/srv/irclogs.ubuntu.com/2006/03/11/#ubuntu-server.txt

=== Xoritor [n=xoritor@xorit.net] has joined #ubuntu-server
=== Psi-Jack [i=psi-jack@cpe-70-112-220-160.austin.res.rr.com] has joined #ubuntu-server
12:46 <Psi-Jack> Man, I am so, so.. Blah when it comes to firewall setups on Linux these days. heh
12:46 <maswan> pfft on firewalls.
12:47 <Psi-Jack> Not really even just firewall. Mainly just port forwarding.. Namely from a single NIC.
12:47 <spike> eh?
12:48 <spike> Psi-Jack: if it's just forwarding, why not using "redirect"?
12:48 <Psi-Jack> spike: redirect?
12:48 <spike> if you just want that and have no iptables in place I do not see why taking the hassle
12:49 <spike> Psi-Jack: apt-cache show rinetd
12:49 <Psi-Jack> Oh, I want iptables in place. Basically the general thumb is, I'm setting up one Linux system as a DMZ from the front-end router, to make Linux handle all the necessary port forwards.
12:50 <Psi-Jack> And, I most DEFINITELY want all external IP's to remain external to the servers receiving it.
12:50 <spike> uhm, what frontend router is that? can't u just setup a dmz there?
12:50 <Psi-Jack> It's just a netgear router, actually.
12:51 <maswan> Psi-Jack: isn't it better to just put all the hosts on the network? nat does break some applications in rather subtle and evil ways.
12:51 <Psi-Jack> It has a port forwarding limit of 20 entries, too, which is definitely /not/ enough.
12:51 <spike> I c
12:52 <Psi-Jack> maswan: Heh, when it comes to that, I know what to do. I just suck at iptables. I'm used to ipf.
12:54 <Psi-Jack> Basically, right now, what I want to do, is block all external IP's, and chain in a couple accept rules in front of that, to allow specific services to run over the internet. Then setup specific port forwards to go elsewhere in the LAN, which I have about 6 other servers I need to forward for
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike] has joined #ubuntu-server
=== JulienH [i=kvirc@jem75-2-82-233-232-223.fbx.proxad.net] has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike] has joined #ubuntu-server
02:01 <Psi-Jack> Hmm.
02:02 <Psi-Jack> I'm having trouble with shorewall's hosts file. :/
02:02 <Psi-Jack> It keeps saying all my hosts have Invalid HOST(S) column contents. For things like 192.168.1.0/24, and 192.168.1.1 etc
=== nictuku [n=yves@200.163.24.8] has joined #ubuntu-server
=== ealden [n=ealden@203.76.212.213] has joined #ubuntu-server
=== Psi-Jack-v2 [i=psi-jack@cpe-70-112-220-160.austin.res.rr.com] has joined #ubuntu-server
04:08 <Psi-Jack-v2> Anyone here use shorewall, and handy?
04:09 <nictuku> I do
=== rinick [n=rinick@202.121.192.119] has joined #ubuntu-server
05:45 <nictuku> milestone1 of nwu is very close  :-) https://trac.ubuntubrasil.org/nwu
06:05 <Psi-Jack> nictuku: Do you by chance know how to do a single NIC NAT?
06:06 <nictuku> i think so
06:06 <Psi-Jack> I'm basically trying to make my firewall/router server run the gateway for my servers, having all the servers use it as the default gateway, while it itself uses the front-end router for its own default gateway.
06:07 <nictuku> well
06:08 <nictuku> but if the default gateway and the servers are all in the same subnet that won't work as expected, unless you put the server as a physical bridge
06:08 <nictuku> or are they in split sub networks?
06:08 <Psi-Jack> No, there's no split sub networking involved. :)
06:09 <Psi-Jack> I'm basically just splitting off the servers as more of a side dish, than anything. For now.
06:09 <nictuku> so, servers are like 10.0.0.20, default gateway is 10.0.0.1 and your linux router is 10.0.0.2?
06:10 <Psi-Jack> My front-end router is 192.168.1.1, which all my local's use, and the backend router, (which is the DMZ point of the front-end-router as well), is 192.168.1.20
06:10 <nictuku> that won't work, since the linux router will tell the servers and station to update their route and your design will be useless
06:11 <nictuku> you have to split them physically and use the linux server as a bridge, not a router
06:11 <infinity> Nah.
