Replace private IP by public IP : Big problems !!! ;-(

Fred99
Guest
07-23-2004, 10:21 PM
Hi all,

I've got a big problem with my firewall, which has three ethernet
cards.
eth0: 172.16.2.1/255.255.255.0 ----> LAN
eth1: 192.168.2.1/255.255.255.0 ----> DMZ
eth2: 192.168.3.1/255.255.255.0 ----> WAN

This firewall is connected to a router which has WAN IP 192.168.3.254
and a public IP for WAN: 62.160.X.X/255.255.255.255
This configuration is working !!!

I have tried to replace the WAN IP of my firewall by a public IP:
62.160.X.Y
# ifconfig eth2 62.160.X.Y netmask 255.255.255.248
# route add default gw 62.160.X.Z (which is the new IP of the router; the WAN
and LAN interfaces of the router are the same)

I can access the internet from my firewall but unfortunately not
from my LAN.
I can ping my firewall and my router from my LAN.
So for now I have gone back to my old configuration until I find out why it was not
working.
Have you got any idea, please?

Thanks

Fred99
David Efflandt
Guest
07-24-2004, 10:58 PM
On 23 Jul 2004 15:21:41 -0700, Fred99 <(E-Mail Removed)> wrote:
> Hi all,
>
> I've got a big problem with my firewall, which has three ethernet
> cards.
> eth0: 172.16.2.1/255.255.255.0 ----> LAN
> eth1: 192.168.2.1/255.255.255.0 ----> DMZ
> eth2: 192.168.3.1/255.255.255.0 ----> WAN
>
> This firewall is connected to a router which has WAN IP 192.168.3.254
> and a public IP for WAN: 62.160.X.X/255.255.255.255
> This configuration is working !!!
>
> I have tried to replace the WAN IP of my firewall by a public IP:
> 62.160.X.Y
> # ifconfig eth2 62.160.X.Y netmask 255.255.255.248
> # route add default gw 62.160.X.Z (which is the new IP of the router; the WAN
> and LAN interfaces of the router are the same)
>
> I can access the internet from my firewall but unfortunately not
> from my LAN.
> I can ping my firewall and my router from my LAN.
> So for now I have gone back to my old configuration until I find out why it was not
> working.
> Have you got any idea, please?


Have you enabled masquerading, so that any traffic from eth0 out eth2 is
masqueraded as the eth2 IP? The internet is not going to know how to route
replies to private 172.16.x.x IPs.

Also, if you later configure a block of public IPs on DMZ eth1, you would
need to configure eth1 with the 255.255.255.248 netmask, and eth2 would need:

ifconfig eth2 62.160.X.Y netmask 255.255.255.255 broadcast 62.160.X.Y
route add -host 62.160.X.Z dev eth2
route add default gw 62.160.X.Z

Then your system will know how to find the gateway (and its own IP) on eth2,
but will route all other IPs in that block to eth1.

Not sure which Linux you are using, but SuSE has SuSEfirewall2, which makes it
very easy to configure 3 interfaces for public, DMZ (other public IPs),
and masqueraded LAN by editing a few variables.

--
David Efflandt - All spam ignored http://www.de-srv.com/
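The two points in David's reply (replies cannot come back to a private 172.16.x.x source unless the firewall masquerades it, and the /32 plus host-route layout on eth2 that sends the gateway out eth2 while the rest of the public block goes to the DMZ) can be checked in a small model. The following is an added example, not code from the thread or from SuSEfirewall2: a toy packet-flow model with a longest-prefix-match routing table and a MASQUERADE-style source NAT. All addresses in 203.0.113.0/24 and 198.51.100.0/24 are constructed stand-ins for the thread's 62.160.X.Y placeholders and for an Internet host; the interface names are the thread's.

```python
"""Toy model of the firewall in this thread: LPM routing plus MASQUERADE.
Added example; addresses are constructed documentation-range values."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed (assumption): the public /29 is 203.0.113.8/29, the
# router/gateway is .9 and the firewall's eth2 address is .10.
WAN_IP = "203.0.113.10"
GATEWAY = "203.0.113.9"

# Firewall routing table in the layout David describes: eth2 carries a /32
# plus a host route to the gateway, the rest of the public block is on eth1.
FW_ROUTES = [
    ("172.16.2.0/24",  "eth0", None),     # LAN
    ("192.168.2.0/24", "eth1", None),     # current private DMZ
    ("203.0.113.8/29", "eth1", None),     # future public DMZ block
    (WAN_IP + "/32",   "eth2", None),     # ifconfig eth2 ... netmask 255.255.255.255
    (GATEWAY + "/32",  "eth2", None),     # route add -host GW dev eth2
    ("0.0.0.0/0",      "eth2", GATEWAY),  # route add default gw GW
]


def is_private(addr):
    """True for RFC 1918 addresses, which the public Internet does not route."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def lookup(routes, dst):
    """Longest-prefix match; returns (device, gateway) or None if no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def lan_round_trip(masquerade, lan_host="172.16.2.50", server="198.51.100.7"):
    """Send one packet from a LAN host to an Internet server through the
    firewall and return the address the reply finally reaches on the LAN,
    or None when the reply is undeliverable."""
    conntrack = {}                       # (nat_src, sport) -> original src
    pkt = {"src": lan_host, "dst": server, "sport": 40000, "dport": 80}

    dev, _gw = lookup(FW_ROUTES, pkt["dst"])
    if masquerade and dev == "eth2":     # nat POSTROUTING -o eth2 -j MASQUERADE
        conntrack[(WAN_IP, pkt["sport"])] = pkt["src"]
        pkt = dict(pkt, src=WAN_IP)

    # The server answers whatever source it saw; public routers have no
    # route to RFC 1918 space, so a reply to 172.16.x.x is discarded.
    reply = {"src": pkt["dst"], "dst": pkt["src"],
             "sport": pkt["dport"], "dport": pkt["sport"]}
    if is_private(reply["dst"]):
        return None

    # Reply arrives on eth2; the conntrack entry un-NATs it to the LAN host.
    orig = conntrack.get((reply["dst"], reply["dport"]))
    if orig is not None:
        reply["dst"] = orig
    dev, _gw = lookup(FW_ROUTES, reply["dst"])
    return reply["dst"] if dev == "eth0" else None


if __name__ == "__main__":
    print("without masquerade:", lan_round_trip(False))   # None
    print("with masquerade:   ", lan_round_trip(True))    # 172.16.2.50
    for ip in (GATEWAY, "203.0.113.12", "198.51.100.7"):
        print(ip, "->", lookup(FW_ROUTES, ip))
```

The route lookups show the /32 host route beating the /29 for the gateway (out eth2) while any other address in the block goes to eth1; the round trip shows that the FORWARD rules alone are not enough once eth2 is public, and that the missing piece is a nat POSTROUTING rule for traffic leaving eth2. On a real box, `iptables -t nat -L POSTROUTING -n -v` shows whether such a rule exists and is matching.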
Fred99
Guest
07-26-2004, 07:27 AM
Hello David,

Thanks for your answer.
I'm using Red Hat.
Here are my iptables rules, which are working when eth2 has a private IP
but not when it has a public IP. Can you see anything wrong?


iptables -t filter -F
iptables -t nat -F

echo 1 > /proc/sys/net/ipv4/ip_forward

################
# Filter table #
################
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

############
# Loopback #
############
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

###########
# FORWARD #
###########

###############
# LAN --> DMZ #
###############

##########################
# SMTP PROTOCOL : TCP 25 #
##########################
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.100/32 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.100/32 -d 172.16.0.0/16 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

###########################
# POP3 PROTOCOL : TCP 110 #
###########################
iptables -t nat -A PREROUTING -d 172.16.2.1 -p tcp --dport 110 -j DNAT --to-destination 192.168.2.150:110
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.150/32 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

#################################
# DNS PROTOCOL : UDP and TCP 53 #
#################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.2.200/32 -d 0/0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.2.200/32 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.2.200/32 -d 0/0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.2.200/32 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

####################################
# IDENT PROTOCOL : TCP and UDP 113 #
####################################
iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 113 -j ACCEPT

####################################
# HTTP, HTTPS : TCP 80 and TCP 443 #
####################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p udp --sport 443 -j ACCEPT

#################
# POP3 protocol #
#################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

################
# FTP protocol #
################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# -m state --state NEW,ESTABLISHED -j ACCEPT   (incomplete rule fragment as posted; the rule it belonged to is missing)

#################################
# DNS protocol : TCP and UDP 53 #
#################################
iptables -t filter -A FORWARD -s 192.168.2.0/24 -d 0/0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.2.0/24 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.2.0/24 -d 0/0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.2.0/24 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

###############
# WAN --> DMZ #
###############

############################
# SMTP and POP3S protocols #
############################
#iptables -t filter -A FORWARD -i eth2 -o eth1 -s 0/0 -d 192.168.2.150/32 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -t filter -A FORWARD -i eth1 -o eth2 -s 192.168.2.150/32 -d 0/0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth1 -s 0/0 -d 192.168.2.100/32 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth2 -s 192.168.2.100/32 -d 0/0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth1 -s 0/0 -d 192.168.2.100/32 -p tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth2 -s 192.168.2.100/32 -d 0/0 -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT

###########################
# POP3 protocol : TCP 110 #
###########################
iptables -t filter -A FORWARD -i eth2 -o eth1 -s 0/0 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth2 -s 192.168.2.150/32 -d 0/0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP

Thanks again

Fred
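Fred's rule set only touches the filter table (the single nat rule is a DNAT for POP3), which is consistent with David's question: nothing rewrites the 172.16.x.x source of LAN traffic leaving eth2. One way to reason about such a rule set offline is to evaluate it. The following is an added example, not code from the post: a minimal evaluator for the subset of iptables syntax the posted FORWARD rules use (-i/-o/-s/-d/-p/--sport/--dport/-m state --state/-j) under the chain's DROP policy, fed three rules quoted from the post and a few constructed packets (198.51.100.7 is a constructed stand-in for an Internet host). It models the filter table only, so a flow it accepts still leaves eth2 with its private source address unless a nat POSTROUTING rule rewrites it.

```python
"""Minimal evaluator for the iptables FORWARD-rule subset used in the post.
Added example; the rules are quoted from the post, the packets are constructed."""
import ipaddress
import shlex


def _net(s):
    # iptables accepts the shorthand '0/0'; the ipaddress module does not.
    return ipaddress.ip_network("0.0.0.0/0" if s == "0/0" else s, strict=False)


def _ports(s):
    """'25' -> (25, 25); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = s.partition(":")
    return (int(lo), int(hi or lo))


def parse_rule(line):
    """Parse one 'iptables -t filter -A CHAIN ...' command into a match dict."""
    it = iter(shlex.split(line)[1:])          # drop the leading 'iptables'
    rule = {}
    for t in it:
        if t == "-t":
            next(it)                          # table name; filter assumed
        elif t == "-A":
            rule["chain"] = next(it)
        elif t == "-i":
            rule["in"] = next(it)
        elif t == "-o":
            rule["out"] = next(it)
        elif t == "-s":
            rule["src"] = _net(next(it))
        elif t == "-d":
            rule["dst"] = _net(next(it))
        elif t == "-p":
            rule["proto"] = next(it)
        elif t == "--sport":
            rule["sport"] = _ports(next(it))
        elif t == "--dport":
            rule["dport"] = _ports(next(it))
        elif t == "-m":
            next(it)                          # match module name ('state')
        elif t == "--state":
            rule["state"] = set(next(it).split(","))
        elif t == "-j":
            rule["target"] = next(it)
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def matches(rule, pkt):
    """True when every field present in the rule agrees with the packet."""
    checks = {
        "in":    lambda v: pkt["in"] == v,
        "out":   lambda v: pkt["out"] == v,
        "src":   lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "dst":   lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "proto": lambda v: pkt["proto"] == v,
        "sport": lambda v: v[0] <= pkt["sport"] <= v[1],
        "dport": lambda v: v[0] <= pkt["dport"] <= v[1],
        "state": lambda v: pkt["state"] in v,
    }
    return all(fn(rule[k]) for k, fn in checks.items() if k in rule)


def verdict(rules, pkt, chain="FORWARD", policy="DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for r in rules:
        if r.get("chain") == chain and matches(r, pkt):
            return r["target"]
    return policy


def pkt(src, dst, dport, in_="eth0", out="eth2", proto="tcp",
        sport=40000, state="NEW"):
    """Build a constructed packet record for the evaluator."""
    return {"src": src, "dst": dst, "dport": dport, "sport": sport,
            "proto": proto, "state": state, "in": in_, "out": out}


# Three rules quoted from the post, joined onto single lines.
RULES = [parse_rule(line) for line in [
    "iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.100/32 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT",
    "iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
]]

if __name__ == "__main__":
    samples = [
        ("LAN web",   pkt("172.16.2.50", "198.51.100.7", 80)),
        ("LAN 8080",  pkt("172.16.2.50", "198.51.100.7", 8080)),
        ("ident in",  pkt("198.51.100.7", "192.168.2.100", 113, in_="eth2", out="eth1")),
        ("DMZ->LAN",  pkt("192.168.2.100", "172.16.2.50", 25, in_="eth1", out="eth0")),
    ]
    for name, p in samples:
        print(f"{name:9s} -> {verdict(RULES, p)}")
```

Running it shows the LAN web flow accepted and an unlisted port dropped by policy, but also that the IDENT rules, having no -i/-o/-s/-d or state match, accept port 113 in every direction including WAN to DMZ; the same evaluator can be pointed at any other rule from the post by adding it to the list.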