iptables firewall between dsl router and intranet

 
 
Thomas Olschewski
07-27-2005, 06:31 AM
Hello,

I had set up an iptables-based Linux firewall. It was connected with eth0 to
the internal network and with eth1 to a DSL modem (PPPoE), and it also did all
the NAT stuff. A lightning strike blew my modem, and the new DSL hardware is
a router itself, providing NAT, VoIP etc. Nevertheless I would like to use
my iptables firewall between this router and my internal network.

Internal network is 192.168.5.x

Questions
Is it a good idea to put the unsecure NIC eth1 of the firewall and the DSL
router on another net, for instance 192.168.6.x?
How are the machines of the internal network routed? Is the gateway IP the
IP of the firewall's secure NIC eth0? I suppose it is, but how is the
firewall's own networking set up? Does it also need a gateway IP, the IP of the DSL
router? Can this be the default route, or do I have to set up different routes
for eth0 and eth1?

I hope someone can enlighten me.


Thomas


 
hakim
07-27-2005, 06:54 AM
>Is it a good idea to set the unsecure nic eth1 of the firewall and the dsl
>router to another net, for instance 192.168.6.x?


You are creating something like a DMZ...

> How are the machines of the internal network routed?


A client in 192.168.5.x gets the default gateway of your Linux
firewall, but of the interface which is in 192.168.5.x, NOT the
192.168.6.x interface of the second network card of your Linux
firewall. It is possible to have only a router without NAT on your
Linux firewall. The Linux firewall needs your DSL router as default
gateway. Your DSL router needs a route to the 192.168.5.x network over
the 192.168.6.x interface of your Linux firewall. And here the problem
starts. On some DSL routers you can't configure a route in the
web interface. Check that first.

Hope that helps. Let me know...

Achim

 
 
Thomas Olschewski
07-27-2005, 08:00 AM
> linux firewall. The linux firewall needs your dsl router as default
> gateway. Your dsl-Router needs a route to the 192.168.5.x network over
> the 192.168.6.x interface of your linux firewall. And here the problem
> starts. On some dsl-routers you can't configure a route in the
> webinterface. Check that first.


Routes can be set in this DSL router. Thank you for this information. So
only the internal machines and the DSL router need a default gateway. The
firewall itself is connected to both networks and doesn't need a gateway. Is
this right?

Internal machines -> gateway ip of firewall's secure nic -> firewall ->
firewall's unsecure nic -> dsl router -> internet

Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
firewall -> firewall's secure nic -> internal machines

I will try to set this up at the weekend, when nobody here is working with
the internet.


Thomas


 
 
G_r_a_n_t_@dodo.com.au
07-27-2005, 08:06 AM
On Wed, 27 Jul 2005 08:31:54 +0200, "Thomas Olschewski" <(E-Mail Removed)> wrote:
>
> I had setup a iptables based linux firewall. It was connected with eth0 to
> the internal network and with eth1 to a dsl modem (pppoe) and did also all
> the NAT stuff. A lightning strike blows my modem and the new dsl hardware is
> a router itself, providing NAT, voip etc. Nevertheless I would like to use
> my iptables firewall between this router and my internal network.
>
> Internal network is 192.168.5.x
>
> Questions
> Is it a good idea to set the unsecure nic eth1 of the firewall and the dsl
> router to another net, for instance 192.168.6.x?

Necessary. Bridging is a pain and probably not required.

> How are the machines of the internal network routed? Is the gateway ip the
> ip of the firewall's secure nic eth0? I suppose it is, but how is the
> firewall networking setup? Does it need also a gateway ip, the ip of the dsl
> router? Can this be the default route or do I have to setup different routes
> for eth0 and eth1?

You're confused... you have a 1:1 link from PC NIC to DSL, the
other NIC to localnet. In your prior setup with PPPoE the public
interface was ppp0, now it is ethX (X = whatever). The modem does
the connection to ISP and it knows default route to world + DNS.
So treat modem now as 'first hop'. Default route for localnet is
firewall, firewall forwards to modem, okay? Now, I've either confused
you or me more, or less? I dunno )

You could put the modem into bridge mode and do it all in
firewall again, no?

Grant.

 
 
Thomas Olschewski
07-27-2005, 10:53 AM
> You could put the modem into bridge mode and do it all in
> firewall again, no?


The modem should stay in router mode for VoIP, and I am not sure if it can work
as a bridge at all. I read that the Linux firewall could work as a bridge. But
this would be the second choice for me if the first way doesn't work. At
first I will try this:

Internal machines -> gateway ip of firewall's secure nic -> firewall ->
firewall's unsecure nic -> dsl router -> internet

Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
firewall -> firewall's secure nic -> internal machines

Thanks for answering.

Thomas


 
 
CL (dnoyeB) Gilbert
07-27-2005, 01:45 PM
Thomas Olschewski wrote:
>>You could put the modem into bridge mode and do it all in
>>firewall again, no?

>
>
> Modem should stay in router mode for VoIP and I am not sure if it can work
> as bridge at all. I read, that the linux firewall could work as bridge. But
> this would be the second choice for me if the first way doesn't work. At
> first I will try this
>
> Internal machines -> gateway ip of firewall's secure nic -> firewall ->
> firewall's unsecure nic -> dsl router -> internet
>
> Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
> firewall -> firewall's secure nic -> internal machines
>
> Thanks for answering.
>
> Thomas
>
>


But you don't want to double NAT, do you? Will VoIP agree with that? I
would turn off the Linux NAT/routing, or turn off the DSL router's
NAT/routing. I wouldn't leave both on.

--
Respectfully,

CL Gilbert
 
 
Thomas Olschewski
08-03-2005, 07:43 PM
> but you dont want to double NAt do you? will VOIP agree with that? I would
> turn off the linux nat/routing, or turn off the dsl routers nat/routing.
> I wouldnt leave both on.


Yes, I NAT twice. I don't know whether VoIP clients on PCs agree with that. The
DSL router features an integrated ISDN port. I simply switch my ISDN bus to
this port and talk with my ISDN hardware as before. I can define in the DSL
router which calls go out by VoIP or by ISDN.

Thomas


 
 
Thomas Olschewski
08-03-2005, 07:45 PM
> Internal machines -> gateway ip of firewall's secure nic -> firewall ->
> firewall's unsecure nic -> dsl router -> internet
>
> Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
> firewall -> firewall's secure nic -> internal machines


And the firewall router needs a default gateway to the DSL router too! Now it works.

Thomas


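The setup the thread converges on, written out as an added shell example (not code from any poster): the internal clients use the firewall's eth0 address as their gateway, the firewall itself has the DSL router as default gateway, the DSL router carries a static route for 192.168.5.0/24 back to the firewall's eth1 address, and the firewall forwards without NAT so that VoIP is not behind two NAT layers. The concrete addresses 192.168.5.1 (firewall eth0), 192.168.6.2 (firewall eth1) and 192.168.6.1 (DSL router) are assumptions; the thread only names the two /24 networks. The static route on the DSL router has to be entered in its web interface and is not part of the script. `setup_nat masquerade` is the fallback for a DSL router that cannot take a route, which brings back the double NAT the thread warns about; `DRY_RUN=1` prints the commands instead of executing them so the plan can be reviewed without root.

```shell
#!/bin/sh
# Linux firewall between a DSL router (192.168.6.0/24) and the LAN (192.168.5.0/24).
# Addresses below are constructed for this example; only the /24 prefixes come from the thread.
LAN_IF=eth0; LAN_NET=192.168.5.0/24; LAN_IP=192.168.5.1   # LAN clients: gateway 192.168.5.1
WAN_IF=eth1; WAN_NET=192.168.6.0/24; WAN_IP=192.168.6.2   # DSL router: route 192.168.5.0/24 via 192.168.6.2
DSL_ROUTER=192.168.6.1

# DRY_RUN=1 prints each command instead of running it (review/test mode).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_routing() {
    run ip addr replace "$LAN_IP/24" dev "$LAN_IF"
    run ip addr replace "$WAN_IP/24" dev "$WAN_IF"
    # The firewall needs its own default route to the DSL router (the fix from the last post).
    run ip route replace default via "$DSL_ROUTER" dev "$WAN_IF"
    # Both connected /24s are reached directly; only forwarding has to be switched on.
    run sysctl -w net.ipv4.ip_forward=1
}

setup_filter() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Stateful forwarding: the LAN may open connections, the WAN side only gets replies back.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet arriving from the DSL side must never carry a LAN source address.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Rate-limited log of everything that falls through to the DROP policy.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# route       : no NAT on the firewall; the DSL router routes 192.168.5.0/24 back to $WAN_IP.
# masquerade  : second NAT layer, only for a DSL router that cannot take a static route.
setup_nat() {
    run iptables -t nat -F POSTROUTING
    case "$1" in
        route) ;;
        masquerade) run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE ;;
        *) echo "usage: setup_nat route|masquerade" >&2; return 1 ;;
    esac
}

apply_all() {
    setup_routing
    setup_filter
    setup_nat "${1:-route}"
}

# Entry point: `DRY_RUN=1 sh fw.sh route` to review, `sh fw.sh route` as root to apply.
# With no argument the file only defines the functions (so it can be sourced).
if [ $# -gt 0 ]; then
    apply_all "$1"
fi
```

With `route` mode the return path depends entirely on the static route in the DSL router; if that route is missing, replies for 192.168.5.x never reach eth1 and the connection simply times out, which is the symptom to check first before falling back to `masquerade`.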
 