=== Xoritor [n=xoritor@xorit.net]  has joined #ubuntu-server
=== Psi-Jack [i=psi-jack@cpe-70-112-220-160.austin.res.rr.com]  has joined #ubuntu-server
[12:46] <Psi-Jack> Man, I am so, so.. Blah when it comes to firewall setups on Linux these days. heh
[12:46] <maswan> pfft on firewalls.
[12:47] <Psi-Jack> Not really even just firewall. Mainly just port forwarding.. Namely from a single NIC.
[12:47] <spike> eh?
[12:48] <spike> Psi-Jack: if it's just forwarding, why not using "redirect"?
[12:48] <Psi-Jack> spike: redirect?
[12:48] <spike> if just want that and have no iptables in place I do not see why taking the hassle
[12:49] <spike> Psi-Jack: apt-cache show rinetd
[12:49] <Psi-Jack> Oh, I want iptables in place. Basically the general thumb is, I'm setting up one Linux system as a a DMZ from the front-end router, to make Linux handle all the necessary port forwards.
[12:50] <Psi-Jack> And, I most DEFINATELY want all external IP's to remain external to the servers receiving it.
[12:50] <spike> uhm, what frontendrouter is that? cant u just setup and dmz there?
[12:50] <Psi-Jack> It's just a netgear router, actually.
[12:51] <maswan> Psi-Jack: isn't it better to just put all the hosts on the network? nat does break some applications in rather subtle and evil ways.
[12:51] <Psi-Jack> It has a port forwarding limit of 20 entries, too, which is definately /not/ enough.
[12:51] <spike> I c
[12:52] <Psi-Jack> maswan: Heh, when it comes to that, I know what to do. I just suck at iptables. I'm used to ipf.
[12:54] <Psi-Jack> Basically, right now, what I want to do, is block all external IP's, and chain in a couple accept rules in front of that, to allow specific services to run over the internet. Then setup specific port forwards to go elsewhere in the LAN, which I have about 6 other servers I need to forward for
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike]  has joined #ubuntu-server
=== JulienH [i=kvirc@jem75-2-82-233-232-223.fbx.proxad.net]  has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike]  has joined #ubuntu-server
[02:01] <Psi-Jack> Hmm.
[02:02] <Psi-Jack> I'm having trouble with shorewall's hosts file. :/
[02:02] <Psi-Jack> It keeps saying all my hosts have Invalid HOST(S) column contents. For things like 192.168.1.0/24, and 192.168.1.1 etc
=== nictuku [n=yves@200.163.24.8]  has joined #ubuntu-server
=== ealden [n=ealden@203.76.212.213]  has joined #ubuntu-server
=== Psi-Jack-v2 [i=psi-jack@cpe-70-112-220-160.austin.res.rr.com]  has joined #ubuntu-server
[04:08] <Psi-Jack-v2> Anyone here use shorewall, and handy?
[04:09] <nictuku> I do
=== rinick [n=rinick@202.121.192.119]  has joined #ubuntu-server
[05:45] <nictuku> milestone1 of nwu is very close  :-) https://trac.ubuntubrasil.org/nwu
[06:05] <Psi-Jack> nictuku: Do you by chance know how to do a single NIC NAT?
[06:06] <nictuku> i think so
[06:06] <Psi-Jack> I'm basically trying to make my firewall/router server run the gateway for my servers, having all the servers use it as the default gateway, while it itself uses the front-end router for it's own default gateway.
[06:07] <nictuku> well
[06:08] <nictuku> but if the default gateway and the servers are all in the same subnet that won't work as expected, unless you put the server as a physical bridge
[06:08] <nictuku> or are they in split sub networks?
[06:08] <Psi-Jack> No, there's no split sub networking involved. :)
[06:09] <Psi-Jack> I'm basically just splitting off the servers as more of a side dish, than anything. For now.
[06:09] <nictuku> so, servers are like 10.0.0.20, default gateway is 10.0.0.1 and your linux router is 10.0.0.2?
[06:10] <Psi-Jack> My front-end router is 192.168.1.1, which all my local's use, and the backend router, (which is the DMZ point of the front-end-router as well), is 192.168.1.20
[06:10] <nictuku> that won't work, since the linux router will tell the servers and station to update their route and your design will be useless
[06:11] <nictuku> you have to split them physically and use the linux server as a bridge, not a router
[06:11] <infinity> Nah.
