Linux firewall behind Cisco DSL Router


Post by Eugene van Rooy » Sat, 05 Jul 2003 21:56:48



Before even starting off, apologies for the newbie questions, on the
other hand: *I need help!*

My setup:

ADSL running with DHCP'ed IP from our ISP. The router is a 677, with
LAN-IP = 10.100.1.1. This router is doing NAT. Our problem is that we
are in the Middle East, with a paranoid ISP, so on the router we
cannot change any settings.

I want to setup a linux router/fw for the network. IP Range on Private
network is 192.168.x.y (where x is actually room numbers in the
building) (mask = 255.255.0.0). My question then is this:

a) Can I plug the DSL router Internal interface into a hub, with the
linux box's External interface into the same hub? (The reason for this
is that I want to put a second fw with same config into that hub as a
backup at some stage) Or is it better to plug the external-fw cable
directly into the LAN port of the 677?
b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0,gateway
10.100.1.1, and FW-Internal-IP of 192.168.x.y?
c) Do I need to enable NAT on the firewall machine even if 677 is
doing it already, is this "double-nat" healthy?
d) I want to use IPTables, and make the fw-internal-IP the gateway
address of the private network PC's. I have tried Shorewall, but despite
IP-forwarding showing enabled, I can get from the fw out, but not from
inside the private network. (Even if rules permit it)

I guess in short I am not conceptually sure what fw/gateway features
to use with this specific network. Any help would be *hugely*
appreciated. I don't mind reading through any literature, as long as
someone could tell me what my setup should/could look like, or what I
need to install on the fw. Used RH8 +9 up to now. I would need to have
a mail server (with dyndns) up on the private network as well in the
future, as well as transparent squid.

Thanks in advance!

Eugene.



Post by David Efflan » Sat, 05 Jul 2003 23:50:45



> Before even starting off, apologies for the newbie questions, on the
> other hand: *I need help!*

> My setup:

> ADSL running with DHCP'ed IP from our ISP. The router is a 677, with
> LAN-IP = 10.100.1.1. This router is doing NAT. Our problem is that we
> are in the Middle East, with a paranoid ISP, so on the router we
> cannot change any settings.

> I want to setup a linux router/fw for the network. IP Range on Private
> network is 192.168.x.y (where x is actually room numbers in the
> building) (mask = 255.255.0.0). My question then is this:

> a) Can I plug the DSL router Internal interface into a hub, with the
> linux box's External interface into the same hub? (The reason for this
> is that I want to put a second fw with same config into that hub as a
> backup at some stage) Or is it better to plug the external-fw cable
> directly into the LAN port of the 677?

What purpose would a hub serve on the DSL modem/router if it only gives
out 1 LAN IP (unless you were going to IP alias and masquerade/fw your
private LAN on the same nic that accesses the modem router, which is
possible, but generally not recommended)?

Generally you would use a _crossover_ cable between the modem/router and
your Linux router/fw box.  Then a second nic on that box should lead to
the hub/switch and your 192.168.x.y network.

> b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0,gateway
> 10.100.1.1, and FW-Internal-IP of 192.168.x.y?

Yes, but if the modem/router DHCP assigns your 10.100.1.x IP, you should
do something in your dhcp client config to automatically refresh your
firewall with your current Firewall-External-IP if it changes.

> c) Do I need to enable NAT on the firewall machine even if 677 is
> doing it already, is this "double-nat" healthy?

Yes you have to masquerade your own private network, because the
modem/router knows nothing about your 192.168.x.y network or how to route
to it.

> d) I want to use IPTables, and make the fw-internal-IP the gateway
> address of the private network PC's. I have tried Shorewall, but despite
> IP-forwarding showing enabled, I can get from the fw out, but not from
> inside the private network. (Even if rules permit it)

Were you masquerading the internal network?

> I guess in short I am not conceptually sure what fw/gateway features
> to use with this specific network. Any help would be *hugely*
> appreciated. I don't mind reading through any literature, as long as
> someone could tell me what my setup should/could look like, or what I
> need to install on the fw. Used RH8 +9 up to now. I would need to have
> a mail server (with dyndns) up on the private network as well in the
> future, as well as transparent squid.

Connections initiated from inside should not be a problem.  Whether
outside initiated connections to servers would be a problem depends upon
whether your ISP or modem/router blocks any ports.

One issue may be mtu path discovery.  If something blocks that and the
modem/router uses PPPoE (max mtu 1492 due to 8 byte header), you may need
to set mtu of 10.100.1.x nic of router/fw to no more than mtu of PPPoE.  
Max mtu can be found using "ping -s 1472 -M do some.internet.host", then
work the -s down until it works, and add 28 for max mtu (for PPPoE
typically 1464 + 28 = 1492).  Or the ping error may tell you actual mtu.  
That should not be necessary for your LAN boxes, just the public side of
your router/fw.

--
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/



Post by Pete Housto » Thu, 24 Jul 2003 22:44:13




> a) Can I plug the DSL router Internal interface into a hub, with the
> linux box's External interface into the same hub? (The reason for this
> is that I want to put a second fw with same config into that hub as a
> backup at some stage) Or is it better to plug the external-fw cable
> directly into the LAN port of the 677?

No reason not to use the hub. However if you want a hot-backup fw, you
should think about virtual IPs and linux-ha now rather than later - save
you some grief in the long run.

> b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0,gateway
> 10.100.1.1, and FW-Internal-IP of 192.168.x.y?

Sounds fine.

> c) Do I need to enable NAT on the firewall machine even if 677 is
> doing it already, is this "double-nat" healthy?

It's not unhealthy, it just adds an extra layer of possible confusion.
Once the debugging's out of the way it should be fine, and may be a real
boon if the ISP decides to change the internal ranges on you.

> d) I want to use IPTables, and make the fw-internal-IP the gateway
> address of the private network PC's. I have tried Shorewall, but despite
> IP-forwarding showing enabled, I can get from the fw out, but not from
> inside the private network. (Even if rules permit it)

Assuming you're right that the rules don't prevent it (turn on logging
for anything which you drop) and that ip-forwarding is enabled, then it
sounds very much like a routing issue. Time to dig around with route and
tcpdump. Are the packets even reaching the internal interface? The
external interface? If stuck, post the output from route -n.

Pete
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/


Cisco 768 DSL Router/Linux Firewall Configuration

Hi all

I am very new to Linux and trying to get a good firewall set up to protect a
Windows 2000 Web Server.  Here is the basic setup:

             Internet
                |  wan0 206.96.63.1 (static IP assigned by ISP)
          Cisco 768 Router
                |  eth0 10.0.0.1
                |
                |  eth0 10.0.0.10
             Linux Box
                |  eth1 10.0.0.11
                +------------------ Windows 2000 Server (10.0.0.23)
                +------------------ Workstation 1 (10.0.0.2)

On the Linux box I'm running Redhat 7.3.  I have a semi strong ruleset using
iptables and do both IP masquerading and port forwarding. I can hit the web
with the server and the workstations, but I can't hit the web server from
outside the network. I have this ruleset to allow incoming traffic to hit
the web server on port 80.  What am I doing wrong?

IPTABLES="/sbin/iptables"   # path to the iptables binary (added; not in the post)
EXTIF="eth0"                # nic toward the Cisco 768, per the diagram (added)
INTIF="eth1"                # nic toward the LAN, per the diagram (added)
PORTFWIP="10.0.0.23"
EXTIP="206.96.63.1"

# Let forwarded port-80 traffic (new connections and their replies) through to the web server
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rewrite the destination of inbound port-80 packets addressed to EXTIP to the web server
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to $PORTFWIP:80

I'm really liking Linux, but I need a little help past this, especially so I
can win over the other people in the office.

TIA
--
Roger Stepper
River City Consulting & Web Design
Cell: (509) 981.3467
http://www.rivercityconsulting.net
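As an added example (not code from this thread or from any of its posters), the following POSIX shell script puts the advice in the replies above into one rule set and also covers the port-forward question in the Cisco 768 post: it masquerades the 192.168.x.y range behind the firewall's 10.100.1.x address as David describes, logs what the DROP policies discard so a "the rules permit it" claim can be checked as Pete suggests, caps the public-side MTU at the PPPoE value found with "ping -M do", and publishes a LAN server with a DNAT rule plus its matching FORWARD rule. The interface names eth0/eth1, the /16 private range, the 1492 MTU and the address 10.100.1.5 are assumptions taken from the posts; the DRY_RUN switch, the mtu_from_payload helper and the server address 192.168.10.7 used in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal iptables gateway for the setup discussed above.
# All interface names, ranges and the MTU value are assumptions taken from the thread.
EXTIF="${EXTIF:-eth0}"         # nic on the 10.100.1.x side (towards the 677)
INTIF="${INTIF:-eth1}"         # nic on the 192.168.x.y side
LAN="${LAN:-192.168.0.0/16}"   # the /16 private range from the question
PMTU="${PMTU:-1492}"           # PPPoE path MTU found with "ping -s ... -M do"

# Every command is echoed instead of executed when DRY_RUN is set, so the
# rule set can be reviewed (or tested) without root and without touching a live box.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Turn the largest "ping -s" payload that still gets through into the path MTU:
# payload + 8 byte ICMP header + 20 byte IP header (1464 + 28 = 1492 for PPPoE).
mtu_from_payload() {
    echo $(( $1 + 28 ))
}

gateway_rules() {
    # The kernel must forward between the two nics.
    run sysctl -w net.ipv4.ip_forward=1
    # Keep the public-side MTU at or below the PPPoE path MTU; LAN nics stay at 1500.
    run ip link set dev "$EXTIF" mtu "$PMTU"

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, and replies to connections the firewall itself opened.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Second NAT layer: hide the 192.168.x.y range behind the 10.100.1.x address.
    # MASQUERADE (rather than SNAT to a fixed address) follows the external IP
    # if the 677's DHCP hands the firewall a new one.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE

    # Connections initiated from inside go out; only their replies come back in.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log (rate-limited) whatever falls through to the DROP policies, so a
    # "the rules permit it" claim can be checked in the kernel log.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
}

# Publish a LAN server on a TCP port: port_forward <external address> <port> <server>.
# A DNAT rule matches the destination address the packet carries when it reaches
# this box; behind a router that already NATs, that is the firewall's own external
# address, not the router's public one. The FORWARD rule is needed as well because
# the FORWARD policy above is DROP.
port_forward() {
    ext_addr="$1"; port="$2"; target="$3"
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$ext_addr" --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$target" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage: "DRY_RUN=1 sh gateway.sh apply" prints the rule set; "sh gateway.sh apply" (as root) installs it.
if [ "${1:-}" = "apply" ]; then
    gateway_rules
    port_forward 10.100.1.5 80 192.168.10.7   # constructed sample: a web server in room 10
fi
```

Run it with DRY_RUN=1 first and read the printed commands; the LOG rules are what turn Pete's "turn on logging for anything which you drop" into evidence in the kernel log, and the FORWARD rules only accept established traffic from the outside, so a missing MASQUERADE rule shows up there as dropped replies rather than silently failing.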
