Okay, I got past that part. Now I am trying to set up the firewall. At the moment I am only using one interface to connect the Linux box to my LAN. I added that interface to the interfaces and gave it the appropriate zone. Now when I try to start the firewall I get this error:
Code:
Starting "Shorewall firewall": not done (check /var/log/shorewall-init.log).
And the log file looks like this:
Code:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Clearing Shorewall...Disabling IPV6...
IP Forwarding Enabled
done.
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available
FORWARD Mangle Chain: Not available
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: eth4:0.0.0.0/0 eth0:0.0.0.0/0
WARNING: Zone loc is empty
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/routestopped ...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Kernel Route Filtering...
WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
WARNING: Cannot set Martian logging on eth0
IP Forwarding Enabled
Setting up IPSEC...
Processing /etc/shorewall/rules...
Warning -- Rule "ACCEPT net fw all " is a POLICY
-- and should be moved to the policy file
Rule "ACCEPT net fw all " added.
..Expanding Macro /usr/share/shorewall/macro.DNS...
Rule "ACCEPT fw net udp 53 - - - -" added.
Rule "ACCEPT fw net tcp 53 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SSH...
Rule "ACCEPT loc fw tcp 22 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "ACCEPT loc fw icmp 8 - - - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "REJECT net fw icmp 8 - - - -" added.
..End Macro
Rule "ACCEPT fw loc icmp " added.
Rule "ACCEPT fw net icmp " added.
Processing Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" added.
Rule "DROP - - udp 137:139 - -" added.
Rule "DROP - - udp 1024: 137 -" added.
Rule "DROP - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" added.
..End Macro
Rule "dropBcast " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" added.
Rule "ACCEPT - - icmp time-exceeded - -" added.
..End Macro
Rule "dropInvalid " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" added.
Rule "REJECT - - udp 137:139 - -" added.
Rule "REJECT - - udp 1024: 137 -" added.
Rule "REJECT - - tcp 135,139,445 - -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" added.
..End Macro
Rule "dropNotSyn - - tcp " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" added.
..End Macro
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy DROP for net to fw using chain net2fw
Policy DROP for net to loc using chain net2loc
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
ERROR: Unable to determine the routes through interface "eth1"
Disabling IPV6...
IP Forwarding Enabled
Terminated
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Clearing Shorewall...Disabling IPV6...
IP Forwarding Enabled
done.
If I try to access Webmin after doing that, I can't; I have to stop the firewall.
Not sure what I am looking for, or what to do next.
Thanks for the help.