firewall (networking) question - Please help me

Post by ERJone » Thu, 23 Dec 1999 04:00:00

hey all,

I am trying to set up a firewall configuration here with a dmz and an
internal network.  (there is a network diagram at the bottom)

my question stems from this:
when I hook up my test machine on the dmz I can ping the dmz
interface.  I can also ping the external interface of the firewall.  In
the IPCHAINS HOWTO it says to echo a 0 into
the /proc/.../ip_forward 'file'.  ok fine, did that, still can ping
the .2 (external) interface.  I cannot ping anything on the internet.

what I am wondering about is the following excerpt from the Firewall
HOWTO:
----
  BIG NOTE: If you are using "REAL" IP addresses on your LAN (not
192.168.2.*) and you can't ping the internet but you CAN ping the
Internet side of your firewall, make sure your ISP is routing packets
for your private network address.

  A test for this problem is to have someone else on the Internet (say
a friend using a local provider) use traceroute to your network. If the
trace stops at your provider's router, then they are not forwarding your
traffic.
-------
so this would seem to fit.  my traceroutes from external hosts die at
the ISP side of my link.  the problem is, w/o the firewall, the address
routes fine.  the servers are up and running no problem.  maybe it is
just my limited network knowledge but I assumed that the router was
passing everything to my subnet and the firewall (one of two machines
on that hub) would pick it up and forward it to the correct interface.
so the ISP (Att) routing shouldn't be an issue.  Right?

I am basically at the end of my ideas on this one.  Can anybody shed
some light on the issue?

TIA
ej

the plan is to have this:
   External Network
           |
           |
       eth0|
    ---------------
    | 199.1.1.2/28|             Server Network (DMZ)
    |             |eth1 (199.1.1.129/28)
    |             |----------------------------------------------
    |             |               |             |              |
    |             |               |             |              |
    |10.1.1.0     |               |             |              |
    ---------------          --------       -------        -------
           | eth2            | SMTP |       | DNS |        | WWW |
           |                 --------       -------        -------
           |                    .150          .131          .130
           |
   Internal Network
(stolen from the IPCHAINS HOWTO and modified)

For now forget about the internal (10.) network as that won't be going
into effect till after the new year.  I am now just trying to set up
the DMZ.

--

"A computer lets you make more mistakes faster than any other invention
in human history, with the possible exception of handguns and tequila."
             - Mitch Radcliffe

firewall (networking) question - Please help me

Post by Claudiu Cismar » Thu, 23 Dec 1999 04:00:00

> hey all,

> I am trying to set up a firewall configuration here with a dmz and an
> internal network.  (there is a network diagram at the bottom)

> my question stems from this:
> when I hook up my test machine on the dmz I can ping the dmz
> interface.  I can also ping the external interface of the firewall.  In
> the IPCHAINS HOWTO it says to echo a 0 into
> the /proc/.../ip_forward 'file'.  ok fine, did that, still can ping
> the .2 (external) interface.  I cannot ping anything on the internet.

    FIRST of all, YOU NEED ip forwarding :) What you have done here is
disable ip_forward. Just echo 1 to /proc/.../ip_forward :)

    Ok:

    1. assign your internal LAN addresses from 192.168.1.2 up to
192.168.1.x
    2. configure eth0 with 192.168.1.1
    3. set up the route for 192.168.1.0/24 (if your kernel is 2.0.x)
    4. be sure that your routing table looks like this (route -n command):

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    your_gateway    0.0.0.0         255.255.255.255 UH    0      0        1 dmz_interface
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0      177 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        5 lo
    0.0.0.0         your_gateway    0.0.0.0         UG    0      0     1361 dmz_interface

    5. ~# /sbin/ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ

    Now you have IP masquerading up :)

    Good luck :)

    Claudiu
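Added example, not code from either post: a small Python check that applies the diagnosis in this reply (ip_forward must be 1, a default route must exist, the DMZ subnet must sit on its own interface) to the contents of /proc/sys/net/ipv4/ip_forward and the text of `route -n`. The routing table below is constructed from the diagram's DMZ addressing; the interface names and subnets passed to check_forwarding are assumptions.

```python
import ipaddress

# Constructed sample input (not from the thread): ip_forward left at 0, as in
# the original post, and a route -n table for the diagram's DMZ (199.1.1.128/28
# on eth1) with a default route out of eth0.
IP_FORWARD = "0\n"
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
199.1.1.1       0.0.0.0         255.255.255.255 UH    0      0        1 eth0
199.1.1.0       0.0.0.0         255.255.255.240 U     0      0        0 eth0
199.1.1.128     0.0.0.0         255.255.255.240 U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        5 lo
0.0.0.0         199.1.1.1       0.0.0.0         UG    0      0     1361 eth0
"""

def parse_route_n(text):
    """Parse `route -n` output into one dict per route; banner and header are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = fields
        # Destination + Genmask become one network object (dotted netmask form is accepted).
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gw, "flags": flags, "iface": iface})
    return routes

def check_forwarding(ip_forward_text, route_text, dmz_net, dmz_iface):
    """Return the list of problems found; an empty list means the basics are in place."""
    problems = []
    # 1. The kernel only routes between interfaces when ip_forward is 1.
    if ip_forward_text.strip() != "1":
        problems.append("ip_forward is not 1: kernel will not route between interfaces")
    routes = parse_route_n(route_text)
    # 2. Reaching the Internet needs a default route (0.0.0.0/0 via a gateway, flag G).
    if not any(r["net"].prefixlen == 0 and "G" in r["flags"] for r in routes):
        problems.append("no default route (0.0.0.0 with UG flags)")
    # 3. The DMZ subnet must be directly attached on the interface we expect.
    dmz = ipaddress.ip_network(dmz_net)
    if not any(r["net"] == dmz and r["iface"] == dmz_iface for r in routes):
        problems.append(f"no route for {dmz_net} on {dmz_iface}")
    return problems

if __name__ == "__main__":
    for p in check_forwarding(IP_FORWARD, ROUTE_N, "199.1.1.128/28", "eth1"):
        print("PROBLEM:", p)
```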