Cisco 768 DSL Router/Linux Firewall Configuration

Cisco 768 DSL Router/Linux Firewall Configuration

Post by Roge » Sat, 24 Aug 2002 05:40:06



Hi all

I am very new to Linux and trying to get a good firewall set up to protect a
Windows 2000 Web Server.  Here is the basic setup:

       Internet
            |  206.96.63.1 static IP assigned by ISP (wan0 interface)
    Cisco 768 Router
eth0 10.0.0.1   |
                        | eth0 10.0.0.10 (Linux Box)
                     Linux Box
eth1 10.0.0.11   +-------------------------------Windows 2000 Server
(10.0.0.23)
                         +--------------------------------Workstation 1
(10.0.0.2)

On the Linux box I'm running Redhat 7.3.  I have a semi strong ruleset using
iptables and do both IP masquerading and port forwarding. I can hit the web
with the server and the workstations, but I can't hit the web server from
outside the network. I have this ruleset to allow incoming traffic to hit
the web server on port 80.  What am I doing wrong?

# IPTABLES, EXTIF and INTIF were not shown in the post; values assumed from the
# diagram above (eth0 faces the router, eth1 faces the server)
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
PORTFWIP="10.0.0.23"
EXTIP="206.96.63.1"

# Let new inbound HTTP (and the replies belonging to it) be forwarded from the
# outside interface to the inside one
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rewrite packets addressed to the public IP on port 80 to the web server
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to $PORTFWIP:80

I'm really liking Linux, but I need a little help past this, especially so I
can win over the other people in the office.

TIA
--
Roger Stepper
River City Consulting & Web Design
Cell: (509) 981.3467
http://www.rivercityconsulting.net


Cisco 768 DSL Router/Linux Firewall Configuration

Post by Michael Wozniczk » Sun, 25 Aug 2002 20:42:46


Hi Roger!


>        Internet
>             |  206.96.63.1 static IP assigned by ISP (wan0 interface)
>     Cisco 768 Router
> eth0 10.0.0.1   |
>                         | eth0 10.0.0.10 (Linux Box)
>                      Linux Box
> eth1 10.0.0.11   +-------------------------------Windows 2000 Server
> (10.0.0.23)
>                          +--------------------------------Workstation 1
> (10.0.0.2)

Perhaps you should explain your problem in a little more detail...

What I get from your description is that your ISP assigns a static
public IP (206.96.63.1) to your router. The router uses SNAT to make
internet connections possible from your local network (10.0.0.0). The
Linux box is directly attached to the router, has two NICs with local
IPs and should work as a firewall. Further, you have installed a web server
in your local network and you want to allow public access.

Tell me if I'm wrong...

...if I'm right go on reading...

Imagine an internet box that tries to access your web server. The packet
is sent to your public IP (the router). The router looks whether there has
been a suitable outgoing connection from your local network before
(because it has to know the local IP to forward the packet to). Of
course that's not the case, so the packet is dropped.
This means that the configuration of your Linux box has no influence on
this kind of incoming traffic (because it never arrives at the box).

Here are my proposals to solve your problem (and a little bit more):

First you should use different local subnets for the router (eth0) <->
Linux box network (eth0) (e.g. 192.168.0.0/24) and the Linux box (eth1)
<-> server/clients network (e.g. 192.168.1.0/24).
Next you have to tell your router (I don't know if it's possible) to do
http port forwarding to your Linux box, and your Linux box to do port
forwarding to your web server.
On the Linux box the rules could look like these:

# Example values for the variables used below
IPTABLES=/sbin/iptables
EXT_DEV=eth0
EXT_DEV_IP=192.168.0.2
WEB_SERVER_IP=192.168.1.2
LOCAL_NETWORK=192.168.1.0/24

# DNAT to do a http port forwarding to your web server
#  EXT_DEV:       external device of your Linux box (i.e. eth0)
#  EXT_DEV_IP:    IP of the external device (i.e. 192.168.0.2)
#  WEB_SERVER_IP: IP of the local web server (i.e. 192.168.1.2)

$IPTABLES -t nat -A PREROUTING -p tcp -d $EXT_DEV_IP --dport 80 -i $EXT_DEV \
    -j DNAT --to-destination $WEB_SERVER_IP

# SNAT to make internet access possible for local workstations
#  LOCAL_NETWORK: local network (i.e. 192.168.1.0/24)
#  EXT_DEV:       outgoing device (i.e. eth0)
#  EXT_DEV_IP:    IP of the outgoing device (i.e. 192.168.0.2, the same
#                 address as above; 192.168.1.2 is the web server)

$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NETWORK -o $EXT_DEV \
    -j SNAT --to-source $EXT_DEV_IP

Of course don't forget to think about security, but that's another
problem...

There are also other solutions:

- Remove the router and use the Linux box instead (but then you
   additionally have to take care of the connection to your ISP [ppp/pppoe]).
- Ask your ISP for additional public IPs, so that your web server is
   accessible by its own public IP.
- ...and probably some more...

> I'm really liking Linux, but I need a little help past this, especially so I
> can win over the other people in the office.

Good luck for this purpose!

Michael
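
The two-subnet, double-NAT layout Michael proposes, written out as a complete firewall script (an added example, not code from this thread). 192.168.0.2 and 192.168.1.2 are Michael's values; that the router's LAN side is 192.168.0.1 and the Linux box's eth1 is 192.168.1.1 is assumed. It still depends on the router forwarding TCP port 80 to 192.168.0.2, the step Roger's original setup was missing; by default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example for the two-subnet setup described above; not code from the thread.
# Assumed addressing (only EXT_DEV_IP and WEB_SERVER_IP come from Michael's post):
#   router LAN side 192.168.0.1 <-> eth0 192.168.0.2 (Linux box)
#   eth1 192.168.1.1 (Linux box)  <-> 192.168.1.2 (Windows web server)
# The router must itself forward TCP/80 to 192.168.0.2, or nothing reaches eth0.
# DRY_RUN=1 (default) only prints the commands; run as root with DRY_RUN=0 to apply.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXT_DEV=eth0;  EXT_DEV_IP=192.168.0.2
INT_DEV=eth1;  LOCAL_NETWORK=192.168.1.0/24
WEB_SERVER_IP=192.168.1.2

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Start from a clean, deny-by-default forwarding policy.
    run "$IPTABLES" -F
    run "$IPTABLES" -t nat -F
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Second hop of the double NAT: the router already rewrote the public IP to
    # EXT_DEV_IP; rewrite it again to the web server before routing (PREROUTING).
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXT_DEV" -p tcp -d "$EXT_DEV_IP" \
        --dport 80 -j DNAT --to-destination "$WEB_SERVER_IP:80"
    # FORWARD sees the post-DNAT address: only new HTTP to the web server comes in,
    # everything else that is forwarded must be a reply to an existing connection.
    run "$IPTABLES" -A FORWARD -i "$EXT_DEV" -o "$INT_DEV" -p tcp -d "$WEB_SERVER_IP" \
        --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INT_DEV" -o "$EXT_DEV" -s "$LOCAL_NETWORK" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inside hosts leave with the box's own eth0 address, so the router (which only
    # knows 192.168.0.0/24) can route the replies back.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXT_DEV" -s "$LOCAL_NETWORK" \
        -j SNAT --to-source "$EXT_DEV_IP"
}

apply_rules
```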


Cisco 768 DSL Router/Linux Firewall Configuration

Post by Roge » Fri, 30 Aug 2002 01:27:51



> Hi Roger!


> >        Internet
> >             |  206.96.63.1 static IP assigned by ISP (wan0 interface)
> >     Cisco 768 Router
> > eth0 10.0.0.1   |
> >                         | eth0 10.0.0.10 (Linux Box)
> >                      Linux Box
> > eth1 10.0.0.11   +-------------------------------Windows 2000 Server
> > (10.0.0.23)
> >                          +--------------------------------Workstation 1
> > (10.0.0.2)

> Perhaps you should explain your problem in a little more detail...

> What I get from your description is that your ISP assigns a static
> public IP (206.96.63.1) to your router. The router uses SNAT to make
> internet connections possible from your local network (10.0.0.0). The
> Linux box is directly attached to the router, has two NICs with local
> IPs and should work as a firewall. Further, you have installed a web server
> in your local network and you want to allow public access.

> Tell me if I'm wrong...

> ...if I'm right go on reading...

> Imagine an internet box that tries to access your web server. The packet
> is sent to your public IP (the router). The router looks whether there has
> been a suitable outgoing connection from your local network before
> (because it has to know the local IP to forward the packet to). Of
> course that's not the case, so the packet is dropped.
> This means that the configuration of your Linux box has no influence on
> this kind of incoming traffic (because it never arrives at the box).

> Here are my proposals to solve your problem (and a little bit more):

> First you should use different local subnets for the router (eth0) <->
> Linux box network (eth0) (e.g. 192.168.0.0/24) and the Linux box (eth1)
> <-> server/clients network (e.g. 192.168.1.0/24).
> Next you have to tell your router (I don't know if it's possible) to do
> http port forwarding to your Linux box, and your Linux box to do port
> forwarding to your web server.
> On the Linux box the rules could look like these:

> # DNAT to do a http port forwarding to your web server
> #  EXT_DEV:       external device of your Linux box (i.e. eth0)
> #  EXT_DEV_IP:    IP of the external device (i.e. 192.168.0.2)
> #  WEB_SERVER_IP: IP of the local web server (i.e. 192.168.1.2)

> $IPTABLES -t nat -A PREROUTING -p tcp -d $EXT_DEV_IP --dport 80 -i $EXT_DEV \
>     -j DNAT --to-destination $WEB_SERVER_IP

> # SNAT to make internet access possible for local workstations
> #  LOCAL_NETWORK: local network (i.e. 192.168.1.0/24)
> #  EXT_DEV:       outgoing device (i.e. eth0)
> #  EXT_DEV_IP:    IP of the outgoing device (i.e. 192.168.0.2)

> $IPTABLES -t nat -A POSTROUTING -s $LOCAL_NETWORK -o $EXT_DEV \
>     -j SNAT --to-source $EXT_DEV_IP

> Michael

Michael

Thank you very much for the info!  I got it up and working just as you said!

Roger


Linux firewall behind Cisco DSL Router

Before even starting off, apologies for the newbie questions, on the
other hand: *I need help!*

My setup:

ADSL running with a DHCP'ed IP from our ISP. The router is a 677, with
LAN-IP = 10.100.1.1. This router is doing NAT. Our problem is that we
are in the Middle East, with a paranoid ISP, so on the router we
cannot change any settings.

I want to set up a Linux router/fw for the network. The IP range on the private
network is 192.168.x.y (where x is actually the room number in the
building) (mask = 255.255.0.0). My question then is this:

a) Can I plug the DSL router's internal interface into a hub, with the
Linux box's external interface into the same hub? (The reason for this
is that I want to put a second fw with the same config into that hub as a
backup at some stage.) Or is it better to plug the external-fw cable
directly into the LAN port of the 677?
b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0, gateway
10.100.1.1, and FW-Internal-IP of 192.168.x.y?
c) Do I need to enable NAT on the firewall machine even if the 677 is
doing it already? Is this "double-NAT" healthy?
d) I want to use IPTables, and make the fw-internal-IP the gateway
address of the private network PCs. I have tried Shorewall, but despite
IP-forwarding showing enabled, I can get out from the fw, but not from
inside the private network. (Even if rules permit it.)

I guess in short I am not conceptually sure what fw/gateway features
to use with this specific network. Any help would be *hugely*
appreciated. I don't mind reading through any literature, as long as
someone could tell me what my setup should/could look like, or what I
need to install on the fw. I have used RH8 and 9 up to now. I would also need
to have a mail server (with dyndns) up on the private network in the
future, as well as a transparent Squid.

Thanks in advance!

Eugene.
