Hey there,
I have the E2B working great. Thank you for that awesome documentation
on LEAF. My network only has one subnet so I didn't install Seattle
Firewall. I figured the basic version would be good enough for now.
I have allowed SMTP, WWW, POP-3 to be forwarded in my network.conf to
my internal Win2k server. But for some reason it's not working quite
right. Here is a sample of the port forwarding section of my
network.conf:
########################################################################
# IP Filter setup - can pull in settings from above
########################################################################
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, smtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
SNMP_MANAGER_IPS=""
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"
# This set of variables is used with the basic routing filter setup
# This set of variables is used with a basic IP masquerading firewall setup
#Notation - IP addresses/masklen
#
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
#
# Start of changes by Charles Steinkuehler for DHCP
#
# Added for DHCP support
# Setting this to YES causes the script to read EXTERN_IP directly from
# the interface
EXTERN_DHCP=NO # - YES/NO
# The interface to configure via dhcp
#IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if you
# are using DHCP
# External Address dynamically assigned
EXTERN_DYNADDR=NO # - YES/NO
# -- OR --
EXTERN_IP=61.128.41.41 # External Interface IP number
# If external interface is DHCP, read the IP address
# This should probably be moved to the init.d network script, but it seemed
# I put it here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" ] || \
   [ "$EXTERN_DHCP" = "Yes" ] || \
   [ "$EXTERN_DHCP" = "yes" ]; then
  # This computes the IP address of $EXTERN_IF
  # Grep extracts just the line(s) with IP address information from the output
  # of ip addr. The first sed gets rid of all but the first line (in case
  # there are several IP addresses for some reason), and next sed extracts
  # just the IP address in dot quad notation.
  EXTERN_IP=`ip addr list label $EXTERN_IF | \
    grep inet | \
    sed '1!d' | \
    sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
  # Debugging - Remove if you like
  # echo Extern IP: $EXTERN_IP
  # If the external address is not configured, use a bogus address for the
  # external interface to prevent a bunch of (harmless) errors that spit out
  # when the IPCHAINS script is called.
  if [ x$EXTERN_IP = x ]; then
    EXTERN_IP=192.168.254.254
  fi
fi
# UDP Services open to outside world
# - srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS="0/0_domain 0/0_www"
#
# End of changes made by Charles Steinkuehler for dhcp support
#
# TCP services open to outside world
# - srcip/mask_dstport
EXTERN_TCP_PORTS="0/0_ssh 0/0_smtp 0/0_pop-3 0/0_www"
# Internal interface
INTERN_IF="eth1" # Internal Interface
INTERN_NET=192.168.1.0/24 # Internal network (to be masqueraded)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside world - YES/NO
# These services are not masqueraded from inside to outside. proto_destnet_port
# Allows the firewall to be trusted for ssh access to routers...
# Override for below
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
# services not to be masqueraded
#NOMASQ_DEST="tcp_0/0_ssh"
# Uncomment following for internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<extern-ip>_<extern-port>_<intern-ip>_<intern-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.1.210 # Internal WWW server to make available
INTERN_SMTP_SERVER=192.168.1.210 # Internal SMTP server to make available
INTERN_POP3_SERVER=192.168.1.210 # Internal POP3 server to make available
INTERN_IMAP_SERVER=192.168.1.210 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1 # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access
Where am I going wrong here? I would also like to open a few external
ports but I can do this through IPCHAINS commands. Do I save those
IPCHAINS commands in memory like I would on a normal Linux system? Or do
I put it in one of the CONF files?
Thank you in advance for putting up with newbie questions. Things to
keep in mind:
1. I am running the Basic E2B from Charles Steinkuehler's site
2. I am running it in Static IP external mode and I have deleted the
DHCPClients module
3. I have SSHD running as well
4. I am not using Seawall or Shorewall on this disk yet.
Timothy H. Schilbach
[EMAIL PROTECTED]
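The post's network.conf describes port forwarding in two notations: the INTERN_SERVERS tuple `<protocol>_<extern-ip>_<extern-port>_<intern-ip>_<intern-port>` and the INTERN_*_SERVER shorthand, with a comment warning that forwarding must stay off while EXTERN_DYNADDR is on. The following script is an added example, not part of LEAF, the E2B image or the poster's files: it takes values constructed from the posted config, parses both notations, refuses to render anything when EXTERN_DYNADDR is YES, and prints the `ipmasqadm portfw` rule each entry implies so the result can be read against what the box actually loaded. The exact rule shape the LEAF script generates is an assumption here; compare it with the script on your own disk. Nothing is applied to a kernel, the rules are only printed.

```shell
#!/bin/sh
# Added example (not LEAF code). Renders network.conf port-forwarding
# entries as ipmasqadm portfw rules so they can be reviewed before use.

# Sample values constructed from the posted network.conf (not a live box).
EXTERN_IP=61.128.41.41
EXTERN_DYNADDR=NO
INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
INTERN_WWW_SERVER=192.168.1.210

# portfw_rule <proto> <ext-ip> <ext-port> <int-ip> <int-port>
# Prints one rule. The ipmasqadm argument layout is assumed, check it
# against the firewall script shipped on your own disk.
portfw_rule() {
    printf 'ipmasqadm portfw -a -P %s -L %s %s -R %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# parse_tuple <proto>_<ext-ip>_<ext-port>_<int-ip>_<int-port>
# Splits on '_' (fields never contain it) and prints the rule; returns 1
# on a malformed tuple or an unknown protocol.
parse_tuple() {
    tuple=$1
    old_ifs=$IFS
    IFS=_
    set -- $tuple
    IFS=$old_ifs
    if [ $# -ne 5 ]; then
        echo "bad tuple: $tuple (expected proto_extip_extport_intip_intport)" >&2
        return 1
    fi
    case $1 in
        tcp|udp) ;;
        *) echo "bad protocol in tuple: $tuple" >&2; return 1 ;;
    esac
    portfw_rule "$1" "$2" "$3" "$4" "$5"
}

# render_portfw: print every rule implied by the config variables, or
# fail when EXTERN_DYNADDR is YES, the case the file's comment warns
# against (forwarding to a dynamic external address).
render_portfw() {
    case $EXTERN_DYNADDR in
        [Yy][Ee][Ss])
            echo "refusing: port forwarding with EXTERN_DYNADDR=YES" >&2
            return 1 ;;
    esac
    for t in $INTERN_SERVERS; do
        parse_tuple "$t" || return 1
    done
    # Shorthand variables forward the primary external IP on the named port.
    [ -n "${INTERN_WWW_SERVER:-}" ] && portfw_rule tcp "$EXTERN_IP" www "$INTERN_WWW_SERVER" www
    [ -n "${INTERN_SMTP_SERVER:-}" ] && portfw_rule tcp "$EXTERN_IP" smtp "$INTERN_SMTP_SERVER" smtp
    [ -n "${INTERN_POP3_SERVER:-}" ] && portfw_rule tcp "$EXTERN_IP" pop-3 "$INTERN_POP3_SERVER" pop-3
    return 0
}

render_portfw
```

The rendered rules presuppose what the config comment already states: IPFILTER_SWITCH=firewall and the ip_masq_* modules plus ip_masq_portfw loaded, otherwise no forwarding entry has any effect. Reading the printed list against `ipmasqadm portfw -l` on the box is a quick way to see whether the entries in network.conf actually reached the kernel.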