<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ipfiltering does not work in Operating System - Linux</title>
    <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868240#M88933</link>
    <description>Just out of curiosity, how is it strange? All I want to do is set up a firewall w/o MASQ... seems simple enough. I tried the IP MASQ (192.x.x.x) and it worked fine but interfered w/ M$'s SMB proto. So all it needs is a firewall.&lt;BR /&gt;</description>
    <pubDate>Fri, 20 Dec 2002 18:22:56 GMT</pubDate>
    <dc:creator>pollux0</dc:creator>
    <dc:date>2002-12-20T18:22:56Z</dc:date>
    <item>
      <title>ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868236#M88929</link>
      <description>I can't get the IP filtering working (firewall, iptables, Linux 2.4x). &lt;BR /&gt;From the internal client I can ping the internal NIC and external NIC on the firewall but nothing past that, including the internet. &lt;BR /&gt;&lt;BR /&gt;eth0(to external) &lt;BR /&gt;ip=212.51.51.5 &lt;BR /&gt;nm=255.255.255.0 &lt;BR /&gt;nw=212.51.51.0 &lt;BR /&gt;bc=212.51.51.255 &lt;BR /&gt;gw=212.51.51.1(router ip address to internet) &lt;BR /&gt;&lt;BR /&gt;eth1(to internal) &lt;BR /&gt;ip=212.51.51.6 &lt;BR /&gt;nm=255.255.255.0 &lt;BR /&gt;nw=212.51.51.0 &lt;BR /&gt;bc=212.51.51.255 &lt;BR /&gt;&lt;BR /&gt;internal client &lt;BR /&gt;ip=212.51.51.7 &lt;BR /&gt;nm=255.255.255.0 &lt;BR /&gt;nw=212.51.51.0 &lt;BR /&gt;bc=212.51.51.255 &lt;BR /&gt;gw=212.51.51.6</description>
      <pubDate>Thu, 19 Dec 2002 21:49:57 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868236#M88929</guid>
      <dc:creator>pollux0</dc:creator>
      <dc:date>2002-12-19T21:49:57Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868237#M88930</link>
      <description>Hello,&lt;BR /&gt;&lt;BR /&gt;Your 3 NICs are on the same subnet. I'm afraid it may not work because the filtering rules, and particularly masquerading, are based on IP subnet.&lt;BR /&gt;&lt;BR /&gt;If you can, put the 3 NICs on different subnets.&lt;BR /&gt;&lt;BR /&gt;If you cannot, explain in more detail what you need, and post the rules that you have already configured.&lt;BR /&gt;&lt;BR /&gt;Good luck.&lt;BR /&gt;&lt;BR /&gt;Kodjo&lt;BR /&gt;</description>
      <pubDate>Thu, 19 Dec 2002 23:41:16 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868237#M88930</guid>
      <dc:creator>Kodjo Agbenu</dc:creator>
      <dc:date>2002-12-19T23:41:16Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868238#M88931</link>
      <description>I am new to Linux networking and trying to set up a firewall (router if needed) for a small office. I believe you have answered my question... if I understand correctly, the firewall cannot just "forward" the packets, but must also "route" the packets as well (or use IP Masq). I was able to set up IP Masq but it of course interfered with M$'s SMB protocol, so I am just going w/ firewall only (it seems the best route to take). In any case I have researched but only came up w/ more questions. I need answers to some basic questions about subnetting like you just answered. It's a simple network really. I have attached a diagram, and what you are saying then is that I would need 3 subnets (internal, external, and DMZ). I am also guessing by subnetting, I cannot keep the external subnet at 255.255.255.0 since I have to split it up. Is this network in the diagram the most efficient? I have tried many combinations of iptables script but none that have worked so far. All I really need now is something to get it working. I can make it more secure later.&lt;BR /&gt;&lt;BR /&gt;Sorry to bombard you w/ all the questions; thanks for any advice you can give...</description>
      <pubDate>Fri, 20 Dec 2002 03:28:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868238#M88931</guid>
      <dc:creator>gwu</dc:creator>
      <dc:date>2002-12-20T03:28:05Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868239#M88932</link>
