non-masquerading firewall

 
 
FEEB
01-29-2004, 07:27 PM
I have built a number of NAT systems in several countries, which use
reserved IP addresses for their masqueraded networks (192.168.0.0/16,
10.10.0.0/16, etc.). I am familiar with iptables.

Now I would like to build a system that would just forward packets from
eth0 to eth1. Both NICs would operate in the same IP block.
That would give me an opportunity to filter out undesirables in both
directions, while making all my machines visible from outside.

I looked over HOWTOs and mini-HOWTOs, but they all deal with NAT systems,
not just strict forwarding.

Before I start reinventing the wheel, I would like to see some solutions
already available in the public domain.
Could anyone please point me to a source of info on this subject?

Thanks


Frank Bures, <(E-Mail Removed)>


 
Lew Pitcher
01-29-2004, 07:54 PM
On Thu, 29 Jan 2004 15:27:08 -0500 (EST), "FEEB" <(E-Mail Removed)>
wrote:

>I have built a number of NAT systems in several countries, which use
>reserved IP addresses for their masqueraded networks (192.168.0.0/16,
>10.10.0.0/16, etc.). I am familiar with iptables.
>
>Now I would like to build a system that would just forward packets from
>eth0 to eth1. Both NICs would operate in the same IP block.
>That would give me an opportunity to filter out undesirables in both
>directions, while making all my machines visible from outside.
>
>I looked over HOWTOs and mini-HOWTOs, but they all deal with NAT systems,
>not just strict forwarding.
>
>Before I start reinventing the wheel, I would like to see some solutions
>already available in the public domain.
>Could anyone please point me to a source of info on this subject?


It seems to me that this is simpler than you think.

If you aren't doing NAT, then you just need ACCEPT or DROP rules. As for
forwarding, you leave that up to the Linux TCP/IP stack by setting the
/proc/sys/net/ipv4/ip_forward value to 1.

--
Lew Pitcher
IT Consultant, Enterprise Technology Solutions
Toronto Dominion Bank Financial Group

(Opinions expressed are my own, not my employers')
 
 
FEEB
01-30-2004, 11:29 AM
On Thu, 29 Jan 2004 20:54:04 GMT, Lew Pitcher wrote:

>On Thu, 29 Jan 2004 15:27:08 -0500 (EST), "FEEB" <(E-Mail Removed)>
>wrote:
>
>>I have built a number of NAT systems in several countries, which use
>>reserved IP addresses for their masqueraded networks (192.168.0.0/16,
>>10.10.0.0/16, etc.). I am familiar with iptables.
>>
>>Now I would like to build a system that would just forward packets from
>>eth0 to eth1. Both NICs would operate in the same IP block.
>>That would give me an opportunity to filter out undesirables in both
>>directions, while making all my machines visible from outside.
>>
>>I looked over HOWTOs and mini-HOWTOs, but they all deal with NAT systems,
>>not just strict forwarding.
>>
>>Before I start reinventing the wheel, I would like to see some solutions
>>already available in the public domain.
>>Could anyone please point me to a source of info on this subject?

>
>It seems to me that this is simpler than you think.
>
>If you aren't doing NAT, then you just need ACCEPT or DROP rules. As for
>forwarding, you leave that up to the Linux TCP/IP stack by setting the
>/proc/sys/net/ipv4/ip_forward value to 1.


So, you just assign those two NIC's two different IP addresses from the
same IP block?


Frank Bures, <(E-Mail Removed)>


 
 
John Doe
01-30-2004, 02:46 PM
In article <(E-Mail Removed) ronto.ca>, FEEB wrote:
> I have built a number of NAT systems in several countries, which use
> reserved IP addresses for their masqueraded networks (192.168.0.0/16,
> 10.10.0.0/16, etc.). I am familiar with iptables.
>
> Now I would like to build a system that would just forward packets from
> eth0 to eth1. Both NICs would operate in the same IP block.
> That would give me an opportunity to filter out undesirables in both
> directions, while making all my machines visible from outside.
>
> I looked over HOWTOs and mini-HOWTOs, but they all deal with NAT systems,
> not just strict forwarding.


Each NIC needs to be on a UNIQUE network for a routing table to be able
to determine which interface to route traffic through. To create a router that
connects two networks that are from the same block you need to use
static NAT in both directions to hide the fact that they are the same
network (and routing decisions can therefore be made correctly). If you
just want a range of machines to be available on your network then you
can simply forward packets out of your iptables box unaltered (no
need for the nat table, just use the filter table) and put in rules (again in
the filter table) to allow restricted access back to those IPs. This,
however, is a bad idea IMHO, since a compromise of one of those hosts
(remember that security doesn't stop with allowed/disallowed ports)
would lead to further INTERNAL hosts being compromised.

Fluffy

--
woof woof
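The two replies above boil down to the same recipe: enable forwarding in the kernel, leave the nat table alone, and do all filtering with ACCEPT/DROP rules in the FORWARD chain of the filter table. The script below is an added example of that recipe; it is not code posted in the thread. Interface names, the 203.0.113.0/24 (TEST-NET-3) block standing in for the real public addresses, and the list of published host:port services are assumptions chosen for illustration. It also assumes, as the last reply points out a routing table needs, that the protected hosts sit on their own routed subnet behind eth1 rather than sharing the outside interface's network; the same-block case is left where the thread leaves it.

```sh
#!/bin/sh
# Added example, not from the thread: a forwarding-only (no NAT) packet
# filter built from FORWARD-chain ACCEPT/DROP rules. Interface names, the
# 203.0.113.0/24 block and the published services are assumptions.
set -eu

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"                 # faces the upstream router
INSIDE_IF="${INSIDE_IF:-eth1}"                   # faces the publicly routable hosts
PROTECTED_NET="${PROTECTED_NET:-203.0.113.0/24}" # their real, unmasqueraded addresses
# host:tcp-port pairs the outside may open connections to; everything else is dropped
PUBLISHED="${PUBLISHED:-203.0.113.10:80 203.0.113.10:443 203.0.113.20:25}"

# Emit the commands one per line. Nothing here references the nat table.
gen_rules() {
    # Kernel forwarding, exactly as the reply above describes
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Default deny before flushing, so there is no window with an open policy
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Anti-spoofing: protected addresses are only legitimate on the inside interface
    echo "iptables -A FORWARD -i $OUTSIDE_IF -s $PROTECTED_NET -j DROP"
    echo "iptables -A FORWARD -i $INSIDE_IF ! -s $PROTECTED_NET -j DROP"
    # Return traffic for connections already allowed, in either direction
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Inside -> outside: protected hosts may open any connection
    echo "iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $PROTECTED_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Outside -> inside: only the published services, pinned to host and port
    for svc in $PUBLISHED; do
        host="${svc%%:*}"
        port="${svc##*:}"
        echo "iptables -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"
}

# Sanity check: number of generated commands touching the nat table (should be 0)
count_nat_refs() {
    gen_rules | grep -c -- '-t nat' || true
}

# Number of inbound service exceptions generated from PUBLISHED
count_published() {
    gen_rules | grep -c -- '--dport' || true
}

# Number of default-deny policy commands generated (should be 1)
count_default_deny() {
    gen_rules | grep -c 'iptables -P FORWARD DROP' || true
}

# Install the rules by feeding the generated commands to a shell (needs root)
apply_rules() {
    gen_rules | sh -e
}

# "sh forward-only.sh apply" installs the rules; anything else just prints them
case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments first and read the rule set before running it with `apply`. Note the caveat in the last reply: traffic between hosts on the eth1 segment never crosses this box, so none of these rules help once a published host is compromised and starts probing its neighbours; that needs separation on the inside segment, not more FORWARD rules.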
 