iptables firewall between dsl router and intranet

Post by Thomas Olschewsk » Thu, 28 Jul 2005 15:31:54



Hello,

I had set up an iptables-based Linux firewall. It was connected with eth0 to
the internal network and with eth1 to a DSL modem (PPPoE) and also did all
the NAT stuff. A lightning strike blew my modem, and the new DSL hardware is
a router itself, providing NAT, VoIP etc. Nevertheless I would like to use
my iptables firewall between this router and my internal network.

The internal network is 192.168.5.x.

Questions:
Is it a good idea to put the unsecure NIC eth1 of the firewall and the DSL
router on another net, for instance 192.168.6.x?
How are the machines of the internal network routed? Is the gateway IP the
IP of the firewall's secure NIC eth0? I suppose it is, but how is the
firewall's networking set up? Does it also need a gateway IP, the IP of the DSL
router? Can this be the default route, or do I have to set up different routes
for eth0 and eth1?

I hope someone can enlighten me.

Thomas

Post by haki » Thu, 28 Jul 2005 15:54:42


> Is it a good idea to set the unsecure nic eth1 of the firewall and the dsl
> router to another net, for instance 192.168.6.x?

You are creating something like a DMZ...

> How are the machines of the internal network routed?

A client in 192.168.5.x gets your Linux firewall as default gateway, but
the address of the interface which is in 192.168.5.x, NOT the 192.168.6.x
interface of the second network card of your Linux firewall. It is
possible to have only a router without NAT on your Linux firewall. The
Linux firewall needs your DSL router as default gateway. Your DSL router
needs a route to the 192.168.5.x network over the 192.168.6.x interface of
your Linux firewall. And here the problem starts: on some DSL routers you
can't configure a route in the web interface. Check that first.

Hope that helps. Let me know...

Achim

Post by Thomas Olschewsk » Thu, 28 Jul 2005 17:00:00


> linux firewall. The linux firewall needs your dsl router as default
> gateway. Your dsl-Router needs a route to the 192.168.5.x network over
> the 192.168.6.x interface of your linux firewall. And here the problem
> starts. On some dsl-routers you can't configure a route in the
> webinterface. Check that first.

Routes can be set in this DSL router. Thank you for this information. So
only the internal machines and the DSL router need a default gateway. The
firewall itself is connected to both networks and doesn't need a gateway. Is
this right?

Internal machines -> gateway ip of firewall's secure nic -> firewall ->
firewall's unsecure nic -> dsl router -> internet

Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
firewall -> firewall's secure nic -> internal machines

I will try to set this up at the weekend, when nobody is working here with
the internet.

Thomas

Post by G_r_a_n.. » Thu, 28 Jul 2005 17:06:33



> I had setup a iptables based linux firewall. It was connected with eth0 to
> the internal network and with eth1 to a dsl modem (pppoe) and did also all
> the NAT stuff. A lightning strike blows my modem and the new dsl hardware is
> a router itself, providing NAT, voip etc. Nevertheless I would like to use
> my iptables firewall between this router and my internal network.

> Internal network is 192.168.5.x

> Questions
> Is it a good idea to set the unsecure nic eth1 of the firewall and the dsl
> router to another net, for instance 192.168.6.x?

Necessary.  Bridging is a pain and probably not required.

> How are the machines of the internal network routed? Is the gateway ip the
> ip of the firewall's secure nic eth0? I suppose it is, but how is the
> firewall networking setup? Does it need also a gateway ip, the ip of the dsl
> router? Can this be the default route or do I have to setup different routes
> for eth0 and eth1?

You're confused...  you have a 1:1 link from PC NIC to DSL, the
other NIC to the localnet.  In your prior setup with PPPoE the public
interface was ppp0, now it is ethX (X = whatever).  The modem does
the connection to the ISP and it knows the default route to the world + DNS.
So treat the modem now as 'first hop'.  Default route for the localnet is
the firewall, the firewall forwards to the modem, okay?  Now, I've either
confused you or me more, or less?  I dunno :o)

You could put the modem into bridge mode and do it all in
firewall again, no?

Grant.

Post by Thomas Olschewsk » Thu, 28 Jul 2005 19:53:51


> You could put the modem into bridge mode and do it all in
> firewall again, no?

The modem should stay in router mode for VoIP, and I am not sure if it can
work as a bridge at all. I read that the Linux firewall could work as a
bridge. But this would be the second choice for me if the first way doesn't
work. At first I will try this:

Internal machines -> gateway ip of firewall's secure nic -> firewall ->
firewall's unsecure nic -> dsl router -> internet

Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
firewall -> firewall's secure nic -> internal machines

Thanks for answering.

Thomas

Post by dnoy » Thu, 28 Jul 2005 22:45:54



>>You could put the modem into bridge mode and do it all in
>>firewall again, no?

> Modem should stay in router mode for VoIP and I am not sure if it can work
> as bridge at all. I read, that the linux firewall could work as bridge. But
> this would be the second choice for me if the first way doesn't work. At
> first I will try this

> Internal machines -> gateway ip of firewall's secure nic -> firewall ->
> firewall's unsecure nic -> dsl router -> internet

> Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
> firewall -> firewall's secure nic -> internal machines

> Thanks for answering.

> Thomas

But you don't want to double NAT, do you? Will VoIP agree with that? I
would turn off the Linux NAT/routing, or turn off the DSL router's
NAT/routing.  I wouldn't leave both on.

--
Respectfully,

CL Gilbert

Post by Thomas Olschewsk » Fri, 05 Aug 2005 04:43:45


> but you dont want to double NAt do you? will VOIP agree with that? I would
> turn off the linux nat/routing, or turn off the dsl routers nat/routing.
> I wouldnt leave both on.

Yes, I NAT twice. I don't know whether VoIP clients on PCs agree with that.
The DSL router features an integrated ISDN port. I simply switch my ISDN bus
to this port and talk with my ISDN hardware as before. I can define in the
DSL router which calls go out by VoIP or by ISDN.

Thomas

Post by Thomas Olschewsk » Fri, 05 Aug 2005 04:45:19


> Internal machines -> gateway ip of firewall's secure nic -> firewall ->
> firewall's unsecure nic -> dsl router -> internet

> Internet -> dsl router -> gateway ip of firewall's unsecure nic ->
> firewall -> firewall's secure nic -> internal machines

And the firewall router needs a default gateway to the DSL router too! Now it works.

Thomas

Problem DSL Router <-> Firewall Router <-> Clients

Hello,

I would like to set up the following network configuration.

DSL Router <-> Firewall Router <-> Clients

I use static IPs; DHCP is disabled everywhere.

DSL Router
----------
- IP: 192.168.1.2
- does all NAT stuff, integrated DNS Server
- Route for network 192.168.0.0 set to 192.168.1.1

Firewall Router
---------------
- Linux machine with iptables firewall
- NIC connected with DSL Router: 192.168.1.1
- NIC connected with Clients   : 192.168.0.20

Clients
-------
All in the 192.168.0.0 network
Default Gateway: 192.168.0.20
DNS entries: 192.168.1.2 and others

I can't establish a connection, for instance for HTTP. Currently the
firewall has no rules which drop packets, so this should not cause the
error:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

I logged traffic with tcpdump on eth0 and eth1 of the firewall router.
Perhaps somebody can find out the problem. Traffic was logged while trying
to access the URL www.spiegel.de.

eth0:
21:56:13.217316 192.168.1.2.53 > 192.168.0.2.1026: 2702 4/0/0 CNAME[|domain]
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.205192 arp who-has 192.168.0.2 tell 192.168.0.20
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.355293 arp reply 192.168.0.2 is-at <mac>
21:56:21.355341 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:22.245295 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:27.245343 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:35.245363 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:38.245367 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)

eth1:
21:55:18.658322 192.168.1.2.53 > 192.168.0.2.1026: 63104 4/0/0
CNAME[|domain]
21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1
21:55:24.585590 arp reply 192.168.1.2 is-at <mac>

Do I have an MTU problem? I added this line to iptables:
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
No success.

I also tried to vary the MTU of the firewall NICs (1500 / 1472 / 1432): no
success.

What else could be the reason?

Thomas
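An added example, not from any of the posts, of the setup the thread converges on: a routing-only Linux firewall between the DSL router (which does the NAT) and the LAN, using the addresses from the post above, with the default route and forwarding switch the thread found necessary and the MSS clamp the poster tried. The conntrack match, the DRY_RUN switch and the tighter FORWARD policy (new connections only from the LAN side) are my assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the thread: routing-only Linux firewall between a
# DSL router (does the NAT) and the LAN. Addresses are the ones from the
# "Problem DSL Router <-> Firewall Router <-> Clients" post; the interface
# names, the conntrack match and the DRY_RUN switch are assumptions.
LAN_IF=${LAN_IF:-eth0}              # "secure" NIC towards the clients
WAN_IF=${WAN_IF:-eth1}              # "unsecure" NIC towards the DSL router
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_IP=${LAN_IP:-192.168.0.20}      # clients use this as default gateway
WAN_IP=${WAN_IP:-192.168.1.1}       # DSL router routes $LAN_NET to this
DSL_ROUTER=${DSL_ROUTER:-192.168.1.2}

# run: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure() {
    run ip addr add "$LAN_IP/24" dev "$LAN_IF"
    run ip addr add "$WAN_IP/24" dev "$WAN_IF"
    # The firewall itself needs the DSL router as default gateway (the detail
    # the thread ends on); the DSL router needs the reverse route to $LAN_NET.
    run ip route add default via "$DSL_ROUTER" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1   # otherwise the box does not route

    run iptables -F
    run iptables -t mangle -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    # Anti-spoofing first: LAN source addresses never arrive on the DSL side.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Replies to connections the LAN or the firewall itself opened.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Manage the firewall from the LAN side only.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # New connections only LAN -> DSL; unlike the post's "ACCEPT state NEW
    # from anywhere", nothing from the DSL side may open a connection inwards.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # MSS clamping for the forwarded SYNs, as in the post, in the mangle table.
    run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # No MASQUERADE: the DSL router does the NAT, so there is no double NAT.
}
# "apply" as first argument executes as root; anything else only prints.
if [ "${1:-}" = apply ]; then configure; else DRY_RUN=1 configure; fi
```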
