
Samba, ICS, Shorewall


Guest linuxnewb

I just installed Linux for the first time. It took me forever to figure out how to configure samba for network shares. Finally got it up, shares and security the way I want it. Next thing I worked on was ICS. Went thru the wizard, then bam... cannot connect to my shares, ping... nothing. Tried bringing the local ethernet interface down, up, changed IP addresses, all kinds of crap. Figured out that shorewall is a firewall so I started browsing the config files. Tried this and that, still nothing. So I added an entry to the routestop file accepting all traffic from my workstation with a /32 subnet mask. Then I shut down shorewall... everything works, pings, samba shares. Can anyone tell me what the ICS wizard did and how to fix it back so I can run shorewall again? Thanks

 

 

Linuxnewb


Hi,

 

you should install shorewall doc and have a look there:

 

file:/usr/share/doc/shorewall-doc-1.3.14/shorewall_quickstart_guide.htm#Documentation

 

( I assume you are Mdk9.1 )

 

The doc is very well made and clear

 

I just installed Linux for the first time. It took me forever to figure out how to configure samba for network shares.

It depends on what you call forever. For a first-time Linux user, I don't know what you were using before, but going directly from the install to network settings already looks not so bad to me.

Concerning ICS: sorry, I don't even know what ICS is.

 

by

 

roland


Guest linuxnewb

Thanks Roland, I'll check that out.

 

( I assume you are Mdk9.1 )

 

Yes I am

 

It depends on what you call forever. For a first-time Linux user, I don't know what you were using before, but going directly from the install to network settings already looks not so bad to me.

 

Forever to me is a long time heheh. (a day). I've got about 3 years experience with Novell and about 5 years with Microsoft. I just kept popping thru all the tools to kinda figure this out. It's my own server so who cares if I screw it up heheh. I am getting frustrated here, but I can see the potential. When I can't even access my shares from a local network... must be awesome security. I am sure my permissions are set right, 'cause when I do a shorewall stop, I don't have any problems accessing them.

 

Concerning ICS: sorry, I don't even know what ICS is.

 

Sorry, MS term...ICS=Internet Connection Sharing.

 

This is what I got so far. Correct me if I am wrong.

 

Shorewall doesn't run by default. When I ran the ICS wizard, it set up shorewall for me. I tried entering these rules:

 

ACCEPT fw loc udp 137,139 -
ACCEPT fw loc tcp 137,139 -
ACCEPT fw loc udp 1024 137
ACCEPT loc fw udp 137,139 -
ACCEPT loc fw tcp 137,139 -
ACCEPT loc fw udp 1024 137

 

Got those from the .pdf document I downloaded from shorewall.org. Still didn't work, but will keep messing around with it.


Shorewall

 

IMHO ... read the "Read this if you're a mandrake user" part of the shorewall page.

IMHO... The shorewall documentation is VERY GOOD when applied to their configuration and useless with Mandrake's config via the ICS.

 

 

My advice is either

1) Use the shorewall 'quick start' and the shorewall documentation

2) Use the Mandrake ICS which as FAR as I can find is completely undocumented and only works for certain configs.

 

If you can find the docs for the Mandrake ICS then please let me know....

 

If you are a real expert at iptables I guess you can use the mandrake generated config and modify it.... I wasted 3 days!!!

 

Or you can use the shorewall config and documentation and I had it running in 5 minutes... 10 mins later I'd customised it with webmin and that's ALL.


You'll be better off ditching Mandrake configs and using one of Shorewall's standard config files.

Shorewall is a great tool but for some reason Mandrake configs are hard to work with.

So read the quick start up guide here http://www.shorewall.net/1.3/two-interface.htm

and get the two interface skeleton config files and add the rules you just posted; they should work fine.

 

cheers,

Alaa


Forever to me is a long time heheh. (a day).

One day = forever to install Linux, set up a file sharing server and an internet sharing server? Hem. Me, I've spent 3 months (well, in the spare time of my spare time).

 

Sorry, MS term...ICS=Internet Connection Sharing.

 

Okay! So I have the answer. If the file sharing does not work any more after you run DrakGw, it's normal.

Modify /etc/shorewall/policy like this:

 

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
masq            net             ACCEPT
fw              net             ACCEPT
#rv
masq            fw              ACCEPT          #<==== HERE
fw              masq            ACCEPT          #<==== and HERE
#end rv
net             all             DROP            info
all             all             REJECT          info
###############################################################################

 

roland
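
The effect of the two added policy lines, compared with port-specific rules, can be checked with a small model. This is an added example, not part of the original post and not Shorewall's own code: the evaluation order is simplified, `DRAKGW_POLICY` assumes the posted file minus its two marked lines, and `MASQ_RULES` is a constructed alternative.

```python
# Added example: simplified model of how Shorewall decides a NEW connection.
# Assumptions: rules are checked first, then the first matching policy line;
# only zones, protocol and destination port are modelled.

def parse(text):
    """Split a Shorewall-style file into column lists, dropping comments."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [cols for cols in rows if cols]

def port_match(spec, port):
    """'-' is any port; accepts lists (137,139) and ranges (137:139, 1024:)."""
    if spec == "-":
        return True
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        hi = (hi or "65535") if sep else lo
        if int(lo or 0) <= port <= int(hi):
            return True
    return False

def decide(rules, policy, src, dst, proto, dport):
    """Return the verdict for one connection: matching rule, else policy."""
    for action, r_src, r_dst, r_proto, *rest in parse(rules):
        ports = rest[0] if rest else "-"
        if (r_src, r_dst, r_proto) == (src, dst, proto) and port_match(ports, dport):
            return action
    for p_src, p_dst, verdict, *_ in parse(policy):
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return verdict
    return "REJECT"

# Policy from the post above without its two marked lines (assumed DrakGw output).
DRAKGW_POLICY = ("masq net ACCEPT\nfw net ACCEPT\n"
                 "net all DROP info\nall all REJECT info\n")
# The same policy with the two lines the post adds, in the same position.
OPENED_POLICY = DRAKGW_POLICY.replace(
    "net all DROP", "masq fw ACCEPT  #<==== HERE\nfw masq ACCEPT\nnet all DROP")
# Rules as posted earlier in the thread (zone "loc"), inbound half only.
LOC_RULES = "ACCEPT loc fw udp 137,139 -\nACCEPT loc fw tcp 137,139 -\n"
# Constructed alternative: zone renamed to "masq", NetBIOS ports only.
MASQ_RULES = "ACCEPT masq fw udp 137:139\nACCEPT masq fw tcp 137,139\n"

if __name__ == "__main__":
    for name, rules, policy in [("loc rules", LOC_RULES, DRAKGW_POLICY),
                                ("open policy", "", OPENED_POLICY),
                                ("masq rules", MASQ_RULES, DRAKGW_POLICY)]:
        for port in (139, 22):
            print(name, port, decide(rules, policy, "masq", "fw", "tcp", port))
```

Under this model the `loc` rules never match traffic from zone `masq`, the policy change accepts every port from `masq` to `fw` (22 included), and the `masq` rules accept only the NetBIOS ports while the rest still falls through to REJECT.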


Cool, thx all for your help B)

 

Samba/firewall works.

 

Now I need to figure out why I can't get dhcpd to start. :blink:

Now I need to figure out why I can't get dhcpd to start. :blink:

 

I don't know if it's 9.1 but I know a DHCP Wizard "forgot" to set /etc/dhcp.conf (at least for me, as it seems nobody noticed :rolleyes: )

Here is one. Just replace with your values.

To summarize:

install dhcpd with RpmDrake
customize and put this dhcpd.conf in /etc
check if dhcpd service is enabled (MCC->System->Services from memory)
restart the network

 

Here it is:

 

# default file for dhcpd
# replace 192.168.1.1 by the IP address of the server (same server for
# all services in this config file)

server-identifier serveur;

#rv default-lease-time 36000;
default-lease-time 12000;

max-lease-time 144000;

ddns-update-style ad-hoc;

not authoritative;
#rv authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.254;
    option domain-name "reseau.local";
    option domain-name-servers 192.168.1.1;
    option nis-servers 192.168.1.1;
    option lpr-servers 192.168.1.1;
    option netbios-name-servers 192.168.1.1;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option time-servers 192.168.1.1;
    ddns-updates on;
    ddns-domainname "reseau.local";
    ddns-rev-domainname "in-addr.arpa";
}
