* need help firewalling homebrew http+smtp+dns+vpn
@ 2003-12-21  7:07 Andrea Tasso
  2003-12-21 10:38 ` Antony Stone
  2003-12-21 16:12 ` Mark E. Donaldson
  0 siblings, 2 replies; 3+ messages in thread
From: Andrea Tasso @ 2003-12-21  7:07 UTC (permalink / raw)
  To: netfilter

hello, these are my naive questions, I am a newbie:

I need to firewall my homebrew linux boxes, say to close everything I can to/from outside (internet), and do
everything inside my vpn. On the FIREWALL machine I also run some servers whose services/ports must remain
accessible to/from outside. Those kinds of connections I also need to make to servers outside.
All the machines of the VPN need to be free to surf the outside internet. So masquerading and forwarding are
also needed.

thanks a lot for your help,
Andrea



That's my box: (see also below for explanations)


   ------------------                        -----------
  | 192.168.8.2 eth0 |-----|                |  FIREWALL |
   ------------------      |      ---------- - - - - - - ---------- 
                           |-----| eth1 192.168.8.1                |
   ------------------      |     |                                 |
  | 192.168.8.3 eth0 |-----|     |                   10.0.0.1 eth0 |----------|
   ------------------            |                                 |          |
                            |----| wlan0 192.168.2.1               |          |
   -------------------      |     --- - - - - - - - - - - - - - ---           |    
  | 192.168.2.2 wlan0 |-----|        |  servers: ssh:22        |              |
   -------------------               |           http:80       |              |
                                     |           https:443     |              |
                                     |           dns:42/53(?)  |              |    my VPN: everything
                                     |           smtp:25       |              |
                                      -------------------------          ---------  in/out (ssh,http,https,dns,smtp +
                                                                              |               "masqued web browsing")
                                                                              |
                                                                              |    "outside"    
                                                                              |
                                                                 -------------------------
                                                      ----------|           eth0          |
                                                     |    dsl           10.0.0.138        |
                                                     |   router                           |
                                                      ----------|                         |
                                                                |      dummy(*) ip        |
                                                                |     111.69.96.69.96     |      
                                                                |         ppp0 (?)        |
                                                                 -------------------------
                                                                             |
                                                                             |
                                                                         internet


(*) dummy ip: the dsl router has a fixed ip which I do not write here for security
(?) the question mark is for stuff I am not sure about



* Re: need help firewalling homebrew http+smtp+dns+vpn
  2003-12-21  7:07 need help firewalling homebrew http+smtp+dns+vpn Andrea Tasso
@ 2003-12-21 10:38 ` Antony Stone
  2003-12-21 16:12 ` Mark E. Donaldson
  1 sibling, 0 replies; 3+ messages in thread
From: Antony Stone @ 2003-12-21 10:38 UTC (permalink / raw)
  To: netfilter

On Sunday 21 December 2003 7:07 am, Andrea Tasso wrote:

> hello, these are my naive questions, I am a newbie:
>
> I need to firewall my homebrew linux boxes, say to close everything I can
> to/from outside (internet), and do everything inside my vpn. On the
> FIREWALL machine I also run some servers whose services/ports must remain
> accessible to/from outside. Those kinds of connections I also need to make
> to servers outside. All the machines of the VPN need to be free to surf the
> outside internet. So masquerading and forwarding are also needed.

I don't really see anything about this setup which is not dealt with very well 
by the tutorials available at 
http://www.netfilter.org/documentation/index.html#tutorials

The only thing I would say about the protocols marked with "?" on your diagram 
is that DNS uses TCP port 53 and UDP port 53; it does not use port 42.   I 
can't understand why you have marked the DSL router with "?" as this is 
nothing to do with the netfilter setup.

It would help us greatly if you could read one of the tutorials, use a ruleset 
which you think will do (part of) what you want, and then tell us if you are 
having specific problems afterwards.

Read the documentation - it really is good, and it will not only give you good 
examples of what to do, but help you understand why it works as well.

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: need help firewalling homebrew http+smtp+dns+vpn
  2003-12-21  7:07 need help firewalling homebrew http+smtp+dns+vpn Andrea Tasso
  2003-12-21 10:38 ` Antony Stone
@ 2003-12-21 16:12 ` Mark E. Donaldson
  1 sibling, 0 replies; 3+ messages in thread
From: Mark E. Donaldson @ 2003-12-21 16:12 UTC (permalink / raw)
  To: 'Andrea Tasso', netfilter

This is a pretty nifty setup Andrea.  As for the specific rules you are
going to need to allow it to perform, I agree with Antony in that you
should consult the tutorials as this will be a somewhat complex rule set
(too much for me to list here).  A couple of comments:

1. Port 42 is WINS replication so you do not need to worry about it unless
you are using a complex & pure SAMBA setup on the internal machines.

2. Double layer of SNAT is fine and provides an extra layer of security of
internal machines.

3. It's not clear to me where or how your VPN is connecting, and where the
end points are.  However, since it appears to be in-line to the double SNAT,
architecturally it is sound and should work.

4. It's not clear why you are concerned with ppp0 or PPPoE encapsulation.
Your DSL router should handle that just fine.  Since your interface to the
outside world has a static IP, you can use SNAT for these rules instead of
MASQ.  If you have a typical DSL router, is not your external interface an
eth? and not a ppp?

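Added example, not part of the thread and not code from any of its authors: a POSIX shell script that emits an iptables-restore ruleset for the firewall in Andrea's diagram, applying Antony's point that DNS needs both TCP and UDP 53 (and nothing on 42) and Mark's suggestion of SNAT rather than MASQUERADE on a static address. The interface names and addresses (eth0 10.0.0.1 towards the DSL router, eth1 192.168.8.0/24, wlan0 192.168.2.0/24) come from the diagram; the default-drop policy, the published service list, treating wlan0 as trusted like eth1, and the helper names gen_ruleset and has_rule are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset for
# the firewall in Andrea's diagram. Interface names and addresses are taken
# from the diagram; the policy choices below are assumptions.
#
#   eth0  10.0.0.1       towards the DSL router (10.0.0.138) and the internet
#   eth1  192.168.8.1    wired LAN   192.168.8.0/24
#   wlan0 192.168.2.1    wireless    192.168.2.0/24

WAN_IF=eth0
WAN_IP=10.0.0.1                  # static address, so SNAT instead of MASQUERADE
LAN_IFS="eth1 wlan0"
LAN_NETS="192.168.8.0/24 192.168.2.0/24"   # same order as LAN_IFS

# Services the firewall itself publishes towards the outside, as proto:port.
# DNS needs both UDP and TCP 53; port 42 is WINS replication, not DNS.
PUBLISHED="tcp:22 tcp:80 tcp:443 tcp:25 tcp:53 udp:53"

gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Inside hosts may reach the firewall and be forwarded (to the internet
    # and to the other inside segment), but only with a source address that
    # belongs on that interface; nothing arriving on eth0 is forwarded in.
    set -- $LAN_NETS
    for ifc in $LAN_IFS; do
        net=$1; shift
        echo "-A INPUT -i $ifc -s $net -j ACCEPT"
        echo "-A FORWARD -i $ifc -s $net -j ACCEPT"
    done
    # Published services, reachable from the DSL router side.
    for svc in $PUBLISHED; do
        proto=${svc%%:*}
        port=${svc##*:}
        echo "-A INPUT -i $WAN_IF -p $proto --dport $port -j ACCEPT"
    done
    # OUTPUT is ACCEPT, so the firewall's own client connections to outside
    # servers (ssh, http, smtp, dns, ...) need no further rules.
    cat <<EOF
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# has_rule "<exact rule line>": true if the generated ruleset contains it.
has_rule() {
    gen_ruleset | grep -qxF -- "$1"
}

case "${1:-}" in
    apply)                    # needs root and net.ipv4.ip_forward=1
        gen_ruleset | iptables-restore ;;
    *)                        # default: print the rules for review
        gen_ruleset ;;
esac
```

Run it with no argument to review the generated rules, or with `apply` to load them through iptables-restore (as root, with net.ipv4.ip_forward enabled). The DSL router at 10.0.0.138 still does its own NAT to the public address, which is the "double SNAT" Mark refers to; the per-interface source checks in the INPUT and FORWARD rules are the cheap anti-spoofing measure a home ruleset usually lacks.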
