Linux Firewall/Router w/DMZ setup questions

Post by Michael Nee » Fri, 18 Aug 2000 04:00:00

Hello all,

    Been searching archives for sometime now, and figured I should just ask
the question(s) and take my RTFM lumps (but please tell me which M ;)

    I have set up several IPChains Masq Firewalls in the past, but this is my
first with 3 NICs.  Quick and dirty: eth0 is internal masq (10.0.0.1/24),
eth1 is the world (1.2.3.130), and eth2 is the dmz (1.2.3.131/27).  RH 6.2,
with 2.2.16 kernel (custom compile - not an rpm update).  I am pretty
confident in the ipchains rules I have, but have problems with routing.  A
route -n shows (not quite thrilled with the ip route show version's output):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.129       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.130       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.128       0.0.0.0         255.255.255.224 U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.129       0.0.0.0         UG    0      0        0 eth1

    I manually added the 1.2.3.129 route, so that it can find the default
gateway on eth1 - because it's in the eth2's network.  Problem is, once this
is running, I cannot ping anything (although using ping I can see that it is
trying to go out over the correct interface).  I cannot even ping the IPs
assigned to the cards, i.e. 1.2.3.130 - but I can ping the box from other
machines in the masq zone or dmz.  I have disabled the IPchains rules to
rule out any problems coming from there.  Taking down eth2, all is well
(and even masq'd correctly).

    On a side note, I would like to know if it is possible (and if so where
to get more info) to have this box be a "transparent gateway" - I would like
to have the DMZ boxes keep a GW of 1.2.3.129 if possible, so that should the
firewall fail, a quick changing of cables can have all the DMZ boxes online
without the need to reconfigure them.  Of course, the masq boxes would be
down...

Thanks,
Mike

Post by Thorsten G?llne » Fri, 18 Aug 2000 04:00:00


This table is not correct, I think. How can it be that 1.2.3.129 and
1.2.3.130 are both available over eth1 and the subnet 1.2.3.128 (netmask
255.255.255.224) is reachable over eth2?

Quote:> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> 1.2.3.129       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 1.2.3.130       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 1.2.3.128       0.0.0.0         255.255.255.224 U     0      0        0 eth2
> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         1.2.3.129       0.0.0.0         UG    0      0        0 eth1

>     I manually added the 1.2.3.129 route, so that it can find the default
> gateway on eth1 - because it's in the eth2's network.  Problem is, once this
> is running, I cannot ping anything (although using ping I can see that it is
> trying to go out over the correct interface).  I cannot even ping the IPs
> assigned to the cards, i.e. 1.2.3.130 - but I can ping the box from other
> machines in the masq zone or dmz.  I have disabled the IPchains rules to
> rule out any problems coming from there.  Taking down eth2, all is well
> (and even masq'd correctly).

Post by Michael Nee » Fri, 18 Aug 2000 04:00:00


Yes, both eth1 and eth2 are in the same subnet.  Some ascii art ;)

ISP Router (1.2.3.129)
   |
Switch1
   |
(eth1 1.2.3.130)
Firewall (eth 0 10.0.0.1) - Switch2 - LAN (10.0.0.0/24)
(eth2 1.2.3.142)
   |
Switch3
   |
DMZ (1.2.3.131/27)

For the most part of 1.2.3.x/27 I want to use eth2, except for 130 and 129,
hence adding static routes to use the eth1 interface in these cases.

Machines inside the DMZ can get out to the internet, as well as those in the
LAN.  LAN can get to the DMZ (the DMZ is not able to get to the LAN, but
this is by design).  It is only from the firewall console itself where I
cannot get a ping back on anything.

My other problem is how do I let the ISP router know that all 1.2.3.x/27
should go to 130 - since it is the gw to that network?  routed? gated? or
must I get the ISP to reconfigure their box?  Trying to avoid setting up ip
aliases and then using ipchains to do some heavy mask work...

ps. there was a rule for 1.2.3.x/24 to go to eth1 but I killed that rule -
did matter though, everything should have matched an earlier rule and never
got that far.

mike


Quote:> This table is not correct, I think. How can it be that 1.2.3.129 and
> 1.2.3.130 are both available over eth1 and the subnet 1.2.3.128 (netmask
> 255.255.255.224) is reachable over eth2?

>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
>> 1.2.3.129       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
>> 1.2.3.130       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
>> 1.2.3.128       0.0.0.0         255.255.255.224 U     0      0        0 eth2
>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
>> 0.0.0.0         1.2.3.129       0.0.0.0         UG    0      0        0 eth1

>>     I manually added the 1.2.3.129 route, so that it can find the default
>> gateway on eth1 - because it's in the eth2's network.  Problem is, once this
>> is running, I cannot ping anything (although using ping I can see that it is
>> trying to go out over the correct interface).  I cannot even ping the IPs
>> assigned to the cards, i.e. 1.2.3.130 - but I can ping the box from other
>> machines in the masq zone or dmz.  I have disabled the IPchains rules to
>> rule out any problems coming from there.  Taking down eth2, all is well
>> (and even masq'd correctly).

Post by Ian Mortime » Tue, 22 Aug 2000 12:55:38


:
: first with 3 NIC's.  Quick and dirty: eth0 is internal masq (10.0.0.1/24),
: eth1 is the world (1.2.3.130), and eth2 is the dmz (1.2.3.131/27).  RH 6.2,
:
:     On a side note, I would like to know if it is possible (and if so where
: to get more info) to have this box be a "transparent gateway" - I would like
: to have the DMZ boxes keep a GW of 1.2.3.129 if possible, so that should the
: firewall fail, a quick changing of cables can have all the DMZ boxes online
: without the need to reconfigure them.  Of course, the masq boxes would be
: down...

You might be able to get this to work using auto proxy arp.
You need to do:

   echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
   echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp

Then your firewall will answer arp queries for the router on
the DMZ interface and for the DMZ on the router interface.
(That's provided your routing tables are set up correctly.)
See arp(7) and arp(8) for more details.

Ian
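To make the proxy ARP suggestion above concrete, here is an added model (not code from the thread or from the kernel) of the decision Linux makes with proxy_arp enabled: it answers an ARP request for a target only when its own route to that target leaves via a different interface from the one the request arrived on. The route list is constructed from the route -n output posted earlier; route_lookup and should_proxy_arp are names chosen for this example. Forwarded packets still traverse the ipchains forward chain, so this makes the firewall transparent at layer 2 without removing filtering.

```python
# Added example: a model of Linux proxy_arp behaviour for the 3-NIC
# firewall in the thread.  It is a simulation, not the kernel's code.
import ipaddress

# (prefix, outgoing interface) -- constructed from the thread's route -n output
ROUTES = [
    ("10.0.0.1/32", "eth0"),
    ("1.2.3.129/32", "eth1"),   # ISP router, reached via the world NIC
    ("1.2.3.130/32", "eth1"),   # the firewall's own world address
    ("1.2.3.128/27", "eth2"),   # the DMZ block
    ("10.0.0.0/24", "eth0"),
    ("1.2.3.0/24", "eth1"),
    ("127.0.0.0/8", "lo"),
    ("0.0.0.0/0", "eth1"),      # default via 1.2.3.129
]

def route_lookup(dst, routes=ROUTES):
    """Return the outgoing interface for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def should_proxy_arp(target, in_iface, proxy_ifaces, routes=ROUTES):
    """True if the firewall would answer an ARP request for target that
    arrived on in_iface: proxy_arp must be on for in_iface, and the route
    to target must leave via some *other* interface."""
    if in_iface not in proxy_ifaces:
        return False
    out = route_lookup(target, routes)
    return out is not None and out != in_iface

if __name__ == "__main__":
    proxy = {"eth1", "eth2"}   # the two interfaces Ian suggests enabling
    # DMZ host asks "who has 1.2.3.129?" on eth2 -> firewall answers,
    # so DMZ boxes can keep the ISP router as their gateway.
    print(should_proxy_arp("1.2.3.129", "eth2", proxy))
    # ISP router asks for a DMZ host on eth1 -> firewall answers,
    # which is how the router learns to hand 1.2.3.128/27 to the firewall.
    print(should_proxy_arp("1.2.3.135", "eth1", proxy))
    # Two DMZ hosts on the same switch -> not answered; they talk directly.
    print(should_proxy_arp("1.2.3.136", "eth2", proxy))
    # Without the host route for .129, the /27 would win and the request
    # from eth2 would go unanswered: Ian's "routing tables set up correctly".
    print(should_proxy_arp("1.2.3.129", "eth2", proxy,
                           [r for r in ROUTES if r[0] != "1.2.3.129/32"]))
```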

1. Cisco Router/OpenBSD router firewall setup

I have the following network and I was wishing some comments on its
IP schema.
The IPs (except for office and DMZ) correspond to NICs as well as an
outside IP for a serial card on a cisco router.

Internet ISP Gateway [x.x.x.d1]
    |
    ---> Cisco Router [x.x.x.d2 (outside IP) | y.y.y.d1 (inside IP)]
    |
    ---> OBSD FW [y.y.y.d2 (out IP) | (192.168.1.1, 192.168.2.1) (2 in IPs)]
    |
    ---> (192.168.1.x (DMZ), 192.168.2.x (office))

That is, the OBSD takes the ethernet connection from the cisco router
and communicates with 2 sub-networks. The x.x.x and y.y.y are Internet
addressable IPs.

Should I consider using only the outside IP address of the Cisco router
as the only internet addressable address in such a system and if so,
how do I go about assigning IPs in the network which would be more apt?
My naive sense of security is telling me the less internet addressable
IPs in your system, the better this is for system security.

Thanks for any comments or suggestions or related links

Mike