      <description>&lt;A href="http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html" target="_blank"&gt;http://www.linuxguruz.org/iptables/howto/iptables-HOWTO.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;is a good guide to setting up iptables.&lt;BR /&gt;&lt;BR /&gt;As far as networking goes, you normally use Network Address Translation (NAT) on the router so that we only need a few registered IP addresses. The DMZ addresses would then be assigned manually from one of the private IP ranges, say 192.168.1.x mask 255.255.255.0&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;The internal clients would probably prefer to use DHCP to get their addresses. Assuming we have a small internal network, we could let the Linux box play DHCP server and have it assign addresses in the 192.168.2.x mask 255.255.255.0 range.&lt;BR /&gt;&lt;BR /&gt;Your network design is a bit strange unless you are using a dialup. See:&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml" target="_blank"&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;or&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://new.linuxnow.com/docs/content/Firewall-HOWTO-html/Firewall-HOWTO-3.html" target="_blank"&gt;http://new.linuxnow.com/docs/content/Firewall-HOWTO-html/Firewall-HOWTO-3.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;for a typical router firewall setup.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://new.linuxnow.com/docs.shtml" target="_blank"&gt;http://new.linuxnow.com/docs.shtml&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;has info on "howto" do just about anything in Linux.&lt;BR /&gt;&lt;BR /&gt;Ron&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 20 Dec 2002 18:05:46 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868239#M88932</guid>
      <dc:creator>Ron Kinner</dc:creator>
      <dc:date>2002-12-20T18:05:46Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868240#M88933</link>
      <description>Just out of curiosity, how is it strange? All I want to do is set up a firewall w/o MASQ... seems simple enough. I tried the IP MASQ (192.x.x.x) and it worked fine but interfered w/ M$'s SMB proto. So all it needs is a firewall.&lt;BR /&gt;</description>
      <pubDate>Fri, 20 Dec 2002 18:22:56 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868240#M88933</guid>
      <dc:creator>pollux0</dc:creator>
      <dc:date>2002-12-20T18:22:56Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868241#M88934</link>
      <description>In addition... let's say instead I want to set up something EXACTLY like the first figure on &lt;A href="http://new.linuxnow.com/docs/content/Firewall-HOWTO-html/Firewall-HOWTO-3.html" target="_blank"&gt;http://new.linuxnow.com/docs/content/Firewall-HOWTO-html/Firewall-HOWTO-3.html&lt;/A&gt; , w/o IP MASQ, do I need to subnet and do I need to change the routing table on the Cisco router?</description>
      <pubDate>Fri, 20 Dec 2002 18:56:53 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868241#M88934</guid>
      <dc:creator>pollux0</dc:creator>
      <dc:date>2002-12-20T18:56:53Z</dc:date>
    </item>
    <item>
      <title>Re: ipfiltering does not work</title>
      <link>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868242#M88935</link>
      <description>Strange because you are using a third NIC when you don't need it. Also makes it harder to get the firewall to work. &lt;BR /&gt;&lt;BR /&gt;NAT or IP MASQ is a security barrier so it is foolish to try and do without them if you are going to use a firewall. &lt;BR /&gt;&lt;BR /&gt;Anyway, to implement the first drawing without IP MASQ would be very difficult unless the ISP gave you a lot of registered IP addresses.&lt;BR /&gt;&lt;BR /&gt;You would have to use IP unnumbered on the Cisco and let it use its Ethernet address on the link to the ISP. Then you could use your registered IP addresses in the DMZ. I suppose if we split the subnet in half we could use half of the registered addresses in the DMZ and the other half on the local LAN (other splits are possible depending upon how many IP addresses you have and how many hosts will be in the DMZ and the local LAN). You would have to make sure the router had the same subnet mask and give it a route to the second half of the addresses which pointed to the firewall.&lt;BR /&gt;&lt;BR /&gt;Ron&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Mon, 23 Dec 2002 21:12:11 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-linux/ipfiltering-does-not-work/m-p/2868242#M88935</guid>
      <dc:creator>Ron Kinner</dc:creator>
      <dc:date>2002-12-23T21:12:11Z</dc:date>
    </item>
  </channel>
</rss>

