  #1  
Old 15th September 2006, 00:26
Morons Morons is offline
Internet sharing and Gateway in Same ISPConfig Box

Hi,
I have used iptables and Mandriva's Shorewall with huge success in setting up NAT/PAT in the Internet sharing environment. Shorewall is disabled in Mandriva and ISPConfig adds Bastille, or a version thereof. I do not know nor understand Bastille yet. It seems to be using Masq and literal IPs, therefore IP changes in the interfaces do not automatically set up the firewall at reboot like Shorewall would, where you only say e.g. NET = eth0 and LAN = eth1.

I see that ISPConfig includes only parts of the Bastille software (the bastille executable seems to be removed / renamed). I ran updatedb and locate bastille and came up empty, and I could not use the bastille utility as described on their website.

My problem now is to change the Bastille config files to allow for a proper GW server w/o interfering with the ISPConfig control over this Bastille software.

I have a DSL router with ETH 10.0.0.2, thus my default GW. My Fedora 5 box has eth1 10.0.0.1 and the inside network is 192.168.1.1 on eth0.

In Shorewall I only need to define the Internet interface and the LAN interface - is there such an easy way with Bastille config files that will not be modified by ISPConfig?

Last edited by Morons; 15th September 2006 at 00:32.
  #2  
Old 15th September 2006, 02:09
pablito pablito is offline

If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....
  #3  
Old 15th September 2006, 09:36
Morons Morons is offline

Quote:
Originally Posted by pablito
If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....

FC5 does not have Shorewall! And for some stupid reason the hardware I have does not run Mandriva.
  #4  
Old 15th September 2006, 10:31
Ben Ben is offline

Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (firehol.sf.net, an abstraction shell script, easy to configure and very flexible). Maybe that can help you?

Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...
  #5  
Old 15th September 2006, 10:36
Morons Morons is offline
Elegant way

Quote:
Originally Posted by Ben
Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (firehol.sf.net, an abstraction shell script, easy to configure and very flexible). Maybe that can help you?

Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...

Yes, the point is NOT to use external (other than pure ISPConfig set-up) here.
A standard install on any platform for easy reproduction is the need. I have plenty of ways of doing it outside this environment, but all I need is the modification required inside /root/ispconfig/isp/conf/bastille-firewall.cfg.master to make this work. That will give me a nice PURE install, much more elegant than otherwise.
  #6  
Old 16th September 2006, 11:42
till till is offline

1) The Bastille firewall script is named "Bastille" and not "bastille", so locate "Bastille" will give you the locations of the scripts.

2) If you want to change the Bastille firewall script globally, edit the template file in /root/ispconfig/isp/conf/

3) If you don't like Bastille, you may use any other firewall with ISPConfig as well.
Till Brehm
  #7  
Old 18th September 2006, 09:21
Morons Morons is offline
GW via SNAT and NOT MASq

Hi,
I did find it. It is a MOD and this should only be done if you know your stuff. I do not like this; although clearly the intended method by the author, it is messy and non-elegant. I would have liked to see a setting in the bastille-firewall.cfg file asking to SNAT or MASq.

vi /sbin/bastille-netfilter or edit /sbin/bastille-netfilter
Remark (comment out) the lines around line 390-391:
# ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
# ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
Around line 397, remove the # (uncomment it):
${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}

What is great is that the DEFAULT_GW_IFACE is self-detected and comes from your interface set-up.

Last edited by Morons; 18th September 2006 at 09:30.
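One way to get the Shorewall-style setup asked about in this thread, where only the Internet and LAN interface names are given (an added example, not from any poster and not Bastille or ISPConfig code). The function names and the sample `ip` output are constructed; the script only prints iptables commands, and it emits the FORWARD accept rules together with the nat rule because the nat table by itself does not permit forwarding when the FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example: derive gateway NAT rules from two interface names.
# Constructed sample of `ip -4 -o addr show` output using the thread's
# addressing (eth1 = Internet side 10.0.0.1, eth0 = LAN 192.168.1.1).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1'

# iface_cidr IFACE: read `ip -4 -o addr show` text on stdin and print the
# first IPv4 address/prefix configured on IFACE (nothing if there is none).
iface_cidr() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { print $4; exit }'
}

# gateway_rules NET_IF LAN_IF MODE: read address text on stdin and print the
# iptables commands for a NAT gateway. MODE is "snat" (fixed public address)
# or "masq" (address may change, e.g. DHCP or PPP on the Internet side).
gateway_rules() {
    net_if=$1; lan_if=$2; mode=$3
    addrs=$(cat)
    lan_cidr=$(printf '%s\n' "$addrs" | iface_cidr "$lan_if")
    net_cidr=$(printf '%s\n' "$addrs" | iface_cidr "$net_if")
    [ -n "$lan_cidr" ] || { echo "no IPv4 address on $lan_if" >&2; return 1; }
    case $mode in
        snat)
            # SNAT rewrites to this host's own address on the Internet side.
            [ -n "$net_cidr" ] || { echo "no IPv4 address on $net_if" >&2; return 1; }
            nat="-j SNAT --to-source ${net_cidr%/*}" ;;
        masq)
            nat="-j MASQUERADE" ;;
        *)
            echo "mode must be snat or masq" >&2; return 2 ;;
    esac
    # iptables masks the host bits itself, so 192.168.1.1/24 matches the LAN.
    echo "iptables -t nat -A POSTROUTING -s $lan_cidr -o $net_if $nat"
    # NAT does not authorise forwarding; the filter table must allow it too.
    echo "iptables -A FORWARD -i $lan_if -o $net_if -s $lan_cidr -j ACCEPT"
    echo "iptables -A FORWARD -i $net_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the SNAT rule set for the constructed sample above.
printf '%s\n' "$SAMPLE_ADDRS" | gateway_rules eth1 eth0 snat
```

On a live host, feed it `ip -4 -o addr show` in place of the sample and review the printed rules before applying them.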
  #8  
Old 21st September 2006, 15:18
Morons Morons is offline

My solution above didn't work for some reason; I missed another setting, although the in-script comments allow this. I had to use masq in the end. (: Ran out of time.
Till/Falco, can't you guys look into this and give us a solution inside the ISPConfig system, as this is surely needed? Bastille is very badly documented!
All times are GMT +2.