Very Computer

Howdy from Texas -

I am trying to set up a masquerading firewall.  I have done this before
with no real problems, but I am doing something a little weird at a
customer's request.  It has a legal address assigned by the ISP, and
they want me to assign a private address for ipmasq to the same NIC, so
the same physical interface is configured for the public and the private
network.

In rc.inet1 I am doing

/sbin/ifconfig eth0 201.20.99.2 broadcast 201.20.99.255 netmask
255.255.255.0
/sbin/ifconfig eth0:0 192.168.200.1 broadcast 192.168.200.255 netmask
255.255.255.0
 /sbin/route add default gw 201.20.99.1 netmask 0.0.0.0 metric 1
 /sbin/route add -net 192.168.200.0 gw 192.168.200.1

In a file I created called rc.masq I am doing

/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_cuseeme.o
/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_ftp.o
/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_irc.o
/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_quake.o
/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_raudio.o
/sbin/modprobe /lib/modules/2.0.36/ipv4/ip_masq_vdolive.o
/sbin/ipfwadm -F -p accept
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -a m -S 192.168.200.0/24 -D 0.0.0.0/0

I know, I have not yet locked down the firewalling portion, I just want
to get connectivity squared away before I start shutting services down.

I am getting kind of weird results, like _intermittent_ ability to get
out to the Internet from within the private network, especially from
folks dialing in to the >cringe< WinNT RAS server.

I am running Slackware 3.6, kernel 2.0.36, and an Intel Ether Express
Pro 100b.  Is this just not a good thing to do, running two logical
networks on one physical interface?  I am starting to believe it is not,
but I was just looking for anyone who had any input.

If convenient, please respond via e-mail as well as post.

Thanks!

This is not a good idea since all packets will be put on the wires even
if you have the firewall in place!  Since they share the same interface,
for both networks, then both networks share the same data as well, not
good! Go spend $50 for another card and do it the right way: two cards,
two physical networks.  All packets MUST go through the box this way and
you have control over what you want to go through.

-Matt

--

+---------  Northrop Grumman Corporation, Bethpage, NY ---------+
+---------  TEL: (516) 346-9101 FAX: (516) 346-9740 ------------+

I am also a little miffed by this install.  You are saying they have 1 NIC,
and that is it and want to do IP masq.

I agree with previous.  Get another NIC, set it up the correct way.  Even
better, get a third NIC, will throw hackers off from the outside...

Keith

I did it using the config as below, using one nic with 1 valid ip address
and 2 privite ip.

my rc.local with lines :

# Setting up IP alias interfaces.
echo "Setting up 192.168.10.1 IP Aliases ... "
/sbin/ifconfig eth0:0 192.168.10.1 netmask 255.255.255.0 up
/sbin/ifconfig eth0:1 192.168.20.1 netmask 255.255.255.0 up
#
# Setting up IP routes
echo "Setting up IP routes ..."
/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 eth0:0
/sbin/route add -net 192.168.20.0 netmask 255.255.255.0 eth0:1
# Loading modules
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp.o
#
# Setting up IP Masquerade
echo "Setting IP Masquerade ..."
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.10.0/24 -D 0.0.0.0/0
ipfwadm -F -a m -S 192.168.20.0/24 -D 0.0.0.0/0

and my network report the status as :

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0 coll:0

eth0      Link encap:Ethernet  HWaddr 00:60:8C:C8:C0:A6
          inet addr:192.168.133.155  Bcast:192.168.133.255
Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1040584 errors:0 dropped:0 overruns:0 frame:0
          TX packets:440875 errors:0 dropped:0 overruns:0 carrier:0
coll:2116
          Interrupt:10 Base address:0x330

eth0:0    Link encap:Ethernet  HWaddr 00:60:8C:C8:C0:A6
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 coll:0

eth0:1    Link encap:Ethernet  HWaddr 00:60:8C:C8:C0:A6
          inet addr:192.168.20.1  Bcast:192.168.20.255  Mask:255.255.255.0
          UP RUNNING  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 coll:0

the system work fine on a 486-100 16M RAM linux box with slackware 3.5,
kernel 2.0.36.

Why the third NIC?

--

_________________________________________________________________________
The above opinions are my own and not those of ISM Corp., a subsidiary of
IBM Canada Ltd.

Quote:> I am trying to set up a masquerading firewall.  I have done this before
> with no real problems, but I am doing something a little weird at a
> customer's request.  It has a legal address assigned by the ISP, and they
> want me to assign a private address for ipmasq to the same NIC, so the
> same physical interface is configured for the public and the private
> network.

Your customer is being stupid. Spend the $15 and get a second ethernet card.

miguel