06:11 <nictuku> also, no NAT is involved there
06:11 <Psi-Jack> Eh? I setup all the servers to use the backend firewall/router as the default gateway.
06:12 <nictuku> Psi-Jack, and check the nodes routes after you try to talk to the outer world
06:12 <infinity> What subnet are you using for the internal machines?
06:12 <nictuku> if you use icmp PING, you'll get a 'nexthop: 192.168.1.1' message and they will just update their own routing tables.
06:12 <Psi-Jack> They're all using 192.168.1.0/24 for the network. There's no subnetting involved.
06:12 <infinity> Psi-Jack: That's your problem, then.
06:12 <nictuku> infinity, he's not using subnets
06:13 <infinity> Psi-Jack: You need a subnet (but it doesn't have to be physical, just logical), so you can tell the frontend router that all traffic to 192.168.2.0/24 should go to 192.168.1.20 with a static route.
06:13 <nictuku> Psi-Jack, anyway you have to split it physically, or you will have no security if you leave the nodes in the same network bus as the backend router
06:13 <Psi-Jack> nictuku: Why would the routes get changed, when I specifically set them otherwise?
06:13 <nictuku> I disagree with infinity :-)
06:14 <nictuku> split logical bus is a bad idea, if you don't split them physically
06:14 <Psi-Jack> nictuku: Security is not the issue. ;)
06:14 <nictuku> Psi-Jack, that's IP protocol stuff
06:15 <nictuku> That's still a bad idea, but if you really hate your job and don't take security into account, then just split the subnets
06:16 <nictuku> that can be administratively painful though. I'd make your linux server a bridge. That works really fine for me, with 5 sites and 1k+ nodes
06:16 <Psi-Jack> Hmm. Well, the backend router itself does have two NIC's, so as an alternative, I /can/ make it use it.
06:16 <infinity> If you bridge the subnets, you've not bought any more security.
06:16 <infinity> Your argument kinda falls apart there.
06:16 <infinity> Two bridged ethernet networks are still one physical network.
06:17 <nictuku> infinity, if his goal is to make all traffic pass by the linux machine, my point does stand
06:17 <nictuku> No because we can filter traffic the same as a router. A bridge firewall is exactly like a router firewall.
06:17 <nictuku> I mean, from the filtering point of view.
06:18 <Psi-Jack> nictuku: My goal is to have ONE NAT for the local clients, and two NAT's for the servers. While still allowing the local network to communicate efficiently with the server network.
06:18 <infinity> Yeah, or you could run VLANs at the previous router, or a variety of solutions.
06:18 <nictuku> indeed
06:19 <nictuku> why so many "NAT" (better call them masquerade networks, i think)?
06:19 <Psi-Jack> Masquerading == NAT, mind you. :)
06:19 <nictuku> that will just create a myriad of subnets
06:19 <Psi-Jack> nictuku: The reason for this is, this is, in fact, a home network, with a bunch of servers sitting in the back-end.
06:19 <nictuku> I know that
06:20 <nictuku> hm
06:20 <Psi-Jack> Rather than all the servers sitting in the front-end, with all the locals behind those, I have all the locals in the front, with the front-end re-directing all non-addressed traffic to the backend.
06:20 <nictuku> I still see no reason for a masqueraded network. But that's me, because I have a strong, personal opinion about "NAT's"
06:21 <nictuku> oh i see then
06:21 <Psi-Jack> That make more sense? I don't have a diagram to show it, so I try to explain it best as I can. ;)
06:21 <nictuku> I'm still confused hehe. let me re-read that
06:23 <Psi-Jack> I have about 6 front-end local clients that all use the front-end router for the default gateway. Some ports from the front-end PAT to individual clients. Stuff like ssh, game ports, VNC, etc..
06:23 <Psi-Jack> Anything not port-forwarded from the front-end, gets DMZ'd to the backend, which has the heavier firewall on it.
06:23 <Psi-Jack> And that backend needs to handle routing for the 16 servers behind it.
