NTP and Shorewall

X11
guru
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia
Contact:

Post by X11 »

My server computer can't update its time with the ntp server because shorewall is blocking it.

How do I unblock it?


Post by X11 »

In fact, I want everything to be able to go to and from the firewall (but not the Internet of course) and everything to be allowed to be sent out. Other ports I will block later.

Howz0r?


Post by X11 »

Actually I think I got it.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main »

I am assuming you only have two interfaces on your firewall and are not running a DMZ.

In your /etc/shorewall/rules file you could:

DNAT    net    loc:xxx.xxx.xxx.xxx   tcp   http   -

where xxx.xxx.xxx.xxx is an internal machine you are using as your web server.

In your /etc/shorewall/policy file you could:

loc    all    ACCEPT
fw     all    ACCEPT
net    all    DROP       info
all    all    REJECT     info

In your /etc/shorewall/masq file you could:

eth0   eth1

where eth0 is connected to the internet and eth1 is connected to your local private network.

In your /etc/shorewall/interfaces you could have:

net   eth0   detect   dhcp
loc   eth1   detect   blacklist

In your /etc/shorewall/blacklist you might have:

192.168.0.0/24   tcp   80

which would prevent all of your internal machines from connecting to the internet via the default http port. This might be useful if you want to also run Squid on your firewall machine and require your internal clients to go through the proxy if they want to get to the net.

I also put some things in my /etc/shorewall/params file:

NET_IP=`/sbin/ifconfig eth0 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`
LOC_IP=`/sbin/ifconfig eth1 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`
DMZ_IP=`/sbin/ifconfig eth2 | grep "inet addr" | cut -f2 -d":" | cut -f1 -d" "`

The above allows me to use variables ($NET_IP) in place of my interface IP addresses where required in my configuration files. It comes in handy: if my external interface (DHCP) gets a new IP address, I don't have to change any configuration files.
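An added example, not part of the thread and not Void Main's configuration: the policy above gives the firewall zone (fw) a blanket ACCEPT to everything, which is why NTP works once it is in place; if you prefer to keep fw -> net closed by default and open only what the time daemon needs, the exceptions belong in /etc/shorewall/rules, because Shorewall consults rules before falling back to policy. It assumes the same zone names (fw, loc, net) and two-interface layout as the thread, and that ntpd on the firewall is the only NTP client.

```text
# /etc/shorewall/policy  (tightened: fw -> net is no longer a blanket ACCEPT)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       fw     ACCEPT
loc       net    ACCEPT
fw        loc    ACCEPT
fw        net    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (explicit holes; anything not listed falls through to the policy above)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
# the firewall's own ntpd syncing against upstream servers (NTP is UDP port 123)
ACCEPT    fw       net    udp     123
# LAN clients syncing against the firewall (only needed if ntpd serves time to loc)
ACCEPT    loc      fw     udp     123
# DNS lookups for the server hostnames listed in ntp.conf
ACCEPT    fw       net    udp     53
ACCEPT    fw       net    tcp     53
```

Run `shorewall check` before `shorewall restart` so a syntax error in the edited files shows up before the old ruleset is torn down.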
