TCLUG Archive

Re: [TCLUG:11279] Hit The Routes!!!

On 21 Dec, Brian J. Ackermann wrote:
> Ignoring the 192.168.6.x subnet for now, I'm primarily concerned with just
> getting the 205.218.57.x subnet working across the firewall. I currently
> have NO ipchains rules in place(all ACCEPT), and ip_forward is set to 1.
> The servers' gateway is set to 205.218.57.18 (this may be the problem? The
> servers are connected via the hub to eth1 on the firewall, which is .18, and
> eth0 is .25 -- also, pings from the server machines to 205.218.57.25
> fail...they cannot see that address...).

Can the servers ping 205.218.57.18?  I suspect that the reason that the
servers can't see 205.218.57.25 is that the routes on the firewall
aren't quite right, more below.

I'm still no network genius, but I did get my DSL set up so I have eth0 and
eth1 working fine.  I don't need eth2 though.  So here's how I'd go about
trying to set this up.  As I go through this I'm assuming you don't mind
the server machines being open to attack because of a lack of a firewall.
I'd just have one of the server machines on with the services shut off in
case some script kiddie decides to play around.

On some server machine
Set default gateway to 205.218.57.18

On firewall machine:
ifconfig eth0 205.218.57.25 up
ifconfig eth1 205.218.57.18 up

route add -net 205.218.57.25 eth0
route add default 205.218.57.25

That should make the firewall machine talk to the internet.  At this point the
firewall should be able to ping anything on the internet and the internet
should be able to ping the firewall.  Check this, just to be sure.

I'm not sure about how to talk to the server block from the firewall
machine.  I believe it has something to do with the netmask you select.  I
believe the key here is to figure out the correct netmask that allocates
your block of IPs that are behind the firewall machine so that it knows
that all traffic for those IPs should go out eth1 and anything else in
205.218.57.* should go out eth0. Something like this:

route add -net 205.218.57.0 netmask 255.255.255.252 eth1

That should allow the firewall machine to see your server block, so the
firewall machine should be able to ping those machines and they should be
able to ping the firewall.  Now if you don't want the server machines' IPs
to be seen outside the firewall, set up masquerading entries in
ipchains.  If not, I believe you want to set up bridging, so your firewall
machine acts like a bridging router.  That should allow the server machines
to ping the internet.  And depending on if you use masquerading or not, the
internet should be able to ping your server machines.

Now I'd try and set up eth2 before doing the firewall for eth1, since I know
how to set up masquerading.

On a workstation:
set the default gateway to 192.168.6.2 and make sure its
IP is 192.168.6.? and the netmask is 255.255.255.0

On the firewall machine:
ifconfig eth2 192.168.6.2 up
route add -net 192.168.6.0 eth2

This will allow the firewall to see the workstations and vice versa.  Check
this here with pings.

Then to get the workstations out to the internet I've got a very basic
firewall script:
#!/bin/sh
# Default policies: refuse to forward anything not explicitly allowed,
# accept traffic to and from the firewall machine itself.
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT

# Masquerade (NAT) forwarded packets coming from the 192.168.6.0/24 workstation LAN.
/sbin/ipchains -A forward -j MASQ -s 192.168.6.0/255.255.255.0

# Turn on IP forwarding only after the rules above are in place.
echo "1" > /proc/sys/net/ipv4/ip_forward

This doesn't do any special protection, but it gets you started.

Now the workstations should be able to see the internet.  Remember to do
all of the tests with IP addresses, not names.  That way you don't have to
worry about the nameserver being configured.  Set that up later.

Now you have a basic setup.  From here I'd start reading up on ipchains, in
the man page and the HOWTO, and see what other rules you want to set up.  You
can also look through the history of this list for some ideas too.  I don't
have any here because I don't know that much about ipchains either.

I hope this helps.  
-- 
Jon Schewe 
http://eggplant.mtu.net/~jpschewe
schewe@tcfreenet.org
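The routing question in the reply above ("figure out the correct netmask" so that the server block goes out eth1 and the rest of 205.218.57.* goes out eth0) comes down to longest-prefix matching: both the server route and the eth0 route match a server address, and the kernel picks the one with the longer netmask. The script below is an added example, not code from the post or from its author; it computes network addresses from dotted quads and walks a small route table the way the kernel would, so a candidate netmask can be checked before it is typed into route add. The post does not give the servers' addresses, so the server block is assumed here to be 205.218.57.16/30, the /30 that contains eth1's 205.218.57.18; the remaining routes (the rest of 205.218.57.0/24 out eth0, 192.168.6.0/24 out eth2, default out eth0) follow the reply's prose, and 198.51.100.7 is a documentation address standing in for an outside host.

```shell
#!/bin/sh
# Added example, not from the original post: check which interface the
# firewall would pick for a given destination under longest-prefix matching,
# so the netmask that separates the server block (behind eth1) from the rest
# of 205.218.57.x (out eth0) can be verified before running `route add`.
# Assumption (the post does not give the servers' addresses): the server block
# is 205.218.57.16/30, the /30 that contains eth1's 205.218.57.18.

# ip_to_int A.B.C.D -> unsigned 32-bit value of the dotted quad
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_bits NETMASK -> prefix length; assumes a contiguous mask
# (255.255.255.252 -> 30, 255.255.255.0 -> 24, 0.0.0.0 -> 0)
mask_bits() {
  m=$(ip_to_int "$1") n=0
  while [ "$m" -ne 0 ]; do
    m=$(( (m << 1) & 4294967295 ))
    n=$(( n + 1 ))
  done
  echo "$n"
}

# network IP NETMASK -> network address (205.218.57.18 255.255.255.252 -> 205.218.57.16)
network() {
  int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# in_net IP NET NETMASK -> true when IP lies inside NET/NETMASK
in_net() {
  [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# Constructed route table, one "NET NETMASK IFACE" per line: the assumed
# server /30 on eth1, the rest of 205.218.57.0/24 on eth0, the workstation
# LAN on eth2, and the default route (0.0.0.0/0.0.0.0) out eth0.
ROUTES='205.218.57.16 255.255.255.252 eth1
205.218.57.0 255.255.255.0 eth0
192.168.6.0 255.255.255.0 eth2
0.0.0.0 0.0.0.0 eth0'

# lookup IP -> interface of the matching route with the longest prefix.
# Both 205.218.57.x routes match a server address; the /30 wins only because
# it is more specific than the /24, which is exactly what the netmask buys.
lookup() {
  best_len=-1 best_if=none
  while read -r net mask iface; do
    [ -n "$net" ] || continue
    if in_net "$1" "$net" "$mask"; then
      len=$(mask_bits "$mask")
      if [ "$len" -gt "$best_len" ]; then
        best_len=$len best_if=$iface
      fi
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best_if"
}

# Walk a few destinations: a server, the firewall's own eth0 address, a
# workstation, and an outside host (198.51.100.7 is a documentation address).
for ip in 205.218.57.17 205.218.57.25 192.168.6.10 198.51.100.7; do
  echo "$ip -> $(lookup "$ip")"
done
```

If a candidate server netmask is no longer than the one used for the rest of 205.218.57.x, lookup will report the same interface for servers and for the outside block, which is the symptom to look for when the servers cannot reach 205.218.57.25.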