[06:11] <nictuku> also, no NAT is involved there
[06:11] <Psi-Jack> Eh? I setup all the servers to use the backend firewall/router as the default gateway.
[06:12] <nictuku> Psi-Jack, and check the nodes routes after you try to talk to the outer world
[06:12] <infinity> What subnet are you using for the internal machines?
[06:12] <nictuku> if you use icmp PING, you'll get a 'nexthop: 192.168.1.1' message and they will just update their own routing tables.
[06:12] <Psi-Jack> They're all using 192.168.1.0/24 for the network. There's no subnetting involved.
[06:12] <infinity> Psi-Jack: That's your problem, then.
[06:12] <nictuku> infinity, he's not using subnets
[06:13] <infinity> Psi-Jack: You need a subnet (but it doesn't have to be physical, just logical), so you can tell the frontend router that all traffice to 192.168.2.0/24 should go to 192.168.1.20 with a static route.
[06:13] <nictuku> Psi-Jack, anyway you have to split it physically, or you will have no security if you leave the nodes in the same network bus as the backend router
[06:13] <Psi-Jack> nictuku: Why would the routes get changed, when I specifically set them otherwise?
[06:13] <nictuku> I disagree with infinity :-)
[06:14] <nictuku> split logical bus is a bad idea, if you don't split them physically
[06:14] <Psi-Jack> nictuku: Security is not the issue. ;)
[06:14] <nictuku> Psi-Jack, that's an IP protocol stuff
[06:15] <nictuku> That's still a bad idea, but if you really hate your job and doesn't take security into account, then just split the subnets
[06:16] <nictuku> that can be administratively painful though. I'd make your linux server a bridge. That works really fine for me, with 5 sites and 1k+ nodes
[06:16] <Psi-Jack> Hmm. Well, the backend router itself does have two NIC's, so as an alternative, I /can/ make it use it.
[06:16] <infinity> If you bridge the subnets, you've not bought any more security.
[06:16] <infinity> Your argument kinda falls apart there.
[06:16] <infinity> Two bridged ethernet networks are still one physical network.
[06:17] <nictuku> infinity, if his goal is to make all trafic pass by the linux machine, my point does stand
[06:17] <nictuku> No because we can filter traffic the same as a router. A bridge firewall is exactly like a router firewall.
[06:17] <nictuku> I mean, from the filtering point of view.
[06:18] <Psi-Jack> nictuku: My goal is to have ONE NAT for the local clients, and two NAT's for the servers. While still allowing the local network to communicate efficiently with the server network.
[06:18] <infinity> Yeah, or you could run VLANs at the previous router, or a variety of solutions.
[06:18] <nictuku> indeed
[06:19] <nictuku> why so many "NAT" (better call them masquerade networks, i think)?
[06:19] <Psi-Jack> Masuqerading == NAT, mind you. :)
[06:19] <nictuku> that will just create a myriad of subnets
[06:19] <Psi-Jack> nictuku: The reason for this is, this is, in fact, a home network, with a bunch of servers sitting in the back-end.
[06:19] <nictuku> I know that
[06:20] <nictuku> hm
[06:20] <Psi-Jack> Rather than all the servers sitting in the front-end, with all the locals behind those, I have all the locals in the front, with the front-end re-directing all non-addressed traffic to the backend.
[06:20] <nictuku> I still see no reason for a masqueraded network. But that's me, because I have a strong, personal opinion about "NAT's"
[06:21] <nictuku> oh i see then
[06:21] <Psi-Jack> That make more sense? I don't have a diagram to show it, so I try to explain it best as I can. ;)
[06:21] <nictuku> I'm still confused hehe. let me re-read that
[06:23] <Psi-Jack> I have about 6 front-end local clients that all use the front-end router for the default gateway. Some ports from the front-end PAT to individual clients. Stuff like ssh, game ports, VNC, etc..
[06:23] <Psi-Jack> Anything not port-forwarded from the front-end, gets DMZ'd to the backend, which has the heavier firewall on it.
[06:23] <Psi-Jack> And that backend needs to handle routing for the 16 servers behind it.
[06:25] <nictuku> I see
[06:25] <nictuku> you have a strange DMZ there, then hehe
[06:25] <nictuku> seems like your 'local clients' act like a DMZ :-)
[06:25] <Psi-Jack> It's strange, yes.. But it works better for a home-based network. ;)
[06:25] <Psi-Jack> They are, essentially. ;)
[06:26] <nictuku> and this 'strong firewall' is that linux router we have discussed?
