Using a linux server as a firewall

Redhat Linux 7.3.
Two ethernet cards:

eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:386260 errors:0 dropped:0 overruns:0 frame:0
TX packets:333085 errors:0 dropped:0 overruns:0 carrier:27
collisions:10054 txqueuelen:100
RX bytes:29697918 (28.3 Mb) TX bytes:139509719 (133.0 Mb)
Interrupt:10 Base address:0x310

eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4946 errors:0 dropped:0 overruns:0 frame:0
TX packets:1811 errors:0 dropped:0 overruns:0 carrier:0
collisions:2 txqueuelen:100
RX bytes:602307 (588.1 Kb) TX bytes:216816 (211.7 Kb)
Interrupt:11 Base address:0xdc80

eth0 is connected to 4 port router, which is connected to ADSL modem.
eth1 is connected to 8 port hub, which is connected to other systems on
the LAN.

Output of route (collapsed slightly to fit width):

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default eth0 0.0.0.0 UG 0 0 0 eth0

IP address of router is 192.168.1.1.
IP address of eth0 is 192.168.1.2.
IP address of eth1 is 192.168.1.102.

Able to ping the router through eth0 with no problem.

Problem: Cannot ping any systems on LAN through eth1 -- unless forced,
all attempts to ping go through eth0 (default gateway, no surprise).
When cables are switched to connect eth0 to the LAN, can ping the LAN
through eth0 with no problems.

iptables settings all set to ACCEPT to simplify testing of initial
configuration (I'll worry about that later -- first things first).

So, I've obviously missed something. Any suggestions for how to get eth1
to "see" the LAN?

[FollowUps set to comp.os.linux.networking]

"Lyle H. Gray" <(E-Mail Removed)> said:
>Redhat Linux 7.3.
>Two ethernet cards:
>
>eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
....
>eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
....
>Kernel IP routing table
>Destination Gateway Genmask Flags Metric Ref Use Iface
>192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
>192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
>192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
>127.0.0.0 * 255.0.0.0 U 0 0 0 lo
>default eth0 0.0.0.0 UG 0 0 0 eth0
>
>IP address of router is 192.168.1.1.
>IP address of eth0 is 192.168.1.2.
>IP address of eth1 is 192.168.1.102.

Not good. You're having the same network on both sides of the machine
(identical combinations of destination and mask for eth0 and eth1).
So, how on earth should the machine know which way to send each packet
destined for that network?

So, declare either of the networks (the one connected to eth0 or the one
connected to eth1) to be 192.168.2.x, and change addressing of all
hardware within that network accordingly.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

On Fri, 21 Nov 2003 17:11:19 GMT, Lyle H. Gray
<(E-Mail Removed)> wrote:
> Redhat Linux 7.3.
> Two ethernet cards:
>
> eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:386260 errors:0 dropped:0 overruns:0 frame:0
> TX packets:333085 errors:0 dropped:0 overruns:0 carrier:27
> collisions:10054 txqueuelen:100
> RX bytes:29697918 (28.3 Mb) TX bytes:139509719 (133.0 Mb)
> Interrupt:10 Base address:0x310
>
> eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4946 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1811 errors:0 dropped:0 overruns:0 carrier:0
> collisions:2 txqueuelen:100
> RX bytes:602307 (588.1 Kb) TX bytes:216816 (211.7 Kb)
> Interrupt:11 Base address:0xdc80
>
> eth0 is connected to 4 port router, which is connected to ADSL modem.
> eth1 is connected to 8 port hub, which is connected to other systems on
> the LAN.
>
> Output of route (collapsed slightly to fit width):
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default eth0 0.0.0.0 UG 0 0 0 eth0
>
> IP address of router is 192.168.1.1.
> IP address of eth0 is 192.168.1.2.
> IP address of eth1 is 192.168.1.102.
>
> Able to ping the router through eth0 with no problem.
>
> Problem: Cannot ping any systems on LAN through eth1 -- unless forced,
> all attempts to ping go through eth0 (default gateway, no surprise).
> When cables are switched to connect eth0 to the LAN, can ping the LAN
> through eth0 with no problems.
>
> iptables settings all set to ACCEPT to simplify testing of initial
> configuration (I'll worry about that later -- first things first).
>
> So, I've obviously missed something. Any suggestions for how to get eth1
> to "see" the LAN?
>
> [FollowUps set to comp.os.linux.networking]

eth0 and eth1 have the same subnet (192.168.1.0/255.255.255.0). Can you
change the address of eth0 and the router? Or if there is nothing else
connected to the router, connect eth0 directly to the ADSL modem.

