Hi,

     We are trying to set up a Linux Router/Firewall on our network.
But we are taking little steps, to test and ensure each part is working
properly.  The configuration is the classic two Unix System Bastion Host and
Interior Router.  The Bastion Host is the first one on the firewall and the
Interior Router is the connection to the internal network.


The Problem/Question:

A. Do I use ipfwadm on the Interior Router (Second Linux Box)?  I have it
set up on both boxes, but the Interior Router does not appear to be passing
on the packets.

B. Does ipfwadm support stacking of ip through each system it passes through?

C. Is the configuration missing something? (75% works correctly)

Configuration / Tests

1. We have set up 2 Linux boxes, running Slackware 3.2.  The First Linux box
has been configured with 2 ethernet cards and the same with the Second Linux
box.  Each ethernet connection can ping and telnet to its own subnet.  Each
box can also ping and surf the web and ftp to any location.

3. "Our Internal Network" can receive a DNS entry (resolve name to
address), but cannot reach the hosts on the Internet.  Furthermore,
if we try to ping an IP address on the Internet, we receive a network
timeout.

4. Checking the ipfwadm rules, it does show when a system on "Our
Internal Network" pings, so the packets do go to the "Interior Router"
system.

 Below is the layout and the configuration of how it is
set up.  Any suggestions would be greatly appreciated.

Thanks

Darren  [EMAIL PROTECTED]



                  Internet
                    \|/
                     |
              Cisco Router (ISP)
                     | 999.170.224.104  mask: 255.255.255.252
                     |
                     |
                     | 999.170.224.105 mask: 255.255.255.252
              Cisco Router (ours)
                     | 888.64.128.33 mask: 255.255.255.224
                     |
                     |
                     | 888.64.128.40 mask: 255.255.255.224
               First Linux Box (Bastion Host)
                     | 192.168.1.40 mask: 255.255.255.0
                     |
                     |
                     | 192.168.1.41 mask: 255.255.255.0
               Second Linux Box (Interior Router)
                     | 10.60.1.41 mask: 255.255.0.0
                     |
                     |
                     |
                    /|\ 10.X.X.X mask: 255.255.0.0
            Our Internal Network



======= First Linux Box ========

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
888.64.128.32   *               255.255.255.224 U     0      0        1 eth0
192.168.1.0     *               255.255.255.0   U     0      0        1 eth1
loopback        *               255.0.0.0       U     0      0        3 lo
default         *               0.0.0.0         U     0      0        2 eth0

======= Second Linux Box ========

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        2 eth1
10.60.0.0       0.0.0.0         255.255.0.0     U     0      0        1 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        1 lo
0.0.0.0         192.168.1.40    0.0.0.0         UG    1      0        3 eth1

======================== rc.inet1 From First Linux Box ==============
#! /bin/sh
HOSTNAME=`cat /etc/HOSTNAME`

#
# Attach the loopback device.
#
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
/sbin/route add default eth0

#
# Ethernet Port 1
# This is the side of the local net (DMZ).
#
/sbin/ifconfig eth1 192.168.1.40 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

#
# Ethernet Port 0
# This is the side of the internet.
#
/sbin/ifconfig eth0 888.64.128.40 broadcast 888.64.128.63 netmask 255.255.255.224
/sbin/route add -net 888.64.128.32 netmask 255.255.255.224 eth0


======================== rc.inet1 From Second Linux Box ==============
#! /bin/sh

HOSTNAME=`cat /etc/HOSTNAME`

# Attach the loopback device.
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

# Our Local Network
/sbin/ifconfig eth0 10.60.1.41 broadcast 10.60.255.255 netmask 255.255.0.0
/sbin/route add -net 10.60.0.0 netmask 255.255.0.0 eth0

# DMZ
/sbin/ifconfig eth1 192.168.1.41 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

/sbin/route add default gw 192.168.1.40 metric 1


============== FIREWALL FORWARDING RULES ===============

IP accounting rules
IP firewall input rules, default policy: accept
IP firewall output rules, default policy: accept
IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  192.168.1.0/24       anywhere             n/a
IP masquerading entries



============== COMMANDS TO SETUP FORWARDING RULES =======

# Flush the input (-I), output (-O) and forward (-F) chains, then make the
# forward chain deny by default.
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
# Forward and masquerade (policy "m", shown as acc/m in the listing) anything
# from the DMZ net to any destination.
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

# FTP masquerading helper, plus the ipip and rarp modules.
modprobe ip_masq_ftp
modprobe ipip
modprobe rarp


============== FIREWALL FORWARDING RULES For Second Linux Box ===============

IP accounting rules
IP firewall input rules, default policy: accept
IP firewall output rules, default policy: accept
IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  localnet/16          bastion              n/a
IP masquerading entries

============== COMMANDS TO SETUP FORWARDING RULES For Second Linux Box =======

# FTP masquerading helper, plus the ipip and rarp modules.
modprobe ip_masq_ftp
modprobe ipip
modprobe rarp

# Flush the input (-I), output (-O) and forward (-F) chains, then make the
# forward chain deny by default.
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
# Forward and masquerade (policy "m") traffic from the internal net, but only
# when its destination is the bastion host itself (192.168.1.40); any other
# destination falls through to the chain's default policy.
/sbin/ipfwadm -F -a m -S 10.60.0.0/255.255.0.0 -D 192.168.1.40




_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
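As an added illustration (my code, not from Darren's post or from ipfwadm itself): a small Python model of how the ipfwadm forward chain matches a packet, run over the forward rules posted above for both boxes, so the two-hop (stacked) masquerade path can be traced. It assumes the interior router masquerades internal traffic behind its DMZ address 192.168.1.41 and uses the constructed addresses 10.60.1.100 (internal host) and 203.0.113.5 (Internet host); Rule, forward_verdict and trace are hypothetical helper names.

```python
import ipaddress

# Added illustration of ipfwadm forward-chain matching over the rule sets
# posted for both boxes; not code from the original post or from ipfwadm.
# Hypothetical helper names: Rule, forward_verdict, trace.


class Rule:
    """One `ipfwadm -F -a <policy> -S src -D dst` rule."""

    def __init__(self, src, dst, policy="acc/m"):
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.policy = policy  # "acc/m": accept and masquerade, as listed


def forward_verdict(rules, default_policy, src_ip, dst_ip):
    """Verdict the forward chain gives a packet src_ip -> dst_ip.

    A rule matches when the source lies in -S and the destination lies
    in -D; the first match wins, otherwise the chain's default applies.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.policy
    return default_policy


# Rule sets exactly as posted (both forward chains default to deny).
BASTION = [Rule("192.168.1.0/24", "0.0.0.0/0")]
INTERIOR_AS_POSTED = [Rule("10.60.0.0/255.255.0.0", "192.168.1.40/32")]
# Constructed variant for comparison: same source net, any destination.
INTERIOR_ANY_DST = [Rule("10.60.0.0/255.255.0.0", "0.0.0.0/0")]

# Constructed addresses: an internal host and a host on the Internet.
INTERNAL_HOST = "10.60.1.100"
INTERNET_HOST = "203.0.113.5"


def trace(interior_rules, src_ip, dst_ip, interior_dmz_ip="192.168.1.41"):
    """Follow one packet from the internal net through both boxes.

    Returns [(hop, verdict), ...]. Stacked masquerading: once the interior
    router masquerades the packet, the bastion sees the interior router's
    DMZ address as the source and applies its own forward chain to that.
    """
    hops = [("interior", forward_verdict(interior_rules, "deny", src_ip, dst_ip))]
    if hops[0][1] == "deny":
        return hops
    hops.append(("bastion", forward_verdict(BASTION, "deny", interior_dmz_ip, dst_ip)))
    return hops
```

With the interior rule as posted, the trace stops at the interior router on the forward chain's default deny for any Internet destination; with the any-destination variant the same packet is masqueraded at both hops.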