Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment - Page 2

Now do:

apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq

wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.330_all.deb

"surfnet" is the dutch server. Change that to "heanet"(for Ireland), "belnet"(for Belgium), "mesh" (for Germany) and so on.

dpkg -i webmin_1.330_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz policy.gz

Now open your browser and login to webmin at https://192.168.1.1:10000 as root with your root password and, using webmin's shorewall module, change the policy's and rules of your firewall as needed (for now, I only set the policy file to the example as shown, you may copy and paste my policy file for starters, if you don't like webmin).

Also set in /etc/shorewall.conf  the line "IP_FORWARDING=Keep"  to  "IP_FORWARDING=On" (without quotes) and enable the firewall in /etc/default/shorewall.

My /etc/shorewall/policy  now looks like this:

###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
#
# Note about policies and logging:
#	This file contains an explicit policy for every combination of
#	zones defined in this sample.  This is solely for the purpose of
#	providing more specific messages in the logs.  This is not
#	necessary for correct operation of the firewall, but greatly
#	assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc		net		ACCEPT
loc	$FW	ACCEPT
loc		all		REJECT		info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW	net	ACCEPT
$FW	loc	ACCEPT
$FW		all		REJECT		info
#
# Policies for traffic originating from the Internet zone (net)
#
net		$FW		DROP		info
net		loc		DROP		info
net		all		DROP		info
# THE FOLLOWING POLICY MUST BE LAST
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Next do:

/etc/init.d/shorewall start

You should be able now to surf the net.

DO NOT PROCEED UNTILL YOU SUCCEED IN SURFING THE NET.  SINCE THIS IS YOUR FRAMEWORK. IT HAS TO BE OK.

Share this page:

5 Comment(s)

Add comment

Comments

From: Chris Angelico at: 2011-02-25 05:28:11

You suggest in this howto that users 'sudo passwd' and then log in as root. There's an easier way, in the versions of Ubuntu that I've used: just use 'sudo -i'. It'll create an "initial login" system, which will give you bash and everything you need. Less fiddling, more safety.

From: at: 2007-01-30 17:28:02

Before this command can be done, you need to install mysql-server

apt-get install mysql-server-5.0

Now do:

mysqladmin -u root password yourrootsqlpassword ##USE A REAL PASSWORD HERE!

After this is done, then you can run the next command

Thanks

From: at: 2007-04-20 18:26:55

If the steps are followed and you install LAMP , it includes the installation of mysql.

From: at: 2007-04-20 18:34:47

This really doesn't have to happen. Later on this guide we compile dcc.

<quote>

cd /root

wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z

gunzip dcc.tar.Z

tar -xvf dcc.tar

cd dcc-1.3.45     ##or whatever version is current.

./configure

make

make install

 </quote>

Simply add to the ./configure line  --bindir=/usr/bin , it should look like this:

./configure --bindir=/usr/bin

and everything should be fine. 

 

 

 


 

From: at: 2007-06-08 08:38:09

Sorry, I was not understandable and choose wrong place to comment.

A. When I wrote /etc/shorewall/rules exactly  as written here (Page 10, up to words:

To comlete this step, do:

/etc/init.d/shorewall restart)

- I couldn't establish connection to my VPN-server.

I had to add new zone "vpn" in such a way: in /etc/shorewall/interfaces before the last line:

vpn ppp0

 in

/etc/shorewall/zones before the last line:

vpn ipv4

in

/etc/shorewall/policy before the last line:

##### for VPN

vpn loc ACCEPT

vpn $FW ACCEPT

loc vpn ACCEPT

$FW vpn ACCEPT

and modify in /etc/shorewall/rules the line:

DNAT net loc:192.168.1.1 tcp 1723

to the line: 

DNAT net $FW:192.168.1.1 tcp 1723

After all that the connection to VPN-server started properly .

B. When I wrote in /etc/shorewall/rules first to other rules

LOG:warning:L2    net     loc:192.168.1.1    47 

I found nothing in kern.log           

So I wonder, is protocol 47 necessary here in /etc/shorewall/rules ?

I hope, my comments help you to improve your brilliant HowTo