Some notes on configuring Shorewall on a debian Sarge
=====================================================

Version: 1.1 / 2005-01-09

Setting:

- a debian Sarge machine, with two network interfaces, eth0 and eth1;
- eth0 is connected to the external network (ISP, Internet Service Provider), using DHCP;
- eth1 is connected to the local network and gives IP addresses and DNS through DHCP (i.e. is a DHCP server);
- by default, all network traffic coming from the internal network is allowed to go outside;
- by default, all network traffic coming from the external network is filtered;
- shorewall version is 2.0.x.

Good link: read the excellent tutorial at: http://shorewall.net/two-interface.htm

Configuring the DHCP server
---------------------------

  # apt-get install dnsmasq
  # vi /etc/dnsmasq.conf

uncomment the line starting with:

  dhcp-range=192.168.0.50,192.168.0.150,12h

Configuring Shorewall
---------------------

  # apt-get install shorewall shorewall-doc
  # vi /etc/default/shorewall

enable "shorewall=1"

  # cp /usr/share/doc/shorewall/default-config/modules /etc/shorewall/
  # vi /etc/shorewall/shorewall.conf

set "IP_FORWARDING=On"

get from http://france.shorewall.net/pub/shorewall/Samples/ the two-interfaces.tgz corresponding to your version of shorewall (in my case, http://france.shorewall.net/pub/shorewall/Samples/samples-2.0.1/two-interfaces.tgz)

  # tar xvf two-interfaces.tgz
  # cp two-interfaces/* /etc/shorewall/
  # vi /etc/shorewall/interfaces

on the line:

  net eth0 detect dhcp,routefilter,norfc1918,tcpflags

you can delete norfc1918 if your IP provider gives you IP addresses in the 192.168.* or 10.* ranges (with norfc1918 set, Shorewall drops packets from those private ranges arriving on eth0, which would cut you off from such a provider).

modify line:

  loc eth1 detect tcpflags

into:

  loc eth1 detect tcpflags,dhcp

to allow the DHCP server (dnsmasq) to do its job.

  # vi /etc/shorewall/rules

Add at the end of the file, before the last comment:

  AllowDNS loc fw
  ACCEPT fw net tcp 80

The "AllowDNS" line allows the Shorewall machine to accept DNS requests from the internal network and relay them to the external one.
The "ACCEPT" line allows the Shorewall machine to make HTTP requests (useful to use apt ;).

Diff of modifications on Sample config files
--------------------------------------------

diff -ru /tmp/two-interfaces/interfaces /etc/shorewall/interfaces
--- /tmp/two-interfaces/interfaces 2004-03-29 04:48:13.000000000 +0200
+++ /etc/shorewall/interfaces 2005-01-05 21:29:12.000000000 +0100
@@ -167,6 +167,7 @@
 #
 ##############################################################################
 #ZONE INTERFACE BROADCAST OPTIONS
-net eth0 detect dhcp,routefilter,norfc1918,tcpflags
-loc eth1 detect tcpflags
+#net eth0 detect dhcp,routefilter,tcpflags,norfc1918
+net eth0 detect dhcp,routefilter,tcpflags
+loc eth1 detect tcpflags,dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff -ru /tmp/two-interfaces/rules /etc/shorewall/rules
--- /tmp/two-interfaces/rules 2004-03-14 19:16:35.000000000 +0100
+++ /etc/shorewall/rules 2005-01-05 21:51:49.000000000 +0100
@@ -308,4 +308,12 @@
 ACCEPT fw loc icmp
 ACCEPT fw net icmp
 #
+# Allow DNS request from local network to firewall
+#
+AllowDNS loc fw
+#
+# Allow HTTP resquests from firewall to external network
+#
+ACCEPT fw net tcp 80
+#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

TODO
----

- add rules to filter internal network;
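Review bot: in the interfaces hunk, the added commented-out line `#net eth0 detect dhcp,routefilter,tcpflags,norfc1918` is dead configuration that does not even match the sample line it replaces (the option order differs), and nothing records why norfc1918 was dropped. Replace it with a short comment stating the reason given in the notes, that the provider hands out 192.168.* or 10.* addresses, so that a later administrator does not re-add the option and lose the uplink.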
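Review bot: in the rules hunk, `AllowDNS loc fw` only admits queries from the local network to the firewall; the firewall's own queries to the upstream resolvers (fw to net, udp and tcp port 53) are not visible in this diff and depend on the fw-to-net policy, which the hunk does not show. Confirm that policy allows them or add an explicit rule next to `ACCEPT fw net tcp 80`, and fix the typo "resquests" in the comment line `+# Allow HTTP resquests from firewall to external network`.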
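A check worth running after working through the steps above: the following POSIX shell script is an added example, not part of the original notes, and verifies that a Shorewall 2.0 configuration carries each setting the notes require (startup enabled, IP_FORWARDING=On, the dhcp option on the loc interface, and the two added rules). The function names `check_shorewall_config` and `make_sample_config` are my own, and the sample configuration trees it builds are constructed for the demonstration; on a real machine point it at /etc/shorewall and /etc/default/shorewall.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check a Shorewall 2.0
# configuration against the settings the notes require. Function names and
# the constructed sample trees are assumptions made for this demonstration.

# check_shorewall_config CONFIG_DIR DEFAULTS_FILE
#   CONFIG_DIR    directory holding shorewall.conf, interfaces and rules
#   DEFAULTS_FILE the /etc/default/shorewall file
# Prints one line per check; returns 0 when all pass, 1 otherwise.
check_shorewall_config() {
    dir="$1"
    defaults="$2"
    rc=0

    # Shorewall is only started at boot when the defaults file says shorewall=1.
    if grep -Eiq '^[[:space:]]*shorewall=1[[:space:]]*$' "$defaults"; then
        echo "ok   startup enabled in $defaults"
    else
        echo "FAIL startup not enabled in $defaults"; rc=1
    fi

    # Without IP_FORWARDING=On nothing from loc is ever routed towards net.
    if grep -Eiq '^[[:space:]]*IP_FORWARDING=On[[:space:]]*$' "$dir/shorewall.conf"; then
        echo "ok   IP_FORWARDING=On"
    else
        echo "FAIL IP_FORWARDING is not On in $dir/shorewall.conf"; rc=1
    fi

    # The loc interface needs the dhcp option or dnsmasq's DHCP traffic is dropped.
    # Columns: ZONE INTERFACE BROADCAST OPTIONS (whitespace separated, comma list).
    if awk '$1 == "loc" && $2 == "eth1" && $4 ~ /(^|,)dhcp(,|$)/ { found = 1 }
            END { exit !found }' "$dir/interfaces"; then
        echo "ok   loc eth1 carries the dhcp option"
    else
        echo "FAIL loc eth1 lacks the dhcp option in $dir/interfaces"; rc=1
    fi

    # The two rules the notes add: DNS from loc to the firewall, HTTP from firewall to net.
    if awk '$1 == "AllowDNS" && $2 == "loc" && $3 == "fw" { found = 1 }
            END { exit !found }' "$dir/rules"; then
        echo "ok   AllowDNS loc fw present"
    else
        echo "FAIL AllowDNS loc fw missing from $dir/rules"; rc=1
    fi
    if awk '$1 == "ACCEPT" && $2 == "fw" && $3 == "net" && $4 == "tcp" && $5 == "80" { found = 1 }
            END { exit !found }' "$dir/rules"; then
        echo "ok   ACCEPT fw net tcp 80 present"
    else
        echo "FAIL ACCEPT fw net tcp 80 missing from $dir/rules"; rc=1
    fi

    return $rc
}

# make_sample_config good|bad
#   Builds a constructed configuration tree under a temp dir and prints its path.
#   "bad" leaves IP forwarding off and omits the dhcp option on eth1.
make_sample_config() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/shorewall-check.XXXXXX")
    mkdir "$base/shorewall"
    echo "shorewall=1" > "$base/default-shorewall"
    if [ "$1" = "good" ]; then fwd=On; locopts=tcpflags,dhcp; else fwd=Off; locopts=tcpflags; fi
    echo "IP_FORWARDING=$fwd" > "$base/shorewall/shorewall.conf"
    cat > "$base/shorewall/interfaces" <<EOF
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,tcpflags
loc eth1 detect $locopts
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
    cat > "$base/shorewall/rules" <<EOF
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT fw net icmp
AllowDNS loc fw
ACCEPT fw net tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
    echo "$base"
}

# Demonstration on the constructed trees; on a real box run
#   check_shorewall_config /etc/shorewall /etc/default/shorewall
for kind in good bad; do
    sample=$(make_sample_config "$kind")
    echo "== $kind sample ($sample)"
    check_shorewall_config "$sample/shorewall" "$sample/default-shorewall" || echo "== $kind sample has problems"
    rm -rf "$sample"
done
```

The checks parse the files column by column the way Shorewall does (whitespace-separated fields, comma-separated options), so a rule written with different spacing or an interface line with an extra broadcast column still matches; a missing setting prints a FAIL line and makes the function return non-zero, which is what you want in a post-install script or a cron job that watches for configuration drift.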