On Sun Jul 12 2000 at 10:49, "Theresa Lane" wrote:

> i am attempting to insert a linux firewall in between a linux router
> and an nt subnet.  there are multiple boxes on the subnet
> and only 6 are supposed to be behind the firewall.

VERY good idea to do that :)  I'd put them ALL behind a firewall!
(Really).

> this is the current configuration.
>
> internet==> router ==> eth1 184.92.52.32 ====>nt boxes 184.92.52.*
>                       netmask 255.255.255.224

That's 256-224 = 32 addresses, 30 hosts in that subnet (.32->.63)
because .32 is the network address, .63 the broadcast address.
That's a CIDR "/27" subnet (CIDR = classless internet domain
routing).

> my proposed configuration is:
>
> internet==> router ==> eth1 184.92.52.32 ===>non firewalled nt boxes
>                                          ===>firewall 184.92.52.38
>                                                          ||
>                                                          ||
>                                              private firewalled subnet
>                                                       192.168.44.*
>                                              netmask 255.255.255.0
>
> the router belongs to the ISP and can not be changed without pulling
> eye teeth.

:-)

> the hardware looks like this:
>
> cable modem > router > 5 port hub
>                        |1|                  |2|            |uplink|
>                 router plugged here   firewall here   rest of subnet
>                                           hub              hub
>                                         devices           devices


(The firewall in hubport 2 will only protect the network behind it,
and not the "rest of the subnet").

> the distribution being used is red hat 6.1 right out of the box.

Fine.  (RH 6.2 does things slightly differently, see below).

> the kernel has been recompiled.  it is monolithic up.  modular
> support is configed but necessary options are compiled into the
> kernel.

That's not necessarily a good thing.  Monolithic kernels are usually
bad news because they rob you of a lot of flexibility with managing
device drivers.

With obvious exceptions, build everything as much as you can as
modules.  (Believe me, I've been using linux for more than 6 years,
and driver modules ARE the way to go).

> network initialization is accomplished through red hat scripts.
> ipchains script accomplishes nat for firewalled subnet.
> all firewalled boxes have 184.92.52.38 as their gateway.

Good.

> all other boxes on the subnet have 184.92.52.32 as their gateway.
> everything works correctly from inside the firewalled subnet.

Yes, good.  (But frightening to think of non-firewalled NT boxes:)

> the boxes can talk to each other and get out using .38 as
> a proxy.

I assume you are talking about the 192.168.44.0/24 subnet.  But it
still is confusing... "proxy" for who?

Also, what do you mean by "proxy"?  I think you mean "masquerading",
surely...  (?)

> however, from the outside in, the only thing the firewall can see
> is broadcast traffic for 184.92.52.255.

It shouldn't see that at all.

You imply above here that the broadcast address for that particular
subnet is 184.92.52.63 --- you state above that the network address
is .32 and the netmask is 255.255.255.224.

> ifconfig for eth1 on the firewall shows an oddity.  no matter what
> ip address you put in IPADDR for the red hat network initialization
> scripts to use,  the address for this interface is always
> 184.92.52.38.

You must have incorrect information in:

        /etc/sysconfig/network-scripts/ifcfg-eth1

> it occurred to me that this might be the lack of the option
> config_as_router_not_as_host.  however, i can't check this
> because my last config dataset was overlayed by my own stupidity.
> i am rebuilding the kernel to recreate the config dataset but
> have upleveled sources to 2.3.15 and don't want to throw another
> variable into the soup.

Use the default standard distribution kernel (or rather, replace
this with the updated kernel from ftp.redhat.com) - it will do
everything that you need to do here.

However, if you need to do *advanced* routing (multiple routing
tables, using fwmark and TOS for routing decisions, traffic shaping,
etc), then you'll need to recompile it.

> i have put eth1 into promiscuous mode.  but still packets which
> i am reasonably sure are on the wire do not seem to be visible
> to the firewall.

No big deal about promiscuous mode... tcpdump does that by default
if you want to listen.  Besides, the information you get from this
is almost useless if you are using a **SWITCHED** hub - you only get
to see the traffic that YOU need to see, not all the traffic.

> any suggestions would be appreciated.

These are the key configuration files:

        /etc/sysconfig/network
        /etc/sysconfig/network-scripts/ifcfg-eth0
        /etc/sysconfig/network-scripts/ifcfg-eth1
        /etc/sysconfig/static-routes (if needed)
        /etc/conf.modules

What is the output of:

        /sbin/ifconfig
        /sbin/route -n
        cat /proc/sys/net/ipv4/ip_forward

ip_forward should be "1" to turn on kernel routing.  For redhat 6.1
and previous, this is set at bootup in /etc/sysconfig/network like
this:

        FORWARD_IPV4=true

On redhat 6.2 this is done in /etc/sysctl.conf

To do this on a running box, do:

        echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't turn on routing, then it simply won't route packets :-)

ifconfig should show (at least) three network devices: lo eth0 eth1

The entry for eth1 should look something like this:

eth1      Link encap:Ethernet  HWaddr 00:10:5B:68:C9:C3  
          inet addr:192.168.44.9  Bcast:192.168.44.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1854  errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:5 Base address:0xa400 

You don't state the actual IP address you have put on the
firewalling box on the private subnet side, I've called it .44.9 here
as an example.

For the public address side, it should look something like this:

eth1      Link encap:Ethernet  HWaddr 00:10:5F:68:FC:C3  
          inet addr:184.92.52.38  Bcast:184.92.52.63  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83436 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11854 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          Interrupt:5 Base address:0xa400

Note the broadcast address of .63 with that network mask.

The ipchains rules on your firewall-router need to set up
masquerading for the private network:

        /sbin/ipchains -A forward -i eth0 -j MASQ

(easy, no? :)

The routing table should look something like this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
184.92.52.32    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.44.9    0.0.0.0         255.255.255.255 UH    0      0        0 eth1
184.92.52.0     0.0.0.0         255.255.255.224 UH    0      0        0 eth0
192.168.44.0    0.0.0.0         255.255.255.0   UH    0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         184.92.52.32    0.0.0.0         UG    0      0        0 eth0

This should give you some things to think about as you try to see
why what you want to happen isn't happening...

Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
  GrowZone OnLine       (a project of) GrowZone Development Network
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
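The /27 arithmetic from the top of the reply and the ifconfig / ip_forward checks from the end of it, as an added example that is not part of either mail. The interface names, addresses and masks are the ones used in the thread; the ifconfig text is constructed to mirror the reply's sample output, and `subnet_facts`, `implied_prefixlen`, `parse_ifconfig` and `audit` are names chosen here. `implied_prefixlen` draws one inference the reply does not spell out: a broadcast to 184.92.52.255 on a 255.255.255.224 subnet is the broadcast of a /24, so whichever host sends it is most likely running with the wrong mask.

```python
"""Added example (not from either mail): sanity checks for a two-NIC Linux
masquerading box, covering the /27 arithmetic and the ifconfig / ip_forward
checks from the reply.  Addresses and interface names come from the thread;
the ifconfig text is constructed to mirror the reply's sample output."""
import ipaddress
import re


def subnet_facts(address: str, netmask: str) -> dict:
    """Network, broadcast, prefix length and host count for a dotted-quad
    address/netmask pair, e.g. 184.92.52.38 / 255.255.255.224 -> /27."""
    net = ipaddress.IPv4Interface(f"{address}/{netmask}").network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "addresses": net.num_addresses,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def implied_prefixlen(bcast_seen: str, address: str):
    """Inference added here, not stated in the mail: the prefix length under
    which bcast_seen would be the broadcast of address's subnet.  Seeing
    184.92.52.255 beside a 255.255.255.224 address means some host is using
    a /24 mask.  The all-ones limited broadcast implies no mask -> None."""
    if bcast_seen == "255.255.255.255":
        return None
    for plen in range(32, 0, -1):
        net = ipaddress.IPv4Interface(f"{address}/{plen}").network
        if str(net.broadcast_address) == bcast_seen:
            return plen
    return None


# Old-style (net-tools) ifconfig layout, as shown in the reply.
IFCONFIG_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9]+)\s+Link encap:[^\n]*\n"
    r"\s+inet addr:(?P<addr>[\d.]+)"
    r"(?:\s+Bcast:(?P<bcast>[\d.]+))?"
    r"\s+Mask:(?P<mask>[\d.]+)",
    re.MULTILINE,
)


def parse_ifconfig(text: str) -> dict:
    """Map interface name -> (addr, bcast-or-None, mask)."""
    return {m["name"]: (m["addr"], m["bcast"], m["mask"])
            for m in IFCONFIG_RE.finditer(text)}


def forwarding_enabled(proc_value: str) -> bool:
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward."""
    return proc_value.strip() == "1"


def audit(ifconfig_text: str, ip_forward_value: str,
          public_if: str = "eth0", private_if: str = "eth1") -> list:
    """The checks the reply asks for: lo plus both NICs present, every Bcast
    consistent with its Mask, and kernel forwarding switched on.
    Returns a list of findings; an empty list means everything passed."""
    findings = []
    ifaces = parse_ifconfig(ifconfig_text)
    for name in ("lo", public_if, private_if):
        if name not in ifaces:
            findings.append(f"{name}: missing from ifconfig output")
    for name, (addr, bcast, mask) in ifaces.items():
        expected = subnet_facts(addr, mask)["broadcast"]
        if bcast is not None and bcast != expected:
            findings.append(f"{name}: Bcast {bcast} inconsistent with Mask "
                            f"{mask} (expected {expected})")
    if not forwarding_enabled(ip_forward_value):
        findings.append("ip_forward is not 1: the kernel will not route "
                        "between the interfaces")
    return findings


# Constructed sample: eth0 on the public /27, eth1 on the private /24,
# matching the routing table in the reply.
GOOD_IFCONFIG = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:10:5F:68:FC:C3
          inet addr:184.92.52.38  Bcast:184.92.52.63  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:10:5B:68:C9:C3
          inet addr:192.168.44.9  Bcast:192.168.44.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Same box with a /24 broadcast wrongly configured on the /27 interface.
BAD_IFCONFIG = GOOD_IFCONFIG.replace("Bcast:184.92.52.63", "Bcast:184.92.52.255")

if __name__ == "__main__":
    print(subnet_facts("184.92.52.38", "255.255.255.224"))
    print("mask implied by 184.92.52.255:",
          implied_prefixlen("184.92.52.255", "184.92.52.38"))
    for label, text, fwd in (("good", GOOD_IFCONFIG, "1\n"),
                             ("bad", BAD_IFCONFIG, "0\n")):
        print(label, audit(text, fwd) or "no findings")
```

On a real box, feed `audit` the output of `/sbin/ifconfig` and the contents of `/proc/sys/net/ipv4/ip_forward`; the `route -n` table is not parsed here because the two ifconfig entries and the forwarding flag are the checks the reply actually lists.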
