TCLUG Archive

Re: [TCLUG:8342] Multiple Ethernet



On Mon, 20 Sep 1999, Brian J. Ackermann wrote:

> Yeah...that's probably the case...I'm not currently using the
> configuration I will be using in the end.
> 
> Final config is Router <> HUB <> Firewall <> Switch <>
> Workstations ..

Ok.  I'm going to construct a little of your detail into what I think
you're trying to do...

Routed Networks: 205.218.57.0/24 (Internet) and 192.168.0.0/16 (Medical)

 (Internet)----[R]------[F]-------[S]---[WA]
                |                  |
  (Medical)_____|                  +----[WB]
                                   |
                                   +---- etc..

Can I assume that your router handles both "routed" networks?  If so,
what do you wish to accomplish for your workstations?  Do you want them
to exist on both networks?  Do you want/need them to have an internet
accessible IP as well as the private IP?

I see two options here.  One, you use IP Masquerading at the firewall
and use your own private IP block behind it.  If your ISP is using 
192.168.x.x, then I would use something like 10.0.0.0/8.  On your
workstations, you would use the internal interface IP address of the
gateway (firewall) computer as the default gateway.  Any traffic other
than that reserved for the local IP block would be directed to the
gateway.

Now, your traffic passes on to the firewall.  Its default gateway is
the IP address of the router.  I would suggest using the most up to date
kernel (2.2.12) and firewall tools (ipchains).  Compile the kernel to
use firewalling, and install the ipchains tools.[1]  Remember, if your
kernel does not have IP Firewall and IP Masquerading enabled, you will
not be able to forward packets regardless of what 
/proc/sys/net/ipv4/ip_forward says.  Then if you want to pass an internet
originating connection on to a server behind the firewall, you can use
the portforwarding tools (ipfwadm portfw).[2]

If you want WA, WB, etc... to have Internet IP addresses and use the
firewall simply as a packet filter, you will need to configure your
kernel to be a Bridge [3], not a masquerading gateway.  This is still in
beta development.  Perhaps you could find more versatility in the NAT
package for Linux [4].

I'm guessing here, but I believe you could go with either set of IPs
and all other requests would be correctly routed by the router.  
(Just remember to set up your default gateways correctly -- use "route
-n"  to check).

Good Luck.

References
==========
[1] http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
    http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
    http://www.linuxdoc.org/HOWTO/NET3-4-HOWTO.html
    http://www.linuxdoc.org/HOWTO/mini/IP-Masquerade.html
[2] http://juanjox.kernelnotes.org/
[3] http://www.linuxdoc.org/HOWTO/mini/Bridge.html
    http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html
[4] http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html


Later!

    ^chewie

+----------------------------------------------------+
| Chad Walstrom           mailto:chewie@wookimus.net | 
| ICQ: 9985127           http://wookimus.net/~chewie |
+----------------------------------------------------+
 Need a new truck?  Check out my '97 Explorer 2-door
   Sport at http://wookimus.net/~chewie/truck.html
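The masquerading option described in the message above, as an added example (not code from the original post or from Chad): a small sh script for a Linux 2.2 firewall running ipchains. Everything named here is assumed for illustration: eth0 is the interface facing the router, eth1 faces the switch, the workstations sit in the private block 10.0.0.0/8 with the firewall's eth1 address as their default gateway, and the router is 205.218.57.1 on the 205.218.57.0/24 block from the diagram. The script emits the ruleset as text so it can be reviewed before it is run as root, refuses to forward anything not explicitly masqueraded, drops packets arriving from the outside that claim an inside source address, turns on ip_forward only after the rules are loaded (since forwarding needs both the rules and a kernel built with IP firewalling and masquerading), and parses a constructed sample of `route -n` output to confirm the default gateway, as the post suggests checking.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed topology:
#   (Internet)--[Router 205.218.57.1]--eth0 [Firewall] eth1--[Switch]--10.0.0.0/8
EXT_IF=${EXT_IF:-eth0}            # faces the router
INT_IF=${INT_IF:-eth1}            # faces the switch / workstations
INT_NET=${INT_NET:-10.0.0.0/8}    # private block behind the firewall
ROUTER=${ROUTER:-205.218.57.1}    # firewall's own default gateway

# Print the ipchains commands instead of running them, so the ruleset can be
# read or diffed first. Order matters: policy and anti-spoof rules go in
# before forwarding is switched on.
gen_rules() {
    cat <<EOF
# forward nothing that is not explicitly allowed below
ipchains -P forward DENY
ipchains -F forward
ipchains -F input
# drop (and log) packets on the outside interface that claim an inside source
ipchains -A input -i $EXT_IF -s $INT_NET -j DENY -l
# masquerade the private block as it leaves towards the router
ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ
# only now enable forwarding (no effect without firewalling+masq in the kernel)
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# On a 2.2 kernel built with IP firewalling and masquerading these two proc
# entries exist (assumed paths); without them ip_forward alone does nothing.
kernel_ok() {
    [ -e /proc/net/ip_fwchains ] && [ -e /proc/net/ip_masquerade ]
}

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    kernel_ok || { echo "apply_rules: kernel lacks firewall/masq support" >&2; return 1; }
    gen_rules | sh -e
}

# default_gw TABLE: print the gateway of the 0.0.0.0 route with the G flag
# from 'route -n' output passed as $1; fail if there is no default route.
default_gw() {
    printf '%s\n' "$1" |
        awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; found = 1 }
             END { exit !found }'
}

# Constructed sample of 'route -n' on the firewall (not captured output).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
205.218.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
0.0.0.0         205.218.57.1    0.0.0.0         UG    0      0        0 eth0'

# check_gateway EXPECTED [TABLE]: true if the default gateway matches EXPECTED.
# TABLE defaults to the live 'route -n' output when run on the firewall.
check_gateway() {
    table=${2:-$(route -n 2>/dev/null)}
    gw=$(default_gw "$table") || return 1
    [ "$gw" = "$1" ]
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_gateway "$ROUTER" && echo "default gateway ok: $ROUTER" ;;
    *)     gen_rules ;;            # default: just show the ruleset
esac
```

Run it with no arguments to review the rules, `apply` as root on the firewall to load them, and `check` to verify that the firewall's own default route points at the router; the same `default_gw` parser can be pointed at `route -n` output from a workstation to confirm its default gateway is the firewall's eth1 address.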