Setup Shorewall to function as a router on Debian


Post by BlueIce » Sun Jan 10, 2010 11:50 am

This is a how-to for setting up Shorewall 4.4 on Debian Squeeze to function as a router (DHCP, DNS, firewall).

This guide assumes you have some basic knowledge of Linux (the shell) and networking. In particular, it is recommended that you have basic knowledge of the following:

* networking
* DHCP – what is it used for
* DNS – what is it used for
* firewalls – what they are used for

If something is unclear in regard to protocols or other tech thingies, I recommend using Google / Wikipedia, though you should know this already; if not.. go back to school.

Setting up Debian

Make sure you have a box set up with Debian. Debian runs fine from a USB stick, so if you want it quiet, do that. A minimal Debian install is sufficient. Though it usually isn't recommended, during installation and configuration I tend to do everything as root so I don't get annoyed with permission problems. Furthermore, two Ethernet cards are required for a basic setup. I recommend installing at least openssh-server and telnet so we can do some troubleshooting and manage the box remotely.

~# apt-get install openssh-server telnet

The idea for the network setup is quite simple: most DSL/broadband providers give you a modem/router that hands out an address by DHCP, so this setup suits most situations, though not all. Make sure you know the difference between eth0 and eth1. If you were able to install the packages above, your internet connection is most likely working; to confirm, let's ping Google twice.

~# ping google.com -c2
PING google.com (x.x.x.x) 56(84) bytes of data.
64 bytes from google.com (x.x.x.x): icmp_seq=1 ttl=54 time=17.7 ms
64 bytes from google.com (x.x.x.x): icmp_seq=2 ttl=54 time=50.4 ms

If you get a timeout, try pinging some other site or an IP address, and go on once your connection is working.

Setting up your IP ranges

Computers are reached via routes, which define which gateway and interface to use for which IP range. To find out which NIC is your WAN interface, type the following and see which NIC your 'default' route uses.

~# ip route ls
24.123.123.0/24 dev eth0 proto kernel scope link src 24.123.123.123
default via 24.123.123.1 dev eth0

If you have a 10.x.x.x (/8), 192.168.x.x (/16) or 172.16.x.x-172.31.x.x address on the WAN side, make sure you use a different range for your internal network. More about these private addresses can be found on Wikipedia.

We assume that eth0 is your WAN interface (the card your internet connection is on). Now find out which other card you have, using for example mii-tool, lspci or ifconfig -a. We assume it's eth1. Now set up an internal IP address for it. We can do this in the /etc/network/interfaces file; edit it using your favorite editor (nano, pico, vi, mc).

~# vi /etc/network/interfaces

You will probably find lines like these there:

allow-hotplug eth0
iface eth0 inet dhcp

Append the following lines for your internal network. I like to use 10.0.0.0 since it's quick to type. Note: if eth0 already has such an address, go with 192.168.x.x instead.

auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    broadcast 10.0.0.255

Time to restart your network interfaces and see if they come up:

~# /etc/init.d/networking restart

The following should now also list your newly defined interface:

~# ip route ls

Congratulations, we have now set up a basic network.

Setting up Shorewall

Let's install Shorewall; some dependencies will be installed as well.

~# apt-get install shorewall

Your default configuration directory is /etc/shorewall, but on Debian it's empty by default, so let's copy over some basics.

~# cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall

By default Shorewall is switched off; let's switch it on:

~# vi /etc/default/shorewall

and change startup=0 to startup=1.

/etc/shorewall/ contains the following files

* interfaces – maps interfaces to zones
* masq – used for masquerading (SNAT)
* policy – global policies for allowing or blocking traffic
* routestopped – keeps the box reachable via the listed interfaces when Shorewall is stopped
* rules – specific rules for your firewall
* shorewall.conf – global configuration
* zones – zone definitions

At this point you should take a look at the files and see what each does.

In the zones file you will find definitions for the zones.

fw – the firewall itself
net – the internet
loc – your local (safe) network

These definitions are used throughout the Shorewall configs, so familiarize yourself with them.

Now let's edit the interfaces file; this defines which interface belongs to which zone.

Set your interfaces correctly and add the ‘dhcp’ option for the local zone.

#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect       dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc      eth1         detect       dhcp,tcpflags,nosmurfs,routefilter,logmartians

Let's change some options in the shorewall.conf file.

STARTUP_ENABLED=No

to

STARTUP_ENABLED=Yes

Let's set up masquerading: if we request Google from inside the network, we want Google to reply to our WAN address and not to 10.0.0.x.

Edit the masq file and make sure the interface column is set to your WAN interface (eth0):

#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
eth0            10.0.0.0/8,\
                169.254.0.0/16,\
                172.16.0.0/12,\
                192.168.0.0/16

DHCP and DNS

We also want to use DHCP and DNS for the computers in the local network. Therefore we can either add a policy to allow communication from the local network to the firewall and vice versa, or just open up specific ports.

Option 1: policy

Allow communications from the local network to the firewall and back

~# vi /etc/shorewall/policy
#SOURCE    DEST       POLICY      LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
net        all        DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT      info

and insert the following above the last line:

loc        $FW        ACCEPT
$FW        loc        ACCEPT

If you want the ability to connect to the internet from your firewall (to download stuff to your new router, for example), also add the following:

$FW        net        ACCEPT

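Shorewall matches policies top-down and the first matching entry wins, which is why the file's own comment insists the catch-all "all all REJECT" line stays last: anything inserted below it is never reached, and the loc/$FW policies above would then silently do nothing. The following check is added here as an example; it is not part of the original post or of Shorewall itself (Shorewall's `shorewall check` validates syntax, not this ordering). It reads a policy file and reports entries shadowed by the catch-all. Both policy files below are constructed samples, one laid out as the post recommends and one with the loc/$FW lines appended in the wrong place.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Shorewall policy file for
# entries that sit below the catch-all "all all" policy and are never reached.

# Constructed sample laid out as the post recommends (catch-all last).
GOOD_POLICY='#SOURCE    DEST       POLICY      LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
net        all        DROP        info
loc        $FW        ACCEPT
$FW        loc        ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT      info'

# Constructed mistake: the loc<->fw policies were appended after the catch-all.
BAD_POLICY='#SOURCE    DEST       POLICY      LOG LEVEL    LIMIT:BURST
loc        net        ACCEPT
net        all        DROP        info
all        all        REJECT      info
loc        $FW        ACCEPT
$FW        loc        ACCEPT'

# Read a policy file on stdin and print every non-comment entry that follows
# the first "all all" line. Exit status is 1 when any such entry exists.
shadowed_policies() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        catchall { print; found = 1; next }   # anything after the catch-all is dead
        $1 == "all" && $2 == "all" { catchall = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Read a policy file on stdin and succeed when an active (unshadowed) policy
# SOURCE DEST ACTION is present. Usage: has_policy loc '$FW' ACCEPT
has_policy() {
    awk -v s="$1" -v d="$2" -v a="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        catchall { next }                      # ignore entries below the catch-all
        $1 == s && $2 == d && $3 == a { ok = 1 }
        $1 == "all" && $2 == "all" { catchall = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Demonstration on the constructed samples.
printf '%s\n' "$GOOD_POLICY" | shadowed_policies && echo "sample 1: no shadowed policies"
printf '%s\n' "$BAD_POLICY" | shadowed_policies || echo "sample 2: the entries above are shadowed; move them above the all/all line"
```

On the router itself, run `shadowed_policies < /etc/shorewall/policy` after editing; an empty result with exit status 0 means the catch-all is still last.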
Option 2: rules

Edit the rules file and append some extra rules after the following:

Ping(ACCEPT)    loc        $FW

Append:

DNS(ACCEPT)        loc                     $FW
DNS(ACCEPT)       $FW                     loc

DHCP should already be allowed since we added that option to the interfaces file.

Installing DHCP and DNS

There are several programs that provide these features, but dnsmasq is easy to use and configure.

Code: Select all

~# apt-get install dnsmasq
Now we need to set up dnsmasq to function as a DHCP server and to serve DNS requests.

If we just wanted it to function as a nameserver, we would be done configuring: dnsmasq does this by default.

To make life easy, though, let's set up a DHCP server.

~# vi /etc/dnsmasq.conf

Around line 85 you will find

#interface=

Uncomment it and change it to your local interface:

interface=eth1

Near line 140 you will find

#dhcp-range=192.168.0.50,192.168.0.150,12h

Uncomment it and change it to a range inside the local network:

dhcp-range=10.0.0.2,10.0.0.100,12h

Now that you have configured everything, let's start up the DHCP server and the firewall:

~# /etc/init.d/dnsmasq start
~# shorewall restart

And that's it: you've now set up a Debian box running Shorewall and functioning as a router.

Now think of the nifty tools you can install, like imspector or some user/password sniffing.. as far as it's legal and for educational purposes, of course. Nor do I take any responsibility for anything.

Troubleshooting

If things don't work, try pinging the internet from the router or issue a shorewall stop command.

Try pinging an IP address instead of a hostname.

Do your clients get an IP address?

Make sure you don't mix up your local and internet interfaces.

References

When I set up Shorewall for the first time I had great help from the links below. See for yourself.

http://wiki.debian.org/HowTo/dnsmasq
http://www.shorewall.net/two-interface.htm

Original Posting at my blog: http://www.owit.nl/2010/01/debian-shore ... ter-howto/
