Internet sharing and Gateway in Same ISPConfig Box

Discussion in 'Installation/Configuration' started by Morons, Sep 15, 2006.

  1. Morons

    Morons Member

I have used iptables and Mandriva's Shorewall with huge success in setting the NAT/PAT up in the Internet sharing environment. Shorewall is disabled in Mandriva and ISPConfig adds Bastille, or a version thereof. I do not know or understand Bastille yet. It seems to be using MASQ and literal IPs, therefore IP changes in the interfaces do not automatically set up the firewall at reboot like Shorewall would, where you only say e.g. NET = eth0 and LAN = eth1.

I see that ISPConfig includes only parts of the Bastille software (the bastille executable seems to be removed / renamed). I ran updatedb and locate bastille came up empty, and I could not use the Bastille utility as described on their website.

My problem is now to change the Bastille config files to allow for a proper GW server w/o interfering with the ISPConfig control over this Bastille software.

I have a DSL router with ETH, thus my default GW. My Fedora 5 box has eth1 and the inside network is on eth0.

In Shorewall I only need to define the internet interface and the LAN interface - is there such an easy way with Bastille config files that will not be modified by ISPConfig? ;)
    Last edited: Sep 15, 2006
  2. pablito

    pablito New Member

    If you're happy with Shorewall then use it instead. If you turn off firewalling in ISP then there isn't any interference. That's what I do....
  3. Morons

    Morons Member

FC5 does not have Shorewall! And for some stupid reason the hardware I have does not run Mandriva.
  4. Ben

    Ben ISPConfig Developer ISPConfig Developer

Well, I just set up an exit; in the Bastille firewall script so that ISPConfig's settings do not influence my iptables settings set up with firehol (an abstraction shell script, easy to configure and very flexible). Maybe that can help you?

Because I set up a NAT rule to forward a port served by our proxy to 81, which is messed up every time I restart any service with ISPConfig...
  5. Morons

    Morons Member

    Elegant way

Yes, the point is NOT to use anything external (other than the pure ISPConfig set-up) here.
A standard install on any platform for easy reproduction is the need. I have plenty of ways of doing it outside this environment, but all I need is the modification required inside /root/ispconfig/isp/conf/bastille-firewall.cfg.master to make this work. That will give me a nice PURE install, much more elegant than otherwise. :rolleyes:
  6. till

    till Super Moderator Staff Member ISPConfig Developer

1) The Bastille firewall script is named "Bastille" and not "bastille", so locate "Bastille" will give you the locations of the scripts.

    2) If you want to change the Bastille firewall script globally, edit the template file in /root/ispconfig/isp/conf/

3) If you don't like Bastille, you may use any other firewall with ISPConfig as well.
  7. Morons

    Morons Member

GW via SNAT and NOT MASQ

I did find it. It is a MOD and this should only be done if you know your stuff. I do not like this; although clearly the intended method by the author, it is messy and non-elegant. I would have liked to see a setting in the bastille-firewall.cfg file asking to SNAT or MASQ.

vi /sbin/bastille-netfilter (or otherwise edit /sbin/bastille-netfilter)
Remark (comment out) the lines around line 390-391:
# ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
# ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
Around line 397 remove the # (uncomment it).

What is great is that the DEFAULT_GW_IFACE is self-detected and comes from your interface set-up.
    Last edited: Sep 18, 2006
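The two rule sets the post above switches between by hand (MASQUERADE versus SNAT on the POSTROUTING chain, plus the FORWARD rules) can be generated from just the LAN network and the detected default-gateway interface. The script below is an added example, not code from the thread or from Bastille/ISPConfig; the script name, the use of `ip route` for interface detection, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the NAT/forward rules that the
# post edits by hand in /sbin/bastille-netfilter, for either MASQUERADE or
# SNAT mode. --dry-run prints the rules, --apply loads them (needs root).
set -eu

IPTABLES=${IPTABLES:-iptables}

# Interface carrying the default route (what Bastille calls DEFAULT_GW_IFACE).
detect_gw_iface() {
    ip -4 route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }}'
}

# First IPv4 address on an interface, needed for SNAT --to-source.
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{sub(/\/.*/, "", $4); print $4; exit}'
}

# Print the rules for one mode. Arguments: mode (masq|snat), LAN network in
# CIDR notation, public interface, public address (only used for snat).
nat_rules() {
    mode=$1; net=$2; pub=$3; pubaddr=${4:-}
    case $mode in
        masq) echo "$IPTABLES -t nat -A POSTROUTING -s $net -o $pub -j MASQUERADE" ;;
        snat) [ -n "$pubaddr" ] || { echo "snat mode needs a public address" >&2; return 1; }
              echo "$IPTABLES -t nat -A POSTROUTING -s $net -o $pub -j SNAT --to-source $pubaddr" ;;
        *)    echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Outbound from the LAN is allowed; inbound only for reply traffic.
    echo "$IPTABLES -A FORWARD -s $net -o $pub -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $pub -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

main() {
    action=$1; mode=$2; net=$3
    pub=$(detect_gw_iface)
    pubaddr=$(iface_addr "$pub")
    if [ "$action" = "--apply" ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        nat_rules "$mode" "$net" "$pub" "$pubaddr" | sh -e
    else
        nat_rules "$mode" "$net" "$pub" "$pubaddr"
    fi
}

# Usage (sample LAN, constructed): ./nat-gw.sh --dry-run snat 192.168.1.0/24
[ $# -eq 0 ] || main "$@"
```

SNAT needs the interface address at rule-load time, which is why a static address on the public interface (or a re-run on address change) is required; MASQUERADE reads it per packet, which is the trade-off the post runs into.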
  8. Morons

    Morons Member

My solution above didn't work for some reason. I missed another setting, although the in-script comments allow this; I had to use MASQ in the end. :) Ran out of time.
Till/Falko, can't you guys look into this and give us a solution inside the ISPConfig system, as this is surely needed? Bastille is very badly documented!