[06:26] <Psi-Jack> Correct.
[06:26] <nictuku> I whish I had such a home network myself :-)
[06:27] <Psi-Jack> All the servers using IT as the default gateway, will need DNAT's to portforward specific ports to their needed destinations, while they route back through the backend firewall, back to the front, and out the internet.
[06:27] <Psi-Jack> I parallellized all my servers in the backend. Seperate computers for webserver, mailserver, maildelivery, mysql database, ldap database, and etc...
[06:27] <nictuku> ok then. Suppose you don't want to split into subnets, one possible design is (though I think infinity could provide a better solution):
[06:29] <nictuku> hmm use a bridge :-)
[06:29] <Psi-Jack> heh
[06:30] <nictuku> in the first NIC of linux-router, plug the IT-signaled bus
[06:30] <nictuku> in the second NIC, plug your servers
[06:30] <nictuku> configure PAT rules in the IT router only
[06:31] <nictuku> setup netfilters in the linux router, with rules for the traffic to and from the servers
[06:31] <nictuku> finally, use shorewall for all that. I believe you mentioned it in the beggining.. shorewall is really nice
[06:32] <Psi-Jack> Hmmm. I have 4 DNS servers in the server area, 2 of which are mydns, and 2 resolvers, that the mydns resort to for resolving. If I split them out like that, How exactly would I still get my local clients to talk to /both/ of them?
[06:32] <nictuku> Altough you have to setup the bridge in /etc/network/interfaces, with pre-up post-down commands. I don't have them in handy, unfortunately, but I think shorewall online docs has a sample of that for debian
[06:34] <nictuku> how wouldn't them?
[06:34] <nictuku> all boxes *could* have access to all other nodes, if you allows so in the firewall rules
[06:34] <Psi-Jack> Hmmm..
[06:34] <nictuku> they can have full network connectivity. No PAT here
[06:34] <Psi-Jack> I guess I don't see how that works.
[06:35] <Psi-Jack> PAT, basically is a port to a port.
[06:35] <nictuku> and no DNAT either
[06:36] <nictuku> node1 is a local client: 192.168.1.201.     server1 is a dns server: 192.168.1.21.
[06:36] <nictuku> from node1 you can ping 192.168.1.21 and connect to any of its ports
[06:36] <Psi-Jack> Hmm...
[06:37] <nictuku> obviously you have to create rules to block or allow traffic from 'nodes' to 'servers'
[06:37] <nictuku> in /etc/shorewall/policy:
[06:37] <nictuku> nodes       server     DROP
[06:37] <nictuku> in /etc/shorewall/rules:
[06:38] <nictuku> ACCEPT       nodes       server:192.168.1.21 udp 53
[06:38] <nictuku> ACCEPT       nodes       server:192.168.1.21 tcp 53
[06:38] <nictuku> then nodes will only be able to do DNS requests to server1
[06:39] <nictuku> also you have to setup policies and/or rules for the traffic from server1
[06:40] <Psi-Jack> Hmm. Okay. Could you walk me through some of this, to get me started? I'm about to bring the second NIC of the firewall/router up, and wire it up. heh
[06:40] <nictuku> hmm that is a lot of work you'll have to do, and it's 02:40 AM here, I'm crashing :-)
[06:41] <nictuku> I suggest you to read shorewall.net about bridges
[06:41] <nictuku> it's a nice documentation as far as I remember
=== bpuccio [n=brian@ool-457a9c38.dyn.optonline.net]  has joined #ubuntu-server
[06:46] <nictuku> Psi-Jack, I can try to help with specific issues, though
[06:46] <Psi-Jack> alrighty
[06:47] <nictuku> 203.41.193.137: icmp_seq=2 Redirect Host(New nexthop: 202.5.165.81)
[06:47] <nictuku> this is the 'redirection' I mentioned early
[06:48] <nictuku> that's why it's useless to setup a gateway for the nodes, but this gateway redirects to another router in the same subnet. result: "Redirect host"
[06:49] <nictuku> https://lists.netfilter.org/pipermail/netfilter/2003-November/048077.html
[06:49] <nictuku> it is possible to disable those, it seems
=== nictuku wonders if it's time to add nwu to freshmeat
[07:02] <Psi-Jack> There we go. Re-wired them up a bit. One of my network cables just suddenly died, in the proccess. Could explain why that particular server was flakey on the connection at times. ;)
[07:02] <nictuku> :-)
[07:03] <Psi-Jack> Yay! Finally Skype has USD instead of JUST Euro! :D
[07:05] <Psi-Jack> Anyway.
