself,
my lips will praise you. (Psalm 63:3)
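An added example, not part of the thread and not Shorewall's own code, that shows why the order of the policy file Bob posted matters. Shorewall searches the policy file top-down and applies the first entry whose SOURCE and DEST match the zone pair, with `all` acting as a wildcard; the script below parses a policy file in that format, answers "what happens to traffic from zone X to zone Y", lists what the external zone can reach, and flags entries that are unreachable because an earlier wildcard line shadows them. The sample policy is a constructed copy of the one in the thread; the simplified matcher handles only literal zone names and `all` (not `$FW`, zone lists or `all+`), which is an assumption of this example.

```python
"""Checker for a Shorewall-style 'policy' file (added example, not Shorewall
code).  Models the first-match, top-down search with 'all' as a wildcard;
real Shorewall also accepts $FW, comma-separated zone lists and 'all+',
which this simplified version does not handle."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the policy file from the thread.  Zones are Bingo
# (the firewall itself), Loc (internal 172.16/16) and Ex (the Internet).
SAMPLE_POLICY = """\
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
Bingo     Loc    ACCEPT
Bingo     Ex     ACCEPT
Loc       Ex     ACCEPT
Ex        all    DROP     info

# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
"""

# Constructed counter-example: same lines, but the catch-all was moved up,
# so the Loc -> Ex ACCEPT after it can never be reached.
BAD_POLICY = """\
Bingo     Loc    ACCEPT
all       all    REJECT   info
Loc       Ex     ACCEPT
"""


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str
    log_level: Optional[str] = None


def parse_policy(text: str) -> List[Policy]:
    """Whitespace-separated columns; '#' comments, blanks and '?' directives skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append(Policy(cols[0], cols[1], cols[2].upper(),
                              cols[3] if len(cols) > 3 else None))
    return entries


def _matches(pattern: str, zone: str) -> bool:
    """A column matches a zone if it names that zone or is the 'all' wildcard."""
    return pattern == "all" or pattern == zone


def effective_policy(entries: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First matching entry wins; None means no catch-all covers the pair."""
    for p in entries:
        if _matches(p.source, src) and _matches(p.dest, dst):
            return p
    return None


def exposure(entries: List[Policy], src: str, zones: List[str]) -> dict:
    """Effective action from `src` to every zone: the quick 'what can the
    Internet reach' review of a policy file."""
    result = {}
    for z in zones:
        p = effective_policy(entries, src, z)
        result[z] = p.action if p else "UNCOVERED"
    return result


def catch_all_is_last(entries: List[Policy]) -> bool:
    """The 'all all' entry must be the final line, as the thread's comment says."""
    idx = [i for i, p in enumerate(entries) if p.source == "all" and p.dest == "all"]
    return len(idx) == 1 and idx[0] == len(entries) - 1


def shadowed(entries: List[Policy]) -> List[Policy]:
    """Entries that an earlier, broader entry already covers completely;
    such lines are dead and usually indicate an ordering mistake."""
    dead = []
    for i, p in enumerate(entries):
        if any(_matches(q.source, p.source) and _matches(q.dest, p.dest)
               for q in entries[:i]):
            dead.append(p)
    return dead


if __name__ == "__main__":
    zones = ["Bingo", "Loc", "Ex"]
    pol = parse_policy(SAMPLE_POLICY)
    for z in zones:
        print(f"from {z}: {exposure(pol, z, zones)}")
    print("catch-all last:", catch_all_is_last(pol), "shadowed:", shadowed(pol))
    bad = parse_policy(BAD_POLICY)
    print("bad file shadowed:", shadowed(bad), "catch-all last:", catch_all_is_last(bad))
```

Running it on the thread's policy shows that Loc to Bingo falls through to the final REJECT, which is exactly why the rules file carries explicit DNS/ACCEPT, SSH/ACCEPT and similar lines from Loc to Bingo: the policy file alone would refuse those connections. On the constructed bad file the Loc to Ex ACCEPT is reported as shadowed by the misplaced catch-all.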