06:25 <nictuku> I see
06:25 <nictuku> you have a strange DMZ there, then hehe
06:25 <nictuku> seems like your 'local clients' act like a DMZ :-)
06:25 <Psi-Jack> It's strange, yes.. But it works better for a home-based network. ;)
06:25 <Psi-Jack> They are, essentially. ;)
06:26 <nictuku> and this 'strong firewall' is that linux router we have discussed?
06:26 <Psi-Jack> Correct.
06:26 <nictuku> I wish I had such a home network myself :-)
06:27 <Psi-Jack> All the servers using IT as the default gateway, will need DNAT's to portforward specific ports to their needed destinations, while they route back through the backend firewall, back to the front, and out the internet.
06:27 <Psi-Jack> I parallelized all my servers in the backend. Separate computers for webserver, mailserver, maildelivery, mysql database, ldap database, and etc...
06:27 <nictuku> ok then. Suppose you don't want to split into subnets, one possible design is (though I think infinity could provide a better solution):
06:29 <nictuku> hmm use a bridge :-)
06:29 <Psi-Jack> heh
06:30 <nictuku> in the first NIC of linux-router, plug the IT-signaled bus
06:30 <nictuku> in the second NIC, plug your servers
06:30 <nictuku> configure PAT rules in the IT router only
06:31 <nictuku> setup netfilters in the linux router, with rules for the traffic to and from the servers
06:31 <nictuku> finally, use shorewall for all that. I believe you mentioned it in the beginning.. shorewall is really nice
06:32 <Psi-Jack> Hmmm. I have 4 DNS servers in the server area, 2 of which are mydns, and 2 resolvers, that the mydns resort to for resolving. If I split them out like that, how exactly would I still get my local clients to talk to /both/ of them?
06:32 <nictuku> Although you have to setup the bridge in /etc/network/interfaces, with pre-up post-down commands. I don't have them in handy, unfortunately, but I think shorewall online docs has a sample of that for debian
06:34 <nictuku> how wouldn't they?
06:34 <nictuku> all boxes *could* have access to all other nodes, if you allow so in the firewall rules
06:34 <Psi-Jack> Hmmm..
06:34 <nictuku> they can have full network connectivity. No PAT here
06:34 <Psi-Jack> I guess I don't see how that works.
06:35 <Psi-Jack> PAT, basically is a port to a port.
06:35 <nictuku> and no DNAT either
06:36 <nictuku> node1 is a local client: 192.168.1.201.     server1 is a dns server: 192.168.1.21.
06:36 <nictuku> from node1 you can ping 192.168.1.21 and connect to any of its ports
06:36 <Psi-Jack> Hmm...
06:37 <nictuku> obviously you have to create rules to block or allow traffic from 'nodes' to 'servers'
06:37 <nictuku> in /etc/shorewall/policy:
06:37 <nictuku> nodes       server     DROP
06:37 <nictuku> in /etc/shorewall/rules:
06:38 <nictuku> ACCEPT       nodes       server:192.168.1.21 udp 53
06:38 <nictuku> ACCEPT       nodes       server:192.168.1.21 tcp 53
06:38 <nictuku> then nodes will only be able to do DNS requests to server1
06:39 <nictuku> also you have to setup policies and/or rules for the traffic from server1
06:40 <Psi-Jack> Hmm. Okay. Could you walk me through some of this, to get me started? I'm about to bring the second NIC of the firewall/router up, and wire it up. heh
06:40 <nictuku> hmm that is a lot of work you'll have to do, and it's 02:40 AM here, I'm crashing :-)
06:41 <nictuku> I suggest you read shorewall.net about bridges
06:41 <nictuku> it's nice documentation as far as I remember
=== bpuccio [n=brian@ool-457a9c38.dyn.optonline.net] has joined #ubuntu-server
06:46 <nictuku> Psi-Jack, I can try to help with specific issues, though
06:46 <Psi-Jack> alrighty
06:47 <nictuku> 203.41.193.137: icmp_seq=2 Redirect Host(New nexthop: 202.5.165.81)
06:47 <nictuku> this is the 'redirection' I mentioned earlier
06:48 <nictuku> that's why it's useless to setup a gateway for the nodes, but this gateway redirects to another router in the same subnet. result: "Redirect host"
06:49 <nictuku> https://lists.netfilter.org/pipermail/netfilter/2003-November/048077.html
06:49 <nictuku> it is possible to disable those, it seems
=== nictuku wonders if it's time to add nwu to freshmeat
07:02 <Psi-Jack> There we go. Re-wired them up a bit. One of my network cables just suddenly died, in the process. Could explain why that particular server was flakey on the connection at times. ;)
07:02 <nictuku> :-)
07:03 <Psi-Jack> Yay! Finally Skype has USD instead of JUST Euro! :D
07:05 <Psi-Jack> Anyway.
