-- MikeGore - 14 Feb 2012

Files

Dependencies

  • DNSMASQ - the dnsmasq package has to be installed and configured

Documentation

How to set up

  • Details in the following sections
    • Update setvars
    • Optionally update firewall
    • Install firewall.rc

Primary Configuration files

setvars

  • common interface names and networks for the firewall scripts
  • EXTIP is the IP for your External interface
  • EXTIF is the name of the external interface
  • COMM is the interface name of your private network
  • VLAN_COMM is the address scope of the private network
       # Your external network address and interface
       # CHANGE ME
       EXTIP="129.97.nnn.nnn"
       EXTIF=eth0
    
       # Private NAT/MASQ network
       # Compute Node COMM traffic
       COMM=eth1
       VLAN_COMM="192.168.2.0/24"
       
  • Notes: to add more private networks, create new entries and duplicate the COMM rules in the firewall script with a new keyword
    • Example: we can add NFS like this
         # NFS network
         # Compute Node NFS traffic
         NFS=eth2
         VLAN_NFS="10.0.1.0/24"
         

firewall

  • This is the actual firewall script

Features of the firewall script example

  • Forwards using NAT/MASQ traffic between internal network COMM and the external interface
  • Blocks sending SMTP port 25 from the COMM network to the outside world
  • Blocks all outbound SMB destined to ports 137:139 and 445 outside of UofW address space
  • Commented out example that allows SAMBA access from the University networks
  • Allows SSH from the University Networks
  • Allows WEB and CUPS access from 129.97.15 University Network
  • Allows access for backup.cs
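
The NAT/MASQ forwarding and SMTP block listed above, and the setvars note about duplicating the COMM rules for an extra network such as NFS, can be written as one function called once per private network. This is an added example, not the firewall script from this page; `private_net_rules`, `all_private_rules` and the `IPT` variable are hypothetical names, and by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not the page's firewall script: prints the per-network rules
# instead of applying them, so they can be reviewed without root.

# Values as in setvars (EXTIP is omitted because MASQUERADE does not need it).
EXTIF=eth0
COMM=eth1
VLAN_COMM="192.168.2.0/24"
NFS=eth2
VLAN_NFS="10.0.1.0/24"

# IPT is a hypothetical knob: the default only echoes each command.
# Run with IPT=iptables as root to apply the rules for real.
IPT="${IPT:-echo iptables}"

# private_net_rules IFACE CIDR (hypothetical helper)
# Emits the NAT/MASQ and SMTP-block rules for one private network.
private_net_rules() {
    _if="$1"
    _net="$2"
    # Refuse empty or non-CIDR input before any rule is emitted.
    [ -n "$_if" ] || { echo "private_net_rules: missing interface" >&2; return 1; }
    case "$_net" in
        ?*/?*) ;;
        *) echo "private_net_rules: bad network '$_net'" >&2; return 1 ;;
    esac
    # SMTP block goes first so the broader ACCEPT below cannot shadow it.
    $IPT -A FORWARD -i "$_if" -o "$EXTIF" -s "$_net" -p tcp --dport 25 -j REJECT
    # Outbound traffic from the private network to the external interface.
    $IPT -A FORWARD -i "$_if" -o "$EXTIF" -s "$_net" -j ACCEPT
    # Inbound: only replies to connections the private side opened.
    $IPT -A FORWARD -i "$EXTIF" -o "$_if" -d "$_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the private source address on the way out (NAT/MASQ).
    $IPT -t nat -A POSTROUTING -s "$_net" -o "$EXTIF" -j MASQUERADE
}

# One call per private network replaces a hand-copied block of COMM rules.
all_private_rules() {
    private_net_rules "$COMM" "$VLAN_COMM" &&
    private_net_rules "$NFS" "$VLAN_NFS"
}

all_private_rules
```

Rule order matters here: iptables stops at the first matching rule, so the port 25 REJECT has to be appended before the general ACCEPT for the same interface.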

firewall.rc

  • firewall init.d service script
    • Install:
      • cp -p firewall.rc /etc/init.d/firewall
      • update-rc.d firewall defaults

Helper scripts

allow

  • resets and disables the firewall NAT MASQ Forwarding functions

addhost IP

  • add a host IP for SSH access - until reboot

delhost IP

  • remove a host IP for SSH access - until reboot

checkhost

  • check if a host has SSH access

openhost IP

  • add a host IP for ALL access - until reboot

blockhost MAC

  • block a host by MAC - until reboot
Topic revision: r2 - 2015-02-18 - RonaldoGarcia