On 14/10/10 10:53, Simon Hobson wrote:
> Ian Barton wrote:
>
>> I am using Shorewall 4.4.10, which comes with Ubuntu Lucid. My internal
>> network is 192.168.0.0/24 on eth1 and my external network adaptor eth0
>> is configured as 192.168.1.2. I am connecting to the Internet via an
>> ADSL modem/router connected to eth0. I have disabled the firewall in
>> the modem router. My ISP gives me a fixed ip address 217.146.125.41.
>
> Before going ANY further - is it a modem or a router or both ?
>
> I'll guess you have two layers of NAT going on here - one in the
> router from your outside public address to 192.168.1.0/24, and a
> second in your Shorewall setup going from 192.168.1.0/24 to
> 192.168.0.0/24.
> Assuming this is the case, you MUST forward the ports in your router
> AS WELL as in your Shorewall setup.
>
> However, I would suggest getting rid of one of the NAT translations.
> NAT == Broken, and IMnsHO anyone suggesting it "fixes" anything is an
> idiot.
>
> If you can configure your ADSL device as a modem and NOT a router, so
> you can put your public IP (217.146.125.41) on the outside (eth0) of
> your Shorewall setup then I would suggest doing that. You can then do
> all your NAT, firewall, and port forwarding setup in one place.
> If your ADSL device can't do that, then consider replacing it. I use
> a Netgear DM111P at home - although it has one or two quirks. At
> work, I have a number of Draytek Vigor 120 modems in use at customers
> and find it works very well.
>
> The DM111P takes care of the ADSL stuff (including authentication
> etc), so all you do is configure your ethernet port with DHCP and
> plug in. The quirk is that the device only works if you use DHCP, and
> on Debian at least, I've found the default route disappears if your
> ADSL line drops.
>
> The Vigor 120 is different - it acts as a PPPoE to PPPoA converter
> (we use PPPoA in the UK), so you can use the PPPoE client provided
> with just about all Linux distros. This gives more visibility of the
> ADSL status to your box.
>
Thanks, I was using a Thomson Speedtouch, which was effectively doing double NAT and can't be made into a bridge or simple modem. I have switched to using a Belkin modem/router, which I can set in ADSL modem only mode. I can now port forward successfully.

At the moment I am using eBox as a firewall. It works well, but as it's an appliance type of thing, it installs shed loads of stuff I don't want/need. All I require is a firewall and Squid. If there is lots of other stuff installed there is more chance of things going wrong/getting hacked.

I live in the UK, so I'll look at the Vigor 120. I can then use my Belkin box as a Wireless access point.

Ian.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
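As an added illustration (not part of the thread, and not the poster's actual configuration), this is what the single-NAT layout Simon recommends looks like in Shorewall 4.4 configuration files: the public address sits on eth0, 192.168.0.0/24 on eth1 is masqueraded once, and a DNAT rule in one place handles port forwarding. The forwarded service (TCP port 80 to an assumed internal host 192.168.0.10) is a placeholder; the thread never names the ports Ian was forwarding.

```conf
# /etc/shorewall/zones  (assumed example, not from the thread)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0 carries the public IP 217.146.125.41 once the ADSL device is in
# modem-only mode; eth1 is the 192.168.0.0/24 LAN from the original post.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# Default-deny from the Internet; LAN may go out; the firewall itself may go anywhere.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# The only NAT translation in the path: LAN addresses are rewritten to the
# address on eth0 as they leave. No second router NAT remains to forward through.
#INTERFACE  SOURCE
eth0        192.168.0.0/24

# /etc/shorewall/rules
# Port forwarding lives here and only here. 192.168.0.10 and port 80 are
# placeholder values; replace them with the real internal host and service.
#ACTION  SOURCE  DEST                PROTO   DEST PORT(S)
DNAT     net     loc:192.168.0.10    tcp     80
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; from the LAN side, the forward can be confirmed with `shorewall show nat`, which lists the resulting DNAT entry.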
