Hi,

I'm doing this using Shorewall, DHCP and dnsmasq.
One PC has one interface to the internet and a second one on a small
switch. A notebook and another PC are connected to the switch, and all of
them use the internet. My internet connection has a fixed IP.

Just install Shorewall and follow the "Two-Interfaces" guide in the QuickStart 
guides section on the Shorewall website.
http://www.shorewall.net/
http://www.shorewall.net/two-interface.htm

Below are entries from my configuration files (eth0=local net, eth1=internet).


I hope this helps. For me this works great and I don't have to know anything
about iptables because Shorewall is doing this for me.
Don't forget to do a "rc-update add shorewall default".


Rgds,
 -Markus-




/etc/shorewall/interfaces:

#ZONE    INTERFACE      BROADCAST       OPTIONS
# eth1 faces the internet. "routefilter" turns on reverse-path (anti-spoof)
# filtering for this interface only (ROUTE_FILTER=No in shorewall.conf keeps
# it off globally); "norfc1918" treats packets arriving with private RFC 1918
# source addresses as bogus (logged at RFC1918_LOG_LEVEL=info, disposition per
# the rfc1918 file, which is not shown). Both are appropriate because the
# external address is a fixed public IP.
net     eth1            detect          routefilter,norfc1918
# eth0 is the local net 192.168.0.0/24; the broadcast matches the eth0 address
# shown by ifconfig below.
# NOTE(review): dhcpd serves on this interface (IFACE="eth0" in
# /etc/conf.d/dhcp) but the "dhcp" interface option is not set here; the
# rules file opens ports 67/68 between fw and loc instead -- confirm that is
# sufficient for this Shorewall version.
loc     eth0            192.168.0.255


/etc/shorewall/masq:

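#INTERFACE      SUBNET          ADDRESS
# Masquerade (source-NAT) traffic from the local net as it leaves on the
# internet interface: INTERFACE is the outgoing interface (eth1), SUBNET is
# where the traffic comes from. "eth0" means every network routed via eth0;
# write 192.168.0.0/24 there instead to restrict it to that subnet only.
# ADDRESS is left empty, so packets take eth1's own (fixed) address.
eth1            eth0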


/etc/shorewall/policy:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
# Default dispositions, consulted only after /etc/shorewall/rules; the first
# matching line wins.
# The local net and the firewall host itself may initiate anything towards
# the internet.
loc             net             ACCEPT
fw              net             ACCEPT
# Everything initiated from the internet is dropped and logged at "warning"
# unless a rule accepts it (the rules file accepts ping and BitTorrent only).
net             all             DROP            warning
# Catch-all. loc->fw and fw->loc also land here, so every service on the
# firewall host is reachable from the local net only through an explicit
# rule in /etc/shorewall/rules.
all             all             DROP            warning

/etc/shorewall/routestopped:

#INTERFACE      HOST(S)
# Hosts that keep access through the firewall host while Shorewall is
# stopped (e.g. "shorewall stop" during maintenance): the whole local net
# on eth0. Nothing on the internet side is listed, so eth1 stays closed.
eth0            192.168.0.0/24


/etc/shorewall/rules:
##############################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
#
# Rules are evaluated in order, before the defaults in /etc/shorewall/policy
# apply. Because the policy file has no loc->fw ACCEPT (loc->fw and fw->loc
# fall through to the all->all DROP), every service on the firewall host
# must be opened here explicitly. Only the BitTorrent rule and one ping rule
# below involve the net zone; everything else is between fw and loc.
#
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#
#       Accept SSH connections from the firewall to local network
#
ACCEPT          fw              loc             tcp     22
#
#       Allow Ping To And From Firewall (ICMP type 8 = echo request).
#       The net->fw line makes the firewall host answer pings from the
#       internet; it is the only ICMP opened towards the net zone.
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
#
#       Accept DNS connections to the internal caching nameserver
#       (dnsmasq, bound to eth0 via "-i eth0" in /etc/conf.d/dnsmasq).
#       No net->fw 53 rule exists, so the resolver is not exposed outside.
#
ACCEPT          loc             fw              tcp     53
ACCEPT          loc             fw              udp     53
#
#       Accept ftp sessions to local network
#
ACCEPT          fw              loc             tcp     20,21
#
#       Allow DHCP communication
#       DHCP itself runs over UDP 67/68; the tcp lines are harmless but unused.
#       NOTE(review): Shorewall's documented way to permit a DHCP server on an
#       interface is the "dhcp" option in /etc/shorewall/interfaces -- confirm
#       before relying on these rules alone.
#
ACCEPT          fw              loc             tcp     67,68
ACCEPT          fw              loc             udp     67,68
ACCEPT          loc             fw              tcp     67,68
ACCEPT          loc             fw              udp     67,68
#
# Accept Samba sessions from local network
# See http://www.shorewall.net/samba.htm
# Note: In W2K MS has created new transport over TCP 445!
# See http://www.iss.net/security_center/advice/Exploits/Ports/445/default.htm
# TCP 445 is NOT opened by the rules below; only NetBIOS 137-139 is. The
# "1024:  137" lines accept NetBIOS name-service replies (source port 137)
# to unprivileged destination ports (1024 and above). All of this stays
# between fw and loc; nothing Samba-related faces the net zone.
#
ACCEPT          fw              loc             udp     137:139
ACCEPT          fw              loc             tcp     137,139
ACCEPT          fw              loc             udp     1024:   137
ACCEPT          loc             fw              udp     137:139
ACCEPT          loc             fw              tcp     137,139
ACCEPT          loc             fw              udp     1024:   137
#
#       Accept NFS sessions from local network to firewall
#       Port    Usage
#       111     portmapper
#       2049    nfsd or rpc.nfsd ("nfs" in rpcinfo)
#       4000    rpc.statd ("status" in rpcinfo)
#               (see /etc/conf.d/nfs)
#       4001    lockd or rpc.lockd ("nlockmgr" in rpcinfo)
#               (see /etc/modules.d/nfs)
#       4002    rpc.mountd ("mountd" in rpcinfo)
#               (see /etc/conf.d/nfs)
#       4003    rpc.quotad ("rquotad" in rpcinfo)
#               (see /etc/conf.d/nfs)
#       The 4000-4003 rules only match if the daemons are pinned to those
#       ports in the files referenced above; by default they pick random
#       ports and would be blocked by the all->all DROP policy.
#
ACCEPT          loc             fw              tcp     111
ACCEPT          loc             fw              udp     111
ACCEPT          loc             fw              tcp     2049
ACCEPT          loc             fw              udp     2049
ACCEPT          loc             fw              tcp     4000
ACCEPT          loc             fw              udp     4000
ACCEPT          loc             fw              tcp     4001
ACCEPT          loc             fw              udp     4001
ACCEPT          loc             fw              tcp     4002
ACCEPT          loc             fw              udp     4002
ACCEPT          loc             fw              tcp     4003
ACCEPT          loc             fw              udp     4003
#
#       Accept BitTorrent sessions from the internet to firewall
#       See http://bitconjurer.org/BitTorrent/index.html
#       This is the only TCP listener on the firewall host exposed to the
#       net zone; keep the rule only while a client is actually running.
#
ACCEPT          net             fw              tcp     6881:6889
#
#       Accept SMTP from local network to firewall
#
ACCEPT          loc             fw              tcp     25


/etc/shorewall/shorewall.conf:

# Global Shorewall settings. Zone/interface behaviour lives in the table
# files above; this file only sets defaults and logging.
# presumably adds aliases for addresses listed in the nat file (not shown)
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
# hosts in the blacklist file (not shown) are dropped silently (no log level)
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=No
# traffic shaping is not used (TC_ENABLED=No); existing tc state is cleared
CLEAR_TC=Yes
DETECT_DNAT_IPADDRS=No
# name of the firewall zone; matches "fw" used in policy and rules
FW=fw
# kernel IP forwarding is switched on at start -- required for loc->net
IP_FORWARDING=On
LOGBURST=
# file read by "shorewall show log" etc.; syslog must be configured to
# write the kernel log messages there (syslog setup not shown)
LOGFILE=/var/log/shorewall/warn.log
# prefix of kernel log lines; the two %s are presumably chain and disposition
LOGFORMAT="Shorewall:%s:%s:"
# non-SYN TCP packets that do not belong to a tracked connection are
# dropped (NEWNOTSYN=No) and logged at "info"
LOGNEWNOTSYN=info
LOGRATE=
LOGUNCLEAN=info
# only effective with the "maclist" interface option, which no interface
# in /etc/shorewall/interfaces uses here
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=No
MODULESDIR=
MUTEX_TIMEOUT=60
NAT_BEFORE_RULES=Yes
NEWNOTSYN=No
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
# log level for the "norfc1918" check enabled on eth1
RFC1918_LOG_LEVEL=info
# reverse-path filtering off globally; eth1 enables it via "routefilter"
ROUTE_FILTER=No
SHOREWALL_SHELL=/bin/sh
STATEDIR=/var/lib/shorewall
SUBSYSLOCK=/var/lock/subsys/shorewall
# packets with invalid TCP flag combinations are dropped and logged at "info"
TCP_FLAGS_DISPOSITION=DROP
TCP_FLAGS_LOG_LEVEL=info
TC_ENABLED=No


/etc/shorewall/zones:

#ZONE   DISPLAY         COMMENTS
# The firewall host itself is the implicit "fw" zone (FW=fw in
# shorewall.conf) and is not listed here. Interfaces are mapped to these
# zones in /etc/shorewall/interfaces (net=eth1, loc=eth0).
net     Net             Internet
loc     Local           Local networks


/etc/conf.d/dnsmasq:
# -q logs each query; -i eth0 makes dnsmasq listen on the local-net
# interface only, so the caching resolver is not reachable from the
# internet side even before the firewall rules are considered.
DNSMASQ_OPTS="-q -i eth0"


/etc/conf.d/dhcp:

# dhcpd serves on the local-net interface only (never on eth1)
IFACE="eth0"
# -q: quiet start-up (suppresses the copyright banner)
DHCPD_OPTS="-q"


/etc/dhcp/dhcpd.conf:

# dhcpd configuration for the local net on eth0 (see /etc/conf.d/dhcp).
# No dynamic DNS updates are performed.
ddns-update-style none;
option domain-name "local.net";
# Clients resolve through the firewall host itself (dnsmasq on 192.168.0.1).
option domain-name-servers 192.168.0.1;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
  # ten dynamic addresses; "dynamic-bootp" also serves BOOTP clients
  range dynamic-bootp 192.168.0.20 192.168.0.29;
  # default gateway is the firewall host (its eth0 address)
  option routers 192.168.0.1;
  option subnet-mask 255.255.255.0;
}
# Static leases keyed by MAC address; both sit outside the dynamic range.
host mb2 {
  hardware ethernet 00:01:02:f2:b4:dd;
  fixed-address 192.168.0.30;
}
host mb3 {
  hardware ethernet 00:04:75:17:bf:72;
  fixed-address 192.168.0.31;
}



ifconfig eth0:

eth0      Link encap:Ethernet  HWaddr 00:04:76:A0:22:2E
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0



/etc/conf.d/net:

# Static address of the local-net interface. dhcpd.conf hands this address
# out to clients as both default router and name server. The eth1 (internet)
# configuration is not shown here.
iface_eth0="192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0"




On Sunday 21 September 2003 18:16, Adam Mercer wrote:
> Hi
>
> I want to setup a DHCP server on my desktop machine so that I can plug
> my laptop into my second network port and then access the internet
> through my desktop using NAT. However I can't get it to work. I've
> followed as much of the NAT and DHCP howtos as I can but can't get it
> to work.
>
> Does anyone know of an idiots guide to setting this up?
>
> Cheers
>
> Adam
>
> --
> [EMAIL PROTECTED] mailing list


--
[EMAIL PROTECTED] mailing list