[07:07] <nictuku> good news
[07:07] <Psi-Jack> Wassat?
[07:12] <Psi-Jack> Basically now, from the firewall/router, which I will now refer to as the IG, is using eth0 tying it in with the rest of the network, and eth1 tying in all the servers.
[07:26] <Psi-Jack> heh.
[07:26] <Psi-Jack> Great, and now my DNS is failing. :/
[07:29] <nictuku> can you ping it?
[07:29] <Psi-Jack> I can ping the servers, just fine, yes.
[07:30] <Psi-Jack> But, now even the IG server can't ping an internet IP
[07:31] <Psi-Jack> However, the LAN can communicate fine with the SLAN.
[07:31] <Psi-Jack> LAN == Locals, while SLAN == Server LAN.
[07:32] <Psi-Jack> And I have shorewall completely shut off at the moment.
[07:33] <Psi-Jack> Technically, it should be able to do it. heh
[07:33] <Psi-Jack> Ahh, there we go.
[07:34] <Psi-Jack> two 0.0.0.0 gw 192.168.1.1's. One for eth0 and eth1 existed.
[07:35] <Psi-Jack> But, now, still, the servers can't get to the internet. That's my stumping point.
=== ubijtsa2 [n=anders@213.208.70.150]  has joined #ubuntu-server
=== ubijtsa_ [n=anders@213.208.70.150]  has joined #ubuntu-server
=== allee [n=ach@allee.exgal.mpe.mpg.de]  has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike]  has joined #ubuntu-server
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr]  has joined #ubuntu-server
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr]  has joined #ubuntu-server
=== hunger [n=tobias@p54A61F1A.dip0.t-ipconnect.de]  has joined #ubuntu-server
[02:23] <hunger> Is xfonts-75dpi needed?
[02:23] <hunger> Both KDE and Gnome seem to hardcode font resolution to ~100dpi
=== Pygi [n=mario@83-131-247-17.adsl.net.t-com.hr]  has joined #ubuntu-server
=== Pygi [n=mario@83-131-242-196.adsl.net.t-com.hr]  has joined #ubuntu-server
[03:15] <allee> hunger: KDE uses whatever is was autodetected by xserver (75 dpi as fallback)
[03:18] <allee> hunger: oh, this is (k)ubuntu.  Sorry :(  Then for KDE:  75-110 dpi are mapped to 96 dpi, 110-140 DPI are set to 120 dpi. > 140 dpi: use the resolution
=== mgalvin [n=mgalvin@ubuntu/member/mgalvin]  has joined #ubuntu-server
=== mgalvin [n=mgalvin@ubuntu/member/mgalvin]  has joined #ubuntu-server
=== JulienH [n=JulienH@ATuileries-152-1-26-16.w82-123.abo.wanadoo.fr]  has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== ivoks [n=ivoks@ubuntu/member/ivoks]  has joined #ubuntu-server
=== lionelp_ [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== lbm [n=lbm@x1-6-00-13-10-7a-d1-e4.k233.webspeed.dk]  has joined #ubuntu-server
=== Psi-Jack-v2 [n=psi-jack@cpe-70-112-220-160.austin.res.rr.com]  has joined #ubuntu-server
=== |JulienH| [n=JulienH@ATuileries-152-1-60-171.w82-123.abo.wanadoo.fr]  has joined #ubuntu-server
=== lionelp [n=lionel@ip-128.net-82-216-65.rev.numericable.fr]  has joined #ubuntu-server
=== Pygi [n=mario@83-131-249-20.adsl.net.t-com.hr]  has joined #ubuntu-server
=== nictuku [n=yves@201.24.19.127]  has joined #ubuntu-server
[11:36] <nictuku> hi
[11:38] <Pygi> hi hi
=== |JulienH| [n=JulienH@ATuileries-152-1-60-171.w82-123.abo.wanadoo.fr]  has joined #ubuntu-server
=== spike [n=spike@unaffiliated/spike]  has joined #ubuntu-server