Jason Young wrote:

Varun,

If you're using Shorewall under Webmin, your file called "policy" in
"/etc/shorewall" should look something like this:


#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
$FW       all    ACCEPT   -
loc       $FW    ACCEPT   -
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE



I have some extra rules in here that allow me to access my firewall from
local clients and also to access the net from the firewall itself. Also,
if you're Masquerading you need to make sure that's configured as well.
Regarding your original Internet Access problem, how are you handling
logons for your fat and thin clients? Is everyone performing a local
logon or are you doing unified logons through NIS or LDAP? If you're
doing local logons for your LTSP/squid server, you can apply firewall
rules in shorewall based on users and/or groups. Apparently, user/group
based rules only apply to the machine shorewall is running on, so you
could limit access to the net from your LTSP clients that way. I believe
the solutions Kai mentioned would work equally well, perhaps better,
using only squid. From what I've read so far, I believe his solution
also requires installing and enabling IDENT on the server and clients
that will be accessing squid.


As Jim has mentioned before, which made me see the light, simple firewall
rules aren't going to help due to the fact that all of the instances of
Mozilla (or any other browser) your LTSP clients are running are
actually running on the server. So as far as the firewall's concerned,
it will apply rules to your LTSP clients as if it was your LTSP server (in
your case the firewall itself) originating the traffic. This creates a
situation in which your server becomes a bit of a paranoid
schizophrenic.

- Jason

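Added example (not code from the thread): a small Python checker for the /etc/shorewall/policy layout shown above. It assumes only what the file format implies, that Shorewall takes the first line whose SOURCE and DEST match, with "all" as a wildcard, which is exactly why an "Any Any ACCEPT" (all all ACCEPT) default policy opens the firewall and makes every later line unreachable; the sample input is constructed.

```python
# Constructed input mirroring the policy file posted above ($FW is kept as the
# literal token Shorewall expands to the firewall zone).
SAMPLE_POLICY = """\
#SOURCE DEST POLICY LOG_LEVEL LIMIT:BURST
loc   net  ACCEPT
net   all  DROP    info
$FW   all  ACCEPT  -
loc   $FW  ACCEPT  -
all   all  REJECT  info
#LAST LINE -- DO NOT REMOVE
"""

def parse_policy(text):
    """Return [(source, dest, policy)] in file order; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append((fields[0], fields[1], fields[2].upper()))
    return rules

def effective_policy(rules, src, dst):
    """First-match lookup, the way Shorewall picks the policy for a zone pair."""
    for s, d, pol in rules:
        if s in (src, "all") and d in (dst, "all"):
            return pol
    return None  # no policy for this pair

def covers(earlier, later):
    """True if 'earlier' matches every (src, dst) pair that 'later' would match."""
    es, ed, _ = earlier
    ls, ld, _ = later
    return es in (ls, "all") and ed in (ld, "all")

def audit(rules):
    """Flag a wildcard ACCEPT from net, unreachable lines, and a missing catch-all."""
    findings = []
    for i, (s, d, pol) in enumerate(rules):
        if s in ("net", "all") and pol == "ACCEPT":
            findings.append(f"line {i + 1}: unsolicited traffic from net is ACCEPTed")
        if any(covers(prev, rules[i]) for prev in rules[:i]):
            findings.append(f"line {i + 1}: never reached, an earlier policy covers it")
    if not rules or rules[-1][:2] != ("all", "all") or rules[-1][2] not in ("REJECT", "DROP"):
        findings.append("last policy should be an 'all all REJECT' (or DROP) catch-all")
    return findings
```

Running audit() over Jason's file returns no findings, while a file consisting of the single line "all all ACCEPT" (what Webmin shows as Any Any ACCEPT) is flagged for accepting unsolicited net traffic and lacking a catch-all.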

On Tue, 2004-05-04 at 22:26, Varun wrote:


Hello Lanman,
I am just not able to set the rules.
Right now I have only 2 NICs, one for net and one for lan. I will have three on my new server.
In the meantime I need to learn how to do the settings.
I don't know where I am making the mistake. I have tried all settings in "Default Policies",
but the moment I add any policies it blocks net access to my lan. I hope I am doing
the settings in the right section.
I have pasted my shorewall details as left now. With this my lan has net access.
Tell me where I am going wrong and which are the sections where I need to do
any settings. I could not see the 'fw' option.
I feel strongly it should work but I have to get it. I hope to achieve that with your help.
I will also have a look if any tutorial is available on the net on Webmin.


************* shorewall settings *************

Shorewall version 1.4.8

Network Zones (zones)

Zone ID   Displayed name   Description
net       Net              Internet zone
lan       SAALan           Local

Network Interfaces (interfaces)

Interface   Zone name   Broadcast address   Options
eth0        net         Automatic           None
eth1        lan         Automatic           None

Default Policies (policy)

Source zone   Destination zone   Policy   Syslog level   Traffic limit
Any           Any                ACCEPT   None           None

Anything else just blocks net to lan.

Firewall Rules (rules)

No firewall rules have been defined yet.

Types of Service (tos)

Left as default

Masquerading (masq)

No masquerading rules have been defined yet.

Static NAT (nat)

No static NAT entries have been defined yet.

Proxy ARP (proxyarp)

No proxy ARP addresses have been defined yet.

I am not sure about this option!

When Stopped (routestopped)

No addresses to be accessible when stopped have been defined yet.

VPN Tunnels (tunnels)

No VPN tunnels to allow have been defined yet.

************* end shorewall **************

Thanks in advance

Varun

Right now my proxy server and ltsp server are two different machines.


This whole exercise is to make ltsp and proxy run on one machine with the necessary controls.
As for the ltsp version 4 server on Mdk 10, right now we have 6 thin clients where individuals come
and use them. All users have their login account on the server.
As for the lan, my server is part of our regular network with about 75 computers.
It is through the lan that we share the DSL connection.
We want to have two proxy servers running, one on Windows and the other on Linux,
to which I am trying to apply firewall rules.


I hope this is helpful

Varun








_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
