About My Network

My Current Network

I have DSL service and have 5 static IP addresses (206.124.146.176-180). My DSL "modem" is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). 

I use static NAT for all internal systems except my wife's system (tarry), which is masqueraded through the primary gateway address (206.124.146.176), and a server (206.124.146.177) in my DMZ which I manage using proxy ARP.

The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.16.

My personal Linux System (wookie) is 192.168.1.3 and my personal Windows system (ursa) is 192.168.1.5. Wookie runs Samba and acts as a WINS server.

The single system in the DMZ (address 206.124.146.177) runs postfix, Courier IMAP (imaps and pop3), DNS, a Web server and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs.

The firewall system itself runs a DHCP server that serves the local network.

All administration and publishing is done using ssh/scp.

I run PoPToP on my firewall system for when I am on the road with my Win2k laptop, and the firewall also serves as the endpoint of a PPTP tunnel to my employer (Compaq).

I run an SNMP server on my firewall to serve MRTG running on my personal system.

Finally, we have a WAP for when I'm roaming around the house with my laptop.


The ethernet interface in the Server is configured with IP address 206.124.146.177, netmask 255.255.255.0. The server's default gateway is 206.124.146.176 (the primary IP address of the firewall's external interface). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).

I configure the IP "aliases" 206.124.146.178-180 on the firewall's eth0 myself (outside Shorewall), so I have ADD_IP_ALIASES=No in my /etc/shorewall/shorewall.conf.

Note: My files use features not available before Shorewall version 1.2.5.

Zones File:

     #ZONE DISPLAY COMMENTS
     net     Internet         Internet
     loc     Local            Local networks
     dmz     DMZ              Demilitarized zone
     cpq     Compaq           Compaq Intranet
     #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

This is set up so that I can start the firewall before bringing up my Ethernet interfaces. It is important that 'loc' is defined before 'cpq' in the zones file since 'loc' also uses a ppp interface (see hosts file below).

     #ZONE    INTERFACE BROADCAST       OPTIONS
     net      eth0      206.124.146.255 routefilter,norfc1918
     loc      eth2      192.168.1.255   dhcp
     dmz      eth1      192.168.2.255   routestopped
     -        ppp+
     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Hosts File:

Note that PPTP clients connected to my firewall are treated as part of the local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.

     #ZONE HOST(S)               OPTIONS
     # Note - Samba is running on the firewall so we need 255.255.255.255
     #        included in the eth2 'loc' address range.
     loc   eth2:0.0.0.0/0        routestopped
     loc   ppp+:192.168.1.0/24
     cpq   ppp+:!192.168.1.0/24
     #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE

Common File:

     run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
     run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
     run_iptables -A common -p udp --dport 137:139 -j DROP
     run_iptables -A common -p tcp --dport 445 -j REJECT
     run_iptables -A common -p tcp --dport 135 -j REJECT
     run_iptables -A common -d 255.255.255.255 -j DROP
     run_iptables -A common -d 224.0.0.0/4 -j DROP
     ## The following rule is non-standard and compensates for tardy
     # DNS replies
     #
     run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP

Policy File:

     #CLIENT SERVER POLICY LOG LEVEL
     cpq     loc    ACCEPT
     cpq     fw     DROP
     fw      cpq    DROP
     loc     cpq    ACCEPT
     loc     net    ACCEPT
     fw      loc    ACCEPT
     net     all    DROP   info
     all     all    REJECT info
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Masq File:

Although most of our internal systems use static NAT, my test system (192.168.1.8) uses IP Masquerading (actually SNAT) as do visitors with laptops. Masquerading traffic from my server to Compaq ensures that all email I send to Compaq employees is sent through the encrypted tunnel.

     #INTERFACE           SUBNET		ADDRESS
     eth0                 192.168.1.0/24	206.124.146.176
     ppp+:!192.168.1.0/24 192.168.1.0/24
     ppp+:!192.168.1.0/24 206.124.146.177
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File:

     #EXTERNAL       INTERFACE INTERNAL    ALL LOCAL
     206.124.146.178 eth0      192.168.1.5 No  No
     206.124.146.179 eth0      192.168.1.3 No  No
     206.124.146.180 eth0      192.168.1.7 No  No

     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Proxy ARP File:

     #ADDRESS        INTERFACE EXTERNAL HAVEROUTE
     206.124.146.177 eth1      eth0     No
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
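Working out which source address a packet leaves with takes the three files above together: nat for the one-to-one mappings, masq for everything else, and proxyarp for the server that is passed through untouched. The script below is an added example (mine, not Shorewall's code and not from this page) that models that precedence for the nat and masq entries above. It assumes that a static NAT entry for the outgoing interface wins over the masq entries (the description of tarry versus the static-NAT'd hosts relies on that), that masq entries are tried in file order with the first match winning, that `ppp+` is a prefix wildcard and `:!net` a destination exclusion, and it uses the string `MASQUERADE` to stand for SNAT to the outgoing interface's own address.

```python
"""Model of the source address a packet carries when it leaves the firewall,
built from the nat and masq files above.  Added example, not Shorewall code.
Assumed order: a static NAT entry for the outgoing interface wins; otherwise
the first masq entry whose INTERFACE (with the '+' wildcard and ':!dest'
exclusion) and SUBNET both match applies; a host covered by neither, such
as the proxy ARP'd server, leaves with its own address."""
import ipaddress

# First three columns of the nat file above (ALL/LOCAL columns dropped).
NAT = """\
206.124.146.178 eth0 192.168.1.5
206.124.146.179 eth0 192.168.1.3
206.124.146.180 eth0 192.168.1.7
"""
# The masq file above, header removed.
MASQ = """\
eth0                 192.168.1.0/24   206.124.146.176
ppp+:!192.168.1.0/24 192.168.1.0/24
ppp+:!192.168.1.0/24 206.124.146.177
"""
MASQUERADE = "MASQUERADE"   # stands for SNAT to the outgoing interface's address


def parse_table(text):
    """Split a Shorewall-style file into rows, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def interface_matches(spec, iface, dst):
    """INTERFACE column: 'eth0' or 'ppp+' (prefix wildcard), optionally
    followed by ':dest' or ':!dest' to limit the entry by destination."""
    name, _, qual = spec.partition(":")
    wildcard = name.endswith("+") and iface.startswith(name[:-1])
    if not (iface == name or wildcard):
        return False
    if not qual:
        return True
    if qual.startswith("!"):
        return not in_net(dst, qual[1:])
    return in_net(dst, qual)


def source_after_nat(src, iface, dst):
    """Source address the next hop sees for a packet src -> dst leaving on iface."""
    for external, nat_iface, internal in parse_table(NAT):
        if nat_iface == iface and src == internal:
            return external                  # one-to-one static NAT
    for row in parse_table(MASQ):
        if interface_matches(row[0], iface, dst) and in_net(src, row[1]):
            return row[2] if len(row) > 2 else MASQUERADE
    return src                               # untouched, e.g. the proxy ARP host


if __name__ == "__main__":
    for args in [("192.168.1.3", "eth0", "1.2.3.4"),
                 ("192.168.1.8", "eth0", "1.2.3.4"),
                 ("192.168.1.8", "ppp0", "192.168.1.20"),
                 ("206.124.146.177", "eth0", "1.2.3.4")]:
        print(args, "->", source_after_nat(*args))
```

The interesting cases are the ones the tables do not state directly: a statically NAT'd host that goes out over the PPTP tunnel is masqueraded (the nat entry is tied to eth0), and a local host talking to a PPTP client is not translated at all because of the `:!192.168.1.0/24` exclusion.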

Rules File:

     #RESULT     CLIENT(S)       SERVER(S)         PROTO PORT(S) CLIENT PORT(S) ADDRESS
     #
     # Local Network to Internet - Reject attempts by Trojans to call home using IRC
     #
     REJECT:info loc             net               tcp   6667
     #  
     # Local Network to Firewall
     #
     ACCEPT      loc             fw                tcp   ssh,time
     ACCEPT      loc             fw                udp   snmp

     # Local Network to DMZ
     #
     ACCEPT      loc             dmz               udp   domain
     ACCEPT      loc             dmz               tcp   domain,smtp,ssh,auth,imaps
     ACCEPT      loc             dmz               tcp   www,ftp,pop3
     ACCEPT      loc             dmz               icmp  echo-request
     #
     #
     # Internet to DMZ -- Note: My secondary Name Server is 4.3.113.178
     #
     ACCEPT      net             dmz                tcp   www,ftp,smtp,imaps
     ACCEPT      net             dmz                udp   domain
     ACCEPT      net:4.3.113.178 dmz                tcp   domain
     REJECT      net             dmz                tcp   auth
     #
     # Net to Local -- Allow ICQ to 206.124.146.179 (a.k.a 192.168.1.3)
     #                 and auth to all systems. Silently reject bots
     #
     ACCEPT      net             loc:192.168.1.3    tcp   4000:4100
     ACCEPT      net             loc                tcp   auth
     REJECT      net             loc                tcp   www
     #
     # DMZ to Internet
     #
     ACCEPT      dmz             net                icmp  echo-request
     ACCEPT      dmz             net                tcp   smtp,auth,domain
     ACCEPT      dmz             net                udp   domain
     ACCEPT      dmz             net                udp   ntp
     #
     # I have an email account with my ISP and for the time being, both my
     # wife and I have email accounts at our old ISP. These are for fetchmail
     # running in the DMZ.
     #
     ACCEPT      dmz             net:206.124.128.18 tcp   pop3
     ACCEPT      dmz             net:206.191.151.2  tcp   pop3
     #
     # DMZ to Firewall -- Silently reject Auth since I don't run identd on the
     #                    firewall.
     #
     REJECT      dmz             fw                 tcp   auth
     #
     # DMZ to Local Network
     #
     ACCEPT      dmz             loc                tcp   smtp,auth
     ACCEPT      dmz             loc                icmp  echo-request
     #
     # DMZ to Compaq -- DNS queries and email to compaq.com, cpqcorp.net and
     #                  dec.com are sent through the PPTP tunnel. The tunnel
     #                  has a large routing table that ensures that all 
     #                  Compaq-bound traffic uses the tunnel.
     #
     ACCEPT      dmz             cpq                udp   domain
     ACCEPT      dmz             cpq                tcp   smtp
     ACCEPT      dmz             cpq                icmp  echo-request
     #
     # Internet to Firewall -- Allow incoming SSH and PPTP. PPTP requires both
     #                         TCP port 1723 and GRE (protocol 47). I have
     #                         modified /etc/protocols to include gre.
     #
     #                         Silently reject Auth since I don't run an ident
     #                         server on the firewall. Silently reject bots. 
     #
     ACCEPT      net             fw                 tcp   ssh,1723
     ACCEPT      net             fw                 gre
     REJECT      net             fw                 tcp   auth,www
     #
     # Firewall to Internet -- Allow NTP, DNS, WWW (for updating my dyndns.org
     #                         registration), SSH, PPTP (tcp port 1723 and GRE), 
     #                         whois and ping.
     #
     ACCEPT      fw              net                udp   ntp
     ACCEPT      fw              net                udp   domain
     ACCEPT      fw              net                tcp   domain,www,ssh,1723,whois
     ACCEPT      fw              net                gre
     ACCEPT      fw              net                icmp  echo-request
     #
     # Firewall to DMZ - FTP and DNS queries.
     #
     ACCEPT      fw              dmz                tcp   ftp
     ACCEPT      fw              dmz                udp   domain
     REJECT      fw              dmz                udp   137:139
     #
     # Firewall to Compaq - Just ping
     #
     ACCEPT      fw              cpq                icmp  echo-request
   
     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
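The rules and policy files above are evaluated in a fixed order: the rules file is scanned top to bottom and the first entry that matches the zones, protocol and port decides; only if nothing matches is the policy file scanned, again first match wins, with `all` standing for any zone. The script below is an added example (mine, not Shorewall's code and not from this page) that applies that order to excerpts of the two files so that a question such as "what happens to a zone transfer from a host other than my secondary name server?" can be answered without reading iptables output. The service-name table is an assumed subset of /etc/services; the common chain, connection tracking, intra-zone traffic and `!` negations are not modelled. It handles the general column syntax (`zone:address`, DNAT `zone:address:port`, REDIRECT `zone::port`), not only the forms used in the excerpt.

```python
"""Model of how Shorewall 1.2 decides a new connection's fate: the rules file
is scanned in order and the first matching entry wins; if none matches, the
policy file is scanned in order and the first CLIENT/SERVER pair that fits
("all" matching any zone) supplies the verdict.  Added example, not Shorewall
code; the common chain, connection tracking, intra-zone traffic and "!"
negations are ignored."""
import ipaddress

# Port names resolved as /etc/services would (assumed subset).
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "time": 37, "whois": 43,
            "domain": 53, "www": 80, "pop3": 110, "auth": 113, "ntp": 123,
            "snmp": 161, "imaps": 993}

# Excerpts taken from the policy and rules files above (same columns).
POLICY = """\
cpq     loc    ACCEPT
cpq     fw     DROP
fw      cpq    DROP
loc     cpq    ACCEPT
loc     net    ACCEPT
fw      loc    ACCEPT
net     all    DROP   info
all     all    REJECT info
"""
RULES = """\
REJECT:info loc             net               tcp   6667
ACCEPT      loc             fw                tcp   ssh,time
ACCEPT      loc             fw                udp   snmp
ACCEPT      net             dmz               tcp   www,ftp,smtp,imaps
ACCEPT      net             dmz               udp   domain
ACCEPT      net:4.3.113.178 dmz               tcp   domain
REJECT      net             dmz               tcp   auth
ACCEPT      net             loc:192.168.1.3   tcp   4000:4100
ACCEPT      net             loc               tcp   auth
REJECT      net             loc               tcp   www
ACCEPT      net             fw                tcp   ssh,1723
ACCEPT      net             fw                gre
REJECT      net             fw                tcp   auth,www
"""


def parse_table(text):
    """Split a Shorewall-style file into rows, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """spec is a comma-separated list of service names, numbers or low:high ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False


def endpoint_matches(spec, zone, addr):
    """CLIENT/SERVER column: 'zone', 'zone:address[/mask]', 'zone:address:port'
    (DNAT) or 'zone::port' (REDIRECT).  A bare zone matches every host in it."""
    z, _, rest = spec.partition(":")
    if z != zone:
        return False
    net = rest.split(":", 1)[0]          # drop any DNAT/REDIRECT port suffix
    if not net:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def verdict(src_zone, src_ip, dst_zone, dst_ip, proto, dport=None):
    """Return (ACTION, 'rule' or 'policy') for a new connection.  dport is a
    port number for tcp/udp and an ICMP type name (e.g. echo-request) for icmp."""
    for row in parse_table(RULES):
        result, client, server, rproto = row[:4]
        ports = row[4] if len(row) > 4 else None
        if rproto not in (proto, "all"):
            continue
        if not (endpoint_matches(client, src_zone, src_ip)
                and endpoint_matches(server, dst_zone, dst_ip)):
            continue
        if ports and proto in ("tcp", "udp") and not port_matches(ports, dport):
            continue
        if ports and proto == "icmp" and ports != dport:
            continue
        return result.split(":")[0], "rule"   # 'REJECT:info' logs, then rejects
    for client, server, policy, *_ in parse_table(POLICY):
        if client in (src_zone, "all") and server in (dst_zone, "all"):
            return policy, "policy"
    raise LookupError("no matching policy (Shorewall would refuse to start)")


if __name__ == "__main__":
    print(verdict("net", "4.3.113.178", "dmz", "206.124.146.177", "tcp", 53))
    print(verdict("net", "1.2.3.4", "dmz", "206.124.146.177", "tcp", 53))
    print(verdict("net", "1.2.3.4", "loc", "192.168.1.5", "tcp", 4010))
```

Two results worth noticing: a TCP DNS connection from anywhere but 4.3.113.178 falls through every rule to the `net all DROP` policy, so zone transfers are limited to the secondary without an explicit REJECT, and ICQ to any local host other than 192.168.1.3 is dropped by that same policy rather than by the narrower ACCEPT rule.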

My Old Network -- Prior to 10/16/2001.

I had DSL service and got my external IP address via DHCP. My DSL "modem" was connected through a 10Mbps hub to eth0 (I could get up to 3 dynamic IP addresses and I also had an LRP-based firewall connected to this hub). I had a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24).

Although I got my external IP address via DHCP, I kept the same address until I took the firewall down for an extended period of time or I installed a new NIC as eth0. Consequently, my firewall rules contained explicit references to that address (206.191.149.206). 

The firewall ran on a 128MB PII/233 with RH7.1 and Kernel 2.4.9-2.4.15.

My personal system was 192.168.1.5 and all external icq connection requests were forwarded to that system.

There was a single system (192.168.2.2) in the DMZ and that system ran postfix, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system also ran fetchmail to fetch our email from our ISP.

The firewall system itself ran a DHCP server that served the local network.

All administration and publishing was done using ssh/scp.

I ran PoPToP on my firewall system for when I was on the road with my Win2k laptop and the firewall served as the endpoint of a PPTP tunnel to my employer (Compaq).

I ran an SNMP server on my firewall to serve MRTG running on my personal system.

I ran Squid on my firewall and used it as a Transparent HTTP proxy.

Finally, the firewall acted as an IPSEC gateway to a peer network in Dallas, Texas. I was using FreeS/WAN 1.91.

Note: My files used features not available before Shorewall version 1.1.12.

Zones File:

     #ZONE  DISPLAY    COMMENTS
     net    Internet   Internet
     loc    Local      Local networks
     dmz    DMZ        Demilitarized zone
     tx     Texas      Peer network in Dallas
     cpq    Compaq     Compaq Intranet
     #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File:

This is set up so that I can start the firewall before bringing up my Ethernet interfaces. It is important that 'loc' is defined before 'cpq' since 'loc' also uses a ppp interface (see hosts file below).

     #ZONE    INTERFACE BROADCAST       OPTIONS
     net      eth0      206.191.149.223 dhcp,norfc1918,routefilter,noping
     loc      eth2      192.168.1.255   dhcp
     dmz      eth1      192.168.2.255
     tx       ipsec0    -
     cpq      ppp+
     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Hosts File: 

Note that PPTP clients connected to my firewall are treated as part of the local zone (loc). They are given IP addresses in the 192.168.1.0/24 subnet.

     #ZONE HOST(S)             OPTIONS
     dmz   eth1:192.168.2.2    routestopped
     loc   eth2:192.168.1.0/24 routestopped
     loc   ppp+:192.168.1.0/24
     tx    ipsec0:192.168.9.0/24
     #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE

Policy File:

     #CLIENT SERVER POLICY LOG LEVEL
     cpq     loc    ACCEPT
     cpq     fw     DROP
     fw      cpq    DROP
     loc     cpq    ACCEPT
     loc     net    ACCEPT
     fw      loc    ACCEPT
     fw      tx     ACCEPT
     tx      loc    REJECT
     loc     tx     ACCEPT
     net     all    DROP   info
     all     all    REJECT info
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Tunnels File (Gateway address falsified):

     #TYPE  ZONE GATEWAY        GATEWAY ZONE
     ipsec  net  130.252.100.21 tx
     #LAST LINE -- DO NOT REMOVE

Masq File:

My local network is masqueraded to the internet. Outbound tunnel traffic to Compaq is also masqueraded, but only when the destination lies outside 192.168.1.0/24 (Compaq does not use that subnet, and my own PPTP clients have addresses in it); the exclusion keeps traffic destined for my PPTP clients from being masqueraded.

     #INTERFACE                 SUBNET
     eth0                       192.168.1.0/24
     eth0                       192.168.2.0/24
     ppp+:!192.168.1.0/24       192.168.1.0/24
     ppp+:!192.168.1.0/24       192.168.2.0/24
     #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Rules File:

     #RESULT CLIENT(S) SERVER(S)       PROTO PORT(S) CLIENT PORT(S) ADDRESS
     #
     # Local Network to Internet - Reject attempts by Trojans to call home
     #
     REJECT:info loc   net             tcp   6667
     #
     # Local Network to Firewall - Allow SSH, swat, time, NETBIOS
     # noise and SNMP. I also run Squid on my firewall as a Transparent Proxy. I
     # don't want local requests for my web server to use the proxy.
     #
     # (note: if I access my webserver using the address 192.168.2.2, the proxy
     #  _is_ used).
     #
     ACCEPT  loc       fw              tcp   ssh,swat,135,137:139,445,time
     ACCEPT  loc       fw              udp   137:139,snmp
     ACCEPT  loc       fw::8080        tcp   http    -              !206.191.149.206
     #
     # Local Network to DMZ - Allow DNS, SMTP, SSH, AUTH, PING, FTP, WWW and POP3
     #
     ACCEPT  loc       dmz             udp   domain
     ACCEPT  loc       dmz             tcp   domain,smtp,ssh,auth
     ACCEPT  loc       dmz             icmp  echo-request
     ACCEPT  loc       dmz:192.168.2.2 tcp   ftp,www,pop3 -         206.191.149.206
     #
     #
     # Internet to DMZ - Allow SMTP, WWW, FTP
     #
     ACCEPT  net       dmz:192.168.2.2 tcp   www,ftp,smtp -         all
     ACCEPT  net       dmz:192.168.2.2 udp   domain  -              all
     #
     # Net to Local -- ICQ
     #
     ACCEPT  net       loc:192.168.1.5 tcp   4000:4100 -            all
     #
     # DMZ to Internet - Allow ping, SMTP, NTP, Auth, POP3 and DNS
     #
     # Note: 206.191.149.193 is the IP address of the stratum 2 time server that I
     #       sync to.
     # Note: 206.191.151.2 is our ISP's POP3 server.
     #
     ACCEPT  dmz       net                 icmp  echo-request
     ACCEPT  dmz       net                 tcp   smtp,auth,domain
     ACCEPT  dmz       net:206.191.149.193 udp   ntp
     ACCEPT  dmz       net:206.191.151.2   tcp   pop3
     ACCEPT  dmz       net                 udp   domain
     #
     # DMZ to Firewall -- Silently reject Auth
     #
     REJECT  dmz       fw                  tcp   auth
     #
     # DMZ to Local Network - Allow SMTP, AUTH and PING
     #
     ACCEPT  dmz       loc             tcp   smtp,auth
     ACCEPT  dmz       loc             icmp  echo-request
 
     #
     # DMZ to Compaq -- DNS
     #
     ACCEPT  dmz        cpq            udp   domain
     ACCEPT  dmz        cpq            tcp   domain,smtp
     ACCEPT  dmz        cpq            icmp  echo-request
     #
     # DMZ to Texas -- SMTP, POP3, AUTH and ping
     #
     ACCEPT  dmz        tx             tcp   smtp,pop3,auth
     ACCEPT  dmz        tx             icmp  echo-request
     #
     # Texas to DMZ -- SMTP, POP3, AUTH and ping
     #
     ACCEPT  tx         dmz            tcp   smtp,pop3,auth
     ACCEPT  tx         dmz            icmp  echo-request
     # 
     # Internet to Firewall - Allow PPTP, Auth and SSH
     #
     ACCEPT  net        fw             tcp   ssh,auth,1723
     ACCEPT  net        fw             gre
     #
     # Firewall to Internet - Allow NTP, DNS, PPTP, HTTP and Whois
     #
     ACCEPT  fw         net:206.191.149.193 udp ntp
     ACCEPT  fw         net            udp   domain,33434:33500
     ACCEPT  fw         net            tcp   domain,www,ssh,1723,whois
     ACCEPT  fw         net            gre
     ACCEPT  fw         net            icmp  echo-request
     #
     # Firewall to DMZ - Reject NETBIOS noise but accept http, ftp and DNS
     #
     ACCEPT  fw         dmz            tcp   http,ftp
     ACCEPT  fw         dmz            udp   domain
     REJECT  fw         dmz            udp   137:139
     #
     # Firewall to Compaq - Ping
     #
     ACCEPT  fw         cpq            icmp  echo-request
     #
     # Allow Texas access to my personal system
     
     #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Last updated 4/15/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.