#1
I have Debian Linux on one machine which has 2 Ethernet cards. I want to make this machine my firewall. eth0 is connected to one small network of about 15 computers, while eth1 is connected to another "network" of 1 computer. I want to make my Linux machine filter everything I want and let through everything I need. However, many days working with iptables just didn't help - I still don't have a solution. My current solution is to use simple Ethernet bridging, which is a "goodbye to firewall". I have tried everything reasonable from the iptables documentation provided. I also searched the Internet, including these groups. I used to make it work well in one direction, but not vice versa. I am also concerned whether iptables is enough, since many things work on a lower level (ARP, RARP, DNS and many other protocols use OSI Layer 2 or the TCP/IP network layer to provide their services).

Since I have tried "everything" and it didn't work, the only reasonable answer to this might be a complete configuration. If anyone has a sample configuration which is analogous to the above, please post it here or send me a complete process of how to do this. I think no further explanation of the given solution would be necessary; the only thing I want is for it to work. Maybe this is too much to ask, but that seems the only solution.

In short, I need no masquerading, but I need to translate all eth0 addresses to eth1 and vice versa. I still want my firewall to be functional as a workstation or a server and a part of any network, preferably one on eth0.

iceman_to_the_max@yahoo.com
#2
(E-Mail Removed) wrote:
> I have a Debian Linux on one machine which has 2 Ethernet cards. I want
> to make this machine to be my firewall. eth0 is connected to one small
> network of about 15 computers, while eth1 is connected to another
> "network" of 1 computer. I want to make my Linux machine filter
> everything I want and let everything I need. However, many days working
> with iptables just didn't help - I still don't have a solution. My
> current solution is to use a simple Ethernet bridging, which is a
> "goodbye to firewall". I have tried everything reasonable from the
> iptables documentation provided. I also searched the Internet,
> including these Groups. I used to make it work good in one direction,
> but not vice-versa. I also am concerned if the iptables is enough,
> since many things work on the lower level (ARP, RARP, DNS and many
> other protocols use the OSI Layer 2 or TCP/IP network layer to provide
> their services).
>
> Since I have tried "everything" and it didn't work, the only reasonable
> answer to this might be a complete configuration. If anyone has a
> sample configuration which is analogous to the above, please post here
> or send me a complete process of how to do this. I think no further
> explanation would be necessary of the given solution, the only thing I
> want is it to work. Maybe this is too much to ask, but that seems the
> only solution.
>
> Shortly, I need no masquerading, but I need to translate all eth0
> addresses to eth1 and vice versa. I still want my firewall to be
> functional as a workstation or a server and a part of any network,
> preferably one of eth0.

Sure you turned routing on? Under Debian, in the file /etc/network/options there is the option:

ip_forward=yes

--
Regards, Florian
#3
First make sure that the two networks can talk to each other. Switch off all firewall, make sure that your central machine is the default gateway on both sides, and see if they can talk to each other. You need to get this working first.

Once you have that working then you can get the firewall working. I use shorewall, a wrapper for iptables.

I do not think that there is any reason why you should be using masquerading in this context. There is no reason I could imagine why you should. Just leave them with their separate networks and addresses, and set up the routing table appropriately.

(E-Mail Removed) writes:
> I have a Debian Linux on one machine which has 2 Ethernet cards. I want
> to make this machine to be my firewall. eth0 is connected to one small
> network of about 15 computers, while eth1 is connected to another
> "network" of 1 computer. I want to make my Linux machine filter
> everything I want and let everything I need. However, many days working
> with iptables just didn't help - I still don't have a solution. My
> current solution is to use a simple Ethernet bridging, which is a
> "goodbye to firewall". I have tried everything reasonable from the
> iptables documentation provided. I also searched the Internet,
> including these Groups. I used to make it work good in one direction,
> but not vice-versa. I also am concerned if the iptables is enough,
> since many things work on the lower level (ARP, RARP, DNS and many
> other protocols use the OSI Layer 2 or TCP/IP network layer to provide
> their services).
>
> Since I have tried "everything" and it didn't work, the only reasonable
> answer to this might be a complete configuration. If anyone has a
> sample configuration which is analogous to the above, please post here
> or send me a complete process of how to do this. I think no further
> explanation would be necessary of the given solution, the only thing I
> want is it to work. Maybe this is too much to ask, but that seems the
> only solution.
>
> Shortly, I need no masquerading, but I need to translate all eth0
> addresses to eth1 and vice versa. I still want my firewall to be
> functional as a workstation or a server and a part of any network,
> preferably one of eth0.
#4
> First make sure that the two networks can talk to each other.

They ping well.

> Switch off all firewall, make sure that your central machine is the
> default gateway on both sides, and see if they can talk to each other.
> You need to get this working first.

This is not possible. The first network is beyond my control and I cannot set the default gateway on the machines in this network. Is this an obligatory requirement? Consider that the first network is connected to the Internet by a router that is the default gateway, like this:

    Internet
       |
    router (default gateway)
       |
    first network ---- many workstations with def. gtw. set to the router IP
       |
       | eth0
    my Linux firewall
       | eth1
       |
    second network --- one or a small number of workstations (maybe some laptops)

> Once you have that working then you can get the firewall working. I use
> shorewall, a wrapper for iptables.

I don't remember hearing about shorewall, but I will look for that.

> I do not think that there is any reason why you should be using
> masquerading in this context.

I don't want to use masquerading. I have seen some scripts that do the job, but they are too long for me to fully understand all the things they are doing. Is there a script, a tutorial or a sample of a similar setup to the network I have "drawn" above? Thanks for your replies, since I am really interested in solving this problem and in networks generally.
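Added example, not posted by anyone in this thread: a POSIX shell script that generates a stateful iptables FORWARD ruleset for the layout drawn above, printing the commands so they can be reviewed before being applied as root. The interface roles, the 192.168.2.0/24 range for the eth1 segment and the optional list of TCP ports exposed inward are constructed assumptions. Two caveats the script does not cover. First, the return path asked about in this post: hosts on the eth0 side send replies to their default gateway, the Internet router, so that router needs a static route for the eth1 network pointing at the firewall's eth0 address (this is what "set up the routing table appropriately" amounts to); without it the firewall would have to SNAT, which the original poster does not want. Second, the original concern about lower-layer protocols: in a routed (not bridged) setup, ARP and RARP never cross the firewall because each NIC is its own broadcast domain, while DNS is ordinary UDP/TCP port 53 traffic that these rules filter like any other IP traffic. The ip_forward=yes line in /etc/network/options mentioned earlier is from older Debian releases; current ones read net.ipv4.ip_forward=1 from /etc/sysctl.conf, and the sysctl -w line here only sets it for the running kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) a
# stateful two-interface forwarding ruleset. All names and addresses below
# are constructed assumptions for the layout drawn in the thread.
OUTSIDE_IF=${OUTSIDE_IF:-eth0}             # the 15-machine network and its Internet router
INSIDE_IF=${INSIDE_IF:-eth1}               # the small, protected segment
INSIDE_NET=${INSIDE_NET:-192.168.2.0/24}   # constructed address range for the eth1 segment

# Print the sysctl and iptables commands, one per line, without running them.
# $1 (optional): space-separated TCP ports on the inside segment that the
# outside may open new connections to; default is none.
build_rules() {
    ports=${1:-}
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -P FORWARD DROP" \
        "iptables -F FORWARD" \
        "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP" \
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m conntrack --ctstate NEW -j ACCEPT"
    # Each exposed port becomes one explicit inbound opening; nothing else from
    # the outside may start a connection, because the chain policy is DROP.
    for port in $ports; do
        printf '%s\n' \
            "iptables -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $INSIDE_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    printf '%s\n' \
        "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
}

# How many generated rules let the outside segment open connections inward.
# A review check: with no exposed ports this must be 0.
count_inbound_openings() {
    build_rules "${1:-}" | grep -c -- "-i $OUTSIDE_IF -o $INSIDE_IF" || true
}

# Execute the generated commands; needs root on the firewall itself.
apply_rules() {
    build_rules "${1:-}" | sh -e
}

# Usage: sh fw-rules.sh [ports]        -> print the commands for review
#        sh fw-rules.sh apply [ports]  -> run them (as root)
case "${1:-}" in
    apply) shift; apply_rules "${1:-}" ;;
    *)     build_rules "${1:-}" ;;
esac
```

Running the script without arguments prints the ruleset; reviewing that output (and checking that count_inbound_openings reports only the openings you intended) before running it with apply is the point of separating generation from application.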
#5
Bill Unruh wrote:
> First make sure that the two networks can talk to each other. Switch off
> all firewall, make sure that your central machine is the default gateway on
> both sides, and see if they can talk to each other. You need to get this
> working first.
>
> Once you have that working then you can get the firewall working. I use
> shorewall, a wrapper for iptables.
>
> I do not think that there is any reason why you should be using masquerading
> in this context. There is no reason I could imagine why you should.
> Just leave them with their separate networks and addresses, and set up the
> routing table appropriately.
>
> (E-Mail Removed) writes:
>
> > I have a Debian Linux on one machine which has 2 Ethernet cards. I want
> > to make this machine to be my firewall. eth0 is connected to one small
> > network of about 15 computers, while eth1 is connected to another
> > "network" of 1 computer. I want to make my Linux machine filter
> > everything I want and let everything I need. However, many days working
> > with iptables just didn't help - I still don't have a solution. My
> > current solution is to use a simple Ethernet bridging, which is a
> > "goodbye to firewall". I have tried everything reasonable from the
> > iptables documentation provided. I also searched the Internet,
> > including these Groups. I used to make it work good in one direction,
> > but not vice-versa. I also am concerned if the iptables is enough,
> > since many things work on the lower level (ARP, RARP, DNS and many
> > other protocols use the OSI Layer 2 or TCP/IP network layer to provide
> > their services).
>
> > Since I have tried "everything" and it didn't work, the only reasonable
> > answer to this might be a complete configuration. If anyone has a
> > sample configuration which is analogous to the above, please post here
> > or send me a complete process of how to do this. I think no further
> > explanation would be necessary of the given solution, the only thing I
> > want is it to work. Maybe this is too much to ask, but that seems the
> > only solution.
>
> > Shortly, I need no masquerading, but I need to translate all eth0
> > addresses to eth1 and vice versa. I still want my firewall to be
> > functional as a workstation or a server and a part of any network,
> > preferably one of eth0.