HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


Morons 15th September 2006 01:26

Internet sharing and Gateway in Same ISPConfig Box
 
Hi,
I have used iptables and Mandriva's Shorewall with huge success in setting up NAT/PAT in the Internet sharing environment. Shorewall is disabled in Mandriva and ISPConfig adds Bastille, or a version thereof. I do not know nor understand Bastille yet. It seems to be using Masq and literal IPs, therefore IP changes in the interfaces do not automatically set up the firewall at reboot like Shorewall would, where you only say e.g. NET = eth0 and LAN = eth1.

I see that ISPConfig includes only parts of the Bastille software (the bastille executable seems to be removed / renamed). I ran updatedb and locate bastille - I came up empty, and I could not use the bastille utility as described on their website.

My problem is now to change the Bastille config files to allow for a proper GW server w/o interfering with the ISPConfig control over this Bastille software.

I have a DSL router with ETH 10.0.0.2, thus my default GW. My Fedora 5 box has eth1 10.0.0.1 and the inside network is 192.168.1.1 on eth0.

In Shorewall I only need to define the internet interface and the LAN interface - is there such an easy way with Bastille config files that will not be modified by ISPConfig? ;)

pablito 15th September 2006 03:09

If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....

Morons 15th September 2006 10:36

Quote:

Originally Posted by pablito
If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....

FC5 does not have Shorewall! And for some stupid reason the hardware I have does not run Mandriva.

Ben 15th September 2006 11:31

Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (firehol.sf.net, an abstraction shell script, easy to configure and very flexible). Maybe that can help you?

Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...

Morons 15th September 2006 11:36

Elegant way
 
Quote:

Originally Posted by Ben
Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (firehol.sf.net, an abstraction shell script, easy to configure and very flexible). Maybe that can help you?

Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...

Yes, the point is NOT to use external tools (other than the pure ISPConfig set-up) here.
A standard install on any platform for easy reproduction is the need. I have plenty of ways of doing it outside this environment, but all I need is the modification required inside /root/ispconfig/isp/conf/bastille-firewall.cfg.master to make this work. That will give me a nice PURE install, much more elegant than otherwise. :rolleyes:

till 16th September 2006 12:42

1) The Bastille firewall script is named "Bastille" and not "bastille", so locate "Bastille" will give you the locations of the scripts.

2) If you want to change the Bastille firewall script globally, edit the template file in /root/ispconfig/isp/conf/

3) If you don't like Bastille, you may use any other firewall with ISPConfig as well.

Morons 18th September 2006 10:21

GW via SNAT and NOT MASq
 
Hi,
I did find it. It is a MOD and this should only be done if you know your stuff. I do not like this; although clearly the intended method by the author, it is messy and non-elegant. I would have liked to see a setting in the bastille-firewall.cfg file asking to SNAT or Masq.

vi /sbin/bastille-netfilter or edit /sbin/bastille-netfilter
Remark the lines around line 390-391:
# ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
# ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
Around line 397, remove the # (uncomment it):
${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}

What is great is that the DEFAULT_GW_IFACE is self-detected and comes from your interface set-up.
:cool:
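
Added example, not part of the original thread and not Bastille or ISPConfig code: a shell example that derives the outbound interface and the firewall's own address from routing output, then prints (without applying) the MASQUERADE or SNAT rule for the topology given in the first post. MASQUERADE takes the outbound interface's address at packet time, while SNAT needs a fixed address that the firewall itself owns on that interface; the function names and the sample `ip -4 route show` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: not from the thread and not Bastille/ISPConfig code.
# Constructed `ip -4 route show` output for the thread's topology:
# DSL router 10.0.0.2, firewall eth1 = 10.0.0.1, LAN eth0 = 192.168.1.1.
SAMPLE_ROUTES='default via 10.0.0.2 dev eth1
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1'

# Interface that carries the default route (the "NET" side).
wan_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The firewall's own address on interface $2, taken from its connected route.
iface_addr() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$1 != "default" {
        dev = ""; src = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") src = $(i + 1)
        }
        if (dev == ifc && src != "") { print src; exit } }'
}

# Connected networks that are not on the default-route interface (the "LAN" side).
lan_nets() {
    printf '%s\n' "$1" | awk -v wan="$2" '$1 != "default" {
        for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) != wan) print $1 }'
}

# Print (do not apply) the NAT and FORWARD rules; $2 is "masq" or "snat".
nat_rules() {
    nr_wan=$(wan_iface "$1")
    [ -n "$nr_wan" ] || { echo "no default route found" >&2; return 1; }
    case $2 in
        masq) nr_target="MASQUERADE" ;;
        snat) nr_addr=$(iface_addr "$1" "$nr_wan")
              [ -n "$nr_addr" ] || { echo "no address on $nr_wan" >&2; return 1; }
              nr_target="SNAT --to-source $nr_addr" ;;
        *)    echo "mode must be masq or snat" >&2; return 2 ;;
    esac
    for nr_net in $(lan_nets "$1" "$nr_wan"); do
        echo "iptables -t nat -A POSTROUTING -s $nr_net -o $nr_wan -j $nr_target"
        # NAT only rewrites addresses; the FORWARD chain must still accept the traffic.
        echo "iptables -A FORWARD -s $nr_net -o $nr_wan -j ACCEPT"
    done
}

nat_rules "$SAMPLE_ROUTES" snat
```

On a live system the first argument would be the output of `ip -4 route show` instead of the constructed sample.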

Morons 21st September 2006 16:18

My solution above didn't work for some reason. I missed another setting, although the in-script comments allow this. I had to use masq in the end. (: Ran out of time.
Till/Falco, can't you guys look into this and give us a solution inside the ISPConfig system, as this is surely needed? Bastille is very badly documented!


All times are GMT +2.