--
You can go anywhere you want if you look serious and carry a clipboard.

Lyle H. Gray wrote:
> Redhat Linux 7.3.
> Two ethernet cards:
>
> eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:386260 errors:0 dropped:0 overruns:0 frame:0
> TX packets:333085 errors:0 dropped:0 overruns:0 carrier:27
> collisions:10054 txqueuelen:100
> RX bytes:29697918 (28.3 Mb) TX bytes:139509719 (133.0 Mb)
> Interrupt:10 Base address:0x310
>
> eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4946 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1811 errors:0 dropped:0 overruns:0 carrier:0
> collisions:2 txqueuelen:100
> RX bytes:602307 (588.1 Kb) TX bytes:216816 (211.7 Kb)
> Interrupt:11 Base address:0xdc80
>
> eth0 is connected to 4 port router, which is connected to ADSL modem.
> eth1 is connected to 8 port hub, which is connected to other systems on
> the LAN.
>
> Output of route (collapsed slightly to fit width):
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default eth0 0.0.0.0 UG 0 0 0 eth0
>
> IP address of router is 192.168.1.1.
> IP address of eth0 is 192.168.1.2.
> IP address of eth1 is 192.168.1.102.
>
> Able to ping the router through eth0 with no problem.
>
> Problem: Cannot ping any systems on LAN through eth1 -- unless forced,
> all attempts to ping go through eth0 (default gateway, no surprise).
> When cables are switched to connect eth0 to the LAN, can ping the LAN
> through eth0 with no problems.
>
> iptables settings all set to ACCEPT to simplify testing of initial
> configuration (I'll worry about that later -- first things first).
>
> So, I've obviously missed something. Any suggestions for how to get eth1
> to "see" the LAN?
>
> [FollowUps set to comp.os.linux.networking]

You seem to be using the same IP address (192.168.1/24) on both sides of
your firewall/NAT box. This is definitely a problem. The firewall/NAT
box acts like a router, and routers join together network segments that
have *different* IP addresses. In other words, the networks on the two
sides of your firewall/NAT box must have different IP addresses. For
example, you could assign the IP address 192.168.1/24 to your "DMZ"
network, and the IP address "192.168.2/24" to your internal/private network:

Your xDSL router/modem
| (192.168.1.1/24)
|
| Your "DMZ" network (192.168.1/24)
|
| (eth0 - 192.168.1.2/24)
Your Linux firewall/NAT box
| (eth1 - 192.168.2.1/24)
|
| Your internal/private network (192.168.2/24)
|
(The hosts on your private network)

--
Jim

To reply by email, remove "link" and change "now.here" to "yahoo"
jfischer_link5809{at}now.here.com

"Lyle H. Gray" <(E-Mail Removed)> wrote in message news:<Xns943A7BFC21CA4graynoibisspamcsumas@130.81. 64.196>...
> Redhat Linux 7.3.
> Two ethernet cards:
>
> eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
....
>
> eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
....
>
> eth0 is connected to 4 port router, which is connected to ADSL modem.
> eth1 is connected to 8 port hub, which is connected to other systems on
> the LAN.