07:07 <nictuku> good news
07:07 <Psi-Jack> Wassat?
07:12 <Psi-Jack> Basically now, from the firewall/router, which I will now refer to as the IG, is using eth0 tying it in with the rest of the network, and eth1 tying in all the servers.
07:26 <Psi-Jack> heh.
07:26 <Psi-Jack> Great, and now my DNS is failing. :/
07:29 <nictuku> can you ping it?
07:29 <Psi-Jack> I can ping the servers, just fine, yes.
07:30 <Psi-Jack> But, now even the IG server can't ping an internet IP
07:31 <Psi-Jack> However, the LAN can communicate fine with the SLAN.
07:31 <Psi-Jack> LAN == Locals, while SLAN == Server LAN.
07:32 <Psi-Jack> And I have shorewall completely shut off at the moment.
07:33 <Psi-Jack> Technically, it should be able to do it. heh
07:33 <Psi-Jack> Ahh, there we go.
07:34 <Psi-Jack> two 0.0.0.0 gw 192.168.1.1's. One for eth0 and eth1 existed.
07:35 <Psi-Jack> But, now, still, the servers can't get to the internet. That's my stumping point.
=== ubijtsa2 [n=anders@213.208.70.150] has joined #ubuntu-server
=== ubijtsa_ [n=anders@213.208.70.150] has joined #ubuntu-server
=== allee [n=ach@allee.exgal.mpe.mpg.de] has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike] has joined #ubuntu-server
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr] has joined #ubuntu-server
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr] has joined #ubuntu-server
=== hunger [n=tobias@p54A61F1A.dip0.t-ipconnect.de] has joined #ubuntu-server
02:23 <hunger> Is xfonts-75dpi needed?
02:23 <hunger> Both KDE and Gnome seem to hardcode font resolution to ~100dpi
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr] has joined #ubuntu-server
=== Pygi [n=mario@83-131-242-196.adsl.net.t-com.hr] has joined #ubuntu-server
03:15 <allee> hunger: KDE uses whatever was autodetected by xserver (75 dpi as fallback)
03:18 <allee> hunger: oh, this is (k)ubuntu.  Sorry :(  Then for KDE:  75-110 dpi are mapped to 96 dpi, 110-140 DPI are set to 120 dpi. > 140 dpi: use the resolution
=== mgalvin [n=mgalvin@ubuntu/member/mgalvin] has joined #ubuntu-server
=== mgalvin [n=mgalvin@ubuntu/member/mgalvin] has joined #ubuntu-server
=== JulienH [n=JulienH@ATuileries-152-1-26-16.w82-123.abo.wanadoo.fr] has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== ivoks [n=ivoks@ubuntu/member/ivoks] has joined #ubuntu-server
=== lionelp_ [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== lbm [n=lbm@x1-6-00-13-10-7a-d1-e4.k233.webspeed.dk] has joined #ubuntu-server
=== Psi-Jack-v2 [n=psi-jack@cpe-70-112-220-160.austin.res.rr.com] has joined #ubuntu-server
=== |JulienH| [n=JulienH@ATuileries-152-1-60-171.w82-123.abo.wanadoo.fr] has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr] has joined #ubuntu-server
=== Pygi [n=mario@83-131-249-20.adsl.net.t-com.hr] has joined #ubuntu-server
=== nictuku [n=yves@201.24.19.127] has joined #ubuntu-server
11:36 <nictuku> hi
11:38 <Pygi> hi hi
=== |JulienH| [n=JulienH@ATuileries-152-1-60-171.w82-123.abo.wanadoo.fr] has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike] has joined #ubuntu-server