TCLUG Archive

Firewalling / Routing



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sorry for the long message, but ..

I've been allowed to set up an experimental Linux firewall at work (yay!)
on our testbed set of machines, for potential implementation for the
entire building. I had it all set up and working fine using ip masq the
usual way .. but now I need the machines behind the firewall to have
real-world IP addresses because they're going to represent our major
database servers.

The physical setup in the office has the firewall with its two nics, one
plugged into the wall and the other plugged into the hub containing the
client testbed.  Due to our limited IP pool, the machines on both sides of
the firewall need to be in the same subnet (100.200.300.x, for example).

As I have it set up now, the routing table for the firewall explicitly
routes to each of the hosts that are behind it (because they're on the
same subnet I can't just map the subnet to one side or another):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
100.200.300.10  0.0.0.0         255.255.255.255 UH    0      0        4 eth1
100.200.300.11  0.0.0.0         255.255.255.255 UH    0      0        2 eth1
100.200.300.12  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
100.200.300.0   0.0.0.0         255.255.252.0   U     0      0      247 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        2 lo
0.0.0.0         100.200.300.1   0.0.0.0         UG    1      0      159 eth0


  where 100.200.300.{10,11,12} are the testbed machines (behind the
firewall), and the gateway for the entire subnet (not just behind the
wall) is 100.200.300.1 .

The firewall forwarding table is set up as:

IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc   all  0.0.0.0/0            100.200.300.10       n/a
acc   all  100.200.300.10       0.0.0.0/0            n/a
acc   all  0.0.0.0/0            100.200.300.11       n/a
acc   all  100.200.300.11       0.0.0.0/0            n/a
acc   all  0.0.0.0/0            100.200.300.12       n/a
acc   all  100.200.300.12       0.0.0.0/0            n/a

using ipfwadm lines like:

/sbin/ipfwadm -F -i accept -S <protected_host> -D 0.0.0.0/0 \
	-V 192.168.0.13 -W eth1
/sbin/ipfwadm -F -i accept -S 0.0.0.0/0 -D <protected_host> \
	-W eth0

  where 192.168.0.13 is the internal, unpublished, on-the-hub-only IP
address of the firewall, eth0 is the external (outside-world) nic, and
eth1 is the internal (on-the-hub) nic.

A few things about the network connections in the office:

+ Each RJ45 port on the wall will remember up to four nic hardware
addresses at a time.

+ The testbed hub contains a total of four hosts (three behind the wall +
the wall itself) so the RJ45 port on the wall should be filled to its
limit.


My questions are these:

- - Would forwarding (using ipfwadm) packets from the protected hosts
through the wall preserve their original, originating hardware address ?
This would cause the RJ45 port to "remember" it so the rest of the routers
in the building can know where to send packets destined for it.

- - If yes or no, how would a machine outside the wall know that it would
need to go through the wall to reach one of the protected hosts (if it
knew its ip address, for example) ?

- - Am I missing something crucial here ? I'm kinda drawing a blank on how
this should work. I've only used firewalls in situations where ip masq was
involved, prior to this.

Thanks.

- --
[------------------------------------------------------------------------]
| Josh Becker                      - aka -                        JellyD |
| email: jellyd@jellyd.org                            IRC: EFnet, DALnet |
[------------------------------------------------------------------------]
-----BEGIN PGP SIGNATURE-----
Version: GNUPG v0.4.3 (GNU/Linux)
Comment: For info finger gcrypt@ftp.guug.de

iD8DBQE2t+wYcmkpI69BOLwRAgm7AJ9mEEI1YGv7bRbhRWhwMP/e99Sf9QCeMGnx
qKLNyLADccXwAbLkXnszatI=
=Co3s
-----END PGP SIGNATURE-----
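
Added example, not part of the original post: a small Python model of how the routing table and default-deny forward rules listed in the message combine for a given packet. The 10.20.28.0/22 addresses are constructed stand-ins for the post's placeholder 100.200.300.x range, and the model matches forward rules on source and destination only, as in the rule listing.

```python
import ipaddress

# Constructed stand-ins: 10.20.28.0/22 replaces the post's placeholder
# 100.200.300.x (mask 255.255.252.0); .30.10-.12 are the protected hosts.
PROTECTED = ["10.20.30.10", "10.20.30.11", "10.20.30.12"]

# (destination, genmask, interface), same shape as the post's routing table
ROUTES = [(h, "255.255.255.255", "eth1") for h in PROTECTED] + [
    ("10.20.28.0", "255.255.252.0", "eth0"),
    ("127.0.0.0", "255.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", "eth0"),  # default route via the subnet gateway
]

# Forward rules as listed: accept traffic to and from each protected host
ANY = "0.0.0.0/0"
FORWARD = []
for h in PROTECTED:
    FORWARD += [("acc", ANY, h), ("acc", h, ANY)]
DEFAULT_POLICY = "deny"


def route_lookup(dst):
    """Return the interface of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, iface in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1]  # the default route always matches


def forward_verdict(src, dst):
    """First matching forward rule wins; otherwise the default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for verdict, rule_src, rule_dst in FORWARD:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return verdict
    return DEFAULT_POLICY


def trace(src, dst):
    """Forwarding decision plus the interface the packet would leave by."""
    return forward_verdict(src, dst), route_lookup(dst)
```

The /32 host routes win over the /22 subnet route, so only the three listed hosts are sent out eth1; any other address on the hub falls through to eth0 and to the deny policy.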