You are better off putting eth1 on a different subnet. For more info, see
http://ide-cf.info-for.us/firewall

>
> Output of route (collapsed slightly to fit width):
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default eth0 0.0.0.0 UG 0 0 0 eth0
>
> IP address of router is 192.168.1.1.
> IP address of eth0 is 192.168.1.2.
> IP address of eth1 is 192.168.1.102.
>
> Able to ping the router through eth0 with no problem.
>
> Problem: Cannot ping any systems on LAN through eth1 -- unless forced,
> all attempts to ping go through eth0 (default gateway, no surprise).
> When cables are switched to connect eth0 to the LAN, can ping the LAN
> through eth0 with no problems.
>
> iptables settings all set to ACCEPT to simplify testing of initial
> configuration (I'll worry about that later -- first things first).
>
> So, I've obviously missed something. Any suggestions for how to get eth1
> to "see" the LAN?
>
> [FollowUps set to comp.os.linux.networking]

I think your two nics have to be on different networks:

eth0: 192.168.1.1/255.255.255.0
eth1: 192.168.2.1/255.255.255.0

Then set up appropriate routes and iptables rules.

"Lyle H. Gray" <(E-Mail Removed)> wrote in message news:<Xns943A7BFC21CA4graynoibisspamcsumas@130.81. 64.196>...
> Redhat Linux 7.3.
> Two ethernet cards:
>
> eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:386260 errors:0 dropped:0 overruns:0 frame:0
> TX packets:333085 errors:0 dropped:0 overruns:0 carrier:27
> collisions:10054 txqueuelen:100
> RX bytes:29697918 (28.3 Mb) TX bytes:139509719 (133.0 Mb)
> Interrupt:10 Base address:0x310
>
> eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4946 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1811 errors:0 dropped:0 overruns:0 carrier:0
> collisions:2 txqueuelen:100
> RX bytes:602307 (588.1 Kb) TX bytes:216816 (211.7 Kb)
> Interrupt:11 Base address:0xdc80
>
> eth0 is connected to 4 port router, which is connected to ADSL modem.
> eth1 is connected to 8 port hub, which is connected to other systems on
> the LAN.
>
> Output of route (collapsed slightly to fit width):
>
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 192.168.1.2 255.255.255.0 UG 0 0 0 eth0
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
> default eth0 0.0.0.0 UG 0 0 0 eth0
>
> IP address of router is 192.168.1.1.
> IP address of eth0 is 192.168.1.2.
> IP address of eth1 is 192.168.1.102.
>
> Able to ping the router through eth0 with no problem.
>
> Problem: Cannot ping any systems on LAN through eth1 -- unless forced,
> all attempts to ping go through eth0 (default gateway, no surprise).
> When cables are switched to connect eth0 to the LAN, can ping the LAN
> through eth0 with no problems.
>
> iptables settings all set to ACCEPT to simplify testing of initial
> configuration (I'll worry about that later -- first things first).
>
> So, I've obviously missed something. Any suggestions for how to get eth1
> to "see" the LAN?
>
> [FollowUps set to comp.os.linux.networking]

(E-Mail Removed) (Sales for IDE-CF flash drive) wrote in
news:(E-Mail Removed) m:

> You are better off putting eth1 on a different subnet. For more info,
> see http://ide-cf.info-for.us/firewall

That page appears to be 404...

(E-Mail Removed) (hairy918) wrote in
news:(E-Mail Removed) om:

> I think your two nics have to be on different networks:
>
> eth0: 192.168.1.1/255.255.255.0
> eth1: 192.168.2.1/255.255.255.0
>
> Then set up appropriate routes and iptables rules.

This pretty much appears to be the concensus, and now that I've read all
of the comments, it certainly makes sense to me.

Now I just have to pick which choice for the new subnet means the least
reconfiguration of the other computers on the LAN. If I switch the
subnet for eth1, then the other computers on the LAN have to all get new
IP addresses, and all of the folder and print shares have to be reset.
If I switch the subnet for eth0, that means only the router and eth0 have
to be given new IP addresses, and the gateway has to be redefined. I
need to change the gateway IP addresses on the other computers anyway to
be redirected through the firewall system rather than through the router,
so there's no additional cost for that.

Sounds like switching the eth0 subnet is the best choice.

Thanks for the responses, everyone.

OK. I've switched the IP address and subnet for one of the two nics,
setting eth0 gw to 192.168.2.0/24 and keeping eth1 gw as 192.168.1.0/24,
as the path of least work. ;-)

Router IP address changed to 192.168.2.1, eth0 IP changed to 192.168.2.2.
LAN remains 192.168.1.0/24. Default gw set to 192.168.2.1 (the router)
for IP addresses not in either subnet.

