Shorewall rule to allow traffic

Postby sojkovec » Jun 17th, '22, 08:30

Hello,

after days of googling and trying hopelessly, I need to configure firewall as such:

Network scheme as follows:
Internet -> NAT -> WAN 10.0.0.0/24 -> NAT -> LAN 192.168.1.0/8 (my LAN)

How do I allow traffic from WAN to dest. port 80 on 192.168.1.2 (my server)? Port redirection on the router is configured properly (tested with Windows machine). Thanks for the answer.
Last edited by isadora on Jun 17th, '22, 09:49, edited 1 time in total.
Reason: Topic moved into appropriate sub-forum
sojkovec
 
Posts: 13
Joined: Feb 3rd, '21, 21:58

Re: Shorewall rule to allow traffic

Postby JoesCat » Jun 18th, '22, 19:56

Hi sojkovec,
First, configure computer 192.168.1.2:80 so that it does what you expect it to do with port 80.
Try with another computer connected on the same LAN, example, 192.168.1.3 or 192.168.1.4
If you cannot connect to 192.168.1.2 using another computer on the same 192.168.1.0/8 LAN, then fix 192.168.1.2:80 until it works.
If it works at this stage, then you move to the WAN to LAN connection.

These steps need to be done at the router, not your computer.
1. You need an ethernet cable connection from the router to computer 192.168.1.2, wifi isn't good enough.
2. Update your router to latest firmware.
3. Ensure you cannot login into the router from the WAN side and ensure your router is not one with a compromised backdoor entry.
4. Configure your router to do "Forward" port 80 from 10.0.0.0/24 -> 192.168.1.2

Depending on what you are doing with 192.168.1.2, port 80 (http) might not be enough, and you may also need to port forward other ports on the router to 192.168.1.2
JoesCat
 
Posts: 177
Joined: Sep 15th, '11, 04:27
Location: Richmond, BC, Canada

Re: Shorewall rule to allow traffic

Postby sojkovec » Jun 19th, '22, 08:55

Hello JoesCat,

thank you.

Ad 1. Yes, it's wired 1gbit Ethernet.
Ad 2. I always keep my FW current (I might try Merlin's asusWRT anyway).
Ad 3. I never expose web admin interface to WAN side, it's also on different port than default 80 and SSL enabled with my own CA.
Ad 4. Already done (checked just to be sure).

The default page "It Works!" from Apache is accessible from LAN by other devices, but not from WAN.

Any suggestions appreciated.
sojkovec
 
Posts: 13
Joined: Feb 3rd, '21, 21:58

Re: Shorewall rule to allow traffic

Postby defwxyz » Jun 22nd, '22, 10:22

Hi,

I post this message although I know it does not match your request precisely, but it can help people.
I was searching for how to enable ssh so that I can connect to my virtualbox vm installed with mageia from my host.
I did add one line in /etc/shorewall/rules

ACCEPT net $FW tcp 22

For your case you need to read the doc at shorewall.org and search for shorewall-rules and shorewall-zones.
The net source is defined in the zones file and covers all ipv4 addresses, which is not restrictive at all.
defwxyz
 
Posts: 2
Joined: Jun 22nd, '22, 10:09
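As an added illustration, not code from this thread or from Shorewall itself: a small Python parser for the five leading columns of a rules line like the one above. It shows why a plain net source matches any address, while a source-restricted rule such as net:192.168.1.0/24 (a constructed rule, assumed here for contrast) would admit LAN neighbours but not requests the router forwards from the 10.0.0.0/24 side. The policy fallback is simplified and the remaining Shorewall columns are ignored.

```python
import ipaddress

# Constructed /etc/shorewall/rules fragment (not from the thread).  Columns follow
# Shorewall's order: ACTION SOURCE DEST PROTO DPORT.  The second rule deliberately
# restricts the source to the LAN subnet to show what that does to forwarded traffic.
RULES = """
#ACTION  SOURCE              DEST  PROTO  DPORT
ACCEPT   net                 $FW   tcp    22
ACCEPT   net:192.168.1.0/24  $FW   tcp    80
"""

def parse_rules(text):
    """Parse the five leading columns of each rule line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, source, dest, proto, dport = line.split()[:5]
        zone, _, addrs = source.partition(":")   # 'net' or 'net:a.b.c.d/n,...'
        nets = [ipaddress.ip_network(a) for a in addrs.split(",") if a]
        rules.append({"action": action, "zone": zone, "nets": nets,
                      "dest": dest, "proto": proto.lower(), "dport": dport})
    return rules

def decide(rules, zone, src_ip, proto, dport):
    """First matching rule wins, as in Shorewall.  Return 'POLICY' when no rule
    matches, meaning the zone-to-zone policy (often DROP or REJECT for net->$FW)
    decides the packet's fate."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r["zone"], r["dest"], r["proto"], r["dport"]) != (zone, "$FW", proto, str(dport)):
            continue
        if r["nets"] and not any(ip in n for n in r["nets"]):
            continue   # source list present and the address is outside every network
        return r["action"]
    return "POLICY"

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # A LAN neighbour reaches the web server, but a request the router forwards
    # from the 10.0.0.0/24 side does not match the source-restricted rule.
    print(decide(rules, "net", "192.168.1.3", "tcp", 80))  # ACCEPT
    print(decide(rules, "net", "10.0.0.5", "tcp", 80))     # POLICY
    print(decide(rules, "net", "10.0.0.5", "tcp", 22))     # ACCEPT
```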

Re: Shorewall rule to allow traffic

Postby doktor5000 » Jun 22nd, '22, 19:13

You don't need to do that manually, this can be done easily via MCC: https://doc.mageia.org/mcc/8/en/content ... akfirewall
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18066
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Shorewall rule to allow traffic

Postby sojkovec » Jun 22nd, '22, 21:06

I have already done that before posting.
Last edited by isadora on Jun 23rd, '22, 09:41, edited 1 time in total.
Reason: Quoting the former message is not appropriate
sojkovec
 
Posts: 13
Joined: Feb 3rd, '21, 21:58

Re: Shorewall rule to allow traffic

Postby doktor5000 » Jun 22nd, '22, 22:58

That was a direct reply to defwxyz.
doktor5000
 
Posts: 18066
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
