Router+Firewall+Proxy+DNS on one Linux-Machine??

Post by d.. » Thu, 14 Oct 1999 04:00:00



I have a big problem setting up *one* Linux machine as
Gateway/Router for Win-Clients between 2 Subnets
Firewall
Proxy (transparent)
and DNS

My config:

Subnet with WIN-Clients: 10.10.XX.0 Mask: 255.255.252.0
  |
  |
eth1 Linux Box (10.10.XX.252)
  |
eth0 Linux Box (192.168.1.6) (Net:192.168.1.4 Mask 255.255.255.252)
  |
  |
ISDN-Router ethernet port (192.168.1.5, fixed address, not changeable)
  |
ISDN-Router ISDN-Port (?.?.?.?)
  |
  |ISDN-128KBit permanent Connection
  |
ISDN-Router of Provider (?.?.?.?)
  |
ISDN-Router ethernet (?.?.?.?)
  |
  |
Gateway of foreign Subnet (ext)
  |
Gateway (int 10.10.YY.YY)
  |
  |
Subnet 10.10.YY.0 Mask: 255.255.252.0

I only have access to 10.10.XX.0 and the Linux-Box.
The netmask of this subnet is fixed.

Now my problem:
A ping from a Win-Client in 10.10.XX.0 to 10.10.YY.0 is
forwarded correctly.
A ping out of my Linux Box into 10.10.XX.0 (own subnet)
gets replies correctly too.
A ping out of my Linux Box into the foreign subnet gets no reply.
So Squid and DNS can't connect to any host outside!
Is there any possibility to 'Masq' Linux *itself* with another
IP? I think there is a problem with the IP of eth0. (Only IPs
in 10.10.XX.0 are routed back!?)
Or can I spoof the 192.168.1.6 to another IP?

Any help is welcome
Thanks

Alexander Dehm

(I know, it's a little bit confusing, but if you want more
information please tell.)

Here is some data:


Linux 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i586


CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_PNP is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_TRANSPARENT_PROXY=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_MOD=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
# CONFIG_IP_ROUTER is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
CONFIG_IP_ALIAS=y
CONFIG_IPV6=m
# CONFIG_IPV6_EUI64 is not set
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
# CONFIG_SCSI_IPS is not set
# CONFIG_IPDDP is not set


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.4     *               255.255.255.252 U     0      0        0 eth0
10.10.XX.0      *               255.255.252.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.5     0.0.0.0         UG    0      0        0 eth0


eth0      Link encap:Ethernet  HWaddr 00:10:4B:48:2E:A3
          inet addr:192.168.1.6  Bcast:192.168.1.7  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:711 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0x1400

eth1      Link encap:Ethernet  HWaddr 00:10:4B:48:11:80
          inet addr:10.10.XX.252  Bcast:10.10.XX.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34816 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3411 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0x1080

Sent via Deja.com http://www.deja.com/
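The symptom in the post (forwarded client pings are answered, the box's own pings are not) is a return-path problem: a locally generated packet leaves eth0 with source 192.168.1.6, an address on the private /30 link net that the provider's and the foreign subnet's gateways have no route for, so their replies are dropped; a forwarded packet keeps the client's 10.10.XX.x source, which the far side does know. The fix is to make the kernel source its own traffic from the eth1 address, which iproute2 does with a "src" hint on the default route. The following Python model is an added example, not code from the original post: XX and YY are redacted there, so the constructed values 20 and 40 stand in for them, and the far-side routing table (REMOTE_TABLE) is an assumption about what the provider and foreign gateway know.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # None = directly connected network
    iface: str
    src: Optional[str] = None   # preferred source address (iproute2 "src" hint)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel selects a route."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


# The Linux box from the post. XX is redacted there; 20 is a constructed stand-in.
IFACE_ADDR = {"eth0": "192.168.1.6", "eth1": "10.10.20.252", "lo": "127.0.0.1"}
LINUX_TABLE = [
    Route(ipaddress.IPv4Network("192.168.1.4/30"), None, "eth0"),
    Route(ipaddress.IPv4Network("10.10.20.0/22"), None, "eth1"),
    Route(ipaddress.IPv4Network("127.0.0.0/8"), None, "lo"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.5", "eth0"),
]

# Assumed table of the far-side gateway (YY replaced by the constructed value 40):
# it reaches the 10.10.20.0/22 client subnet over the ISDN link but knows nothing
# about the private point-to-point net 192.168.1.4/30 in front of the Linux box.
REMOTE_TABLE = [
    Route(ipaddress.IPv4Network("10.10.40.0/22"), None, "eth0"),
    Route(ipaddress.IPv4Network("10.10.20.0/22"), "isdn-peer", "isdn0"),
]


def source_address(table: List[Route], dst: str) -> str:
    """Source the kernel uses for a locally generated packet: the route's src hint
    if one is set, otherwise the address of the outgoing interface."""
    r = lookup(table, dst)
    if r is None:
        raise RuntimeError(f"no route to {dst}")
    return r.src or IFACE_ADDR[r.iface]


def local_ping_gets_reply(table: List[Route], dst: str):
    """Is a ping sent by the Linux box itself answered? Returns (ok, source used)."""
    r = lookup(table, dst)
    src = source_address(table, dst)
    if r.gateway is None:
        return True, src                       # on-link destination answers directly
    return lookup(REMOTE_TABLE, src) is not None, src   # far side needs a route back


def forwarded_ping_gets_reply(client_ip: str, dst: str) -> bool:
    """A forwarded packet keeps the client's source, which the far side can route."""
    return (lookup(LINUX_TABLE, dst) is not None
            and lookup(REMOTE_TABLE, client_ip) is not None)


def fixed_table() -> List[Route]:
    """LINUX_TABLE after FIX_COMMAND: the default route carries a src hint."""
    return [Route(r.prefix, r.gateway, r.iface, IFACE_ADDR["eth1"]) if r.gateway else r
            for r in LINUX_TABLE]


# iproute2 command that sets the hint on the real box (constructed address for XX).
FIX_COMMAND = "ip route replace default via 192.168.1.5 dev eth0 src 10.10.20.252"


if __name__ == "__main__":
    print("box -> 10.10.40.1, as posted    :", local_ping_gets_reply(LINUX_TABLE, "10.10.40.1"))
    print("client 10.10.20.10 -> 10.10.40.1 :", forwarded_ping_gets_reply("10.10.20.10", "10.10.40.1"))
    print("box -> 10.10.40.1, with src hint:", local_ping_gets_reply(fixed_table(), "10.10.40.1"))
    print("fix:", FIX_COMMAND)
```

The src hint needs the iproute2 "ip" tool; the net-tools "route" command cannot set it. It only affects packets the box originates, so Squid and the name server pick up the 10.10.XX.252 source automatically unless they bind to a specific address. Masquerading is not a substitute here: ipchains accepts -j MASQ only in the forward chain, so it never rewrites the box's own packets. The local ISDN router must already route 10.10.XX.0/22 back towards 192.168.1.6, since forwarded client traffic works, so no change is needed on that side.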

Firewalling a Local Area Network with routers, MS Exchange, MS Proxy and LINUX

Dear all,

I wonder if someone could offer some advice?

Let me take a second to explain the network topology we have here - briefly:

Single subnet LAN - comprising NT network with the odd bit of Novell kit.

Our comms machine runs MS Exchange 5.5 and Proxy 2.0 (it also has RRAS for
VPNs but this doesn't work because of the router listed below).

This comms machine is multihomed (I believe this is the term for 2 network
cards). The internal network as above, and the external network connects to a
CISCO 760 series ISDN router. This machine is the BDC - the separate PDC is
also the internal DNS server.

Currently, all internet access works fine via the router. This is using port
address translation to hide all internal IP addresses and present as one.
Exchange happily fires off through the link too - and when connected - our
SMTP feed pushes into the Exchange server. We have 'firewalling' set up on
the router and with MS Proxy.

There are two issues I want to raise...

1. One problem we have is that MS Exchange brings up the ISDN link every
time an externally destined email is sent - and I don't believe it is
possible to get Exchange to hold the outbound mail and fire it off at
predetermined intervals. This is costing us a fortune.....  We send large
amounts of externally bound email - all quite small - but with the ISDN line
being brought up very often, you can guess what the bill is like (5-10 sends
per hour). When we used modems, this could be achieved because Exchange used
RAS connections which could be limited to 'batch' dial-outs. This no longer
is true for the router setup.

2. We have an ISDN modem which I daresay we could use instead of the router
to give us limited dial-out, but then we become reliant upon MS Proxy
firewalling as we lose the router. Is MS Proxy secure enough? (Seriously
please, Linux boys and girls :-) )  And will Linux provide the internal IP
address 'hiding' - presenting one address to the outside world? Should we
drop a Linux box in between the MS-Proxy/Exchange and the ISDN? Is this hard
to administer/set up as a dedicated firewall?

We want to set up a system with http, ftp etc. initiated dial-out (MS Proxy)
but not by email (MS Exchange), which we can fire off every couple of hours
or so (we have a batch file which can do this in reverse in order to receive
our mail).

We need it to be secure (!) or should I say as secure as possible... and it
would be cool if we could get VPN too (MS RRAS flavor) via the ISDN modem as
the router will not handle the encapsulation properly.

Oh and finally, the funds available are very limited, so a big
UNIX/commercial solution is probably prohibitively costly.

All ideas welcome.

Ta everyone

S