The pings now behave correctly, as far as I can tell. The default
gateway was tested by using ssh to connect to an outside Unix host.

Here's my new route -n report:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 192.168.2.2 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 192.168.1.102 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0

Here's my new ifconfig report for eth0 and eth1:

eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:394871 errors:0 dropped:0 overruns:0 frame:0
TX packets:340667 errors:0 dropped:0 overruns:0 carrier:27
collisions:10076 txqueuelen:100
RX bytes:30403258 (28.9 Mb) TX bytes:141166293 (134.6 Mb)
Interrupt:10 Base address:0x310

eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7905 errors:0 dropped:0 overruns:0 frame:0
TX packets:2064 errors:0 dropped:0 overruns:0 carrier:0
collisions:2 txqueuelen:100
RX bytes:919227 (897.6 Kb) TX bytes:238108 (232.5 Kb)
Interrupt:11 Base address:0xdc80

Any comments before I start setting up my iptables configuration?

TIA,
Lyle

Lyle H. Gray wrote:
> OK. I've switched the IP address and subnet for one of the two nics,
> setting eth0 gw to 192.168.2.0/24 and keeping eth1 gw as 192.168.1.0/24,
> as the path of least work. ;-)
>
> Router IP address changed to 192.168.2.1, eth0 IP changed to 192.168.2.2.
> LAN remains 192.168.1.0/24. Default gw set to 192.168.2.1 (the router)
> for IP addresses not in either subnet.

Just to clarify: The Linux FW/NAT box should specify its default gateway
as 192.168.2.1 - i.e., the xDSL router/modem's IP address on the DMZ.
Each host on the private 192.168.1/24 network should specify its default
gateway as 192.168.1.102 - i.e., the IP address of eth1 on the Linux
FW/NAT box.

xDSL router/modem
| (192.168.2.1)
|
| DMZ network (192.168.2/24)
|
| eth0 (192.168.2.2)
Linux FW/NAT box
| eth1 (192.168.1.102)
|
| Private network (192.168.1/24)
|
{ Hosts on the private 192.168.1/24 network }


> The pings now behave correctly, as far as I can tell. The default
> gateway was tested by using ssh to connect to an outside Unix host.
>
> Here's my new route -n report:

I'm assuming the following routing table information is for the Linux
FW/NAT box only.

> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface

The following static route is unnecessary:
> 192.168.2.0 192.168.2.2 255.255.255.0 UG 0 0 0 eth0

Keep this entry:
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Likewise, this static route is unnecessary:
> 192.168.1.0 192.168.1.102 255.255.255.0 UG 0 0 0 eth1

Keep this entry:
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

The following entry is a duplicate:
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

Keep these entries:
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0


IOW, I recommend the following routing table for the FW/NAT box:

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0


Here's the routing table I recommend for the hosts on the 192.168.1/24
network (the private LAN):

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.102 0.0.0.0 UG 0 0 0 eth0


> Here's my new ifconfig report for eth0 and eth1:
>
> eth0 Link encap:Ethernet HWaddr 00:60:08:9D:9D:A1
> inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:394871 errors:0 dropped:0 overruns:0 frame:0
> TX packets:340667 errors:0 dropped:0 overruns:0 carrier:27
> collisions:10076 txqueuelen:100
> RX bytes:30403258 (28.9 Mb) TX bytes:141166293 (134.6 Mb)
> Interrupt:10 Base address:0x310
>
> eth1 Link encap:Ethernet HWaddr 00:01:02:64:0A:6B
> inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:7905 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2064 errors:0 dropped:0 overruns:0 carrier:0
> collisions:2 txqueuelen:100
> RX bytes:919227 (897.6 Kb) TX bytes:238108 (232.5 Kb)
> Interrupt:11 Base address:0xdc80
>
> Any comments before I start setting up my iptables configuration?

--
Jim

To reply by email, remove "link" and change "now.here" to "yahoo"
jfischer_link5809{at}now.here.com