Set Up Ubuntu-Server 6.10 As A Firewall/Gateway

Discussion in 'Installation/Configuration' started by knowram, Jun 7, 2007.

  1. knowram

    knowram New Member

    I am trying to follow this how-to http://www.howtoforge.com/ubuntu6.10_firewall_gateway but I have only gotten to page 2, where you install webmin, and then I got this error:

    Code:
    root@LBox:/home/jmunson# dpkg -i webmin_1.350_all.deb
    (Reading database ... 29202 files and directories currently installed.)
    Preparing to replace webmin 1.330 (using webmin_1.350_all.deb) ...
    Unpacking replacement webmin ...
    dpkg: dependency problems prevent configuration of webmin:
     webmin depends on libnet-ssleay-perl; however:
      Package libnet-ssleay-perl is not installed.
     webmin depends on openssl; however:
      Package openssl is not installed.
     webmin depends on libauthen-pam-perl; however:
      Package libauthen-pam-perl is not installed.
     webmin depends on libio-pty-perl; however:
      Package libio-pty-perl is not installed.
     webmin depends on libmd5-perl; however:
      Package libmd5-perl is not installed.
    dpkg: error processing webmin (--install):
     dependency problems - leaving unconfigured
    Errors were encountered while processing:
     webmin
    
    I tried just installing the missing packages, but that didn't seem to work. Any ideas?

    Thanks for the help
     
  2. knowram

    knowram New Member

    So I was going too fast and missed that the step before that gave me this error:
    Code:
    root@LBox:/home/jmunson# apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package libmd5-perl is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    E: Package libmd5-perl has no installation candidate
    
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Can you run
    Code:
    apt-get update
    and try again?
     
  4. knowram

    knowram New Member

    Okay, I got past that part. Now I am trying to set up the firewall. At the moment I am only using one interface to connect the Linux box to my LAN. I added that interface to the interfaces file and gave it the appropriate zone. Now when I try to start the firewall I get this error:

    Code:
    Starting "Shorewall firewall": not done (check /var/log/shorewall-init.log).
    and the log file looks like this:

    Code:
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Clearing Shorewall...Disabling IPV6...
    IP Forwarding Enabled
    done.
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Starting Shorewall...
    Initializing...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Extended Multi-port Match: Available
       Connection Tracking Match: Available
       Packet Type Match: Available
       Policy Match: Available
       Physdev Match: Available
       IP range Match: Available
       Recent Match: Available
       Owner Match: Available
       Ipset Match: Not available
       CONNMARK Target: Not available
       Connmark Match: Available
       Raw Table: Available
       CLASSIFY Target: Available
       FORWARD Mangle Chain: Not available
    Determining Zones...
       IPv4 Zones: net loc
       Firewall Zone: fw
    Validating interfaces file...
    Validating hosts file...
    Validating Policy file...
    Determining Hosts in Zones...
       net Zone: eth4:0.0.0.0/0 eth0:0.0.0.0/0
       WARNING: Zone loc is empty
    Pre-processing Actions...
       Pre-processing /usr/share/shorewall/action.Drop...
       ..Expanding Macro /usr/share/shorewall/macro.Auth...
       ..End Macro
       ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
       ..End Macro
       ..Expanding Macro /usr/share/shorewall/macro.SMB...
       ..End Macro
       ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
       ..End Macro
       ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
       ..End Macro
       Pre-processing /usr/share/shorewall/action.Reject...
       Pre-processing /usr/share/shorewall/action.Limit...
    Deleting user chains...
    Processing /etc/shorewall/routestopped ...
    Creating Interface Chains...
    Configuring Proxy ARP
    Setting up NAT...
    Setting up NETMAP...
    Adding Common Rules
    Adding Anti-smurf Rules
    Adding rules for DHCP
    Enabling RFC1918 Filtering
    Setting up TCP Flags checking...
    Setting up Kernel Route Filtering...
       WARNING: Cannot set route filtering on eth0
    Setting up Martian Logging...
       WARNING: Cannot set Martian logging on eth0
    IP Forwarding Enabled
    Setting up IPSEC...
    Processing /etc/shorewall/rules...
       Warning -- Rule "ACCEPT net fw all     " is a POLICY
                   -- and should be moved to the policy file
       Rule "ACCEPT net fw all     " added.
    ..Expanding Macro /usr/share/shorewall/macro.DNS...
       Rule "ACCEPT fw net udp 53 - - - -" added.
       Rule "ACCEPT fw net tcp 53 - - - -" added.
    ..End Macro
    ..Expanding Macro /usr/share/shorewall/macro.SSH...
       Rule "ACCEPT loc fw tcp 22 - - - -" added.
    ..End Macro
    ..Expanding Macro /usr/share/shorewall/macro.Ping...
       Rule "ACCEPT loc fw icmp 8 - - - -" added.
    ..End Macro
    ..Expanding Macro /usr/share/shorewall/macro.Ping...
       Rule "REJECT net fw icmp 8 - - - -" added.
    ..End Macro
       Rule "ACCEPT fw loc icmp     " added.
       Rule "ACCEPT fw net icmp     " added.
    Processing Actions...
       Generating Transitive Closure of Used-action List...
    Processing /usr/share/shorewall/action.Drop for Chain Drop...
    ..Expanding Macro /usr/share/shorewall/macro.Auth...
       Rule "REJECT - - tcp 113 -  -" added.
    ..End Macro
       Rule "dropBcast       " added.
    ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
       Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
       Rule "ACCEPT - - icmp time-exceeded -  -" added.
    ..End Macro
       Rule "dropInvalid       " added.
    ..Expanding Macro /usr/share/shorewall/macro.SMB...
       Rule "DROP - - udp 135,445 -  -" added.
       Rule "DROP - - udp 137:139 -  -" added.
       Rule "DROP - - udp 1024: 137  -" added.
       Rule "DROP - - tcp 135,139,445 -  -" added.
    ..End Macro
    ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
       Rule "DROP - - udp 1900 -  -" added.
    ..End Macro
       Rule "dropNotSyn - - tcp    " added.
    ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
       Rule "DROP - - udp - 53  -" added.
    ..End Macro
    Processing /usr/share/shorewall/action.Reject for Chain Reject...
    ..Expanding Macro /usr/share/shorewall/macro.Auth...
       Rule "REJECT - - tcp 113 -  -" added.
    ..End Macro
       Rule "dropBcast       " added.
    ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
       Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
       Rule "ACCEPT - - icmp time-exceeded -  -" added.
    ..End Macro
       Rule "dropInvalid       " added.
    ..Expanding Macro /usr/share/shorewall/macro.SMB...
       Rule "REJECT - - udp 135,445 -  -" added.
       Rule "REJECT - - udp 137:139 -  -" added.
       Rule "REJECT - - udp 1024: 137  -" added.
       Rule "REJECT - - tcp 135,139,445 -  -" added.
    ..End Macro
    ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
       Rule "DROP - - udp 1900 -  -" added.
    ..End Macro
       Rule "dropNotSyn - - tcp    " added.
    ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
       Rule "DROP - - udp - 53  -" added.
    ..End Macro
    Processing /etc/shorewall/policy...
       Policy ACCEPT for fw to net using chain fw2net
       Policy ACCEPT for fw to loc using chain fw2loc
       Policy DROP for net to fw using chain net2fw
       Policy DROP for net to loc using chain net2loc
       Policy ACCEPT for loc to fw using chain loc2fw
       Policy ACCEPT for loc to net using chain loc2net
    Masqueraded Networks and Hosts:
       ERROR: Unable to determine the routes through interface "eth1"
    Disabling IPV6...
    IP Forwarding Enabled
    Terminated
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Clearing Shorewall...Disabling IPV6...
    IP Forwarding Enabled
    done.
    
    If I try to access webmin after doing that, I can't; I have to stop the firewall.
    Not sure what I am looking for, or what to do next.

    Thanks for the help
     
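The log posted above ends with Shorewall aborting at the "Masqueraded Networks and Hosts" step because the masquerade configuration names an interface ("eth1") for which no route exists, after warning that the loc zone has no hosts. The following is an added example, not code from the thread or from Shorewall: a small Python triage script that reads a shorewall-init.log in the plain-text format shown above and reports the errors, warnings, empty zones and any interface that messages complain about but that belongs to no zone. The sample log embedded in it is constructed from the lines of the post; the interface-name pattern (eth/ppp/wlan/br) is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the shorewall-init.log posted above
# (Shorewall 3.x plain-text log format as shown in that post).
SAMPLE_LOG = """\
Determining Zones...
   IPv4 Zones: net loc
   Firewall Zone: fw
Determining Hosts in Zones...
   net Zone: eth4:0.0.0.0/0 eth0:0.0.0.0/0
   WARNING: Zone loc is empty
Setting up Kernel Route Filtering...
   WARNING: Cannot set route filtering on eth0
Setting up Martian Logging...
   WARNING: Cannot set Martian logging on eth0
Processing /etc/shorewall/rules...
   Warning -- Rule "ACCEPT net fw all     " is a POLICY
               -- and should be moved to the policy file
Masqueraded Networks and Hosts:
   ERROR: Unable to determine the routes through interface "eth1"
Terminated
"""

# Interface names as they appear in Shorewall messages (assumed naming scheme).
IFACE_RE = re.compile(r"\b(eth\d+|ppp\d+|wlan\d+|br\d+)\b")


def parse_zones(log_text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return the declared IPv4 zones and, per zone, the interfaces Shorewall
    found hosts on ('net Zone: eth4:0.0.0.0/0 eth0:0.0.0.0/0' -> ['eth4', 'eth0'])."""
    declared: List[str] = []
    hosts: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        s = line.strip()
        m = re.match(r"IPv4 Zones: (.*)", s)
        if m:
            declared = m.group(1).split()
            continue
        m = re.match(r"(\S+) Zone: (.*)", s)
        if m and m.group(1) != "Firewall":  # 'Firewall Zone: fw' names the fw zone itself
            hosts[m.group(1)] = [entry.split(":")[0] for entry in m.group(2).split()]
    return declared, hosts


def triage(log_text: str) -> Dict[str, object]:
    """Summarise a failed start: errors, warnings, zones with no hosts, and
    interfaces that messages mention but that are assigned to no zone."""
    lines = [line.strip() for line in log_text.splitlines()]
    errors = [s for s in lines if s.startswith("ERROR:")]
    warnings = [s for s in lines if s.startswith(("WARNING:", "Warning --"))]
    declared, hosts = parse_zones(log_text)
    zoned = {iface for ifaces in hosts.values() for iface in ifaces}
    mentioned = set()
    for s in errors + warnings:
        mentioned.update(IFACE_RE.findall(s))
    return {
        "errors": errors,
        "warnings": warnings,
        "empty_zones": [z for z in declared if not hosts.get(z)],
        "unzoned_interfaces": sorted(mentioned - zoned),
        "aborted": "Terminated" in lines,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports `empty_zones: ['loc']` and `unzoned_interfaces: ['eth1']`, which points at the two configuration files to check: the interfaces/hosts entries for the loc zone and the masquerade entry that references eth1. Pass the real `/var/log/shorewall-init.log` contents to `triage()` to do the same on a live system.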
  5. falko

    falko Super Moderator ISPConfig Developer

    Have you stopped all other firewalls before starting this one? If so, what's the output of
    Code:
    iptables -L
    now?

    For webmin, you must open port 10000 in the firewall.
     
  6. knowram

    knowram New Member

    I don't have any other firewalls on my system that I know of, unless there is a default one that comes with Ubuntu Server.

    The output of iptables -L is:

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere       

    The other thing I don't understand is: what's the difference between /etc/shorewall/policy and the firewall section in webmin?

    Thanks for the help
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Can you switch off Shorewall and reboot the system? What's the output of
    Code:
    iptables -L
    then?

    I'm not sure, but I think that webmin lets you configure Shorewall.
     
  8. knowram

    knowram New Member

    OK, here is what it looks like with it off:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination   
     
  9. falko

    falko Super Moderator ISPConfig Developer

    OK, then there's no other firewall...
     
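The conclusion above rests on comparing the two `iptables -L` listings: with Shorewall running the built-in chains carry DROP policies and rules, and with it stopped every chain is ACCEPT with no rules. As an added example (not code from the thread, from Shorewall or from webmin), the following Python parser turns an `iptables -L` listing into chain/policy/rule data and answers the "is any filtering active?" question mechanically. The two listings embedded in it are constructed from the ones posted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two `iptables -L` listings posted in this thread.
WITH_SHOREWALL = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
"""

CLEAN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains print "(policy X)"; user-defined chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_iptables_list(text: str) -> Dict[str, Dict[str, object]]:
    """Return {chain: {"policy": str or None, "rules": [[target, prot, opt, src, dst, ...], ...]}}."""
    chains: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            chains[current]["rules"].append(line.split())  # type: ignore[union-attr]
    return chains


def summarise(text: str) -> Dict[str, Tuple[Optional[str], int]]:
    """Per chain: (policy, number of rules)."""
    return {name: (c["policy"], len(c["rules"])) for name, c in parse_iptables_list(text).items()}  # type: ignore[arg-type]


def filtering_active(text: str) -> bool:
    """True if any chain has a non-ACCEPT default policy or holds any rule at all,
    i.e. some firewall has loaded rules into the filter table."""
    return any(policy not in (None, "ACCEPT") or count > 0
               for policy, count in summarise(text).values())


if __name__ == "__main__":
    for label, listing in (("shorewall running", WITH_SHOREWALL), ("shorewall stopped", CLEAN)):
        print(label, summarise(listing), "filtering active:", filtering_active(listing))
```

On a live box, feed the output of `iptables -L` to `filtering_active()` before starting Shorewall; a `True` result means something else has already loaded rules, which is exactly the interference the advice in this thread warns about.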
  10. knowram

    knowram New Member

    Right, I am only using the Shorewall firewall. The question is how do I configure it so that it works properly? It looks to me like shorewall/policy and what you do in webmin are two separate things. Do you need both? Is /policy where you tell it which interfaces to use the firewall on, and then webmin is where you set up the firewall itself, allowing certain ports to certain destinations etc.?

    Any ideas?
     
  11. falko

    falko Super Moderator ISPConfig Developer

    No, just use one, but not both at the same time. Otherwise both methods could interfere with each other.
     